The conference of the independent data protection authorities of the federal and state governments (DSK) recently put the data protection-compliant use of Windows 10 to the test. The result: only with an acceptable residual risk and sufficient legal reviews is it okay for companies to use Windows 10 from a data protection point of view. In this context, it is also important to create a processing activity for the use of Windows 10. This must also unequivocally document the verification of the data protection use according to the test scheme!
In a public test scheme of the DSK for the use of Windows 10, the authorities see little scope for the use of this operating system in companies. In contrast to earlier Windows versions, with Windows 10 the data transfer between the PC and Microsoft in the USA can only be prevented to a limited extent. The transmitted data, so-called “telemetry data”, include technical parameters and log files, but also personal data. Due to the encryption used, it is not possible to determine precisely which sensitive information is being transmitted. Despite the encrypted transmission, data exchange with Microsoft is only permitted if there is a corresponding legal basis.
Microsoft Privacy Shield
Microsoft is certified according to the Privacy Shield. This means that according to the EU Commission, personal data may be transmitted to Microsoft USA. According to the supervisory authorities, there are currently still concerns and lawsuits that have already been filed against the legality of the Privacy Shield. The measures listed here when using Windows 10 should therefore be carried out in any case in order to minimize the risk of a data breach in your company. Whether the EU-US Privacy Shield will continue to exist as a valid legal basis for data processing in the USA remains to be seen at the moment. It is quite possible that this legal basis will no longer apply in the future or that it will continue to exist in a completely revised manner.
Configuration of Windows 10 and the problem with the updates
With a standard installation, many operating system settings are not set in such a way that only minimal personal data is transmitted to the USA. The possible data protection settings differ depending on the Windows 10 edition used. The information security working group of the German research institutions has published a practical guide for the various configuration options and can be viewed here.
Since Windows 10 automatically receives regular updates, which is desirable from a security point of view, a further problem arises: after each update installation there is a risk that the system will change the data protection settings. The data protection settings would therefore have to be checked again after every update. From a practical point of view, however, this is a difficult task.
Notes on data protection compliant use
Various studies show that it is currently not possible to completely prevent the transfer of personal data by changing the configuration. Therefore, the following tasks primarily arise for you to ensure the data protection compliance of Windows 10 as well as possible.
Creation of a processing activity in docu-safe
If you are using Windows 10 in your company and have not yet created any processing activities for it, this must be done. The detailed description of the processing activity is important. This includes describing the type, scope, circumstances and purposes of the processing. As always, we will be happy to prepare this for you.
Check of the technical configuration in company use by the IT department
We urgently recommend that you use the published guidelines / orientation guide (see above) to check the technical parameters of the Windows 10 installations used in your company and to document the check and the technical parameters. For us, this proof of verification is the decisive basis for documenting the legality of data processing!
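The check described here has to be repeated after every update (see the section on updates above) and the result has to be documented. The following PowerShell script is an added example, not part of the original post or of the DSK guidance: it reads the Group Policy telemetry level (the AllowTelemetry value under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection), the state of the DiagTrack telemetry service and the most recently installed update, and writes a timestamped JSON record as evidence for the processing activity. The expected level ($ExpectedLevel) and the report directory are placeholders that the company has to set according to its own policy.

```powershell
# Added example: audit the Windows 10 telemetry configuration after an update
# and write a timestamped record for the data protection documentation.
# Assumptions: the policy value AllowTelemetry (0 = Security, Enterprise/Education
# only; 1 = Basic; 2 = Enhanced; 3 = Full) and the DiagTrack service are the
# settings to record; $ExpectedLevel is a placeholder for the company's policy.
param(
    [int]$ExpectedLevel = 0,
    [string]$ReportDir = "$env:ProgramData\TelemetryAudit"
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

# $null means no policy is set, so the edition default applies.
$allowTelemetry = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry `
    -ErrorAction SilentlyContinue).AllowTelemetry

# "Connected User Experiences and Telemetry" service
$svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue

# The last installed update is the event that may have reset the settings.
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

$levelText = if ($null -eq $allowTelemetry) { 'not set (default applies)' } else { $allowTelemetry }
$svcText   = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'service not found' }
$updText   = if ($lastHotfix) { "$($lastHotfix.HotFixID) $($lastHotfix.InstalledOn)" } else { 'unknown' }

$record = [ordered]@{
    Host            = $env:COMPUTERNAME
    CheckedAt       = (Get-Date).ToString('o')
    OsVersion       = (Get-CimInstance Win32_OperatingSystem).Version
    Edition         = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    LastUpdate      = $updText
    AllowTelemetry  = $levelText
    DiagTrackStatus = $svcText
    ExpectedLevel   = $ExpectedLevel
    # A missing policy value never counts as compliant.
    Compliant       = ($null -ne $allowTelemetry) -and ($allowTelemetry -eq $ExpectedLevel)
}

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$file = Join-Path $ReportDir ("telemetry-audit-{0}.json" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$record | ConvertTo-Json | Set-Content -Path $file -Encoding UTF8

# A non-zero exit code lets a scheduled task or monitoring flag the deviation.
if (-not $record.Compliant) {
    Write-Warning "Telemetry configuration deviates from policy; see $file"
    exit 1
}
```

Run it with administrative rights as a scheduled task after each update installation; the JSON files then form the record of the verification that the processing activity refers to.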
Examination and documentation of the legality of the data transfers
The transfer of personal data must be checked for legality. As long as the transmission has a legal basis, a company can use Windows 10. If this cannot be determined, then the legitimate use of Windows 10 is to be regarded as extremely critical. Here, too, we are happy to support you in verifying the legality of the data transmission and document this for you.
We are happy to support you in the data protection-compliant use of various systems and also train your IT staff on this topic. Contact us.
Our team – your advantage | Here we introduce ourselves.
Our team consists of experienced lawyers, web specialists, IT experts, and certified data protection and information security officers. With our experience, expertise and proven procedures, we help companies find practical solutions in the areas of data protection and IT security. For example, we assist with the implementation of the GDPR or the introduction of information security management systems (ISMS).