Data protection alarm: Hesse and the risks of Microsoft 365!

Data protection alarm: Hesse and the risks of Microsoft 365!

What’s new from Hesse? At the end of May 2024, the Hessian Commissioner for Data Protection and Freedom of Information (HBfDI) published its activity report. It contains exciting insights and valuable tips for those responsible for data protection who have to find their way in this globally networked digital world. Not only the challenges of digital parking space monitoring are discussed, but also the use of Microsoft 365 - a topic that concerns many companies.

The report takes a critical look at the current data protection standards at Microsoft 365. According to the Data Protection Conference (DSK), companies needed an additional agreement to existing order processing contracts with the technology giant. This must be negotiated individually, which is a challenge, especially for smaller companies. The HBfDI has already developed a successful concept for the data protection-compliant use of Microsoft Teams. However, those responsible must also implement their own deletion routines in order to meet the requirements. However, information about the concept is not available in the report, but the HBfDI plans to develop further concepts for other Microsoft products in 2025 to shed light on it.

MS 365 – A double-edged sword

So far, so good – but the use of Microsoft 365 remains tricky. While Microsoft has a strong presence in many companies, the issue of data protection compliance remains a hotly debated topic. How dr-datenschutz.de reported, a data protection impact assessment (DPIA) from the Netherlands in 2018 was not very optimistic and attested that Office 365 was processing unlawful data. The DSK also sees legal risks in the use of Microsoft 365, particularly with regard to transparent data processing and the transfer of personal data to third countries. Although Microsoft has made adjustments to the data protection addendum and introduced the so-called EU Data Boundary, skepticism remains because the responsibility for data protection-compliant use ultimately lies with the companies themselves.

What does that mean for Hessian companies? A thorough analysis of specific applications could help avoid legal gray areas. The Blog from SRD lawyers offers useful tips on best practice for the implemented use of Microsoft 365. The most important thing: transparent documentation and careful consideration of the risks are the be-all and end-all.

Practical challenges in data protection

In addition to the digitalization of the workplace, other topics are also discussed. For example, the HBfDI has dealt with digital parking space surveillance. This concerns legal questions about automated decision-making that arise from the use of video surveillance to control the maximum parking time. Complaints from citizens show that the legal framework still needs to be viewed critically.

Another example is the use of a palm vein scanner in a blood donation facility in Hesse. A complaint from a donor led to intervention by the HBfDI, which determined that consent to the processing of biometric data was not given voluntarily. Accordingly, an alternative was offered in order to be able to be identified with an identity card. Such measures clearly show how sensitively data protection must be interpreted in everyday life and that solutions cannot be easy.

Conclusion

Overall, the HBfDI activity report offers a comprehensive overview of the challenges and current developments in data protection in Hesse. The reports on digital surveillance and data protection-compliant technology applications make it clear that the road to a holistic solution is still long. Companies should be aware of their responsibility and take their data protection seriously. Help and advice is available, but you need your own mind and a clever strategy.

Read more about the HBfDI's activity report here.