[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpFlcZHiGVcg3xPfYHDk2LCXl2F_NdXj5LGbAZQJ08jk":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":30},"99b69c94-bb27-4e3e-a671-2671e515e045","CTPDA (Spain) - RPS-2025\u002F082","ctpda-spain-rps-2025-082-379b02","← Older revision Revision as of 07:28, 26 May 2026 Line 75: Line 75: }} }} The Andalusian DPA upheld a complaint over the Education Ministry’s agreement with Microsoft for cloud tools in public schools, finding GDPR breaches on transparency, privacy by design, international data transfers and DPIA duties. The DPA held that the Ministry of Education and Sports of Andalusia’s provision of cloud-based educational services to public schools violated GDPR provisions relating to transparency, privacy by design, international data transfers and DPIA duties. The Ministry used Microsoft as a processor for this activity. == English Summary == == English Summary == Line 86: Line 86: Under the agreement, Microsoft Ireland Operations Limited had access to personal data under the responsibility of the controller in order to provide the relevant cloud-based educational services. Under the agreement, Microsoft Ireland Operations Limited had access to personal data under the responsibility of the controller in order to provide the relevant cloud-based educational services. In March 2023, the CTPDA received a complaint alleging several infringements of the GDPR and the Spanish data protection framework. The complaint concerned, in particular: In March 2023, the DPA received a complaint alleging several infringements of the GDPR and the Spanish data protection framework. The complaint concerned, in particular: - [[Article 25 GDPR]], on data protection by design and by default, due to the alleged failure to adopt appropriate technical and organisational measures to reduce the risk that users would upload special categories of personal data, inappropriate images or audiovisual material to the system. - [[Article 25 GDPR]], on data protection by design and by default, due to the alleged failure to adopt appropriate technical and organisational measures to reduce the risk that users would upload special categories of personal data, inappropriate images or audiovisual material to the system.","Spain's Andalusian Data Protection Authority (CTPDA) upheld a complaint against the Ministry of Education and Sports of Andalusia for GDPR violations in its cloud services agreement with Microsoft Ireland Operations Limited. The violations included breaches of transparency, privacy by design (Article 25), international data transfers, and Data Protection Impact Assessment (DPIA) duties. The DPA found that the Ministry failed to implement adequate technical and organizational measures to prevent users from uploading special categories of personal data and inappropriate content to the system.","Spanish DPA upheld GDPR breaches against Education Ministry's Microsoft cloud agreement for public schools.","Help CTPDA (Spain) - RPS-2025\u002F082: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 07:07, 26 May 2026 view sourceMba (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators913 editsm Tag: Visual edit← Older edit Latest revision as of 07:28, 26 May 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators43 editsTag: Visual edit Line 75: Line 75: }}}} The Andalusian DPA upheld a complaint over the Education Ministry’s agreement with Microsoft for cloud tools in public schools, finding GDPR breaches on transparency, privacy by design, international data transfers and DPIA duties.The DPA held that the Ministry of Education and Sports of Andalusia’s provision of cloud-based educational services to public schools violated GDPR provisions relating to transparency, privacy by design, international data transfers and DPIA duties. The Ministry used Microsoft as a processor for this activity. == English Summary ==== English Summary == Line 86: Line 86: Under the agreement, Microsoft Ireland Operations Limited had access to personal data under the responsibility of the controller in order to provide the relevant cloud-based educational services.Under the agreement, Microsoft Ireland Operations Limited had access to personal data under the responsibility of the controller in order to provide the relevant cloud-based educational services. In March 2023, the CTPDA received a complaint alleging several infringements of the GDPR and the Spanish data protection framework. The complaint concerned, in particular:In March 2023, the DPA received a complaint alleging several infringements of the GDPR and the Spanish data protection framework. The complaint concerned, in particular: - [[Article 25 GDPR]], on data protection by design and by default, due to the alleged failure to adopt appropriate technical and organisational measures to reduce the risk that users would upload special categories of personal data, inappropriate images or audiovisual material to the system.- [[Article 25 GDPR]], on data protection by design and by default, due to the alleged failure to adopt appropriate technical and organisational measures to reduce the risk that users would upload special categories of personal data, inappropriate images or audiovisual material to the system. Latest revision as of 07:28, 26 May 2026 CTPDA - RPS-2025\u002F082 [[File:|center|250px]] Authority: CTPDA (Spain) Jurisdiction: Spain Relevant Law: Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6 GDPR Article 13 GDPR Article 25 GDPR Article 30 GDPR Article 32 GDPR Article 35 GDPR Type: Complaint Outcome: Upheld Started: 01.03.2023 Decided: 02.12.2025 Published: Fine: n\u002Fa Parties: Dirección General de Innovación y Formación del Profesorado National Case Number\u002FName: RPS-2025\u002F082 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Spanish Original Source: CTPDA (in ES) Initial Contributor: bms The DPA held that the Ministry of Education and Sports of Andalusia’s provision of cloud-based educational services to public schools violated GDPR provisions relating to transparency, privacy by design, international data transfers and DPIA duties. The Ministry used Microsoft as a processor for this activity. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts In November 2020, the Regional Ministry of Education and Sports of Andalusia, acting as controller, entered into a collaboration agreement with Microsoft Ireland Operations Limited, acting as processor, for the provision of cloud-based educational services to public schools wishing to use them. The services covered by the agreement included Microsoft Office Online applications, such as Outlook, Word, Excel, PowerPoint and OneNote, as well as Exchange, Forms, OneDrive, SharePoint, Teams and Sway. These services provided communication, collaboration, productivity and cloud storage functionalities for the education sector. Under the agreement, Microsoft Ireland Operations Limited had access to personal data under the responsibility of the controller in order to provide the relevant cloud-based educational services. In March 2023, the DPA received a complaint alleging several infringements of the GDPR and the Spanish data protection framework. The complaint concerned, in particular: - Article 25 GDPR, on data protection by design and by default, due to the alleged failure to adopt appropriate technical and organisational measures to reduce the risk that users would upload special categories of personal data, inappropriate images or audiovisual material to the system. - Article 13 GDPR, concerning the information to be provided to data subjects when their personal data is collected. - Articles 44–49 GDPR, concerning international transfers of personal data to third countries or international organisations without the required safeguards, conditions or derogations. - Article 30 GDPR, due to the alleged lack of adequate information in the controller’s record of processing activities regarding international data transfers. - Article 35 GDPR, concerning the alleged absence of a data protection impact assessment in relation to the use of the cloud-based educational services. Holding The DPA upheld the complaint and found that the controller had infringed Articles 13, 25, 30, 35, 44-49 GDPR. The DPA ordered the controller to adopt corrective measures, including the following: - Submit an action plan identifying the measures to be implemented to remedy the non-compliance, together with an implementation timeline and justification for that timeline. - Provide evidence that appropriate technical and organisational measures had been adopted to mitigate the high risk that users may enter special categories of personal data into the cloud-based educational services. - Provide documentation demonstrating the means or measures used to inform data subjects about the processing of their personal data, in compliance with Articles 13 and 14 GDPR. - Suspend data flows to the processors and sub-processors’ facilities located in third countries that are not subject to an adequacy decision, except where the relevant safeguards, conditions or derogations under Articles 44–49 GDPR are met. - Submit copies of the instructions and protocols provided to members of the educational community regarding which photographs and audiovisual content may appropriately be uploaded to the cloud-based educational services, and which content should not be included. - Indicate the control and monitoring mechanisms implemented in relation to the uploading of photographs and audiovisual content. - Provide documentary evidence that the record of processing activities had been amended to include appropriate information on international data transfers, in accordance with Article 30 GDPR. - Provide documentary evidence of a data protection impact assessment carried out in accordance with Article 35 GDPR. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. Document suitable for publication on the Council Portal RESOLUTION OF SANCTIONING PROCEEDINGS FOR INFRINGEMENT OF PERSONAL DATA PROTECTION REGULATIONS Resolution RPS-2025\u002F082 Sanctioning Procedure PS-2024\u002F088 File RCO-2023\u002F037 Entity initiated: Directorate General for Innovation and Teacher Training (Ministry of Educational Development and Vocational Training) Reason for the complaint: Non-compliance with personal data protection regulations in the agreement signed between Microsoft Ireland Operations Limited and the Ministry of Education and Sport (current Ministry of Educational Development and Vocational T","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CTPDA_(Spain)_-_RPS-2025\u002F082&diff=51715&oldid=51714",null,"2026-05-26T07:28:47+00:00","2026-05-26T08:00:10.860356+00:00",7,[18,21,24],{"name":19,"type":20},"Microsoft","vendor",{"name":22,"type":23},"Microsoft Office Online","product",{"name":25,"type":20},"Ministry of Education and Sports of Andalusia","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":26,"icon":13,"name":28,"slug":29},"GDPR","gdpr",[31,33,38,43],{"category":32},{"id":26,"icon":13,"name":28,"slug":29},{"category":34},{"id":35,"icon":13,"name":36,"slug":37},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":39},{"id":40,"icon":13,"name":41,"slug":42},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":44},{"id":45,"icon":13,"name":46,"slug":47},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[]]