Tags: Microsoft 365, GDPR, DSK, HBDI Hesse, EDPS, EU Data Boundary, Data Privacy Framework, Cloud Compliance

The Microsoft 365 Dilemma: Is Microsoft 365 Really GDPR-Compliant?

A current assessment of Microsoft 365's GDPR compliance: the DSK determination of 2022, the EDPS proceedings against the European Commission, and the 2025 HBDI Hesse report — what has changed legally and what controllers must verify today.

Dr. Sait Yalazay, PhD / LLM / MBA
CISO — DPO — Author | CISM — CIPP — AAISM — LA 27001, 27701, 22301, 42001
Architect of Automated Compliance Systems for NIS2, GDPR, ISMS, BCM, DORA, Tisax, AI Act & NATO Cyber Security Framework

Published on May 15, 2026

CORE THESIS: The central question is no longer whether Microsoft 365 is permitted or prohibited in the abstract, but under which contractual, technical and organisational conditions its deployment remains defensible today. These conditions have changed substantially since 2022.

In March 2024, the European Data Protection Supervisor determined that one of the most powerful institutions in the world had violated data protection law through its use of Microsoft 365.[1] What made the finding politically charged was not the result itself — it was the institution affected. Not a mid-sized company with an overstretched IT department, but the European Commission. What followed was a process of orders, lawsuits and negotiations lasting more than a year, ending in July 2025 with a closing decision: the EDPS found the measures taken to be sufficient and closed the enforcement proceedings.[2] The consequence does not fall on Microsoft. It falls on everyone who uses the product.

No other software package is as deeply embedded in German working life as Microsoft 365. Companies, public authorities, schools, universities — the platform runs everywhere. Since November 2022, however, a determination by the German Data Protection Conference (DSK) has been on the table, declaring that proof of data protection-compliant operation on the basis of the contractual documents at the time could not be furnished.[3] How is this tension to be resolved?

Three theatres, three very different trajectories. In Baden-Württemberg, a serious attempt failed. In Brussels, the EU Commission itself became the subject of proceedings. And in Hesse, an authority arrived at a finding that no one had previously dared to make. Anyone who wants to understand why the answer to the question of M365’s data protection compliance remains so unsatisfyingly vague must look at all three.

Five years at a glance: the decisive turning points

What has happened over the past five years cannot be reduced to a single trajectory. There have been setbacks, course corrections and unexpected developments — on both the regulatory and the vendor side.

2020
  • DSK initial assessment (Sept.): M365 not GDPR-compliant [4]
  • BayLDA, BW, Hesse, Saarland: DSK assessment “insufficiently differentiated” [5][6]

2022
  • DSK determination (Nov.): proof of compliance not furnishable [7][8][9]
  • LfDI BW (Apr.): schools should migrate to alternatives [10][11]

2023
  • Microsoft EU Data Boundary Phase 1 launched (Jan.) [12]
  • EU-US Data Privacy Framework: adequacy decision (July) [13][14]

2024
  • EU Data Boundary Phase 2 (Jan.) [15]
  • EDPS: EU Commission’s use of M365 infringes data protection law (March) [16][17]

2025
  • EU Data Boundary Phase 3 completed (Feb.) [18]
  • EDPS closes proceedings against EU Commission (July) [19][20][21]
  • HBDI Hesse: M365 can be used in compliance with data protection law (Nov.) [22][23]

Taking stock: what has changed — and what has not?

Since November 2022, much has changed — some things fundamentally, others less than they might appear at first glance.[24] The question is what holds up legally.

WHAT HAS CHANGED SINCE 2022: In July 2023, the EU-US adequacy decision under the Data Privacy Framework entered into force, creating for the first time since the Schrems II judgment a reliable legal basis for data transfers to the United States. In February 2025, Microsoft completed the build-out of the EU Data Boundary: for the services covered, customer data and personal data are now generally stored and processed within the EU/EFTA area, albeit with limited exceptions (including certain security-related telemetry data). The Data Protection Addendum was substantially revised most recently in September 2025 and specifically addresses the DSK’s 2022 critique. In November 2025, the Hessian Commissioner for Data Protection and Freedom of Information became the first German supervisory authority to declare that GDPR-compliant deployment of M365 is possible under certain conditions. And the EDPS proceedings against the EU Commission were closed in July 2025, after the EDPS found the measures taken to be sufficient.

This does not mean, however, that everything has been resolved — and anyone who believes so has only read half of the debate. The CLOUD Act[25] continues to enable US authorities, under narrow statutory conditions (court order), to access data held by US corporations — even when that data resides on European servers.[26][27] The EU-US DPF is under political pressure; a renewed challenge before the CJEU is considered likely.[28] The DSK determination of 2022 has not been formally rescinded — and although it is not legally binding, the regulatory landscape will remain fragmented until a nationwide reassessment follows.[29] And even those who have all of this under control: a correctly drafted DPA does not replace lived technical governance. What this means in practice is shown by three cases — and none of them unfolds as one would expect.

Three case studies: what theory means in practice

Three cases — and all three end differently. The GDPR is the same everywhere. The reason the assessments diverge nonetheless lies in timing, negotiation status and the starting position of the relevant authority.

Case 1: Baden-Württemberg — when a pilot project hits its limits

Baden-Württemberg made a serious attempt. From autumn 2020 to April 2021, the State Ministry of Education tested a specially configured version of Microsoft 365 (hereinafter: M365) for school operations, together with the State Commissioner for Data Protection and Freedom of Information (LfDI) Dr. Stefan Brink, an international consulting firm and Microsoft. Telemetry was reduced, additional security mechanisms implemented, accounts restricted to teaching staff.[30]

In April 2021, Dr. Brink communicated the result to the Ministry of Education: a GDPR-compliant configuration could not be achieved despite all efforts.[31] In his press release of 25 April 2022, the LfDI asked the known M365-using schools to offer alternatives by the summer holidays 2022 and to prepare the transition.[32] In supervisory terms, this was a formal call to migrate, not an immediately enforceable prohibition order — combined with the announcement that complaints would be pursued in a targeted manner after the summer holidays.

This did not amount to an immediately enforceable ban; in practice, however, a transitional phase emerged in which many schools continued to operate even though the LfDI had demanded migration.[33][34] The Ministry of Education and the LfDI agreed that schools without incoming complaints would not be actively pursued for the time being. Microsoft products remained in use at around a thousand schools. The school sector thus exemplifies how far data protection assessment and administrative reality can diverge: the supervisory criticism was unambiguous, yet the actual exit remained limited.[35]

The 2021 failure is not a verdict on Microsoft 365 in 2025. At that time, neither the EU Data Boundary nor the revised DPA existed, and the contractual documents reviewed then no longer exist in their original form. Anyone applying the same review today works with different documents under a different legal framework. That does not change the fact that the pilot project failed. But it changes the question of what that failure still means today.

Case 2: EDPS investigation into the EU Commission — an instructive compliance process

In May 2021, the European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski opened an investigation. The subject: the European Commission’s use of Microsoft 365 under the Interinstitutional Licensing Agreement (ILA 2021). After almost three years, in its decision of 8 March 2024 the EDPS found several violations of Regulation (EU) 2018/1725[36] — the data protection law applicable to EU institutions.

The findings were concrete and far-reaching. The licensing agreement left open for which purpose which data is processed — a basic prerequisite for any data protection-compliant processor relationship. In addition, neither was Microsoft’s obligation to process only on the Commission’s instructions documented in a secured form, nor did adequate arrangements exist for transfers to third countries without an adequacy decision. Safeguards against unauthorised disclosures were likewise not demonstrated.[37][38]

The EDPS ordered the suspension of certain data transfers from 9 December 2024 and required processing to be brought into line with applicable data protection law by that date. Both the EU Commission and Microsoft filed actions before the General Court of the EU (Cases T-262/24 and T-265/24). The orders nevertheless remained in force.[39][40]

The proceedings concluded in July 2025: after extensive contractual, technical and organisational adjustments and a compliance report by the Commission dated December 2024, the EDPS determined on 11 July 2025 that the violations had been remedied, and closed the enforcement proceedings.[41][42][43]

What this proceeding shows is ambiguous — and that is interesting. Even the EU Commission, with its own data protection officer and professional structures, failed for years to deploy M365 in a compliant manner. That should reassure no one. At the same time, the proceedings did not end with a prohibition but with a finding that the violations had been remedied. M365 is therefore not a product that fundamentally cannot be operated in a GDPR-compliant manner — but one for which the requirements are high. A methodological caveat must be noted: the EDPS proceedings ran under Regulation (EU) 2018/1725, the data protection law for EU institutions, not under the GDPR. What both regimes require in terms of contractual structure and technical governance is structurally comparable, however.

Case 3: HBDI Hesse — first supervisory reassessment in Germany

On 15 November 2025, the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) Prof. Dr. Alexander Roßnagel published a 137-page report.[44][45] His conclusion: following intensive negotiations with Microsoft since January 2025, GDPR-compliant deployment of Microsoft 365 in Hesse is possible under certain legal and organisational conditions.

What tipped the scales was the interplay of several factors — none of which alone would have been decisive. The Data Protection Addendum in its current version of September 2025,[46] a special DPA for public-sector bodies in Hesse (DPA-öS), the EU-US adequacy decision,[47][48] the completed EU Data Boundary[49][50] and supplementary documentation from Microsoft (M365 Kit, data taxonomy). The HBDI did not conduct a technical examination of individual M365 services — this is a legal assessment of the contractual framework against the yardstick of the General Data Protection Regulation (GDPR).[51]

LIMITATION: The HBDI report is not a universal blanket clearance for the entire German market. It applies primarily to bodies based in Hesse, assesses the contractual framework and not the technical security of individual services. Controllers must continue to carry out their own risk assessments, a data protection impact assessment (DPIA) and configuration measures.

Why DSK and HBDI reached different conclusions

The juxtaposition of the DSK determination and the HBDI reassessment is often read in the debate as a contradiction — as if two authorities had assessed the same thing and arrived at opposite results. This falls short. Both bodies examined different contractual instruments on the basis of different legal frameworks, at different points in time and with different negotiation status. The German data protection system is not internally contradictory in this — the starting position has changed, and the assessment has tracked that change.

When the DSK rendered its judgement in November 2022, it had before it the DPA in the version of 15 September 2022 — a contractual text that had emerged under entirely different framework conditions.[52][53] An EU-US Data Privacy Framework did not yet exist; that came only in 2023. The EU Data Boundary had not yet begun; Phase 1 launched on 1 January 2023.[54][55] What the DSK found were seven concrete gaps — among them a lack of clarity about Microsoft’s own processing purposes and inadequate accountability obligations. This was no quibble, but the core of Art. 28 GDPR.[56]

The HBDI report of November 2025, by contrast, assesses the DPA in the version of 1 September 2025 as well as a DPA-öS specifically negotiated for Hessian public-sector bodies. Since 2022, not only have these contractual documents been substantially revised — the transatlantic legal framework has also changed with the EU-US Data Privacy Framework (hereinafter: DPF),[57][58] and with the EU Data Boundary Microsoft has made structurally different data residency commitments.[59][60] The HBDI reviewed each of the seven DSK criticisms anew and concluded that, under the new conditions, they may be considered resolved.[61][62]

One point is not to be overlooked here: the DSK determination of November 2022 is formally still in force. It explicitly refers to the data protection addendum in the version of 15 September 2022 — it cannot be readily applied to the revised versions.[63][64]

Anyone playing DSK 2022 off against HBDI 2025 is ultimately comparing two different sets of facts. The DSK assessed the DPA of September 2022 — before the DPF, before the completed EU Data Boundary, before the revised contractual framework. The HBDI assessed the DPA of September 2025 — including a DPA-öS specifically negotiated for Hessian public-sector bodies and after all these developments. The genuinely relevant question is therefore not which authority had the better argument — but: On which contractual basis am I operating today, and does my supervisory authority consider that sufficient?

NOTE: DPF DOES NOT REPLACE GOVERNANCE. Even after an adequacy decision, it remains to be examined whether the specific data recipient is actively certified and whether the actual processing corresponds to the documented contractual and configuration status. The adequacy decision legitimises the transfer — it does not replace data protection governance in the individual case.

The supervisory landscape

Germany has no uniform data protection law on the M365 question. As a coordination conference, the DSK has no directive authority over the state authorities — each authority decides independently and may depart from DSK positions.[65] The following overview summarises what is publicly known — bearing in mind that the silence of some authorities is often just as revealing as their official pronouncements.

| Authority | DSK position | M365 assessment | Methodological background |
|---|---|---|---|
| DSK | Determination Nov. 2022 | Standard use: proof not furnishable | Assessment of the DPA of Sept. 2022 — 7 criticisms regarding Art. 28 GDPR |
| HBDI Hesse | Divergent, Nov. 2025 | Usable under conditions | DPA Sept. 2025 + DPA-öS; DPF; EU Data Boundary; no technical review |
| BayLDA Bavaria | Critical, pragmatic | Risk-based individual case review | Lead role in MS negotiations 2020–22; no blanket ban, but review obligation |
| LfDI BW | Differentiated | Schools: migration recommended; tolerated where no alternative | Pilot project 2020/21 without GDPR-compliant outcome; case-by-case consideration |

What this means in practice depends on where one sits — literally. The relevant state authority determines the concrete starting position. Hesse today has a different supervisory starting position than Bavaria or Bremen: the law is the same GDPR everywhere, but the differences arise from the regulatory assessment of the contractual and configuration status.[66][67][68] Anyone operating outside Hesse continues to move without a clear regulatory green light and must document their own risk with diligence.[69][70]

What remains: three lessons for practice

1. Data protection questions on cloud products are dynamic, not static

Applying a 2022 compliance verdict to today’s facts is roughly equivalent to using a security audit for Windows Vista as the basis for a current procurement decision. New contractual instruments, a changed transatlantic legal framework and diverging regulatory assessments are not an academic problem — they compel an update.[71][72] Anyone who decided “too risky” at the time should review again today. Anyone who decided “defensible” should also do so.

2. Contract law does not replace technical governance

The HBDI expressly describes its report as containing no technical examination of individual M365 services.[73] What is assessed is the contractual framework; responsibility for configuration, Copilot functions and documentation rests with the using entity.[74][75] (Copilot functions are the AI assistance functions integrated into M365; they require their own configuration and, where appropriate, a separate DPIA, with particular attention to prompt management, logging control and Graph API access restrictions.) A signed DPA alone therefore does not suffice as long as the technical implementation is not in order.[76][77][78]

3. Regulatory positions are influential, but not the last word

The DSK cannot issue prohibition orders — no court, no enforcement authority. Only the relevant state authorities can take action in the individual case, in accordance with rule-of-law procedures.[79] What the DSK can do: raise the pressure to act through determinations to such an extent that many organisations de facto act as if a ban existed. Fines, prohibition orders, public determinations with significant signalling effect — that is the toolkit supervisory authorities actually have.[80][81]

What matters now

Five measures that make the difference — not as a checklist, but as a minimum requirement:

  • Review and update the DPA: Is the September 2025 version on hand? For public-sector bodies in Hesse: is the DPA-öS agreed or requested?

  • Verify DPF certification: The EU-US Data Privacy Framework can only be relied upon if the specific data recipient — here Microsoft — is actively certified there. The authoritative participant list is maintained by the US Department of Commerce.[82] This status must be reviewed on an occasion-based basis.

  • Document the technical configuration: Telemetry data level set to “Required”? Optional connected experiences deactivated? M365 Admin Center settings documented? Copilot functions individually assessed?

  • Update DPIA and records of processing activities: Update the records of processing activities on the basis of the Microsoft taxonomy and the M365 Kit. A DPIA (Art. 35 GDPR) is required in particular where special categories of data are processed.

  • Establish legal monitoring: Track EU-US DPF developments (possible CJEU challenge), monitor DSK reassessment, review Microsoft’s annual “Government Requests for Customer Data Report”.
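The third measure above asks whether the diagnostic-data level is set to “Required” and whether optional connected experiences are deactivated, and asks for that state to be documented. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the per-user Office privacy policy values on a Windows client, compares them against the target state, and writes a timestamped JSON evidence record that can be filed with the DPIA. The registry paths, value names and value meanings (1 = Required for SendTelemetry; 2 = disabled for ControllerConnectedServicesEnabled) are assumptions taken from Microsoft’s privacy-controls policy documentation for Microsoft 365 Apps and must be verified against the current Microsoft Learn page before the output is relied upon; the evidence file name is likewise a placeholder.

```powershell
# Added example (not from the article): audit two Office privacy policies that back the
# "Document the technical configuration" measure and emit an evidence record for the DPIA file.
# ASSUMPTION: registry paths, value names and value semantics below follow Microsoft's
# privacy-controls policy documentation for Microsoft 365 Apps; verify before use.

$ExpectedPolicies = @(
    [pscustomobject]@{
        Question = 'Diagnostic data level set to "Required"?'
        Path     = 'HKCU:\Software\Policies\Microsoft\Office\Common\ClientTelemetry'
        Name     = 'SendTelemetry'
        Expected = 1   # assumed: 1 = Required, 2 = Optional, 3 = Neither
    },
    [pscustomobject]@{
        Question = 'Optional connected experiences deactivated?'
        Path     = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'
        Name     = 'ControllerConnectedServicesEnabled'
        Expected = 2   # assumed: 2 = disabled, 1 = enabled
    }
)

function Get-M365PrivacyPolicyState {
    # Returns one record per policy: the expected value, the value actually set
    # ($null when the policy is not configured at all) and a compliance flag.
    param([Parameter(Mandatory)] [object[]] $Policies)

    foreach ($p in $Policies) {
        $actual = $null
        if (Test-Path -Path $p.Path) {
            $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($p.Name) }
        }
        [pscustomobject]@{
            Question  = $p.Question
            Policy    = "$($p.Path)\$($p.Name)"
            Expected  = $p.Expected
            Actual    = $actual
            Compliant = ($actual -eq $p.Expected)   # an unset policy is reported as non-compliant
            CheckedAt = (Get-Date).ToString('o')
            Host      = $env:COMPUTERNAME
            User      = $env:USERNAME
        }
    }
}

$result = Get-M365PrivacyPolicyState -Policies $ExpectedPolicies
$result | Format-Table Question, Expected, Actual, Compliant -AutoSize

# Placeholder path: store the record alongside the DPIA / records of processing activities.
$result | ConvertTo-Json -Depth 3 | Set-Content -Path '.\m365-privacy-config-evidence.json' -Encoding UTF8
```

Run the script in the user context whose Office installation is being documented; policies deployed via Group Policy or Intune land in the same HKCU policy hive. An unset value is deliberately reported as non-compliant rather than unknown, because the measure requires the configuration to be documented, not merely to default to the right behaviour. Copilot settings are tenant-side and are not covered by this client-side check.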

What this means

Microsoft 365 cannot today be cleared across the board — nor can it be rejected across the board. What matters is the contractual basis on which, the configuration in which and the supervisory starting position under which the product is specifically deployed. That is unsatisfying for everyone who expects clear rules — and probably unavoidable in an area where technology, law and politics change faster than any regulatory assessment.

What applied in 2022 no longer applies unchanged. Microsoft’s DPA is today a fundamentally different document than the one the DSK had before it at the time.[83][84] With the completed EU Data Boundary, Microsoft has cast its data residency commitments into infrastructure.[85][86] The EU-US DPF has stabilised the transatlantic legal basis — albeit not secured in the long term.[87][88] And Hesse, as the first federal state, has put on record in a 137-page report what was long considered impossible.[89][90][91][92]

Uncomfortable residual questions remain nonetheless. The US nexus has not vanished — the CLOUD Act[93] continues to give US authorities theoretical access to data held by US corporations, even when that data resides on European servers.[94][95] Max Schrems has announced a challenge to the EU-US DPF.[96] And the DSK determination of 2022 formally remains in force — a nationwide reassessment is pending.[97][98][99]

SUMMARY FOR DECISION-MAKERS: Anyone deploying M365 needs: (1) a current DPA (status September 2025), (2) verified DPF certification status for Microsoft, (3) a documented technical configuration, (4) a DPIA for high-risk processing operations, (5) ongoing legal monitoring. Full legal certainty is unlikely in this area for the foreseeable future; what is decisive, therefore, is demonstrably documented diligence. Anyone who has these five points cleanly documented stands on defensible ground. These five points do not replace a technical review of the individual services; they create the foundation for it.

Glossary of abbreviations

All abbreviations are spelled out in the text on first use. The following overview is provided for quick orientation.

| Abbreviation | Meaning |
|---|---|
| BayLDA | Bavarian State Office for Data Protection Supervision |
| BfDI | Federal Commissioner for Data Protection and Freedom of Information |
| CLOUD Act | Clarifying Lawful Overseas Use of Data Act (US federal law, 2018) |
| DPA | Data Protection Addendum (Microsoft products and services) |
| DPA-öS | Data Protection Addendum for public-sector bodies (Hesse-specific version, 2025) |
| DPF / EU-US DPF | EU-US Data Privacy Framework (successor to the EU-US Privacy Shield, in force since July 2023) |
| DSK | Datenschutzkonferenz (German Conference of Independent Federal and State Data Protection Authorities) |
| DPIA | Data Protection Impact Assessment (Art. 35 GDPR) |
| GDPR / DSGVO | General Data Protection Regulation (Regulation (EU) 2016/679) |
| EDPS | European Data Protection Supervisor |
| EEA | European Economic Area |
| HBDI | Hessian Commissioner for Data Protection and Freedom of Information |
| ILA | Interinstitutional Licensing Agreement |
| LfD NI | State Commissioner for Data Protection Lower Saxony |
| LfDI | State Commissioner for Data Protection and Freedom of Information |
| LfDI BW | State Commissioner for Data Protection and Freedom of Information Baden-Württemberg |
| M365 | Microsoft 365 (formerly: Microsoft Office 365) |
| TOM | Technical and organisational measures (Art. 25, 32 GDPR) |

Bibliography

Sources are organised below by category. Full citations including access dates are provided in the footnotes. Primary sources (regulatory documents, court and authority decisions) are listed separately.

Primary sources: regulatory decisions and official documents

DSK: Determination on the use of Microsoft 365, 24 November 2022 https://datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365.pdf

DSK: Final report of the DSK working group “Microsoft Online Services” (58 pages, 2 November 2022) https://www.datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_abschlussbericht.pdf

DSK: Summary of the final report (November 2022) https://www.datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_zusammenfassung.pdf

HBDI Hesse: M365 report (137 pages, 15 November 2025) https://datenschutz.hessen.de/sites/datenschutz.hessen.de/files/2025-11/hbdi_bericht_m365_2025_11_15.pdf

HBDI Hesse: Press release: “Microsoft 365 can be used in compliance with data protection law” (November 2025) https://datenschutz.hessen.de/presse/hbdi-microsoft-365-kann-datenschutzkonform-genutzt-werden

BayLDA Bavaria: Press release: “DSK assessment insufficiently differentiated — improvements nevertheless required” (October 2020) https://www.datenschutz-bayern.de/presse/20201002_365.pdf

BayLDA Bavaria: Guidance: Microsoft as processor in the deployment of Microsoft 365 https://www.datenschutz-bayern.de/datenschutzreform2018/Handreichung_MS_365.pdf

LfDI BW: Recommendation to refrain from using the reviewed version of MS 365 in schools (May 2021) https://www.baden-wuerttemberg.datenschutz.de/lfdi-raet-aufgrund-hoher-datenschutzrechtlicher-risiken-von-der-nutzung-der-geprueften-version-von-microsoft-office-365-an-schulen-ab/

LfDI BW: Press release: call for migration to alternatives (25 April 2022) https://www.baden-wuerttemberg.datenschutz.de/microsoft-365-teams-raus-aus-schulen-in-baden-wuerttemberg/

LfD Lower Saxony: Guidance on dealing with the Microsoft DPA for M365 (September 2023) https://www.lfd.niedersachsen.de/startseite/infothek/presseinformationen/einsatz-von-microsoft-365-praxis-tipps-fur-vertrage-mit-microsoft-225722.html

BfDI: Brief notice: Adequacy decision on the EU-US Data Privacy Framework entered into force (July 2023) https://www.bfdi.bund.de/SharedDocs/Kurzmeldungen/DE/2023/17_Angemessenheitsbeschluss-EU-US-DPF.html

EDPS: Decision in Case 2021-0518: European Commission’s use of Microsoft 365 infringes data protection law (8 March 2024) https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/european-commissions-use-microsoft-365-infringes-data-protection-law-eu-institutions-and-bodies_en

HBDI Hesse: Information on the EU-US Data Privacy Framework https://datenschutz.hessen.de/datenschutz/internationaler-datentransfer/eu-us-data-privacy-framework

LfD Lower Saxony: The CJEU’s Schrems II judgment and its significance for data transfers to third countries https://www.lfd.niedersachsen.de/startseite/themen/internationaler_datenverkehr/das_schrems_ii_urteil_des_eugh_und_seine_bedeutung_fur_datentransfers_in_drittlander/

EUR-Lex: CJEU (Grand Chamber), Judgment of 16 July 2020 (Case C-311/18, ECLI:EU:C:2020:559) — Schrems II https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62018CJ0311

European Commission: Adequacy decision EU-US Data Privacy Framework (10 July 2023) https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721

Vendor documentation

Microsoft News Center: EU Data Boundary: Announcement and Phase 1 (15 December 2022) https://news.microsoft.com/de-de/microsoft-eu-datengrenze-cloud-2023/

Microsoft News Center: EU Data Boundary Phase 3 completed (27 February 2025) https://news.microsoft.com/de-de/microsoft-schliesst-richtungsweisende-eu-datengrenze-ab-und-bietet-mehr-datenresidenz-und-transparenz/

Microsoft Learn: EU Data Boundary — Official technical documentation (as of February 2025) https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn

Commentary and expert contributions

BDO Legal: Is Microsoft 365 GDPR-compliant in deployment? Status after the DSK decision (January 2024) https://www.bdolegal.de/de-de/erweiterte-suche/aktuelles/2023/ist-microsoft-365-datenschutzkonform-einsetzbar

IHK München: Interview with BayLDA President Michael Will: “The contract with Microsoft is not enough” https://www.ihk-muenchen.de/de/Service/Recht-und-Steuern/Datenschutz/Die-EU-Datenschutz-Grundverordnung/Microsoft-365-Interview-mit-Michael-Will-BayLDA.html

Dr. Datenschutz: HBDI Hesse: Microsoft 365 can be used in compliance with data protection (December 2025) https://www.dr-datenschutz.de/hbdi-hessen-microsoft-365-ist-datenschutzkonform-nutzbar/

Dr. Datenschutz: Microsoft’s EU Data Boundary: progress with caution (2025) https://www.dr-datenschutz.de/microsofts-eu-data-boundary-fortschritt-mit-vorsicht/

Datenschutz-Notizen: Hesse clears the way for Microsoft 365 (December 2025) https://www.datenschutz-notizen.de/datenschutz-hessen-macht-den-weg-frei-fuer-microsoft-365-4257377/

Lindbergh Legal: Microsoft 365 in Hesse 2025: GDPR compliance under clear conditions (November 2025) https://lindbergh.legal/2025/microsoft-365-in-hessen-datenschutzkonform-unter-klaren-bedingungen/

RA Köllner: The DSK decision on M365 in November 2022 — exposition and background https://www.rakoellner.de/2022/11/die-entscheidung-der-datenschutzkonferenz-zu-microsoft-365-im-november-2022-darstellung-inhalt-und-hintergruende/

RA Köllner: HBDI report November 2025: summary and measures https://www.rakoellner.de/2025/11/zusammenfassung-und-massnahmen-aus-dem-hbdi-bericht-zum-datenschutzkonformen-einsatz-von-microsoft-365-stand-november-2025/

RA Köllner: EU Commission brings M365 use into compliance with data protection law (July 2025) https://www.rakoellner.de/2025/07/die-europaeische-kommission-bringt-die-nutzung-von-microsoft-365-in-einklang-mit-den-datenschutzvorschriften-fuer-eu-institutionen-und-einrichtungen/

Luther Lawfirm: EU Data Boundary: significance for European customers (September 2025) https://www.luther-lawfirm.com/newsroom/blog/detail/eine-cloud-fuer-europa-was-bedeutet-die-einfuehrung-der-microsoft-eu-data-boundary-fuer-europaeische-kunden-von-microsoft-diensten-wie-azure-dynamics-365-und-microsoft-365

activeMind.legal: EU-US Data Privacy Framework: comprehensive guide (2025) https://www.activemind.legal/de/guides/eu-us-data-privacy-framework/

Stiftung Datenschutz: DatenschutzWoche of 17 November 2025 (summary of the HBDI report) https://stiftungdatenschutz.org/veroeffentlichungen/datenschutzwoche/detailansicht/datenschutzwoche-vom-17-november-2025-655

Datenschutzticker: HBDI: M365 use compliant with data protection (November 2025) https://www.datenschutzticker.de/2025/11/hbdi-einsatz-von-microsoft-365-datenschutzkonform/

Datenschutzticker: EDPS closes Microsoft 365 proceedings against EU Commission (EDPS decision: 11 July 2025; report: August 2025) https://www.datenschutzticker.de/2025/08/edps-schliesst-microsoft-365-verfahren-gegen-eu-kommission/

Althammer & Kill: EU Commission’s use of M365 infringes data protection law (March 2024) https://www.althammer-kill.de/aktuelles/news/detail/einsatz-von-microsoft-365-durch-die-eu-kommission-verstoesst-gegen-das-datenschutzrecht

Ferner-Alsdorf: Microsoft 365 in Hesse 2025: GDPR compliance confirmed by HBDI (November 2025) https://www.ferner-alsdorf.de/microsoft-365-in-hessen-2025-datenschutzkonformitaet-durch-hbdi-bestaetigt/

BornCity: EU data protection authority: EU Commission’s M365 use infringes GDPR (March 2024) https://borncity.com/blog/2024/03/11/eu-datenschtzer-eu-kommission-verstt-mit-microsoft-365-gegen-dsgvo-untersagung-bis-dez-2024/

reuschlaw: Microsoft 365: more data protection through the EU Data Boundary https://www.reuschlaw.de/news/microsoft-365-mehr-datenschutz-durch-das-eu-data-boundary/

Supplementary primary sources

LfDI BW: Notes on further proceeding regarding the use of Microsoft 365 in schools (transitional arrangement) https://www.baden-wuerttemberg.datenschutz.de/ms-365-schulen-hinweise-weiteres-vorgehen/

dataprivacyframework.gov: Participant list EU-US Data Privacy Framework: Microsoft Corporation (active certification) https://www.dataprivacyframework.gov/participant/6474

EDPS: Press release: European Commission brings use of Microsoft 365 into compliance with data protection rules for EU institutions and bodies (28 July 2025) https://www.edps.europa.eu/press-publications/press-news/press-releases/2025/european-commission-brings-use-microsoft-365-compliance-data-protection-rules-eu-institutions-and-bodies

Legal notice: This article serves general information purposes and does not constitute legal advice. For a legally sound assessment in a specific case, consultation with a specialised data protection lawyer is recommended. As of: March 2026.

  1. EDPS, Decision of 8 March 2024, Case 2021-0518: European Commission’s use of Microsoft 365 infringes data protection law for EU institutions and bodies. Available at: https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/european-commissions-use-microsoft-365-infringes-data-protection-law-eu-institutions-and-bodies_en (accessed March 2026).

  2. EDPS, Press release: European Commission brings use of Microsoft 365 into compliance with data protection rules for EU institutions and bodies, 28 July 2025. Available at: https://www.edps.europa.eu/press-publications/press-news/press-releases/2025/european-commission-brings-use-microsoft-365-compliance-data-protection-rules-eu-institutions-and-bodies (accessed March 2026).

  3. DSK, Determination on the use of Microsoft 365, 24 November 2022. Available at: https://datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365.pdf (accessed March 2026).

  4. See above, fn. 3.

  5. BayLDA, Press release: DSK assessment insufficiently differentiated — improvements nevertheless required, October 2020. Available at: https://www.datenschutz-bayern.de/presse/20201002_365.pdf (accessed March 2026).

  6. BayLDA, Guidance: Microsoft as processor in the deployment of Microsoft 365. Available at: https://www.datenschutz-bayern.de/datenschutzreform2018/Handreichung_MS_365.pdf (accessed March 2026).

  7. See above, fn. 3.

  8. DSK, Final report of the DSK working group “Microsoft Online Services”, 2 November 2022 (58 pages). Available at: https://www.datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_abschlussbericht.pdf (accessed March 2026).

  9. DSK, Summary of the final report, November 2022. Available at: https://www.datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_zusammenfassung.pdf (accessed March 2026).

  10. LfDI BW, Recommendation following completion of the pilot project: refrain from using the reviewed version of MS 365 in schools, May 2021. Available at: https://www.baden-wuerttemberg.datenschutz.de/lfdi-raet-aufgrund-hoher-datenschutzrechtlicher-risiken-von-der-nutzung-der-geprueften-version-von-microsoft-office-365-an-schulen-ab/ (accessed March 2026).

  11. LfDI BW, Press release of 25 April 2022 — call for migration by the summer holidays 2022. See also fn. 38 on the notes regarding further proceedings. Available at: https://www.baden-wuerttemberg.datenschutz.de/microsoft-365-teams-raus-aus-schulen-in-baden-wuerttemberg/ (accessed March 2026).

  12. Microsoft News Center, Announcement of the EU Data Boundary, 15 December 2022; Phase 1 launched on 1 January 2023. Available at: https://news.microsoft.com/de-de/microsoft-eu-datengrenze-cloud-2023/ (accessed March 2026).

  13. BfDI, Brief notice: Adequacy decision on the EU-US Data Privacy Framework entered into force, July 2023. Available at: https://www.bfdi.bund.de/SharedDocs/Kurzmeldungen/DE/2023/17_Angemessenheitsbeschluss-EU-US-DPF.html (accessed March 2026).

  14. European Commission, Adequacy decision on the EU-US Data Privacy Framework, 10 July 2023. Available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721 (accessed March 2026).

  15. See above, fn. 12.

  16. See above, fn. 1.

  17. Althammer & Kill, EU Commission’s use of Microsoft 365 infringes data protection law, March 2024. Available at: https://www.althammer-kill.de/aktuelles/news/detail/einsatz-von-microsoft-365-durch-die-eu-kommission-verstoesst-gegen-das-datenschutzrecht (accessed March 2026).

  18. Microsoft News Center, EU Data Boundary Phase 3 completed, 27 February 2025. Available at: https://news.microsoft.com/de-de/microsoft-schliesst-richtungsweisende-eu-datengrenze-ab-und-bietet-mehr-datenresidenz-und-transparenz/ (accessed March 2026).

  19. RA Köllner, The European Commission brings the use of Microsoft 365 into compliance with the data protection rules for EU institutions, July 2025. Available at: https://www.rakoellner.de/2025/07/die-europaeische-kommission-bringt-die-nutzung-von-microsoft-365-in-einklang-mit-den-datenschutzvorschriften-fuer-eu-institutionen-und-einrichtungen/ (accessed March 2026).

  20. Datenschutzticker, EDPS closes Microsoft 365 proceedings against EU Commission (EDPS decision: 11 July 2025; report: August 2025). Available at: https://www.datenschutzticker.de/2025/08/edps-schliesst-microsoft-365-verfahren-gegen-eu-kommission/ (accessed March 2026).

  21. See above, fn. 2.

  22. HBDI, M365 report of 15 November 2025 (137 pages). Available at: https://datenschutz.hessen.de/sites/datenschutz.hessen.de/files/2025-11/hbdi_bericht_m365_2025_11_15.pdf (accessed March 2026).

  23. HBDI, Press release: Microsoft 365 can be used in compliance with data protection law, 14/15 November 2025. Available at: https://datenschutz.hessen.de/presse/hbdi-microsoft-365-kann-datenschutzkonform-genutzt-werden (accessed March 2026).

  24. See above, fn. 3.

  25. CLOUD Act (Clarifying Lawful Overseas Use of Data Act), Pub. L. 115-141, 23 March 2018, 18 U.S.C. § 2713: “A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” Full text: uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title18-section2713

  26. Microsoft Learn, EU Data Boundary — Official technical documentation, as of February 2025. Available at: https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn (accessed March 2026).

  27. Luther Lawfirm, A cloud for Europe: significance of the Microsoft EU Data Boundary for European customers, September 2025. Available at: https://www.luther-lawfirm.com/newsroom/blog/detail/eine-cloud-fuer-europa-was-bedeutet-die-einfuehrung-der-microsoft-eu-data-boundary-fuer-europaeische-kunden-von-microsoft-diensten-wie-azure-dynamics-365-und-microsoft-365 (accessed March 2026).

  28. activeMind.legal, EU-US Data Privacy Framework: comprehensive guide, 2025. Available at: https://www.activemind.legal/de/guides/eu-us-data-privacy-framework/ (accessed March 2026).

  29. See above, fn. 3.

  30. See above, fn. 10.

  31. See above, fn. 10.

  32. See above, fn. 11.

  33. See above, fn. 11.

  34. LfDI BW, Notes on further proceedings regarding the use of Microsoft 365 in schools in Baden-Württemberg. Available at: https://www.baden-wuerttemberg.datenschutz.de/ms-365-schulen-hinweise-weiteres-vorgehen/ (accessed March 2026).

  35. See above, fn. 11.

  36. See above, fn. 1.

  37. See above, fn. 1.

  38. See above, fn. 17.

  39. See above, fn. 1.

  40. BornCity (Günter Born), EU data protection authority: EU Commission’s Microsoft 365 use infringes GDPR, March 2024. Available at: https://borncity.com/blog/2024/03/11/eu-datenschtzer-eu-kommission-verstt-mit-microsoft-365-gegen-dsgvo-untersagung-bis-dez-2024/ (accessed March 2026).

  41. See above, fn. 19.

  42. See above, fn. 20.

  43. See above, fn. 2.

  44. See above, fn. 22.

  45. See above, fn. 23.

  46. See above, fn. 22.

  47. See above, fn. 14.

  48. HBDI, Information on the EU-US Data Privacy Framework. Available at: https://datenschutz.hessen.de/datenschutz/internationaler-datentransfer/eu-us-data-privacy-framework (accessed March 2026).

  49. See above, fn. 18.

  50. See above, fn. 26.

  51. See above, fn. 22.

  52. See above, fn. 3.

  53. See above, fn. 9.

  54. See above, fn. 14.

  55. See above, fn. 12.

  56. See above, fn. 8.

  57. See above, fn. 13.

  58. See above, fn. 14.

  59. See above, fn. 12.

  60. See above, fn. 18.

  61. See above, fn. 22.

  62. RA Köllner, Summary and measures from the HBDI report on the GDPR-compliant deployment of Microsoft 365, November 2025. Available at: https://www.rakoellner.de/2025/11/zusammenfassung-und-massnahmen-aus-dem-hbdi-bericht-zum-datenschutzkonformen-einsatz-von-microsoft-365-stand-november-2025/ (accessed March 2026).

  63. See above, fn. 3.

  64. See above, fn. 8.

  65. RA Köllner (Raphael Köllner), The DSK decision on Microsoft 365 in November 2022, December 2022. Available at: https://www.rakoellner.de/2022/11/die-entscheidung-der-datenschutzkonferenz-zu-microsoft-365-im-november-2022-darstellung-inhalt-und-hintergruende/ (accessed March 2026).

  66. See above, fn. 5.

  67. See above, fn. 6.

  68. IHK München, Interview with BayLDA President Michael Will: The contract with Microsoft is not enough. Available at: https://www.ihk-muenchen.de/de/Service/Recht-und-Steuern/Datenschutz/Die-EU-Datenschutz-Grundverordnung/Microsoft-365-Interview-mit-Michael-Will-BayLDA.html (accessed March 2026).

  69. LfD Lower Saxony, Guidance on dealing with the Microsoft DPA for M365, September 2023. Available at: https://www.lfd.niedersachsen.de/startseite/infothek/presseinformationen/einsatz-von-microsoft-365-praxis-tipps-fur-vertrage-mit-microsoft-225722.html (accessed March 2026).

  70. BDO Legal, Is Microsoft 365 GDPR-compliant in deployment? Status after the DSK decision, January 2024. Available at: https://www.bdolegal.de/de-de/erweiterte-suche/aktuelles/2023/ist-microsoft-365-datenschutzkonform-einsetzbar (accessed March 2026).

  71. See above, fn. 70.

  72. Dr. Datenschutz, HBDI Hesse: Microsoft 365 can be used in compliance with data protection, December 2025. Available at: https://www.dr-datenschutz.de/hbdi-hessen-microsoft-365-ist-datenschutzkonform-nutzbar/ (accessed March 2026).

  73. See above, fn. 22.

  74. Lindbergh Legal (Claudia Bischof), Microsoft 365 in Hesse 2025: GDPR compliance under clear conditions, November 2025. Available at: https://lindbergh.legal/2025/microsoft-365-in-hessen-datenschutzkonform-unter-klaren-bedingungen/ (accessed March 2026).

  75. Ferner-Alsdorf (Alper Doğan), Microsoft 365 in Hesse 2025: GDPR compliance confirmed by HBDI, November 2025. Available at: https://www.ferner-alsdorf.de/microsoft-365-in-hessen-2025-datenschutzkonformitaet-durch-hbdi-bestaetigt/ (accessed March 2026).

  76. Dr. Datenschutz, Microsoft’s EU Data Boundary: progress with caution, 2025. Available at: https://www.dr-datenschutz.de/microsofts-eu-data-boundary-fortschritt-mit-vorsicht/ (accessed March 2026).

  77. See above, fn. 27.

  78. reuschlaw, Microsoft 365: more data protection through the EU Data Boundary. Available at: https://www.reuschlaw.de/news/microsoft-365-mehr-datenschutz-durch-das-eu-data-boundary/ (accessed March 2026).

  79. See above, fn. 65.

  80. See above, fn. 65.

  81. See above, fn. 17.

  82. dataprivacyframework.gov, Participant list EU-US Data Privacy Framework: Microsoft Corporation (active certification). Available at: https://www.dataprivacyframework.gov/participant/6474 (accessed March 2026).

  83. See above, fn. 22.

  84. See above, fn. 62.

  85. See above, fn. 18.

  86. See above, fn. 26.

  87. See above, fn. 13.

  88. See above, fn. 28.

  89. See above, fn. 22.

  90. Datenschutz-Notizen (Philip Kroll), Hesse clears the way for Microsoft 365, December 2025. Available at: https://www.datenschutz-notizen.de/datenschutz-hessen-macht-den-weg-frei-fuer-microsoft-365-4257377/ (accessed March 2026).

  91. Stiftung Datenschutz, DatenschutzWoche of 17 November 2025 — Summary of the HBDI report. Available at: https://stiftungdatenschutz.org/veroeffentlichungen/datenschutzwoche/detailansicht/datenschutzwoche-vom-17-november-2025-655 (accessed March 2026).

  92. Datenschutzticker, HBDI: M365 use compliant with data protection, November 2025. Available at: https://www.datenschutzticker.de/2025/11/hbdi-einsatz-von-microsoft-365-datenschutzkonform/ (accessed March 2026).

  93. See above, fn. 25.

  94. See above, fn. 27.

  95. See above, fn. 76.

  96. See above, fn. 28.

  97. See above, fn. 3.

  98. LfD Lower Saxony, The CJEU’s Schrems II judgment and its significance for data transfers to third countries. Available at: https://www.lfd.niedersachsen.de/startseite/themen/internationaler_datenverkehr/das_schrems_ii_urteil_des_eugh_und_seine_bedeutung_fur_datentransfers_in_drittlander/ (accessed March 2026).

  99. CJEU (Grand Chamber), Judgment of 16 July 2020, Case C-311/18 (ECLI:EU:C:2020:559) — Schrems II. Available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62018CJ0311 (accessed March 2026).