The data protection officers of the federal and state governments see little room to use Microsoft's Windows 10 operating system in conformity with the law. "It is the responsibility of the controller to ensure and document that the data protection requirements for Windows 10 are complied with at all times," they write in a review scheme that has just been published. It must be established whether and, if so, "which personal data are transmitted to Microsoft" and whether these transfers have a legal basis.
In practice, however, this is an almost impossible task, as the Data Protection Conference (DSK) admits in the paper. Various studies have shown that it is currently not possible to completely prevent the transmission of telemetry data "by configuring Windows 10". Because the transfers are encrypted, "an independent body has no detailed knowledge of the nature of the data transmitted". It would therefore be necessary to use "technical measures to prevent unauthorized transmission".
Re-examination with every update?
In addition, "because of Microsoft's ever-changing and ever-expanding functionality", it must also be continuously monitored "whether a re-audit is required on the occasion of an update". In principle, according to the GDPR (DSGVO), the principle of data minimization must be observed. If a transfer proves to be inadmissible, it must be "refrained from", which must be ensured "with suitable and appropriate measures". It should also be noted that Microsoft sends data to the United States and thus to "a third country" outside the EU. The DSK points out that the legitimacy of the Privacy Shield used for these transfers has been questioned and that complaints have been filed.
The inspectors' summary: only if "the residual risk" is "bearable" after the outlined measures have been implemented could the operating system, or certain functions of it, be used. In general, the question of whether Windows 10 complies with data protection law cannot be answered in view of the variety of editions, versions, functionalities and configurations. Every user has to check their own installation. If, for example, employee data are also processed, special legal regulations would have to be observed.
License plate scanning reprimanded
The DSK also reprimands the "excessive use" of vehicle license plate scanning systems by prosecuting authorities as a "violation of the Basic Law". This also violates citizens' right to informational self-determination. The commissioners call on the police and prosecutors to "refrain from the comprehensive and indiscriminate collection, storage and evaluation of motor vehicle license plates" and to delete the unlawfully stored data. In further resolutions, the commissioners, for example, oppose the disclosure of sensitive data to unauthorized third parties through health apps and provide guidance on the use of AI systems in companies and of messengers in the hospital sector.