{{DPAdecisionBOX
|Jurisdiction=Austria
|DPA-BG-Color=
|DPAlogo=LogoAT.png
|DPA_Abbrevation=DSB
|DPA_With_Country=DSB (Austria)
|Case_Number_Name=D135.026 2025-0.768.263
|ECLI=
|Original_Source_Name_1=DSB
|Original_Source_Link_1=https://noyb.eu/sites/default/files/2026-01/Standarderledigung%20Bescheid_geschw%C3%A4rzt.pdf
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=04.06.2024
|Date_Decided=21.01.2026
|Date_Published=21.01.2026
|Year=2026
|Fine=
|Currency=
|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_2=Article 6 GDPR
|GDPR_Article_Link_2=Article 6 GDPR
|GDPR_Article_3=Article 28(3) GDPR
|GDPR_Article_Link_3=Article 28 GDPR#3
|GDPR_Article_4=
|GDPR_Article_Link_4=
|GDPR_Article_5=
|GDPR_Article_Link_5=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=Microsoft Corporation
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=
|
}}The DPA ruled that Microsoft Corporation unlawfully installed tracking cookies on a pupil’s device when using Microsoft 365 Education without valid consent and ordered the company to cease such processing.
== English Summary ==
=== Facts ===
The Federal Ministry of Education, Science and Research provides Austrian federal schools with access to Microsoft 365 Education for IT-supported teaching.
The Microsoft Corporation (the controller) is a leading global technology company that develops and provides Microsoft 365 Education for the education sector. The Microsoft Corporation operates worldwide and is headquartered in the United States. Microsoft Ireland Operations Limited is a subsidiary of the controller; however, fundamental decisions that significantly influence the direction, design, and operation of Microsoft products are taken at the controller’s headquarters.
The data subject was a pupil attending an Austrian school that used Microsoft 365 Education for teaching purposes. She was provided with a school Microsoft account and, while logged into this account and creating a document using the browser-based version of Microsoft Word, several cookies were installed on her device. These cookies were set without her consent, and the controller made no attempt to obtain such consent. Schools had little or no possibility to influence or configure the cookie settings.
The data subject’s representatives lodged a complaint with the Austrian Data Protection Authority (DSB), alleging violations of [[Article 6 GDPR]] in connection with the installation of tracking cookies without a legal basis, as well as violations of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 28 GDPR#3|Article 28(3) GDPR]].
=== Holding ===
The Austrian Data Protection Authority (DSB) held that the Microsoft Corporation qualifies as a controller within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]], as it determines the purposes and means of processing in connection with Microsoft 365 Education. In assessing controllership, the DSB examined the relationship between Microsoft Corporation and Microsoft Ireland Operations in light of the CJEU’s broad interpretation of the concept of controller.
Referring to [[CJEU – C-604/22 – IAB Europe|settled CJEU case law]], the DSB emphasized that data protection liability may arise where an entity issues binding guidelines, technical specifications, protocols, or contractual frameworks governing data processing, even if the actual processing is carried out by another entity. [[CJEU – C-683/21 – Nacionalinis visuomenės sveikatos centras|Likewise]], active involvement in the development of a digital product and the specification of key parameters suffices to establish controllership, even where technical implementation is delegated to another body.
Microsoft Corporation’s influence extends beyond mere strategic oversight. It developed Microsoft 365 Education, continues to lead its technical development, sets binding corporate guidelines, and determines the technical and organizational parameters of data processing, including the use of cookies for its own business and analytical purposes. The DSB therefore concluded that Microsoft Corporation must be regarded as a controller under [[Article 4 GDPR#7|Article 4(7) GDPR]].
The DSB further found that the cookies set during the use of Microsoft 365 Education constitute personal data within the meaning of [[Article 4 GDPR#1|Article 4(1) GDPR]], as they enable the individualization of users and may be combined with additional information. These cookies were not technically necessary, as they served analytics, tracking, and operational purposes rather than the provision of the expressly requested service.
As no valid consent was obtained and no other legal basis under [[Article 6 GDPR#1|Article 6(1) GDPR]] applied, the processing was unlawful and violated the principles of lawfulness and fairness under [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. In particular, reliance on legitimate interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] was excluded due to the prior breach of [https://eur-lex.europa.eu/eli/dir/2002/58/oj/eng e-privacy] consent requirements.
Consequently, the DSB ordered the controller to cease the use of technically unnecessary cookies without valid consent within four weeks.
== Comment ==
''Share your comments here!''
== Further Resources ==
''Share blogs or news articles here!''
== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.
<pre>
Datenschutzbehörde (dsb)
Barichgasse 40-42
A-1030 Wien
Tel.: +43-1-52152 0
E-Mail: dsb@dsb.gv.at
Ref. no.: D135.026
2025-0.768.263
NOYB – European Center for Digital Rights
by email:
DECISION
RULING
The data protection authority decides on the data protection complaint lodged by [name
redacted] (complainant), represented by [name redacted], represented by NOYB – European
Center for Digital Rights, on June 4, 2024 against Microsoft Corporation (respondent),
represented by [name redacted], for violation of Art. 6 GDPR (lawfulness of processing) in
connection with the installation of tracking cookies and subsequent data processing without
a legal basis, as well as for a violation of Art. 5(1)(a) GDPR (principle of lawfulness and
good faith) and Art. 28(3) GDPR (processing in excess of the scope of the processing
contract) as follows:
1. The complaint is upheld and it is determined that the respondent violated the
lawfulness of processing and the principle of lawfulness and good faith by
processing the complainant’s personal data in connection with the use of cookies in
the “Microsoft 365 Education” product without the necessary permission under
Article 6(1) of the GDPR.
2. The complaint regarding the alleged infringement under Article 28(3)(a) GDPR is
dismissed as unfounded.
3. The respondent is ordered to refrain from using technically unnecessary cookies
within a period of four weeks, failing which enforcement measures will be taken, unless
there is a suitable basis for permission (consent) and personal data of the complainant
is processed as a result. The following cookies are considered technically unnecessary:
MC1, FPC, MSFPC, MicrosoftApplicationsTelemetryDeviceId, and ai-session.
Legal basis: Article 2(1), Article 4(7), Article 5(1)(a), Article 6(1), Article 28, Article 51(1), Article 57(1)(f), Article 58(2), and Article 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4 May 2016, p. 1; Sections 18(1) and
24(1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 165 of the
Federal Act enacting a Telecommunications Act (Telecommunications Act 2021 – TKG
2021), Federal Law Gazette I No. 190/2021 as amended.
REASONING
A. Submissions of the Parties and Procedural History
A.0. A complaint related to the present proceedings, alleging a violation of the right to information, was filed simultaneously with the
Data Protection Authority and was conducted under file number D135.027. This proceeding was terminated by
decision of October 9, 2025, file number 2025-0.477.534, D135.027.
A.1. In her initial submission of June 4, 2024, and subsequent statement of August 30, 2024,
the minor complainant (hereinafter referred to as BF) alleged a violation of Article 6 GDPR
(Lawfulness of processing) in connection with the installation of tracking cookies and
subsequent data processing without a legal basis, as well as a violation of
Article 5(1)(a) GDPR (principle of lawfulness and fairness) and Article 28(3) GDPR (processing exceeding the scope of data processing).
In summary, it was argued that BF is a student at a school in
Austria, and that this school uses Microsoft software called
“Microsoft 365 Education”. BF has a school account linked to Microsoft with the associated email address: . During the
use of her Microsoft school account and the creation of a Word document in the online
browser version of “Microsoft 365 Education” on July 31, 2023, several cookies, specified in more detail in the complaint, were installed on the BF’s device.
The BF did not give her consent for these cookies.
The complaint is expressly directed against the BG and not against Microsoft Ireland Operations
Limited. The BG is, in any case, the controller for the processing of personal data that is the subject of the complaint. Several attachments, including
evidence of the use of cookies, were also included with the statements.
A.2. In a statement dated July 26, 2024, the BG contested the BF’s allegations. Essentially, it was argued that Microsoft was merely a (sub-)processor.
A.3. On April 4, 2025, a hearing of representatives of the BG (respondent) took place in the premises of the Data Protection Authority in connection with the proceedings under file number D135.027. The transcript of the hearing was submitted to the
present proceedings and is known to all parties.
A.4. In a statement dated June 5, 2025, the BG, now represented by legal counsel, initially referred
to the hearing and the statements in the proceedings under file number 135.027 and additionally argued
that if Microsoft, as a data processor, uses cookies for the provision of Microsoft 365 Education, these are absolutely necessary. Microsoft has designed certain cookies
so that they can be used for both strictly necessary and non-essential purposes (dual-purpose cookies), e.g., MUID, MC1. Microsoft’s internal guidelines
would only permit the use of these dual-purpose cookies in data processing scenarios
in accordance with the documented instructions of the data controller.
No tracking takes place with the Microsoft 365 Education product.
A.5. In its statement of July 7, 2025, the BF argued, in summary, that even with multi-purpose cookies,
consent would have to be obtained if one of the purposes required consent.
Furthermore, no data processing of any kind is apparent. No other
entity involved in the use of Microsoft 365 Education had any knowledge of these cookies.
B. Subject of the Complaint
B.1. The subject of the complaint is whether the BG violated the lawfulness of the processing
as well as the principles of lawfulness and fairness by processing the BF’s personal data without
consent in connection with the use of cookies in the
product “Microsoft 365 Education”.
Furthermore, the subject of the complaint is whether the BG violated Article 28(3)(a) GDPR
by processing the BF’s personal data beyond the scope of the data processing agreement.
B.2. If a legal violation is found, the issuance of an order
pursuant to Article 58(2) GDPR must be examined.
C. Findings of Facts
C.1. The Federal Ministry of Education, Science and Research provides Austrian (federal)
schools with several cloud services through private cloud service providers for IT-supported teaching.
For this purpose, the Federal Ministry of Education, Science and Research for the
Republic of Austria has concluded a framework agreement, which includes terms of use, among other things, with the
European branch of the BG (Microsoft Ireland Operations Limited or Microsoft Austria EDU).
Evaluation of Evidence C.1: The findings are based on the documents attached to the appeal of June 4,
2024. The findings are undisputed.
C.2. The BF attends a school that uses the software
Microsoft 365 Education for teaching purposes. Microsoft 365 Education includes several different Microsoft
products and services, such as Microsoft Word, Microsoft Teams, and Microsoft SharePoint. The BF was provided
with an email address and cloud storage in this context.
… Evaluation of Evidence C.2: The findings made are indisputably based on the file,
in particular on the appeal of June 4, 2024.
C.3. Cookies allow the collection of information generated by a website and stored via an internet user’s browser. They are small files or text information (usually less than one kilobyte) that a website places on the hard drive of an internet user’s computer or mobile device via their browser.
A cookie allows the website to “remember” the user’s actions or preferences.
Most web browsers support cookies, but users can configure their browsers to reject them. They can also delete cookies at any time.
Websites use cookies to identify users, remember their customers’ preferences, and allow users to complete tasks without having to re-enter information when they navigate to another page or revisit the website later.
Cookies can also be used to collect information based on online behavior for targeted
advertising and marketing. For example, companies use software to track
user behavior and create personal profiles that allow them to show users
advertising tailored to their previous searches.
Evaluation of evidence C.3: The factual findings regarding the fundamental
functioning of cookies are taken from the Advocate General’s Opinion of 21 March
2010, C-673/17, paragraphs 36 et seq. with further references. Since this is a general, case-independent technical
description of the functions of cookies, these statements were to be included at the
factual level – and not in the legal assessment.
C.4. In connection with the use of Microsoft 365 Education with the BF’s email address,
cookies were set at least on July 31, 2023, and
the functionality of the respective cookies from the submission of June 4, 2024, is comprehensible and
consistent with the official research at https://cookiedatabase.org/ and
https://cookiesearch.org/. Furthermore, the BF has substantiated its claims by referring to the
respective statements of the BG and the Microsoft corporation. In contrast, the
BG has not raised any substantial objections to the BF’s submissions.
The finding that no consent for their use exists is based on the
submissions of the BF, in particular the complaint of June 4, 2024, and the documents attached therein.
The BG has not denied this during the proceedings or argued that
consent existed.
The finding that actors other than the BG have no possibility of configuring
the cookies is based on the statement made by the BG’s representative during their questioning on
April 4, 2025, in the proceedings under file number D135.027 (question 18d), as well as the evidence attached to the BF’s appeal.
C.5. The Federal Ministry of Education provides the following information, among others, at
https://www.bmb.gv.at/Themen/schule/schulrecht/ds.html#08 (Data Protection Declaration):
[…] Framework conditions for the use of private cloud services in IT-supported teaching
IT-supported teaching has long been an essential element in most education systems. As in IT application scenarios in other areas of society, the increasing importance of cloud services from private providers (such as Apple, Google, Microsoft) is being observed. Due to the size of the user base (1.2 million students, 120,000 teachers at 6,000 schools), a hosting solution that scales efficiently for this size is (currently) not feasible in public data centers for every processing activity (such as student mailboxes, distance learning tools, etc.). Relocating the servers to individual school locations or a BYOD solution on the student’s own device would lead to significantly higher IT security risks than operation with a private cloud service provider […]”.
The aforementioned website refers to the document “Microsoft Cloud Services for Austrian
Schools – FAQ” (under the link Data Protection Information). This document provides, among other things, the following
information:
[…]
The document “Microsoft Cloud Services for Austrian Schools – FAQ” forms the basis for the
findings of fact.
Evaluation of Evidence C.5: The findings are based on an official
search conducted at https://www.bmb.gv.at/Themen/schule/schulrecht/ds.html#08. The document accessed was
Data Protection Information (PDF, 85 KB) (May 2022) under the heading Microsoft Office 365
(Last accessed on November 6, 2025).
C.6. BG is a leading global technology company, primarily known for its Windows operating system. BG is particularly active in the area of
developing and providing software solutions, including Microsoft Education 365 for
the education sector.
The Microsoft Group has several branches worldwide. BG’s headquarters are located
in the USA. Microsoft Ireland Operations Limited is a subsidiary of BG.
Fundamental decisions are made at BG’s headquarters, which significantly influence the direction and
activities of its international branches. BG is involved in the introduction
of new products in markets such as the EEA.
Microsoft Education 365 was developed in the USA. Its further development also takes place
primarily in the USA by BG. Company policies are
set by BG.
Evaluation of Evidence C.6: The findings regarding BG’s fundamental activities and its branches are generally known and undisputed. The findings regarding the
group relationship (parent and subsidiary) are based on the testimony of the parent company (BG) on
April 4, 2025, in proceedings under file number D135.027.
The findings that fundamental decisions are made at the parent company’s headquarters
and that the parent company is involved in the introduction of new products in markets such as the EEA
are based on several factors:
From the perspective of the data protection authority, it is reasonable to assume, based on general experience,
that the parent company, rather than other smaller locations within the Microsoft Group, determines the fundamental
group strategy and decides to what extent the introduction of products (such as
Microsoft 365 Education) is pursued within certain markets. The established influence of the parent company on the international locations of the Microsoft Group is not diminished by the fact that the specific details of the product introductions within a particular market are left to the respective
subsidiaries (such as Microsoft Ireland Operations Limited). The conclusion of the Data Protection Authority is also supported by the fact that BG is a controlling parent company and that such a large corporation requires a central body
which makes key decisions and determines the corporate strategy.
The findings that Microsoft 365 Education was developed in the USA and that its further development is also carried out by BG are based on the hearing of BG on April 4, 2025, in the proceedings under file number D135.027.
D. From a legal perspective, this leads to the following:
Regarding the distribution of roles
D.1. General information on the distribution of roles
First, the data protection role of the respective BG must be determined, since the data subject rights provided for in Chapter III
GDPR are expressly directed only at the controller pursuant to Article 4(7)
GDPR.
According to Article 4(7) GDPR, a “controller” is the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.
The status as a controller can therefore arise, pursuant to Article 4(7), first sentence, GDPR, from the fact that an entity, acting in its own interest, i.e., for its own purposes, (de facto) influences the processing of personal data and thus participates in the decision on the purposes and means of such processing (see CJEU 10 July 2018, C-25/17, para. 68). Furthermore, the status as a controller pursuant to Article 4(7), second sentence,
GDPR can also arise from the fact that a national regulation or Union law designates an entity as the controller and the scope of data processing is expressly or implicitly
defined therein (see CJEU 27 February 2025, C-638/23, para. 40).
Based on these considerations, the following must be noted for the present case:
D.2. Division of Roles in the Matter
Role of the BG
As established, when using Microsoft Education 365, data is processed for unspecified
“legitimate business activities” concerning the Microsoft Group. In this
context, the following are cited, among others: internal reporting and business modeling, combating
fraud, cybercrime or cyberattacks, and improving core functionality with regard to
accessibility, data protection, or energy efficiency (see Statement of Facts C.5).
It was also decided that when using Microsoft Education 365,
cookies with different functionalities are set or read (see
Statement of Facts C.4).
Without prejudice to its potential role as a (sub-)processor for the mere provision of a
technical solution, the BG processes personal data for its own purposes to the extent described in Statement of Facts C.5 (internal reporting and business modeling, combating fraud,
cybercrime or cyberattacks, and improving core functionality with regard to
accessibility, data protection, or energy efficiency).
These pursued purposes are inherently in the interest of the BG, and the data processing for these purposes is carried out at least partially via cookies and similar technologies (see
Findings of Fact C.4).
This conclusion is consistent with the case law of the CJEU, according to which actors in
different phases of data processing can be involved to varying degrees
(see CJEU 29 July 2019, C-40/17, paras. 70 et seq.).
The BG’s assertion that the activities described in Facts C.5
merely constitute a “customer-oriented marketing FAQ document” is unconvincing. Firstly,
this information was published by Microsoft itself, and secondly,
the BF also submitted evidence of the
use of cookies for specific purposes in its initial submission of June 4, 2024 (see Statement of Facts C.4).
The BG itself admits to acting as the data controller for some purposes.
Relationship between the BG and Microsoft Ireland Operations
The relationship between the BG and Microsoft Ireland Operations will now be examined.
The CJEU held that for data protection liability, it is sufficient that an
entity sets guidelines, instructions, technical specifications,
protocols, and contractual obligations regarding data processing that enable both the provider of a website or
application and data brokers or advertising platforms to lawfully process the personal data
of a user of a website or application (see CJEU 7 March 2024,
C-604/22, paras. 62 et seq.).
In another case, the CJEU reaffirmed the broad understanding of a data controller. Accordingly, it is sufficient for liability if an entity played an active role in the
development of a mobile application and specified certain parameters of the
application, even if the development was carried out by another entity (see CJEU
5 December 2023, C-683/21, paras. 28 et seq. and 32 et seq.).
In light of the aforementioned case law, the same applies to the BG:
As established, the BG makes the fundamental decisions for the Microsoft corporation and
significantly influences the direction of its international subsidiaries. Furthermore, the BG is involved in the
introduction of new products in markets such as the EEA, and the further development and
coordination of Microsoft 365 Education is carried out by the BG. The company guidelines are set by the
BG (see statement of facts C.6).
The BG’s influence is not limited to business or strategic matters. As
explained above, data is processed for its own business purposes when using Microsoft Education 365. Since the BG, according to its own statements, developed
Microsoft Education 365 and continues to be significantly involved in its further development, it also influences
the technical and organizational specifications of the associated data processing.
This conclusion is not affected by the BG’s statement during the hearing on April 4, 2025, in the proceedings under file number D135.027, that the company guidelines developed by the BG
are “adapted to the European market by Microsoft Ireland Operations”
and that, therefore, the Irish subsidiary has an influence on data processing in connection with Microsoft Education 365.
As the CJEU has already stated, participation in the decision on the purposes and
means of data processing can take various forms and can result from a
joint decision by two or more entities, as well as from concurring
decisions by such entities. In the latter case, these decisions must
complement each other in such a way that each of them has a concrete effect on the decision on the
processing purposes and means. Furthermore, it does not preclude joint controllership
that the decisions are made to different extents and at different stages (i.e.,
points in time) of the data processing (see CJEU 7 March 2024, C-604/22, paras. 58 et seq.).
In light of the above considerations, BG must therefore be classified as a controller under Article 4(7)
GDPR.
The influence of Microsoft Ireland Operations may give rise to joint controllership
with the BG; however, since Microsoft Ireland Operations is not a party to the present
proceedings, this will not be discussed further.
D.3. Regarding Point I of the Ruling (Infringement of Lawfulness)
The BG is responsible for the personal data it receives from the BF as a result of its use of Microsoft
Education 365 and processes for its own purposes (see point D.2).
The material scope of Article 2(1) GDPR – and thus the success of this complaint
– fundamentally requires that “personal data” is processed.
According to the legal definition in Article 4(1) GDPR, “personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”).
A natural person is considered identifiable if they can be identified, directly or indirectly,
in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
In the case of Google Analytics, the data protection authority has already ruled—in accordance with the jurisprudence of the European Data Protection Supervisor (EDPS)—that cookies containing a unique, randomly generated value (random number) and set for the purpose of identifying and singling out individuals meet the definition in Article 4(1) GDPR. In particular,
it can never be ruled out that the cookie values and the IP address of a person’s terminal equipment are combined with additional information at any point in the processing chain, for example,
when the data subject registers on a website with their email address or full name. (See the decision of the Data Protection Authority of December 22, 2021, file number D155.027, 2021-
0.586.257, available on the Data Protection Authority’s website, as well as the decision of April 22, 2022, file number D155.026, 2022-0.298.191, confirmed in this respect by the Federal Administrative Court in its ruling of March 10, 2023,
see file numbers W137 2254817-1/46E / W137 2264614-1/32E; regarding the personal data processing of Google Analytics
cookies, see also the decision of the European Data Protection Supervisor (EDPS) against the European Parliament of January 5, 2022, file number 2020-1013, p. 13).
These considerations can be applied to the present case, since, during the use
of Microsoft 365 Education on July 31, 2023, cookies with unique, randomly generated values were set and read on the BF’s device (see Statement of Facts C.3 and C.4). Subsequently, corresponding information from the BF’s device was transmitted to the BG’s servers.
As an interim conclusion, it must therefore be stated that the user identification
numbers in question qualify as personal data (in the form of an online identifier) pursuant to Art. 4 No. 1 GDPR.
The BG’s statement of February 21, 2025, that
only data containing pseudonymized
identifiers would be processed for the creation of aggregated statistics, does not alter these conclusions.
Even assuming that only such processing takes place,
removing the personal reference for statistical purposes necessarily requires that the data
first be transmitted to the BG. The BF has provided clear evidence for this data transmission
(see Statement of Facts C.3. and C.4.).
Furthermore, the Data Protection Authority has already clarified that the removal of the personal reference
constitutes a processing operation within the meaning of Article 4(2) GDPR and is therefore subject to the material
scope of application of the GDPR (see Data Protection Authority, December 5, 2018, Ref: DSB-D123.270/0009-
DSB/2018).
Data processing is considered lawful if at least one of the conditions stipulated in Article 6(1) GDPR is met. However, as a preliminary question, it must be examined whether the
requirements of Section 165(3) of the Telecommunications Act 2021 (TKG 2021) have been complied with, according to which, in summary, consent must be obtained for “technically
non-essential cookies”.
D.3.1. Regarding Technical Necessity
As a preliminary question, it must be determined whether the cookies in question are technically necessary.
According to Section 165(3) of the Telecommunications Act 2021 (TKG 2021) (formerly Section 96(3) TKG 2003), the collection of data is “only permissible
if the user has actively given their consent based on clear and comprehensive information. This does not preclude technical storage or access
if the sole purpose is to carry out the transmission of a message over a
communication network or if this is strictly necessary for the provider of an information society service
explicitly requested by the user to provide that service.”
Neither Directive 2002/58/EC nor the (current) TKG 2021 contains a list of what
concretely constitutes “technically necessary cookies”. However, the opinion
04/2012 on the exemption of cookies from the consent requirement of the former Article 29 Working Party contains
criteria for assessing whether cookies within the meaning of Article 5(3) of Directive 2002/58/EC are technically
necessary:
According to Article 5(3), informed consent is not required for cookies
if they meet one of the following criteria:
– Criterion A: The cookie is used “where its sole purpose is to carry out the transmission of a message over an electronic communications network.”
– Criterion B: The cookie is used “where it is strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide that service.”
Web analytics are statistical audience measuring tools for websites that often rely on cookies. These tools are primarily used by website owners to estimate the number
of unique visitors, identify the most important search terms that lead to a website via search engines, or detect website navigation problems. Today’s
analytics tools use numerous different models for data collection
and analysis, each with different privacy risks. A first-party analytics system based on first-party
cookies undoubtedly carries different risks than an external analytics system based on third-party cookies. Furthermore, there are tools that use first-party
cookies while the analysis is performed by a third party.
This third party is considered either a joint controller or a processor, depending on whether it uses the data for its own purposes or whether it is prevented from doing so by technical or contractual arrangements. While these tools are often considered “essential” for website operators, they are not strictly necessary for a function explicitly requested by the user (or subscriber).
Strictly speaking, the user can access all website functions even if
such cookies are deactivated. Consequently, these cookies do not fall under the
exemption according to criterion A or B.
It should be noted that the exception contained in Section 165(3) TKG 2021, “provision of an
expressly requested information society service” (and the associated
wording “absolutely necessary”), must be interpreted restrictively. For the permissibility of cookies,
this means that they must be absolutely necessary for the provision of the service and there must be a clear
connection to the service expressly requested by the subscriber or user (see Riesz in Riesz/Schilchegger (eds.), TKG (2016) § 96 para. 48). The
opinion of the former Article 29 Working Party also states that when applying Criterion B, it must be examined
what is absolutely necessary from the user’s perspective, not the service provider’s.
The technical necessity of the cookies in question, at least those mentioned in point 3,
for the operation of the website is not apparent to the Authority.
Insofar as the BG asserts in its statement of June 5, 2025, that Microsoft does not place or use
any cookies for administrative and/or business operations, it has failed to provide evidence for this claim. As established, at least
some of the cookies set clearly serve Microsoft’s business purposes (see statement of facts
C.5), such as website analytics.
Setting or reading cookies that analyze website usage or
measure reach is therefore not technically necessary, which is why
prior consent must be obtained in any case (see again the opinion 04/2012 on the exemption of cookies from the consent requirement of the former Article 29 Working Party, as well as the FAQ of the
Data Protection Authority on cookies and data protection, dated May 3, 2023, question 5, and the case law of the Federal Administrative Court cited therein).
D.3.2. On consent in general
The next step is to check whether the requirements of Section 165 Paragraph 3 of the Telecommunications Act 2021 (TKG 2021) have been met,
according to which consent must be obtained for “cookies that are not technically necessary”.
The conditions for consent within the meaning of the Telecommunications Act (TKG) are primarily governed by Article 4, point 11, and Article 7 of the GDPR (see, in detail, the decision of the Data Protection Authority of November 30, 2018, file number: DSB-D122.931/0003-DSB/2018). It can be inferred from the wording of Article 4, point 11, in conjunction with Article 7 of the GDPR that
data protection consent is only valid if the following conditions are
fully met (see the EDPB Guidelines 05/2020 on consent pursuant to Regulation
2016/679 V1.1, paragraphs 11 et seq.):
– Voluntariness;
– Specificity;
– Informed consent;
– Unambiguous expression of will in the form of a statement or
another unambiguous affirmative action.
Taking into additional consideration Article 7(4) in conjunction with Recital 43 GDPR, the performance of a contract
must not be made conditional on consent to processing that is not necessary for the performance of
that contract.
Recital 42, sentence 5 requires a genuine or free choice by the data subject and that the data subject is thereby able to refuse or withdraw consent without suffering any disadvantage.
D.3.4. Regarding consent in the specific case
In the present case, no consent was obtained for the setting and reading of cookies, as well as for the subsequent
data processing. The existence of consent was also not claimed by the BG.
Therefore, an examination of the criteria is unnecessary. Furthermore, no other indications can be found
that legally valid consent was obtained from the BF.
Consequently, the data processing resulting from the setting or reading of cookies cannot be based on Article 6(1)(a) GDPR due to the lack of consent.
The other grounds for processing under Article 6(1) GDPR (and thus also any possible
“further processing” under Article 6(4) GDPR) are also not applicable.
This applies in particular to legitimate interests under Article 6(1)(f) GDPR. A balancing of interests cannot favor the controller if the
data processing is the result of a violation of Union secondary law or of Section 165(3) TKG 2021.
… At the same time, the CJEU has already held that, in the interplay between Directive
2002/58/EC and the GDPR, reliance on Article 6(1)(f) GDPR is only possible if
the conditions for lawful processing under the ePrivacy Directive (Directive 2002/58/EC) are also met
(Judgment of 17 June 2021, C-597/19, from paragraph 97). Therefore, if a case falls under both Directive
2002/58/EC and the GDPR, compliance with the requirements of Directive 2002/58/EC must be taken into account when considering whether legitimate interests exist under Article 6(1)(f) GDPR (see paragraphs 113, 114 and 118). In other words, only when the
lawfulness of the processing is affirmed under Directive 2002/58/EC does the question even arise
of whether legitimate interests can be invoked under Article 6(1)(f) GDPR
(cf. generally on the question of “subsequently” invoking legitimate interests when consent is invalid,
see also Zavadil/Rohner, Legitimate Interests as a Salvation for an Invalid
Declaration of Consent, ZD 2022, 312; Krusche, Cumulation of Legal Bases for
Data Processing, ZD 2020, 237).
As a result, the processing of personal data without a legal basis under
Article 6(1) GDPR is taking place. It is therefore unlawful
processing of personal data.
D.3.5. On the Principle of Lawfulness and Fairness
Article 5(1)(a) GDPR contains three different principles, which are, however, inextricably
interrelated.
Not every violation of specific provisions of the GDPR automatically constitutes a
violation of a principle under Article 5(1) GDPR.
The principle of lawfulness of processing under Article 5(1)(a) GDPR is closely
related to Article 6(1) GDPR, as it further specifies the requirements for the lawfulness of
processing. Even under a narrow interpretation (cf. Herbst in
Kühling/Buchner (eds), GDPR/BDSG (2024) Art. 5 para. 8), it must be assumed that a
violation of the principle of lawfulness of processing under Art. 5 para. 1 lit. a GDPR
exists if – as is the case here – no legal basis for processing under Art. 6 para. 1
GDPR exists (cf. also Recital 40 GDPR). Therefore, a violation of the principle of
lawfulness of processing under Art. 5 para. 1 lit. a GDPR was established.
The principle of processing in good faith (referred to as “fairness” in the English version)
is an overriding and binding principle according to which personal data may not be processed
in a manner that is unjustifiably harmful,
unlawfully discriminatory, unexpected, or misleading to the data subject. In this context, the
reasonable expectations of the data subjects must also be taken into account (see Recital 47 GDPR).
If a controller carries out data processing for which
consent within the meaning of Article 6(1)(a) GDPR would actually be necessary, but this consent has not been obtained, this has a direct impact on the data subject’s autonomy in decision-making.
If the controller is required to obtain consent from the data subject, the lawfulness of the data processing concerning them depends on their consent, which
can also be withdrawn at any time.
The situation would be different, for example, in the case of legal bases for processing where a data subject
does not have such strong decision-making power. In the public sector, for instance, both Article 6(1)(c) and (e) GDPR will often be conceivable. In the case of these legal bases for processing,
the data subject has less control over whether they wish to consent.
A breach of the principle of processing in good faith regularly occurs
when the data subject’s decision-making is impaired and, for the data subject,
the exercise of data subject rights is made more difficult or even
impossible. In such cases, the processing is regularly
unjustifiably harmful, unexpected, and/or misleading for the data subject (see also EDPB Guidelines 4/2019, V2.0, paragraphs 69 et seq.).
Since no consent was obtained in this case, this affected both the
decision-making autonomy of the data subject (the BF) and their ability to exercise their data subject rights (in particular, the possibility of withdrawing consent). The data subject therefore had less choice,
and there was a clear imbalance of power (see again EDPB Guidelines 4/2019, V2.0,
paragraph 70).
As a result, there is also a violation of the principle of processing in good faith within the meaning of Article 5(1)(a) GDPR.
The decision was therefore rendered accordingly.
D.4. Regarding point II of the ruling (dismissal)
Pursuant to Article 28(3) GDPR, processing by a processor is carried out on the basis of
a contract or other legal instrument under Union or Member State law, which binds the processor in relation to the controller
and which specifies the subject matter and duration of the processing, the nature and purpose of the processing, the type
of personal data, the categories of data subjects, and the obligations and rights of the controller.
As established, in the present case, BG processed personal data as
the controller. The data protection authority is of the opinion that it did so from the very beginning of the
data processing in this capacity and not as a processor.
The complaint was therefore dismissed on this point.
D.5. Regarding Point III of the Ruling (Performance Agreement)
Insofar as Microsoft 365 Education is provided and the data processing is carried out exclusively for
school purposes, the data protection authority considers this to be no unlawful
data processing.
However, the situation is different with regard to the use of (tracking) cookies:
According to established case law of the Federal Administrative Court (BVwG), data contained in cookies constitutes
personal data within the meaning of Article 4(1) GDPR (see, most recently, BVwG, August 13, 2025, W291 2272970-
1 with further references).
This consideration can be applied to the present case, especially since it is possible to link the
data to the BF user account.
Prior consent is required for the use of cookies that are not technically necessary.
Cookies for advertising, tracking, or analysis purposes are not technically necessary (see
also BVwG, loc. cit.). Such consent is not present in the case at hand.
Pursuant to Art. 58 para. 2 lit. f GDPR, the BG was therefore prohibited from carrying out future
processing by means of technically unnecessary cookies without a suitable
legal basis (consent).
The cookies MC1, FPC, MSFPC, MicrosoftApplicationsTelemetryDeviceId, and ai-session are considered technically unnecessary.
Insofar as the deletion of the BF’s personal data was requested, it should be noted that
such a compliance order against the BG was already issued in the proceedings under file number D135.027.
Therefore, there is no room for another, identical compliance order.
A period of four weeks appears appropriate for compliance with the order, which is why
the decision was rendered accordingly.
INSTRUCTIONS ON LEGAL REMEDIES
An appeal against this decision may be filed in writing with the Federal Administrative Court within four weeks of service.
The appeal must be submitted to the Data Protection Authority and must contain:
– the designation of the contested decision (file number, subject)
– the name of the respondent authority,
– the grounds on which the claim of illegality is based,
– the request, and
– the information necessary to assess whether the appeal was filed in a timely manner.
The Data Protection Authority has the option, within two months, to either amend its decision by issuing a preliminary ruling on the appeal or to submit the appeal, along with the case file, to the Federal Administrative Court.
An appeal against this decision is subject to a fee. The fixed fee for
such a submission, including attachments, is €50. The fee must be paid to the Austrian tax office’s account, specifying the
purpose of payment.
The fee must generally be transferred electronically using the “Tax Office Payment” function. The Austrian Tax Office – Special Responsibilities Department must be
selected as the recipient (IBAN: ). Furthermore, the following information must be provided:
Tax number/tax account number 10 999/9102, the tax type “EEE – Appeal Fee”, the
date of the assessment notice as the relevant period, and the amount.
If your bank’s e-banking system does not have the “Tax Office Payment” function,
the eps procedure in FinanzOnline can be used. An electronic transfer may
only be dispensed with if no e-banking system is otherwise used (even if the taxpayer has an internet connection). In this case, payment must be made by
payment order, ensuring correct allocation. Further information
can be obtained from the tax office and in the handbook “Electronic Payment and Notification of Payment of Self-Assessed Taxes”.
Payment of the fee must be proven when filing an appeal with the
Data Protection Authority by means of a payment receipt attached to the submission or a
printout confirming the issuance of a payment order. If the fee is not paid
or not paid in full, a notification will be sent to the responsible tax office.
A timely and admissible appeal to the Federal Administrative Court has
suspensive effect. The suspensive effect may be excluded in the operative part of the decision
or by a separate decision.
January 21, 2026
For the Head of the Data Protection Authority:
</pre>