The Federal Reservation Conference of the Confederation and the Lander (DSK) has on 22. September with a short majority decided that currently "No privacy use of Microsoft Office 365 is possible". She followed an evaluation of her working group administration of 15. July. This had increased over half a year as to whether the privacy policy and online business conditions for the cloud-based software package with Article 28 of the Data Protection Basic Regulation (DSGVO) are compatible with order data processing.
This is not the case in the opinion of the supervisory authorities. Anyone who uses the cloud variant about Word, Excel or PowerPoint is therefore not legal compliant. The Rhineland-Palatinate Data Protection Officer Dieter Kugelmann referred on Wednesday, without calling more details. The internally controversial position paper and the foundations for the coming in it are now available to our site.
Type and processing of the data unclear
Already the types of personal data and the purpose, why they are processed, stay in the online service terms (east) and the "Data Processing Addendum" From January unclear, the controllers. Therefore, it is not possible to determine, if applicable, separate data protection requirements and risk levels. Such information actually had to be apparent from the contract processing agreement.
In this context, the DSK recommends Microsoft, "to reduce the degree of abstraction and freelance" to use, which may be customizable. Maybe the purposes, for which the data was needed, can be named in individual cases.
Microsoft refers within the privacy policy for online services to be responsible for itself in connection with legitimate own business activities and names them too. But the body criticizes that it "still not clearly visible" may be, "which other personal data are processed in this context".
No legal basis for telemetry
In addition, there is no further legal basis for the transfer of other personal information from the user to Microsoft – such as collecting telemetry diagnostic data – in addition to the order processing agreement, it is called in the paper. This is particularly for Prekar, if these also made data from staff or burgers for the purposes mentioned. In this environment, a must "A sustainable secure use of the software" be possible and a benefit of information underlyed in view of the fundamental rights increased requirements.
as "Not sufficiently concrete" If the inspectors ame the ie of Microsoft’s that processed data could also be disclosed outside the customer’s volumes, if this was prescribed by law. This exception can be referred to in accordance with the law of the EU or a Member State as well as possibly existing legal assistance agreement with third countries. In this context, above all, the effects of the cloud act, which the US company underly, "Not sufficiently clarified".
Works against risks open
In the Internet business conditions, Microsoft is not sufficient according to the analysis, "which offers the risk appropriate mains of the offered online service for the processing of personal data". The Group expects the responsible person to decide solely whether security obligations corresponded to the requirements. He can not be objectively assessed this on the basis of the information provided.
In the traps where Microsoft itself processes the role of the responsible persuasion and data for own purposes, these became "not deleted", complains the DSK. It should be trained to understand that these measured values are not part of the order processing. Nevertheless, to question how long these were kept.
Eight privacy workers were against it
The details of the rules for the transfer of personal data to subcontractors states the supervisors. So that’s the case provided "prior written consent of the customer" only sufficient if there is an overview of the currently approved further service providers. Microsoft had to proactively use a mechanism about push messages here to inform its own clientele here over updates.
The data protection officers of Bavaria, Baden-Wurttemberg, Hessen and the Saarland and the Bavarian State Office for Privacy Supervision declared on Friday not to share the overall assessment, "because they fail to undifferentiated". However, it welcomed that the DSK unanimously used a new working group in order to achieve sustainably privacy corrections in the dialogue with the software forecast.
The EU Data Protection Officer Wojciech Fiewiorowski had investigated the performance of EU bodies with Microsoft and had come to similar results like DSK. He demanded that Microsoft user information is only stored in the EU. The roles of all those involved with all rights and obligations had to be clearly regulated. The best way to look for alternatives, the "Allow high privacy standards".