Dirección General de Innovación y Formación del Profesorado – Complaint Upheld (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Dirección General de Innovación y Formación del Profesorado faced a complaint upheld regarding its agreement with Microsoft for cloud services. This matters because it raises concerns about how personal data is handled in educational settings and the need for compliance with data protection laws.
What happened
A complaint was upheld against the Dirección General de Innovación y Formación del Profesorado for failing to meet several GDPR requirements in its agreement with Microsoft.
Who was affected
Students and educators using the cloud services provided by Microsoft were indirectly affected by the compliance issues.
What the authority found
The authority found that the educational institution did not adopt necessary measures to protect personal data, violating multiple GDPR provisions.
Why this matters
This ruling emphasizes the need for educational institutions to ensure compliance with data protection laws when using third-party services. It serves as a warning for all organizations handling personal data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
In November 2020, the Regional Ministry of Education and Sports of Andalusia, acting as controller, entered into a collaboration agreement with Microsoft Ireland Operations Limited, acting as processor, for the provision of cloud-based educational services to public schools wishing to use them. The services covered by the agreement included Microsoft Office Online applications, such as Outlook, Word, Excel, PowerPoint and OneNote, as well as Exchange, Forms, OneDrive, SharePoint, Teams and Sway. These services provided communication, collaboration, productivity and cloud storage functionalities for the education sector. Under the agreement, Microsoft Ireland Operations Limited had access to personal data under the responsibility of the controller in order to provide the relevant cloud-based educational services. In March 2023, the DPA received a complaint alleging several infringements of the GDPR and the Spanish data protection framework. The complaint concerned, in particular: - Article 25 GDPR, on data protection by design and by default, due to the alleged failure to adopt appropriate technical and organisational measures to reduce the risk that users would upload special categories of personal data, inappropriate images or audiovisual material to the system. - Article 13 GDPR, concerning the information to be provided to data subjects when their personal data is collected. - Articles 44–49 GDPR, concerning international transfers of personal data to third countries or international organisations without the required safeguards, conditions or derogations. - Article 30 GDPR, due to the alleged lack of adequate information in the controller’s record of processing activities regarding international data transfers. - Article 35 GDPR, concerning the alleged absence of a data protection impact assessment in relation to the use of the cloud-based educational services. The DPA upheld the complaint and found that the controller infringed the GDPR because it had not imp
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Dirección General de Innovación y Formación del Profesorado in ES
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Dirección General de Innovación y Formación del Profesorado - Spain (2025). Retrieved from cookiefines.eu
Last updated: