Austria: Austrian Data Protection Authority issued its ruling following investigation into Microsoft concerning use of tracking cookies in Microsoft 365 Education

On 21 January 2026, the Austrian Data Protection Authority upheld a complaint filed by a pupil, represented by the European Center for Digital Rights (noyb), against Microsoft regarding the use of tracking cookies in Microsoft 365 Education. The decision relates to the installation and use of non-essential cookies on the device of a minor using Microsoft 365 Education at an Austrian school. The Authority found that Microsoft had processed personal data through tracking cookies without a valid legal basis, in breach of Article 6(1) of the GDPR and the principles of lawfulness and fairness under Article 5(1)(a) of the GDPR. The Authority also found that no valid consent had been obtained, as required under national telecommunications law. The Authority ordered Microsoft to stop using non-essential tracking cookies, including those used for analytics, telemetry, and advertising purposes, in relation to the complainant within 4 weeks.