A German Commissioner for Data Protection and Freedom of Information in the German state Hesse declared that Windows 10 and Office 365 apps are not compliant with the GDPR regulations for use in schools.
The problem lies in telemetry both cloud-connected solutions and data sent back to Microsoft in the USA. This data ranges from standard software diagnostics to user content in Windows applications including sentences from documents and email subject lines.
Some time ago Microsoft has provided a special version of these applications that have used servers in European data centers to store the data, but recently this permission was revoked and the data is now again being sent back to the USA.
Hesse’s data protection commissioner, Michael Ronellenfitsch said that they have a special responsibility in regard to permissibility and traceability of personal data processing. He also said that once the telemetry issue is resolved in a comprehensible and GDPR compliant manner, Office 365 will be again allowed for use in schools.
Ronellenfitsch warned that these rules apply for Google and Apple cloud solutions too. All of the mentioned providers have not been completely transparent so far regarding their cloud solutions data processing.
Until Microsoft starts sending the data back to data centers located in the EU, German schools have the option to switch back to Windows 7 and retail versions of Office 2016.
The ruling in the German language can be found here.