[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3LKEG69lVV2dMZT5xBm9ovoQchtXWBlSqX_6mWfpN20":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":28,"category":29,"article_tags":32},"89a33589-3e60-463a-818f-5eff57f56a5a","CTPDA (Spain) - RPS-2025\u002F082","ctpda-spain-rps-2025-082-07e6a4","Revision as of 08:42, 26 May 2026 Holding The DPA upheld the complaint and found that the controller infringed the GDPR because it had not implemented appropriate data protection by design and by default measures to mitigate the risk that users could upload special categories of personal data, images or audiovisual material to the cloud services. It also failed to provide adequate Article 13 GDPR information to pupils, families and teachers about the processing, carried out international data transfers without demonstrating that the safeguards, conditions or derogations under Articles 44–49 GDPR were met, failed to record those transfers properly in its Article 30 GDPR record of processing activities, and had not carried out a DPIA before starting the processing, despite the risks involved. The DPA ordered the controller to adopt corrective measures, including the following:","Spain's Data Protection Authority (CTPDA) upheld a complaint against Andalusia's Ministry of Education and Sports for violating multiple GDPR articles in its provision of Microsoft cloud-based educational services to public schools.
The violations included failure to implement data protection by design and by default, inadequate transparency disclosures, improper international data transfers without safeguards, missing DPIA assessments, and incomplete processing activity records. The DPA ordered corrective measures but did not impose a monetary fine.","Spain's CTPDA fined Ministry of Education for GDPR violations in Microsoft cloud services for schools.","CTPDA (Spain) - RPS-2025\u002F082 From GDPRhub
Latest revision as of 08:42, 26 May 2026 CTPDA - RPS-2025\u002F082 Authority: CTPDA (Spain) Jurisdiction: Spain Relevant Law: Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6 GDPR Article 13 GDPR Article 25 GDPR Article 30 GDPR Article 32 GDPR Article 35 GDPR Type: Complaint Outcome: Upheld Started: 01.03.2023 Decided: 02.12.2025 Published: Fine: n\u002Fa Parties: Dirección General de Innovación y Formación del Profesorado National Case Number\u002FName: RPS-2025\u002F082 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Spanish Original Source: CTPDA (in ES) Initial Contributor: bms The DPA held that the Ministry of Education and Sports of Andalusia’s provision of cloud-based educational services to public schools violated GDPR provisions relating to transparency, privacy by design, international data transfers and DPIA duties. The Ministry used Microsoft as a processor for this activity. English Summary Facts In November 2020, the Regional Ministry of Education and Sports of Andalusia, acting as controller, entered into a collaboration agreement with Microsoft Ireland Operations Limited, acting as processor, for the provision of cloud-based educational services to public schools wishing to use them. The services covered by the agreement included Microsoft Office Online applications, such as Outlook, Word, Excel, PowerPoint and OneNote, as well as Exchange, Forms, OneDrive, SharePoint, Teams and Sway. These services provided communication, collaboration, productivity and cloud storage functionalities for the education sector.
Under the agreement, Microsoft Ireland Operations Limited had access to personal data under the responsibility of the controller in order to provide the relevant cloud-based educational services. In March 2023, the DPA received a complaint alleging several infringements of the GDPR and the Spanish data protection framework. The complaint concerned, in particular: - Article 25 GDPR, on data protection by design and by default, due to the alleged failure to adopt appropriate technical and organisational measures to reduce the risk that users would upload special categories of personal data, inappropriate images or audiovisual material to the system. - Article 13 GDPR, concerning the information to be provided to data subjects when their personal data is collected. - Articles 44–49 GDPR, concerning international transfers of personal data to third countries or international organisations without the required safeguards, conditions or derogations. - Article 30 GDPR, due to the alleged lack of adequate information in the controller’s record of processing activities regarding international data transfers. - Article 35 GDPR, concerning the alleged absence of a data protection impact assessment in relation to the use of the cloud-based educational services. Holding The DPA upheld the complaint and found that the controller infringed the GDPR because it had not implemented appropriate data protection by design and by default measures to mitigate the risk that users could upload special categories of personal data, images or audiovisual material to the cloud services. 
It also failed to provide adequate Article 13 GDPR information to pupils, families and teachers about the processing, carried out international data transfers without demonstrating that the safeguards, conditions or derogations under Articles 44–49 GDPR were met, failed to record those transfers properly in its Article 30 GDPR record of processing activities, and had not carried out a DPIA before starting the processing, despite the risks involved. The DPA ordered the controller to adopt corrective measures, including the following: - Submit an action plan identifying the measures to be implemented to remedy the non-compliance, together with an implementation timeline and justification for that timeline. - Provide evidence that appropriate technical and organisational measures had been adopted to mitigate the high risk that users may enter special categories of personal data into the cloud-based educational services. - Provide documentation demonstrating the means or measures used to inform data subjects about the processing of their personal data, in compliance with Articles 13 and 14 GDPR. - Suspend data flows to the processors and sub-processors’ facilities located in third countries that are not subject to an adequacy decision, except where the relevant safeguards, conditions or derogations under Articles 44–49 GDPR are met. - Submit copies of the instructions and protocols provided to members of the educational community regarding which photographs and audiovisual content may appropriately be uploaded to the cloud-based educational services, and which content should not be included. - Indicate the control and monitoring mechanisms implemented in relation to the uploading of photographs and audiovisual content. - Provide documentary evidence that the record of processing activities had been amended to include appropriate information on international data transfers, in accordance with Article 30 GDPR. 
- Provide documentary evidence of a data protection impact assessment carried out in accordance with Article 35 GDPR. English Machine Translation of the Decision The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. Document suitable for publication on the Council Portal RESOLUTION OF SANCTIONING PROCEEDINGS FOR INFRINGEMENT OF PERSONAL DATA PROTECTION REGULATIONS Resolution RPS-2025\u002F082 Sanctioning Procedure PS-2024\u002F088 File RCO-2023\u002F037 Entity initiated: Directorate General for Innovation and Teacher Training (Ministry of Educational Development and Vocational Training) Reason for the complaint: Non-compliance with personal data protection regulations in the agreement signed between Microsoft Ireland Operations Limited and the Ministry of Education and Sport (current Ministry of Educational Development and Vocational Training) Articles affected: 5.1.a), 5.1.b), 6, 13, 25, 30, 32, 35 and 44 to 49 GDPR 33 LOPDGDD Abbreviations: GDPR.
REGULATION (EU) 2016\u002F679 OF THE EUROPEAN PARL","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CTPDA_(Spain)_-_RPS-2025\u002F082&diff=51720&oldid=51715",null,"2026-05-26T08:42:37+00:00","2026-05-26T10:00:11.255784+00:00",7,[18,21,23,26],{"name":19,"type":20},"Microsoft","vendor",{"name":22,"type":20},"Microsoft Ireland Operations Limited",{"name":24,"type":25},"Microsoft Office Online","product",{"name":27,"type":25},"Microsoft Teams","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":28,"icon":13,"name":30,"slug":31},"GDPR","gdpr",[33,38,43],{"category":34},{"id":35,"icon":13,"name":36,"slug":37},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":39},{"id":40,"icon":13,"name":41,"slug":42},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":44},{"id":45,"icon":13,"name":46,"slug":47},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[]]