Outlook Web App (OWA) is the web-based email client of Microsoft 365/Exchange, providing email, calendar, contacts, and tasks in a browser. Part of the Microsoft 365 suite, it processes email content, attachments, and calendar data on Microsoft infrastructure. GDPR compliance follows the Microsoft 365 DPA framework.
Outlook Web App (OWA) is the browser-based email client of Microsoft 365 and Exchange Online. It provides email, calendar, contacts, tasks, and integration with other Microsoft 365 services. As part of the Microsoft 365 ecosystem, OWA inherits the same data processing framework, DPA, and compliance certifications. OWA sets authentication cookies, session tokens, and telemetry cookies from Microsoft domains.
OWA processes email content which is inherently personal and often sensitive. The GDPR implications mirror those of Microsoft 365 broadly: Microsoft acts as processor under the DPA with SCCs, EU Data Boundary is available, and diagnostic data collection can be configured. Legal basis is contract performance for employee email. If OWA links are embedded on public websites, cookie consent applies. Practical steps: accept the Microsoft DPA, configure diagnostic settings, enable EU Data Boundary, implement email retention policies via Microsoft Purview, train staff on email data protection.
Websites using Outlook Web App (OWA) must obtain user consent under GDPR regulations.
DPIA considerations
DPIA recommended as part of broader Microsoft 365 assessment. Email content is inherently sensitive. Assess: email data categories, attachment sensitivity, calendar sharing, telemetry collection, Microsoft subprocessors.
Sample consent text
This site embeds Outlook Web App components. Cookies may be set by Microsoft. Data is processed per the Microsoft DPA. You can manage consent via cookie settings.
Third-party domains contacted
- outlook.office.com
- outlook.office365.com
- login.microsoftonline.com
- attachments.office.net

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cadata | authentication | Session | OWA session cookie maintaining the webmail authenticated state. |
| ESTSAUTH | authentication | Session | Azure AD authentication token for Outlook Web App. |
| UC | functionality | 1 year | Stores Outlook user interface state preferences. |
Same as Microsoft 365: MUID, ESTSAUTH, AADSSO, MC1, MS0, SignInStateCookie from login.microsoftonline.com and outlook.office.com.
For internal employee email, no (contract performance). Analytics/telemetry cookies may need consent. Embedded OWA components on public sites need ePrivacy consent.
Contract performance (Art. 6(1)(b)) for employee email. Legitimate interest for security. Consent for optional telemetry.
Part of Microsoft 365. EU Data Boundary available. DPA with SCCs. See Microsoft 365 entry for full details.
Recommended as part of broader Microsoft 365 assessment. Email inherently processes sensitive personal data.
Accept Microsoft DPA. Configure diagnostic data. Enable EU Data Boundary. Set email retention policies via Purview. Train staff.
ProtonMail (Swiss, encrypted), Tutanota/Tuta (German, encrypted), Posteo (German), Mailbox.org (German), Infomaniak Mail (Swiss).
Document Microsoft authentication and telemetry cookies. Reference Microsoft DPA. Same framework as Microsoft 365.