Hesse's data protection commissioner Michael Ronellenfitsch says that Microsoft Office 365 must not be used in the standard configuration at schools, reports Heise Online.
I explain in this post why this should be so and what alternative there is.
Microsoft Office 365
Office 365 from Microsoft is a software package with Outlook, Word, Excel and PowerPoint, among others. To enable users with different devices to access their programmes and files, this service runs in the cloud. And this is exactly where the problem lies. Even if the cloud, including the personal data, is located in Germany, access by third parties cannot be ruled out. This could be, for example, authorities in the USA, who could gain access to the data in certain cases.
The fact that access by third parties cannot be ruled out is only one point in the data protection impact assessment. I will not go into the fact that thousands of telemetry data are collected by Office 365 and also, for example, Windows 10 and transmitted to Microsoft here.
This means that not only the use of G Suite for Education, as I already reported in my blog post from 03.06.2019, is not GDPR-compliant, but also the use of Microsoft Office 365.
Alternative solution proposal
We ourselves have been using the open source software (OSS) LibreOffice as a GDPR-compliant alternative to Microsoft Office for years. In conjunction with a Nextcloud, also a GDPR-compliant OSS, we use the option of accessing our centrally stored data from a wide range of devices.
Of course, the data is stored on servers in Germany in a certified data centre, safe from access by third parties and, of course, DSGVO-compliant.
Fazit
We also recommend to our schools as customers that they use open source software either on their own servers in the schools or in data centres located in Germany. On the one hand, this saves costs because there are no licence fees for the proprietary software, and on the other hand, it is a DSGVO-compliant solution. We have already discussed such proposed solutions with one of the data protection officers of the school authorities in Berlin and have been given the green light.
