Microsoft Office 365 harbours data protection problems

Date of publication

Hesse's data protection commissioner Michael Ronellenfitsch says that Microsoft Office 365 must not be used in the standard configuration at schools, reports Heise Online.

I explain in this post why this should be so and what alternative there is.

Microsoft Office 365

Office 365 from Microsoft is a software package with Outlook, Word, Excel and PowerPoint, among others. To enable users with different devices to access their programmes and files, this service runs in the cloud. And this is exactly where the problem lies. Even if the cloud, including the personal data, is located in Germany, access by third parties cannot be ruled out. This could be, for example, authorities in the USA, who could gain access to the data in certain cases.

The fact that access by third parties cannot be ruled out is only one point in the data protection impact assessment. I will not go into the fact that thousands of telemetry data are collected by Office 365 and also, for example, Windows 10 and transmitted to Microsoft here.

This means that not only the use of G Suite for Education, as I already reported in my blog post from 03.06.2019, is not GDPR-compliant, but also the use of Microsoft Office 365.

Alternative solution proposal

We ourselves have been using the open source software (OSS) LibreOffice as a GDPR-compliant alternative to Microsoft Office for years. In conjunction with a Nextcloud, also a GDPR-compliant OSS, we use the option of accessing our centrally stored data from a wide range of devices.

Of course, the data is stored on servers in Germany in a certified data centre, safe from access by third parties and, of course, DSGVO-compliant.


We also recommend to our schools as customers that they use open source software either on their own servers in the schools or in data centres located in Germany. On the one hand, this saves costs because there are no licence fees for the proprietary software, and on the other hand, it is a DSGVO-compliant solution. We have already discussed such proposed solutions with one of the data protection officers of the school authorities in Berlin and have been given the green light.


Profile picture for user DeepL

DeepL is a deep learning company that develops AI systems for languages. The company, based in Cologne, Germany, was founded in 2009 as Linguee, and introduced the first internet search engine for translations. Linguee has answered over 10 billion queries from more than 1 billion users.

Profile picture for user manfred.woeller

Manfred Wöller

Manfred Wöller is a TÜV-certified data protection officer who makes data protection requirements technically feasible as part of the team. He is also a passionate vegan cook who takes care of the physical well-being at community events.