Windows is currently running on 78% of all computers that have Internet access. Microsoft also offers many software solutions for companies. But what data is transferred to the American software giant and to what extent? And can the system even be used in a manner that complies with data protection laws in view of such data transfers to the USA?

The importance of telemetry data

Telemetry is the collective term for the raw data that software collects. Because most computers are connected to the Internet, the software usually transmits this data in the background to the software manufacturer's servers.

The collected data may include information about operating system activities and thus the system state of a computer system. The purpose of this data is to optimize the software product or to detect errors. The problem that is often discussed, especially with regard to Windows 10, is that the log data may also contain personal data (user account, IP address, location, Internet activities, user preferences, etc.). This personal data is then transmitted to servers in the USA, which do not (yet) provide the same level of protection as those within the EU.

From a data protection perspective, the question immediately arises here: Can Windows be used in the company in a data protection-compliant manner?

Revoke consents

Systems such as Windows like to package the collection of telemetry data under fine-sounding phrases such as "improving the customer experience". The user's consent is obtained for such procedures. You can revoke this consent at any time in the system settings.

In addition, you should also take a critical look at the respective privacy policy. Here you should pay particular attention to the extent to which data about interaction with the product and data about the devices used are generally collected. Furthermore, you should also pay attention to the purposes of the processing and the processing entities.

Data collections from the software manufacturer must be checked for compliance with the GDPR.

Telemetry monitoring

To check the telemetry component of Windows 10, the German Federal Office for Information Security (BSI) provides a technical solution. "The developed 'System Activity Monitor' (SAM) enables detailed recordings of the system and application behavior of Windows telemetry for research purposes. The release is part of a comprehensive security analysis in which the BSI is investigating security-critical functions of the operating system. The goal is to be able to assess the security and residual risks for using Windows 10, to identify framework conditions for secure use of the operating system, and to create practically usable recommendations for hardening and secure use of Windows 10," according to the BSI.

The evaluation of this system must then be examined in terms of data protection law.

Can telemetry be switched off?

In 2018, a BSI security analysis still came to the conclusion that switching off the transmission of telemetry data was technically possible, but hardly feasible for the ordinary user. In addition, individual Windows applications can also collect and send data without the central telemetry service.

In the 2019 Activity Report of the Bavarian State Office for Data Protection (under Section 3.4), however, the conclusion was that the collection of telemetry data can at least be completely disabled under Windows 10 Enterprise.

