"During the COVID pandemic, schools around the world rapidly switched to cloud services. Microsoft immediately offered "educational" products. At the same time, responsibility for privacy compliance was shifted to schools and national authorities. The fundamental tension came to light when a student requested access to his personal data. Microsoft simply referred him to the local educational institution, which in turn could only provide minimal information because it does not have access to data held by Microsoft. The result: no one could guarantee GDPR rights."
"Microsoft 365 Education appears to use tracking cookies without consent, which is illegal. Remarkably, both the school involved and the Austrian Ministry of Education claimed during the proceedings that they were unaware of these tracking cookies. For this violation, the Austrian authority has now ordered the deletion of all relevant personal data. In addition, Microsoft violated the right of access under Article 15 of the GDPR by failing to grant the complainant full access to their data."
Microsoft 365 Education collected and processed student personal data for its own purposes while denying schools full access to that data. A student access request exposed that Microsoft redirected requests to schools, which lacked access to data held by Microsoft, preventing enforcement of GDPR rights. The Austrian data protection authority (DSB) found multiple violations, including use of tracking cookies without consent and failure to comply with Article 15 access rights. The DSB ordered deletion of relevant personal data and criticized Microsoft's practice of shifting compliance responsibilities to schools and national authorities, which undermined transparency and accountability.
Read at Techzine Global
Unable to calculate read time
Collection
[
|
...
]