By Luis Rijo
Publication Date: 2025-11-17 07:43:00
The Hessian Data Protection Commissioner concluded on November 15, 2025, that Microsoft 365 cloud services can operate in compliance with the General Data Protection Regulation, marking a significant shift from the authority’s position three years earlier when it identified seven critical deficiencies in Microsoft’s data processing agreements.
According to Professor Dr. Alexander Roßnagel, the Hessian Data Protection and Freedom of Information Commissioner, the 137-page assessment represents the outcome of negotiations that began in January 2025. “We have constructively examined under what conditions practical and data protection-compliant use of M365 is possible in the interests of users,” Roßnagel stated in the official announcement. The finding provides organizations and public authorities in Hesse with fundamental legal certainty for deploying Microsoft 365 products.
