Office365 violates GDPR in schools

The Commissioner for Data Protection and Freedom of Information in the German state of Hesse has declared that Windows 10 and Office 365 are not compliant with the GDPR for use in schools.


This is a slap in the face for Microsoft: the Data Protection and Freedom of Information officer of the German state of Hesse, Ronellenfitsch, has declared the use of Office 365 in schools inadmissible. The guiding principle of the data protector's decision is as follows:

The use of Microsoft Office 365 in schools is not permitted under data protection law if schools store personal data in the European cloud.

According to Ronellenfitsch, Germany has been discussing for years whether schools can use the Microsoft Office 365 software in a data protection-compliant manner. In August 2017, the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) was the only German data protection supervisory authority to make a statement on this issue, after an extensive review of Microsoft's Germany cloud.

First assessment: It's possible with the Germany cloud

In its statement at that time, HBDI stated that Office 365 can be used by schools in the Germany cloud in accordance with data protection regulations, as long as the tools provided by Microsoft (e.g. role and authorization concept, logging, etc.) are properly used by the schools.

Germany cloud to be discontinued

In August 2018, Microsoft announced to the public that no more contracts would be offered for the Germany cloud and that the sale of this product would be discontinued. Since then, a large number of teachers and school administrators, as well as school authorities, have asked HBDI about the use of Office 365 in the European cloud. In addition, in recent months individual school authorities have pushed Office 365 into schools on a large scale, regardless of the unresolved data protection issues.

Use of Office 365 with Euro-Cloud not permitted

In a press release, the Hessian data protection commissioner goes into more detail on the question of why the use of Microsoft Office 365 in schools is currently inadmissible. According to the data protection officer, the use of cloud applications by schools is generally not a data protection problem. Many schools in Hesse are already using cloud solutions. Schools can use digital applications that comply with data protection regulations, provided that the security of data processing


The legal situation is different with Office 365 as a cloud solution. The regulatory authorities have been discussing this with Microsoft for years. The decisive aspect here is whether the school as a public institution can store personal data (of children) in a (European) cloud that is, for example, exposed to possible access by US authorities.

Public institutions in Germany have a special responsibility with regard to the permissibility and traceability of the processing of personal data. The digital sovereignty of state data processing must also be guaranteed. In autumn 2018, the Federal Office for Information Security drew the public's attention to another problem.

When using the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, the contents of which have not been conclusively clarified despite repeated requests to Microsoft. Such data is also transmitted when Office 365 is used.

The data protection commissioner sees the use of Office 365 in the cloud as a violation of the GDPR that cannot be cured by parental consent. The reason is that the security and traceability of the data processing operations are not guaranteed. Data processing is therefore not permitted. An attempt to cure this through a declaration of consent from the parents would also not take sufficient account of the special protective rights of children, e.g. under Art. 8 of the General Data Protection Regulation (GDPR).

Microsoft has to move or is out

HBDI is aware of the needs that schools have for the use of office packages. For this reason, there is also an interest in working with Microsoft to arrive at a data protection-compliant solution. However, this is not the fault of HBDI or the other German supervisory authorities, but mainly of Microsoft itself. As soon as, in particular, the possible access of third parties to the data stored in the cloud and the issue of telemetry data have been resolved in a comprehensible and data protection-compliant manner, Office 365 can be used as a cloud solution by schools. Until then, however, schools can use other instruments such as on-premises licenses on local systems.
