Austria: Austrian Data Protection Authority issued its ruling following investigation into Microsoft over alleged violation of GDPR in handling of children's data

On 8 October 2025, the Austrian Data Protection Authority ruled on a complaint regarding Microsoft’s handling of children's data under the General Data Protection Regulation (GDPR). The Authority found that the Federal High School and the Federal Ministry for Education, Science and Research, acting as joint controllers, violated the complainant’s right of access (Article 15 GDPR) and right to be informed (Article 13 GDPR) by failing to provide complete and timely information on data processed through Microsoft Education 365, including cookies and third-party data transfers. Both entities were ordered to provide full access to all personal data, including content, log, and cookie data, and to fully inform the complainant within ten weeks. Microsoft Corporation was also found to have infringed the complainant’s right of access by not providing complete information on cookie data, its own processing purposes, and transfers to third parties such as LinkedIn, OpenAI, and Xandr. Microsoft was ordered to provide comprehensive and understandable access to all personal data it received and processed within four weeks. The Authority further required the Federal High School, the Ministry, and Microsoft to review and delete any technically unnecessary cookie data associated with the complainant’s account within ten weeks. The complaint against the Education Directorate was dismissed, as it was not considered a controller.