Erfurt (dpa/th) - Thuringia's State Data Protection Commissioner Lutz Hasse wants to talk to business associations and authorities about the implementation of a decision by the data protection conference on the Office software of the US company Microsoft. "This resolution is aimed at all authorities and all companies," Hasse told the German Press Agency. According to Hasse, the consequence could be that the software can no longer be used. However, he now wants to find out how widespread it is in the business community and discuss the effects of the decision with the Chamber of Industry and Commerce, among others.

The Data Protection Conference (DSK) recently found that data protection officers are unable to provide proof that the 'Microsoft 365' software is operated in compliance with data protection regulations. Microsoft subsequently announced that it was taking the concerns on board. "However, we consider many of the DSK's data protection assessments and conclusions to be fundamentally wrong," Microsoft said in a statement following the DSK's decision.

Cornelia Haase-Lerch, Managing Director of the Erfurt Chamber of Industry and Commerce, expressed her concern. "Microsoft 365 products are indispensable for companies. Solutions must be found together with the business community so that Microsoft applications can be used in Germany and the European Union in compliance with the law," she explained when asked. Software components of 365 include Word and Excel.

Ambiguities in data processing

The background to this is that, in the opinion of data protection experts, it is unclear to what extent the US company processes personal data. Hasse explained that, according to Microsoft, personal data is used for its own purposes. However, it is not yet clear from whom exactly this data is collected and for what purposes it is processed.

Hasse explained the consequences of the DSK decision using the example of schools: according to data protection regulations, the head teacher is responsible. Even if the principal were to obtain parental consent for the use of the software, this would be ineffective in the opinion of the Data Protection Conference. This is because the parents would have to give their informed consent. However, the head teacher could not provide sufficient information about the data protection aspects because Microsoft does not disclose how and for what purpose the personal data is processed.

Microsoft, on the other hand, asserted that the software can be used in compliance with data protection regulations. The company also warns that a "sprawling supervisory approach" is slowing down digitalization in Germany and "paralyzing and overburdening those responsible, e.g. school principals, in the preparation of a data protection impact assessment".

Hasse made it clear that we now need to think about how to implement the DSK decision in a proportionate manner and in what timeframe. "However, the end of the process is clear, namely that there must be an alternative product - unless Microsoft brings light into the darkness," he said. He is also considering offering advice on alternatives. "I understand the need that is now arising and we want to try to get through this calmly."