Due to privacy concerns raised by the use of US cloud providers, federal German data protection authorities have prohibited the use of Microsoft Office 365 in schools.
According to the German Data Protection Conference (DSK), which includes the German Federal Data Protection Authority and 16 state regulators, the use of Microsoft 365 is not legally compliant with the General Data Protection Regulation due to a lack of transparency about how Microsoft collects and processes personal data, as well as the possibility of third-party access to it. Also because the product remains in breach of the General Data Protection Regulation (GDPR).
Under the GDPR, children below the age of 13 are incapable of consenting to their data being collected, while consent may be given by those with parental responsibility for those under 16 but not younger than 13. When platforms do store data on adults, those customers are meant to be able to request the deletion of their records.
According to the report, the working group’s discussions with Microsoft confirmed that when O365 is used, personal data is always transferred to the US, claiming that it is not possible to use Microsoft 365 without transferring personal data to the USA.
“Microsoft does not fully disclose which processing operations take place in detail. In addition, Microsoft does not fully disclose which processing operations are carried out on behalf of the customer or which are carried out for its own purposes,” said a report by the DSK working group looking at the issue.
The sources for this piece include an article in TheRegister.