Blog

German privacy regulators have ruled that the use Microsoft 365 by governments, companies and educational institutions is in violation of GDPR. Only by taking additional technical measures is it possible to use the software in Germany. This was the opinion of the German regulators during the Datenschutzkonferenz (DSK) that took place last week (see below pdf). Although Microsoft has come up with a new data processing agreement and new contractual provisions are being used, according to the regulators it is still unclear what data Microsoft collects, sends and processes for its own purposes. Microsoft must therefore make improvements, the federal German protection authority Ulrich Kelber said during the conference. As long as the necessary transparency regarding the processing of personal data for Microsoft’s own purposes has not been established and the legality has not been proven, this proof cannot be provided,” said Kelber. According to Kelber, the documents available to DSK are insufficient to establish the legality of the use of Microsoft 365. Kelber also doubted whether Microsoft 365 could be used on a computer without further protective measures. In a response, Microsoft says that it does not agree with the position of the DSK and that Microsoft 365 complies with German and European privacy legislation. “The concerns raised by DSK do not adequately address the changes we have already made and stem from various misunderstandings about how our services work and the actions we have already taken,” the tech company said.