05 Microsoft 365

In the think tank (TT05), experts examined whether the use of Microsoft 365 cloud services (M365) at universities and colleges in Baden-Württemberg complies with the General Data Protection Regulation (GDPR) and what risks are associated with it. An evaluation of alternative options to M365 did not fall within its remit. This assessment enables university management to weigh up and decide on the introduction of M365.

In the course of the analysis, the experts in the think tank concluded that the task was beyond the scope of a normal think tank and required more in-depth consideration. To deal systematically with the data protection risks associated with processing personal data in M365, a data protection impact assessment (DPIA) was to be drawn up in accordance with Art. 35 para. 1 GDPR. As a result, the think tank's mandate was changed to an M365 implementation project (UP M365) with the specific aim of "preparing a DPIA".

As a result of this implementation project, an external service provider drafted a sample DPIA that can be used by all participating universities in Baden-Württemberg in an adapted form. In addition, a legal opinion was drawn up that deals with the data protection-compliant use of M365 at a university.

For copyright reasons, the results of the UP M365 are not freely accessible.

The resulting network in the state will continue to exchange information on suitable procedures for the use of M365. To this end, the participants continue to seek exchange with similar initiatives.