Federal and state government data protection officials see little room to use Microsoft's Windows 10 operating system in accordance with the law. "It is the responsibility of the responsible person to ensure and document that Windows 10 data protection requirements are met at all times," states the test scheme just released. It should be noted whether and, if so, "what personal data is transferred to Microsoft" and whether such transfers have a legal basis.
In practice, however, this is an almost impossible task, the Data Protection Conference (DSK) concedes in the paper. Various studies have shown that it is not possible to completely prevent telemetry data transfer "by configuring Windows 10" at this time. Because the transfers are encrypted, "there is no detailed knowledge of the nature of the data being transmitted by an independent body." It would therefore be necessary to use "technical measures to prevent unauthorized transmission".
A review with every update?
In addition, because Microsoft is "constantly changing and adding to" the functionality, there is also a need to continuously monitor "whether an update audit is needed". As a basic rule, according to the GDPR, the principle of data minimization should be respected. If the transfer proves to be inadmissible, it must be "prevented", which must be ensured "by suitable and appropriate measures". It should also be noted that Microsoft is sending data to the United States and thus to a "third country" outside the EU. The DSK points out that the legitimacy of the Privacy Shield used for these transmissions has been called into question and that complaints have been lodged.
The inspectors' conclusion: only if the "residual risk" is "acceptable" after applying the measures outlined can the operating system or certain functions of it be used. In general, the question of whether Windows 10 is compatible with data protection cannot be answered, given the variety of editions, versions, functionalities and configurations. Each user should check their installation on their own. If, for example, employee data is also processed, special legislation should be observed.
Warning over license plate scanning
The DSK also censures the "overuse" of license plate scanning systems by prosecutors as a "violation of the Basic Law". This also violates the right of citizens to informational self-determination. The data protection officials urge police and prosecutors to "refrain from comprehensive and indiscriminate collection, storage and evaluation of motor vehicles" and to erase illegally stored data. In further resolutions, the commissioners oppose, for example, the transfer of sensitive data to unauthorized third parties through health applications and provide information on the use of AI systems in hospital sector companies and messengers.