Austria: Austrian Data Protection Authority opened investigation into Microsoft over alleged violation of GDPR in handling of children's data

On 4 June 2024, the Austrian Data Protection Authority opened an investigation into Microsoft over an alleged violation of the General Data Protection Regulation (GDPR) in the handling of children's data. The complainant, a minor student, filed a data protection complaint through her father and legal representative NOYB. The complaint was directed against her school, the Education Directorate, the Ministry of Education, and Microsoft Corporation. She alleged that her right of access under GDPR Article 15 (right of access) was violated. Specifically, she claimed the respondents failed to provide complete information about the data processed through Microsoft Education 365. She also argued that her right to be informed under GDPR Article 13 was infringed, as she claims that she was not properly or fully notified about how her data was handled when using the Microsoft software. Additionally, she asserted her right to erasure under GDPR Article 17 for data processed unlawfully. This included the use of tracking cookies and the transfer of her data to third parties without a proper legal basis. The complaint sought to force the respondents to comply with these GDPR rights through an official decision from the Data Protection Authority.