Microsoft Corporation – Complaint Upheld (Austria, 2026)
Microsoft tracked a pupil's online activity using cookies without getting her permission. This matters because it shows that companies must ask for consent before collecting personal data, especially in educational settings.
What happened
Microsoft placed tracking cookies on a pupil's device while she used Microsoft 365 Education without obtaining her consent.
Who was affected
The pupil attending an Austrian school that utilized Microsoft 365 Education for teaching purposes was affected.
What the authority found
The Austrian Data Protection Authority found that Microsoft had no valid legal basis for processing the pupil's personal data, violating GDPR rules.
Why this matters
This ruling highlights the importance of obtaining consent for data collection in schools. Companies providing educational tools should ensure they have proper consent mechanisms in place.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Federal Ministry of Education, Science and Research provides Austrian federal schools with access to Microsoft 365 Education for IT-supported teaching. The Microsoft Corporation (the controller) is a leading global technology company that develops and provides Microsoft 365 Education for the education sector. The Microsoft Corporation operates worldwide and is headquartered in the United States. Microsoft Ireland Operations Limited is a subsidiary of the controller, however, fundamental decisions that significantly influence the direction, design, and operation of Microsoft products are taken at the controller's headquarters. The data subject was a pupil attending an Austrian school that used Microsoft 365 Education for teaching purposes. She was provided with a school Microsoft account and, while logged into this account and creating a document using the browser-based version of Microsoft Word, several cookies were installed on her device. These cookies were set without her consent, and the controller made no attempt to obtain such consent. Schools had little or no possibility to influence or configure the cookie settings. The data subject’s representatives lodged a complaint with the Austrian Data Protection Authority (DSB), alleging violations of Article 6 GDPR in connection with the installation of tracking cookies without a legal basis, as well as violations of Article 5(1)(a) GDPR and Article 28(3) GDPR. The Austrian Data Protection Authority (DSB) held that the Microsoft Corporation qualifies as a controller within the meaning of Article 4(7) GDPR, as it determines the purposes and means of processing in connection with Microsoft 365 Education. In assessing controllership, the DSB examined the relationship between Microsoft Corporation and Microsoft Ireland Operations in light of the CJEU’s broad interpretation of the concept of controller. Referring to settled CJEU case law, the DSB emphasized that data protection liability may arise where an entity
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Microsoft Corporation in AT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Microsoft Corporation - Austria (2026). Retrieved from cookiefines.eu
Last updated: