A new Dutch Government report has concluded that Vole broke GDPR rules. The Dutch were concerned how information handled by 300,000 of its workers was processed by Microsoft's Office ProPlus suite. This software is installed on PCs and connects to Office 365 servers.
Vole was apparently collecting telemetry and other content from its Office applications, including email titles and sentences where translation or spellchecker was used, and secretly storing the data on systems in the United States.
This could mean that Microsoft will have to pay tens of millions of dollars in fines although the Dutch are being nice about it and working with Microsoft to fix the situation, and are using the threat of a fine to get its Volish attention.
Microsoft doesn't say what information it gathers on users and doesn't provide an option for turning off diagnostic and telemetry data sent by its Office software to the company as a way of monitoring how well it is functioning and identifying any software issues.
Vole has tried to make the system GDPR compliant by storing Office documents on servers based in the EU. But it collected other data that contained private information and some of that data still ended up in the US.
And while the report's researchers say that it is inevitable that users will supply Microsoft with their IP address and email headers as part of making the system work, there is no need for the company to store that information.
The dossier found that Microsoft tracks around 25,000 different types of "event" and has a team of 20 to 30 engineers who analyse the data.
The issue affects those with ProPlus subscriptions of Office 2016 and Office 365 and the online version of Office 365.
In a statement, a Microsoft spokesperson told us: "We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.