Microsoft Corporation – Complaint Upheld (Austria, 2026)

The Federal Ministry of Education, Science and Research provides Austrian federal schools with access to Microsoft 365 Education for IT-supported teaching. The Microsoft Corporation (the controller) is a leading global technology company that develops and provides Microsoft 365 Education for the education sector. The Microsoft Corporation operates worldwide and is headquartered in the United States. Microsoft Ireland Operations Limited is a subsidiary of the controller, however, fundamental decisions that significantly influence the direction, design, and operation of Microsoft products are taken at the controller's headquarters. The data subject was a pupil attending an Austrian school that used Microsoft 365 Education for teaching purposes. She was provided with a school Microsoft account and, while logged into this account and creating a document using the browser-based version of Microsoft Word, several cookies were installed on her device. These cookies were set without her consent, and the controller made no attempt to obtain such consent. Schools had little or no possibility to influence or configure the cookie settings. The data subject’s representatives lodged a complaint with the Austrian Data Protection Authority (DSB), alleging violations of Article 6 GDPR in connection with the installation of tracking cookies without a legal basis, as well as violations of Article 5(1)(a) GDPR and Article 28(3) GDPR. The Austrian Data Protection Authority (DSB) held that the Microsoft Corporation qualifies as a controller within the meaning of Article 4(7) GDPR, as it determines the purposes and means of processing in connection with Microsoft 365 Education. In assessing controllership, the DSB examined the relationship between Microsoft Corporation and Microsoft Ireland Operations in light of the CJEU’s broad interpretation of the concept of controller. Referring to settled CJEU case law, the DSB emphasized that data protection liability may arise where an entity