DSB (Austria) - D135.027 2025-0.477.534
Austria's DSB finds Microsoft, school, and ministry in violation of GDPR information obligations.
Summary
Austria's Data Protection Authority (DSB) ruled that Microsoft, a Federal Gymnasium, and the Ministry of Education violated GDPR information obligations. A student's complaint highlighted incomplete data access and the unlawful processing of non-essential tracking cookies without consent. The DSB ordered the immediate deletion of data related to these cookies.
Full text
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 12(1) GDPR, Article 13 GDPR, Article 15 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 04.06.2024
Decided: 08.10.2025
Published:
Fine: n/a
Parties: A student represented by noyb; Microsoft Corporation; Federal Ministry of Education, Science and Research; A Federal Gymnasium
National Case Number/Name: D135.027 2025-0.477.534
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: DSB (in German), https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20251008_2025_0_477_534_00/DSBT_20251008_2025_0_477_534_00.pdf
Initial Contributor: n/a
The DPA found Microsoft, the school, and the Ministry of Education in violation of information obligations under the GDPR. They also found unlawful processing of non-essential tracking cookies, ordering immediate deletion of data relating to cookies.
English Summary
Facts
A student used Microsoft 365 Education provided by her school.
Her father, as her legal representative, asked for full information and access to all personal data used by the software, but received incomplete answers. Still, from these answers it was clear that tracking cookies were used without consent, and logs showed interaction with third parties like LinkedIn, OpenAI, and Xandr.
Essentially, the data subject complained that the school, Microsoft, and the Ministry did not provide complete access to the requested data. In addition, it was argued that the student never received full access to information under Article 13 GDPR, especially regarding cookies and data transfers. A major point also concerned Microsoft's explanations, which were far too vague, for example mentioning “business model analytics” and “internal reporting” without further explanation. Moreover, the alleged violations were not fixed promptly, even after repeated requests.
On the other hand, the school and the Ministry argued that they did provide access, and could not give more detailed information because Microsoft had not given them access either. They also stated they had little to no control over technical details, which were in the hands of Microsoft. The Education Authority claimed not to be involved at all in providing Microsoft 365 to schools.
Microsoft affirmed that certain processing for legitimate business activities is allowed and not harmful, for example relating to security and analytics. On top of that, according to Microsoft, the cookie lists and general documentation provided to the data subjects should have been sufficient to comply with information obligations. They added that the school and the Ministry were the entities having a say on the overall use of the software.
Holding
The DPA dismissed the complaint directed to the Education Authority, as it was not found responsible for Microsoft Education 365’s operations.
The DPA held that the school and the Ministry, acting as joint controllers under Article 26, violated Article 13 GDPR and Article 15(1)(a) to (h) GDPR by failing to provide complete information about the data processed when using Microsoft Education 365. They must then provide complete information and access to the data subject, including on cookies and transfers, within 10 weeks.
Microsoft violated the data subject's right to information under Article 15 GDPR, by failing to provide complete information about the data processed when using the software. They must provide within 4 weeks complete explanations of all data received, all cookies used, processing purposes, and any transfers to third parties. Under Article 12(1), explanations must be written in plain language, especially considering that the data subject is a minor.
The DPA also found that non-essential tracking cookies were used without consent, amounting to unlawful processing. All respondents shall delete all data relating to cookies within 10 weeks.
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the original for more details.
Barichgasse 40-42
A-1030 Vienna
Tel.: +43-1-52152 0
E-Mail: dsb@dsb.gv.at
File No.: D135.027 2025-0.477.534
Attn: NOYB – European Center for Digital Rights
via email
DECISION
RULING
The Data Protection Authority decides on the data protection complaint of the minor (complainant), represented by her father, represented by NOYB – European Center for Digital Rights, dated June 4, 2024, against 1. the Federal Gymnasium and school administration (first respondent), 2. the Regional Directorate of Education (second respondent), 3. the Federal Ministry of Education, Science and Research (third respondent), and 4. Microsoft Corporation (Fourth Respondent), the latter represented by Höhne, In der Maur & Partner Rechtsanwälte GmbH & Co KG, regarding A) violation of the right of access, B) violation of the right to information, and C) violation of the right to erasure of personal data that was unlawfully processed, as follows:
1. The complaint against the first and third respondent is granted, and it is determined that, in their capacity as controllers pursuant to Article 4(7) GDPR, they violated the complainant's right
a) to access pursuant to Article 15 GDPR by failing to provide complete information about the data processed during the use of Microsoft Education 365, and
b) to information pursuant to Article 13 GDPR by failing to inform the complainant in a timely and complete manner about the data processed during the use of Microsoft Education 365.
2. The first and third respondent are ordered to provide the complainant, within a period of ten weeks,
a) with information about all personal data concerning her that was processed during the use of Microsoft Education 365 (Account:). This information must include, at a minimum, content data (files, documents, messages), log data (connection data, log files, IP addresses), data about cookies (cookie values), and data transfers to the fourth respondent. With regard to the use of cookies, all information pursuant to Article 15(1)(a) to (h) and (2) GDPR must be provided;
b) with the information pursuant to Article 13(1)(c) to (f) and (2)(a) GDPR in full, describing the cookies set or read during the use of Microsoft Education 365, in particular with regard to the extent to which data is transferred to the The fourth respondent has been or is currently being apprehended.
3. The appeal against the fourth respondent is granted, and it is determined that, in its capacity as data controller, it violated the complainant's right of access under Article 15 GDPR by failing to provide complete information about the data processed during the use of Microsoft Education 365. The appeal against the fourth respondent is upheld, and it is determined that the fourth respondent, in its capacity as data controller, violated the complainant's right of access under Article 15 GDPR by failing to pr