09.04.2020 | KPMG Law Insights

Online collaboration tools and data protection – Are universities allowed to use such services?

Online collaboration tools and data protection – Are universities allowed to use such services?

Sustaining teaching is one of the great challenges universities face in times of no-contact laws. The digital collaboration tools from various providers could help – if the universities manage to dispel the concerns of the data protection authorities. Many universities are currently turning to the experts at KPMG with this task.

Empty lecture halls, closed libraries – the Corona crisis poses major challenges for university teaching. In times when all personal contact is to be avoided or even forbidden, universities must offer their students alternatives to regular university life in order to maintain teaching.

Digital learning offers an opportunity to do just that. However, many universities lack the nationwide infrastructure to enable learning from home. Whereas universities previously had unlimited time to test the digitization of learning processes and gradually integrate it into everyday study, things now have to move quickly in view of the current situation.

Many universities see a contribution to this digital teaching in the services of large, primarily U.S. providers. The applications offer a wide range for both sharing materials and networking with fellow students and faculty, as well as centralized storage of shared content. However, the introduction of these applications is still meeting with concerns, especially from data protection officers and supervisory authorities.

High data protection requirements

When using such services, personal data is collected at various points, for example through the use of user accounts. Data protection law – both the GDPR and state data protection laws – place high demands on the protection of this data. Strict standards are applied in particular to the international transfer of data, as here from German universities to the respective U.S. company. In order for a transfer of data to the U.S. to take place, the receiving companies in the U.S. must ensure an appropriate adequate level of data protection. Many of the major U.S. providers are already certified as data-processing service providers through their participation in the so-called “EU-US Privacy Shield,” which is intended to ensure precisely this appropriate level of protection.

Nevertheless, data protection supervisory authorities sometimes take a critical view of the use of such products, especially in universities. Due to a lack of transparency on the part of many companies, there is a risk that data protection regulations will be disregarded and that personal data will be processed unlawfully.

Central points of criticism by data protectionists

The data protection authorities have criticized the non-transparent handling of user data in particular. A review commissioned by the Dutch Ministry of Justice had revealed that at least one provider, for example, collects telemetry data, transmits it to its U.S. servers and processes it there without adequately informing the clients or users.

There is also criticism of the lack of or unclear demarcation between the respective responsibilities of the university as the client and the service provider as the processor. In the view of the data protection experts, the service providers do not sufficiently disclose to the universities or the users which data are collected in detail and for which purposes they are processed. For example, there is a fear of profiling with the habits of the users of the services. Such potentially unlawful data processing by the service provider could also be imputed to the universities. As the client, they remain responsible for the time being and must monitor the contracted company with regard to compliance with data protection.

Data protection experts also have concerns about the CLOUD Act. This allows U.S. authorities to request user data from companies, for example for law enforcement purposes, without consulting German authorities.

However, some companies have already reacted to this criticism and improved their services in terms of data protection. Responsibilities were redefined and greater transparency was created with regard to data storage locations and access options. Some service providers now also see themselves as strong defenders of civil liberties against unauthorized requests by U.S. authorities for European citizens’ data.

These examples clearly show that although there is a need for further action from a data protection perspective when using online services from U.S. providers, many companies are nevertheless showing a willingness to cooperate and adapt to regulatory requirements. One reason for this is likely to be that both the European and German markets, including the education sector, continue to be seen as commercially very important.

A question of concrete implementation

In our view, the legality of the use of such online services by universities ultimately depends only on the design of the specific usage scenario in line with data protection requirements.

The experts at KPMG AG Wirtschaftsprüfungsgesellschaft and KPMG Law are increasingly receiving requests from universities and other educational institutions to use online collaboration platforms and similar services in the wake of current developments and the urgency to provide learners with alternative learning options. Although educational institutions are usually confronted with the reservations of supervisory authorities and official data protection officers right from the start and are therefore very familiar with the argumentation structures, we were able to gain good experience in the dialog with the supervisory authorities and the data protection officers of the universities and identify more far-reaching options for action that enable the universities to implement their set goals. In many cases, concerns are raised that are not based on a general illegality of use, but on risks that arise only from the inadequate design of the contractual documents and processes of the providers’ standard offerings (according to the supervisory authority’s assessment). It is therefore possible to take legal precautions and technical measures in the specific design of the use that minimize these risks and thus adequately protect the rights and freedoms of students and employees of the University.

Through interdisciplinary collaboration between attorneys and technical consultants, we develop comprehensive and multidisciplinary coordinated packages of measures that can be used by educational institutions as part of a data protection impact assessment.
This includes technical concepts adapted to the specific situation, which serve, for example, to minimize the amount of personal data and the associated risk of retraceability to a specific person. KPMG Law also draws up lines of argument and opinions as part of its legal support for projects. In these, the concerns raised are compared with the concrete planned use, taking into account all the legal bases and legal design options that come into question. In a large number of cases, the remaining legal risks ultimately turn out to be manageable and the concerns of data protection officers – with the application of appropriate measures – can be eliminated.


The use of online collaboration tools at universities was widely discussed even before the current situation due to the Corona pandemic began. The steady change in the perception of digital concepts and the efforts of providers have led to more favorable conditions for the use of such online services, according to our data protection experts. Universities can use these developments now to master the times of crisis and drive forward the digitization of teaching in Germany, taking into account measures that are necessary in the specific case.

Explore #more

13.06.2024 | Press releases

Handelsblatt and Best Lawyers honor KPMG Law Experts

Best Lawyers has once again identified the best commercial lawyers in Germany for 2024 exclusively for Handelsblatt. A total of 28 lawyers were honored by…

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…


Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.