Microsoft Ireland Operations Limited – Complaint Upheld (Ireland, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Data Protection Commission upheld a complaint against Microsoft Ireland for not providing a user with access to their files after their account was suspended. This matters because it shows that companies must be transparent about account actions and provide users with their data when requested.
What happened
Microsoft Ireland suspended a user's OneDrive account and did not provide access to their files or reasons for the suspension.
Who was affected
A user whose OneDrive account was suspended and who requested access to their files.
What the authority found
The Data Protection Commission found that Microsoft did not comply with GDPR rules regarding user access to their personal data.
Why this matters
This case highlights the need for companies to be clear and transparent when handling user accounts and data requests. Businesses should ensure they have processes in place to respond to access requests properly.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Microsoft Ireland Operations Limited (the controller) suspended a user’s (the data subject) OneDrive account in February 2020 for a serious breach of the controller’s Services Agreement after scanning software allegedly discovered child abuse imagery (CSEAI) across the data subject’s account. The data subject subsequently made an access request for the files in the suspended account but the controller informed them that the account was locked and declined to provide the files or the reason for the suspension of the account, mentioning only that there was a serious violation of its Service Agreement. The data subject filed a complaint with the Norwegian DPA (Datatilsynet), which was passed to the Irish DPA (DPC) as the competent lead supervisory authority. The controller permanently deleted the data subject’s account in line with its standard data retention policy in February 2021. In its response to the DPA, the controller claimed that the discovery of CSEAI by an image-matching technology was subject to human review. Furthermore, it claimed that it relied on Article 15(4) GDPR for declining to provide the requested data to the data subject. Moreover, the controller responded to DPA inquiries specifying that it did not have knowledge as to whether a police investigation had taken place. Following these exchanges, the controller informed the data subject of the reason for his account’s suspension. The controller further informed the DPA that the data subject’s access requests were interpreted by the controller’s customer service team as requests to reactivate the account and were not forwarded to the privacy response team. The data subject protested that the controller, among other things, removed private files from other family members’ computers, suspended access to files which did not contain offending material, locked his account without providing reasons and made the data subject responsible for files that others uploaded in his shared folders. The DPA f
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Microsoft Ireland Operations Limited in IE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Microsoft Ireland Operations Limited - Ireland (2025). Retrieved from cookiefines.eu
Last updated: