Austrian DPA decisions on Microsoft 365 Education: Unlawful Cookie tracking of school children – and nobody knew about it
In two parallel decisions of October 2025 and January 2026, the Austrian Data Protection Authority (DSB) ruled that Microsoft Corporation acts as a (joint) controller for parts of the data processing carried out via Microsoft 365 Education and unlawfully placed tracking cookies on a pupil’s device without consent. The decisions clarify the allocation of GDPR responsibilities between Microsoft, schools and education ministries. They also have implications for any organisation using Microsoft 365 across the EEA.
In two related decisions issued in October 2025 (GZ D135.027) and January 2026 (GZ D135.026), the Austrian Data Protection Authority (Datenschutzbehörde, “DSB”) has clarified the GDPR responsibilities of Microsoft Corporation, Austrian schools and the Federal Ministry of Education in connection with the use of Microsoft 365 Education in Austrian public schools. Both proceedings were initiated by a complaint of a minor pupil, represented by NOYB – European Center for Digital Rights.
1. CASE FACTS
The Austrian Federal Ministry of Education (“BMBWF”) provides Austrian federal schools with several cloud services through private providers for IT-supported teaching. To this end, the BMBWF concluded a framework agreement with the European subsidiary Microsoft Ireland Operations Limited covering, inter alia, the deployment of Microsoft 365 Education. The complainant, a minor pupil at an Austrian federal grammar school, was provided with a school account and a school e-mail address linked to that platform.
On 31 July 2023, when the pupil used Microsoft 365 Education in the browser version (in particular Word Online) via her school account, several cookies were placed on her device and read out. According to Microsoft’s own published descriptions, these cookies are used, inter alia, for advertising, page analytics and other “business operations”. The pupil had not consented to these cookies being stored.
In parallel, the pupil’s father had submitted access requests under Art 15 GDPR to both Microsoft Corporation and the school. Microsoft Corporation referred him to the school as the alleged controller. The school in turn provided only limited information and referred the requesting party back to Microsoft. Two complaints were lodged with the DSB: one concerning the lack of complete information and access in relation to the data processed via Microsoft 365 Education (D135.027), and one concerning the unlawful placement of tracking cookies without consent (D135.026). Both proceedings were directed expressly against Microsoft Corporation (US parent), not against Microsoft Ireland Operations Limited.
2. HELD
Microsoft Corporation as (joint) controller. In both decisions, the DSB qualified Microsoft Corporation (US) as a controller within the meaning of Art 4 no. 7 GDPR with respect to processing carried out for its own purposes. Relying on the case-law of the CJEU (in particular C-25/17, C-40/17, C-683/21 and C-604/22), the DSB held that Microsoft Corporation, as the parent company, develops Microsoft 365 Education, sets the corporate guidelines and influences the technical and organisational specifications of the data processing. The fact that Microsoft Ireland Operations Limited adapts those guidelines to the European market does not shift controllership to the Irish entity but at most leads to joint controllership with the US parent company. Microsoft’s argument that it acts solely as a (sub-)processor was rejected: as soon as Microsoft processes data for its own “legitimate business operations” (e.g. internal reporting, business modelling, fraud prevention, improvement of core functionality), it acts as controller for those purposes.
Joint controllership of school and Ministry. In decision D135.027, the DSB qualified the school management and the BMBWF as joint controllers under Art 26 GDPR for the deployment of Microsoft 365 Education, based on a Union-law-conform interpretation of section 4 of the Austrian Education Documentation Act 2020 (BilDokG 2020) and section 15 of the ICT School Regulations (IKT-Schulverordnung). The complaint against the regional education directorate of Vienna (Bildungsdirektion Wien) was dismissed for lack of factual influence on the processing.
Violation of Art 15 and Art 13 GDPR. The DSB found that neither the school and the BMBWF nor Microsoft Corporation had provided complete access information regarding the data processed via Microsoft 365 Education, in particular as regards the cookies placed and the data transferred to Microsoft. Generic terms used by Microsoft, such as “business modelling” or “legitimate business operations”, did not satisfy the standards of Art 12(1) GDPR (intelligibility, plain language), all the more so since the data subject was a minor. Microsoft was ordered to disclose, within four weeks, what data had actually been transferred and processed for its own purposes, including any onward transfers to third parties identified in the log files (LinkedIn, OpenAI and the advertising company Xandr).
Unlawful tracking cookies. In decision D135.026, the DSB held that the cookies in question contain a unique, randomly generated identifier capable of singling out the user and therefore qualify as personal data within the meaning of Art 4 no. 1 GDPR (online identifier). The DSB confirmed that cookies for advertising, tracking or analytics purposes are not “strictly necessary” within the meaning of section 165(3) of the Austrian Telecommunications Act 2021 (transposing Art 5(3) of the ePrivacy Directive) and therefore require prior consent. Since no consent had been obtained, the processing lacked any legal basis under Art 6(1) GDPR. With reference to CJEU case C-597/19, the DSB also rejected reliance on legitimate interests under Art 6(1)(f) GDPR where the underlying ePrivacy requirement of consent is not met. As a consequence, the DSB found a violation of Art 5(1)(a) and Art 6(1) GDPR and, pursuant to Art 58(2)(f) GDPR, ordered Microsoft to refrain from placing technically non-necessary cookies without a valid legal basis within four weeks.
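The DSB’s finding rests on two facts of different kinds: the cookie value is a unique, randomly generated identifier (observable in a traffic capture), and the cookie serves advertising or analytics rather than the logged-in session (a purpose question that only the provider’s own description can answer). A customer who wants to verify what a SaaS front end sets before any consent is given can at least establish the first fact independently. The script below is an added example for this article, not code from the DSB proceedings, from Microsoft or from noyb; the host names, cookie names and values are constructed, the first-party domain `example-edu.test` is an assumption, and the entropy and length thresholds are triage heuristics rather than a legal test.

```python
"""Triage Set-Cookie headers captured from a logged-in SaaS session.

Added example for this article, not code from the DSB proceedings or from
Microsoft. Cookie names, values and hosts below are constructed; they are not
the cookies at issue in D135.026.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# First-party site of the SaaS tenant (assumption for the example).
FIRST_PARTY = "example-edu.test"

# Constructed capture, as a proxy/HAR export would record it: (responding host,
# Set-Cookie header), taken before any consent dialog was answered.
CAPTURE = [
    ("office.example-edu.test",
     "sess=R3l4uVq9Zt0Kd2mWxN7pQs; Path=/; Secure; HttpOnly"),
    ("office.example-edu.test",
     "uid=8f3a9c2e5b7d4e61a0c9f2b3d4e5f607; Expires=Tue, 30 Jul 2024 10:00:00 GMT; "
     "Domain=.example-edu.test; Path=/; Secure"),
    ("ads.tracker-example.test",
     "anid=Qk9vZ3VzSWQxMjM0NTY3ODkwYWJjZGVm; Max-Age=31536000; Path=/; Secure; SameSite=None"),
    ("office.example-edu.test", "lang=de-AT; Max-Age=2592000; Path=/"),
]


@dataclass
class CookieFinding:
    name: str
    kind: str
    entropy: float
    persistent: bool
    third_party: bool


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def shannon_entropy(s: str) -> float:
    """Bits per character: random identifiers score high, words and flags low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_identifier(value: str) -> bool:
    # Long enough and random enough to single out one browser. The threshold
    # is a triage heuristic, not the legal test of Art 4 no. 1 GDPR.
    return len(value) >= 16 and shannon_entropy(value) >= 3.0


def is_persistent(attrs: dict[str, str]) -> bool:
    """True if the cookie outlives the browser session (Expires or Max-Age > 0)."""
    if "expires" in attrs:
        return True
    try:
        return int(attrs.get("max-age", "0")) > 0
    except ValueError:
        return False


def is_third_party(host: str, domain_attr: str | None, first_party: str) -> bool:
    effective = (domain_attr or host).lstrip(".").lower()
    return not (effective == first_party or effective.endswith("." + first_party))


def classify(host: str, header: str, first_party: str) -> CookieFinding:
    name, value, attrs = parse_set_cookie(header)
    entropy = shannon_entropy(value)
    persistent = is_persistent(attrs)
    third = is_third_party(host, attrs.get("domain"), first_party)
    if not looks_like_identifier(value):
        kind = "low-entropy"            # preference or flag, usually no identifier
    elif third:
        kind = "third-party identifier"
    elif persistent:
        kind = "persistent first-party identifier"
    else:
        kind = "session identifier"     # may be the login session itself
    return CookieFinding(name, kind, entropy, persistent, third)


def audit(capture, first_party: str = FIRST_PARTY) -> list[CookieFinding]:
    return [classify(host, header, first_party) for host, header in capture]


def consent_candidates(findings: list[CookieFinding]) -> list[str]:
    """Cookies to take to the provider: identifier-like and persistent or
    third-party. Whether they are strictly necessary is a purpose question the
    capture cannot answer; the provider's own cookie description has to."""
    flagged = {"third-party identifier", "persistent first-party identifier"}
    return [f.name for f in findings if f.kind in flagged]


if __name__ == "__main__":
    for f in audit(CAPTURE):
        print(f"{f.name:6} {f.kind:36} entropy={f.entropy:.2f} "
              f"persistent={f.persistent} third_party={f.third_party}")
    print("ask provider about:", consent_candidates(audit(CAPTURE)))
```

Run against a real capture, the list returned by `consent_candidates` is the set of cookies for which a customer should demand the purpose description and legal basis from the provider; a session identifier on the first-party host is deliberately not flagged, since a login session cookie is the typical example of a strictly necessary cookie, and a low-entropy preference value cannot single out a user at all.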
3. CONSEQUENCES AND PRACTICAL IMPLICATIONS BEYOND AUSTRIA
Although the decisions originate from a national supervisory authority and concern a specific Austrian school setting, their reasoning has implications well beyond Austria and beyond the education sector.
Hyperscaler controllership for “business operations”. The DSB’s analysis is in line with a growing line of European decisions and EDPS findings (notably the EDPS decision of 8 March 2024 against the European Commission concerning Microsoft 365) holding that hyperscaler cloud providers cannot reduce their role to that of a mere processor where they process customer data for their own business purposes. Any organisation in the EEA using Microsoft 365 (or comparable SaaS offerings) for processing personal data of employees, customers or pupils should re-assess the controller/processor allocation in their contractual setup, in particular with regard to processing for “legitimate business operations” and similar provider-defined purposes.
Forum and competent authority. Notably, the DSB conducted the proceedings against Microsoft Corporation (US) directly and rejected the argument that Microsoft Ireland Operations Limited would be the relevant counterparty for European matters. National supervisory authorities outside Ireland may therefore feel encouraged to take action against US parent companies in their own right, in particular where strategic and product-design decisions are taken outside the EU.
Cookie consent for SaaS environments. The DSB’s strict reading of the consent requirement under Art 5(3) ePrivacy Directive (and its national transpositions) confirms that cookies set within the logged-in user environment of a SaaS application are not exempt from the consent requirement merely because the user is authenticated or the cookies are labelled as “dual-purpose”. As clarified by the CJEU in C-597/19, where consent is required under the ePrivacy Directive, controllers cannot fall back on legitimate interests under Art 6(1)(f) GDPR. This affects not only Microsoft 365 deployments but any SaaS or web-based service in the EEA that places non-essential cookies in a user’s browser.
Transparency obligations of corporate customers. The decisions make clear that controllers using third-party cloud services remain fully responsible for the information and access obligations under Art 13, 14 and 15 GDPR. The DSB expressly noted that the BMBWF apparently did not have full visibility into the processing carried out by Microsoft, which makes compliance with Art 13 and 14 GDPR practically impossible. Corporate customers should therefore insist on detailed, auditable information from their providers, in particular as regards cookies, log data and onward transfers to third parties – failing which, both their own information notices and their answers to access requests will likely be incomplete.
Outlook. The decisions are not yet final and were challenged before the Federal Administrative Court (Bundesverwaltungsgericht). Irrespective of the outcome of any appeal, the line of reasoning is consistent with earlier findings of the German DSK and the Dutch SLM Rijk DPIAs concerning Microsoft 365, and adds a further layer of regulatory pressure on hyperscalers to provide their European customers with the contractual transparency, configuration options and segregation of purposes required to make GDPR-compliant use of their cloud products possible.
Article provided by INPLP member: Stephan Winklbauer (AHW Law, Austria)
Dr. Tobias Höllwarth (Managing Director INPLP)