The use of Microsoft 365 in German schools is now prohibited. The German Federal and State Data Protection Authorities (hereinafter DSK) have prohibited the use of the Microsoft 365 pack in German schools, due to an incompatibility between the Microsoft 365 pack and the Data Protection laws of Germany and the European Union.

Report of the German Data Protection Authorities

After two years of negotiation between the German Data Protection authorities and Microsoft, the report of the German control organism has been drafted, determining that the office suite (a set of computer programs that simplify office tasks) still does not comply with the European Union’s GDPR.

Consent of minors

The report of the German authorities has determined that the Microsoft 365 package collects data of minors, which is expressly prohibited by the General Data Protection Regulation of the European Union.

This regulation, in Article 8, determines that minors under the age of 13 are not legally qualified to consent to the collection of their data, and their parents may not give consent for them. They may only do so when the child’s age is between 13 and 16.

In the case of storage of adult data by the platforms, they may request the deletion of the data from all their registries.


Processing of unencrypted data

The German control organism’s report has determined that many of the services offered by the Microsoft 365 pack require the company Microsoft to access unencrypted user data.

This is a non-compliance with the legal requirements established in the GDPR, so the use of this pack would be inappropriate in schools or public administration entities, due to the lack of clarity in the procedures at the time of collecting data.

However, this situation will not be extended to individual users or companies, as they are free to choose the product they consider, although the German authorities do not recommend the use of Microsoft 365.


Cross-border processing of data by Microsoft

Additionally, the DSK has criticized in its report the transfer of data of German Microsoft 365 users to the USA, being accessible to US authorities.

They condemn that the US authorities have access to the personal data of German minors.


Microsoft’s reply to the German authorities’ report

In response, Microsoft has stated that the evaluation by the German Federal and State Data Protection authorities was imprecise.

They have published a communication stating that the products offered by Microsoft 365 comply with and exceed the European Union’s Data Protection laws. They defend the security and legality of the Microsoft 365 package.


Purpose of the report issued by DSK

Ultimately, the purpose of the report issued by the DSK is none other than to pressure Microsoft to comply with German data protection regulations.

Therefore, it has emphasized the obligation for foreign companies to comply with current data protection regulations. In this manner, it avoid any damage to users, and especially to the education system.

They point out that the protection of minors is the most important aspect. Therefore, they have prohibited the use of the Microsoft 365 package in German schools.

Instead of using the Microsoft 365 package, it is recommended that from now on they make use of local email software.

In this way, the data storage will not cross the borders of the German territory, providing more security for schools and, collaterally, for minors.


From Auratech we are at your disposal.


0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *