022 Datenschutzkonferenz

After a two-year process, the joint committee of the German Federal Data Protection Authority and 17 state regulators found that on the basis of these documents (provided by MS), it is not possible to use Microsoft Office 365 in a manner that complies with data protection requirements.


Now I wonder if and how it is possible for similar services from Google or other US companies to comply with EU laws.

This is particularly significant in Italy, where almost all schools use Google Classroom (shouldn’t EU services be used instead?).

Last week, the French Ministry of Education, responding to a question from an MP, had already stated that the use of Microsoft and Google in schools was illegal under the EU’s GDPR regulation.

France: Assemblée Nationale
Germany: AG DSK Microsoft-Onlinedienste

The Germans say:
“The current privacy addendum of September 2022 includes changes to the previous provisions governing the disclosure of data provided to Microsoft as a processor for its own business purposes “to comply with legal obligations”. The changes contain new wording, but the substance is that the powers remain equally broad.
For instance, the regulation restricts the customer’s right to issue instructions regarding the disclosure of data processed on behalf of the customer. The data privacy addendum permits disclosures if required by law or described in the data protection addendum. Such disclosures are not limited to the instructions of the data controller, so that they can be made in the context of Section 28(3)(1) sentence. 28(3)(1) sentence 2(a) DSGVO, are only permitted if they relate to obligations under Union or Member State law to which Microsoft is subject, are restricted. This is not the case here. Therefore, Microsoft’s obligation to provide instructions does not meet the minimum legal requirements pursuant to section 28(3) subsection(1) DSGVO. 28(3) p(1) sentence2(a) GDPR.
The Working Party’s investigations show that Microsoft also contractually reserves the right to disclose extensive information that, if implemented, would not comply with the requirements of Art. 48 of the GDPR if implemented.”

This is quite a mess…

Stefano Quintarelli
Partner Founder Rexilience