A student represented by noyb – Complaint Upheld (Austria, 2025)

Complaint Upheld
Datenschutzbehörde8 October 2025Austria
final
Complaint Upheld

Austria's Data Protection Authority upheld a complaint against Microsoft 365 Education for using tracking cookies without consent. The authority found that Microsoft provided unclear information about its data practices. This ruling stresses the importance of obtaining user consent before placing cookies and being transparent about data usage.

What happened

Microsoft 365 Education used tracking cookies without obtaining proper consent from users.

Who was affected

Students and users of Microsoft 365 Education who were tracked without their knowledge.

What the authority found

The authority ruled that Microsoft violated GDPR by placing cookies before obtaining user consent and failing to provide clear information.

Why this matters

This decision reinforces the requirement for companies to obtain consent for cookies and be transparent about data processing. It serves as a warning for businesses to review their cookie policies.

GDPR Articles Cited

AI-verified

Art. 13(GDPR)
Art. 15(GDPR)
Art. 12(1) GDPR
View original scraped data
Art. 12(1) GDPR
Art. 13(GDPR)
Art. 15(GDPR)

Original data from scraper before AI verification against source document.

Entities Involved

A student represented by noyb
Microsoft Corporation
Federal Ministry of Education, Science and Research
A Federal Gymnasium
Source verified 19 March 2026
articles corrected
entity split needed
Austria enforcementDatenschutzbehörde actionsAll A student represented by noyb actions
Full Legal Summary
Detailed

Microsoft 365 Education used tracking cookies without consent and provided vague explanations about data processing, including interactions with third parties like LinkedIn and OpenAI.

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Violations (3)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Unclear Cookie Information
high

The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.

Art. 12, 13 GDPR

Related Enforcement Actions (0)

No other enforcement actions found for A student represented by noyb in AT

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Minister for Legal Protection

2022 · DPA RbOverijssel

unknown (claimant)

2021 · DPA OLGLinz

CNIL

2019 · Court of Justice of the European Union

Details

Decision Date

8 October 2025

Authority

Datenschutzbehörde

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 80%

Cite as: Cookie Fines. A student represented by noyb - Austria (2025). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: