The federal and state data protection officers have raised concerns about widely used software from the US group Microsoft – and made a decision. According to the Thuringian state data protection officer, this has far-reaching consequences.

Erfurt (dpa/th) – Thuringia’s state data protection officer Lutz Hasse wants to talk to business associations and authorities about implementing a decision of the data protection conference on the office software of the US group Microsoft. “This decision is aimed at all authorities and all companies,” Hasse told the German Press Agency. According to Hasse, the consequence could be that the software can no longer be used. However, he first wants to find out how widespread it is in business and talk to the Chamber of Commerce and Industry about the effects of the decision.

The data protection conference (DSK) recently determined that data protection officers cannot provide evidence that the Microsoft 365 software is operated in compliance with data protection regulations. Microsoft then announced that it would take the concerns seriously. “However, we consider many of the data protection assessments and the conclusions of the DSK to be fundamentally wrong,” said a statement from Microsoft after the DSK decision.

The general manager of the Erfurt Chamber of Industry and Commerce, Cornelia Haase-Lerch, expressed concern. “The products from Microsoft 365 are indispensable for companies. Solutions must be found together with the economy so that applications from Microsoft can be used in Germany and the European Union in a legally compliant manner,” she explained on request. The software components of Microsoft 365 include Word and Excel.

The background is that, according to data protection officials, it is unclear to what extent the US company processes personal data. Hasse explained that, according to Microsoft, personal data would be used for the company's own purposes. It is so far unclear from whom exactly this data is collected and for which of Microsoft's own purposes it is processed.

Hasse explained the consequences of the DSK decision using the example of schools: under data protection rules, the headmaster is the responsible party there. Even if the headmaster were to obtain parental consent for the use of the software, the data protection conference believed that this consent would be ineffective. The parents would have to give informed consent. However, the headmaster cannot provide sufficient information about the data protection aspects because Microsoft does not disclose how and for what purpose the personal data is processed.

Microsoft, on the other hand, asserted that the software can be used in compliance with data protection regulations. The company also warned that an “excessive supervisory approach” would slow down digitization in Germany and paralyze and overwhelm “those responsible (e.g. school principals when preparing a data protection impact assessment)”.

Hasse made it clear that thought must now be given to how the DSK decision can be implemented proportionately and over what period of time. “But the end of the process is certain, namely that there must be an alternative product – unless Microsoft sheds light on it,” he said. He is also considering advice on alternatives. “I understand the need that is occurring now and we want to try to pull this off calmly.”