Microsoft breaches data protection law in the Netherlands because of the way its Windows 10 operating system processes personal information, according to a report.
The Dutch Data Protection Authority (DPA) also said users were not clearly informed about what data the technology giant was using.
There were four million active devices in Holland using Windows 10, it said.
Microsoft said it was "a priority" for the company to comply with Dutch law.
The DPA said that sanctions could be imposed if Microsoft failed to resolve the issues but did not detail what they might be.
The report claims that Windows 10 users "lack control of their data" because of the approach of Microsoft.
"It turns out that Microsoft's operating system follows about every step you take on your computer. That results in an intrusive profile of yourself," said Wilbert Tomesen, vice-chairman of the DPA.
"What does that mean? Do people know about this? Do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves."
Microsoft responded in a blog post.
It said that its latest update did give users of Windows 10 the opportunity to learn about privacy controls, and that users were informed in various documents and statements about why it processed data, including the performance of the device and apps installed.
"Windows collects data so that we can be responsive to your needs and interests," wrote Marisa Rogers, Microsoft's Windows and devices group privacy officer.
Ms Rogers later added that the company was "listening and responding" to feedback both from customers and regulators.
The technology giant also published a list of DPA claims that it said were inaccurate.