A student represented by noyb – Complaint Upheld (Austria, 2025)
A student used Microsoft 365 Education provided by her school. Her father, as her legal representative, asked for full information and access to all personal data used by the software, but received incomplete answers. Still, from these answers it was clear that tracking cookies were used without consent, and logs showed interaction with third parties like LinkedIn, OpenAI, and Xandr. Essentially, the data subject complained that the school, Microsoft, and Ministry did not provide complete access to the requested data. In addition to this, it was argued that the student never received full access to information under Article 13 GDPR, especially regarding cookies and data transfers. A major point also concerned Microsoft explanations as they were far too vague, for example mentioning “business model analytics” and “internal reporting” without providing explanations. Moreover, the alleged violations were not fixed promptly, even after repeated requests. On the other hand, the school and the Ministry argued that they did provide access, and could not give more detailed information because they were also not given access by Microsoft. They also stated they had little to no control over technical details, which were in the hands of Microsoft. The Education Authority claimed not to be involved at all in providing Microsoft 365 to schools. Microsoft affirmed that certain processing for legitimate business activities is allowed and not harmful, for example relating to security and analytics. On top of that, according to Microsoft, the cookie lists and general documentation provided to the data subjects should have been sufficient to comply with information obligations. They added to this that the school and Ministry were the entities having a say on overall use of the software. The DPA dismissed the complaint directed to the Education Authority, as it was not found responsible for Microsoft Education 365’s operations. The DPA held that the school and the Ministry, acti
GDPR Articles Cited
Entities Involved
A student used Microsoft 365 Education provided by her school. Her father, as her legal representative, asked for full information and access to all personal data used by the software, but received incomplete answers. Still, from these answers it was clear that tracking cookies were used without consent, and logs showed interaction with third parties like LinkedIn, OpenAI, and Xandr. Essentially, the data subject complained that the school, Microsoft, and Ministry did not provide complete access to the requested data. In addition to this, it was argued that the student never received full access to information under Article 13 GDPR, especially regarding cookies and data transfers. A major point also concerned Microsoft explanations as they were far too vague, for example mentioning “business model analytics” and “internal reporting” without providing explanations. Moreover, the alleged violations were not fixed promptly, even after repeated requests. On the other hand, the school and the Ministry argued that they did provide access, and could not give more detailed information because they were also not given access by Microsoft. They also stated they had little to no control over technical details, which were in the hands of Microsoft. The Education Authority claimed not to be involved at all in providing Microsoft 365 to schools. Microsoft affirmed that certain processing for legitimate business activities is allowed and not harmful, for example relating to security and analytics. On top of that, according to Microsoft, the cookie lists and general documentation provided to the data subjects should have been sufficient to comply with information obligations. They added to this that the school and Ministry were the entities having a say on overall use of the software. The DPA dismissed the complaint directed to the Education Authority, as it was not found responsible for Microsoft Education 365’s operations. The DPA held that the school and the Ministry, acti
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (3)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for A student represented by noyb in AT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. A student represented by noyb - Austria (2025). Retrieved from cookiefines.eu
Last updated: