Data protection information pursuant to Art. 12 et seq. GDPR in the context of the use of Microsoft Teams (MS Teams) for external communication partners
Pursuant to Art. 12 et seq. GDPR (General Data Protection Regulation), we are obliged to inform you about the processing of personal data required for the use of Microsoft Teams (hereinafter referred to as “MS Teams”), insofar as we decide on the means and purposes of the processing of personal data within the scope of the use of the software as the controller within the meaning of Art. 4 No. 7 GDPR. The relevant information is set out below.
Microsoft Teams is a platform for chats, online conferences (audio / video), screen sharing and file transfers. In addition, this communication platform offers the possibility of conducting group conferences (video/audio) and numerous other functions such as file transfers, recording functions etc.
Responsible authorities
In accordance with the provisions of the Telecommunications Act (TKG), the software provider responsible for processing your personal data in the context of communication via MS Teams is Microsoft Corporation with its registered office at One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter “Microsoft”).
The software provider Microsoft informs you about the processing of your personal data under the following link:
https://privacy.microsoft.com/en-gb/privacystatement
If, in the context of the use of the MS Teams software, we decide on the means and purposes of the processing, e.g. in the context of information on the recording of video chats or conversations, creation of a group for sharing documents and files via SharePoint or processing of information on the duration of participation in a conference by the communication partners (additional functions), we are the responsible body in terms of data protection for the processing of your personal data taking place in this context and take all precautions to protect your personal data in accordance with the legal provisions for this case.
Contact details of the responsible body in the context of the use of additional functions:
Wöhler Brush Tech GmbH
Wöhler-Platz 2
33181 Bad Wünnenberg
Germany
Phone: +49 2953 73-300
Mail: [email protected]
Represented by:
Dipl.-Ing. Matthias Peveling
Daniel Horenkamp, MBA
Data Protection Officer
Questions regarding data protection can be addressed to our data protection officer:
Dipl.-Wirt.-Ing. Oliver Baldner
bITs GmbH
Detmolder Straße 204
33100 Paderborn
Germany
Phone: +49 5251 688 94 80
Mail: [email protected]
Purposes of the data processing of personal data and the legal basis
The processing of personal data is necessary for the use of the MS Teams application.
The processing is generally carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in conjunction with Art. 6 lit. b GDPR and, in the context of an application procedure, if applicable in conjunction with Section 26 of the German Federal Data Protection Act (BDSG), for the purpose of communicating with business partners and/or interested parties and, if applicable, for the purpose of establishing an employment relationship (in the context of a job interview).
The legitimate interest is that we want to offer our interlocutors an opportunity to communicate via a modern means of communication.
If a processing activity should take place within the scope of the use of the additional functions that cannot be based on the legitimate interest of the controller pursuant to Art. 6 (1) (f), you will be asked in advance to give your consent. In this case, the processing takes place on the basis of Art. 6 para. 1 lit. a GDPR.
Legal basis for the transfer of data to a non-EU country
If personal data is transferred to a third country (in particular the USA) in the course of using the software, the data is transferred on the basis of the standard contractual clauses. These can be found under the following link:
https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Categories of personal data processed
In the context of the use of the MS Teams application, the following categories of personal data are processed:
- Data required to conduct a Teams conference (surname, first name, e-mail address, team membership, roles and rights).
- Data for displaying a user status and read confirmations (chat)
- Created chat messages
- Voice memos
- Image and sound data in video and audio conferences
- Contents of screen shares
- Files shared by uploading
- Created calendar entries
- Status of tasks (assigned, submitted, due, feedback)
- Content created and edited in Word, Excel, PowerPoint and OneNote
- Entries in surveys
- Technical usage data to provide MS Teams functionality and security, and features built into Teams
As a matter of principle, the responsible body does not store the image and sound data of (video) conferences. If this is done in individual cases, consent is obtained.
Recipients of your personal data
All files, content and comments posted by users in MS Teams are accessible to the people with whom they are shared. These can be individuals or members of a team or channels in a team.
All participants in a video conference have access in the sense of seeing, hearing and reading the content of the video conference, chats, shared files and screen shares.
In a chat, all participants have access to entered content and shared files. The provider Microsoft has access to the data generated during the use of Teams, insofar as this is necessary for the fulfilment of its obligation within the framework of the contract for commissioned processing concluded with the responsible party in accordance with Art. 28 of the GDPR. The processing of personal data in Microsoft Teams and connected products is generally and predominantly carried out on servers located in Germany. However, it is possible that so-called telemetry data, a type of diagnostic data, is also processed in the USA.
In addition, US authorities may have access to the data processed by the processor under US law.
Some functions of MS Teams (additional functions) go beyond the mere provision of a video conferencing solution and therefore take place under our responsibility (e.g. provision of information about the duration of participation in a conference by the communication partners). If personal data is processed by Microsoft in the context of the use of these functions, Microsoft carries out this processing as part of a commissioned processing for the responsible party, i.e. us.
The use of Microsoft Teams for functions for which we are responsible takes place under a contract for commissioned processing. This means that the provider Microsoft processes personal data exclusively on our behalf. Accordingly, Microsoft may only use the data in accordance with our instructions and for agreed purposes and not for its own purposes, i.e. neither for advertising nor to pass it on to unauthorised third parties.
However, when using MS Teams, data may also be processed on servers in the USA. This is less about the content of chats, video conferences, appointments and tasks, user accounts and team memberships, but about data that serve to ensure and improve the security and function of the platform.
According to the current legal situation in the USA, US authorities have almost unrestricted access to all data on servers in the USA. Users are not informed of this and have no legal means of defending themselves against it. However, the risks arising from this access by US authorities are likely to be rather low. The fewest requests, if any, are likely to concern business accounts.
In order to strengthen the rights of data subjects in the event of requests by the US authorities, Microsoft has reacted and taken supplementary measures. This is a supplementary agreement called “Addendum to Additional Safeguards”. This can be accessed under the following link:
https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
The relevant information can be found in Appendix C to the Addendum to the Microsoft Products and Services Privacy Policy (see above).
You can find more information on data processing by Microsoft in the following sources:
The current privacy policy of Microsoft can be viewed here:
https://privacy.microsoft.com/en-gb/privacystatement
Duration of storage
The storage of data processed in connection with the holding of a conference via Teams, as well as content created and shared, comments, chat messages, voice messages, assigned, edited and submitted content and calendar entries, ends as soon as the conference participant revokes his or her consent in whole or in part or objects to processing. In all other respects, the personal data that you have provided to us will be deleted if the purposes of the processing have ceased to apply and there are no statutory retention obligations.
Deletion from Microsoft’s systems is complete between 90 and 180 days after an account or content is deleted by the responsible party.
The period of between 90 and 180 days also applies to the deletion of files by the user himself. Sound and image data from video and audio conferences are not recorded and stored by the responsible body.
Data subject rights / right of appeal
In accordance with Art. 15 of the GDPR, you have the right to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data processed by you, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of the rights to rectification, erasure, restriction of processing or objection, the existence of a right of complaint to a supervisory authority, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details.
In accordance with Art. 16 of the GDPR, you have the right to request, without delay, the correction of inaccurate or the completion of incomplete personal data stored by us.
In accordance with Art. 17 of the GDPR, you have the right to request the deletion of your personal data stored by us, unless there is a legal basis that entitles or obliges us to continue storing the data.
In accordance with Art. 18 of the GDPR, you have the right to request the restriction of the processing of your personal data if
- the accuracy of the personal data is contested by you for a period of time which allows us to verify the accuracy of the personal data,
- the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data
- we no longer need the personal data for the purposes of processing, but you need the data to assert, exercise or defend legal claims
- you have objected to the processing pursuant to Article 21 (1) of the GDPR, as long as it has not yet been determined whether our legitimate reasons outweigh your reasons.
In accordance with Art. 20 of the GDPR, you have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller.
In accordance with Art. 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you violates the GDPR.
Right to withdraw consent
In accordance with Art. 7 (3) of the GDPR, you have the right to revoke your consent at any time. This means that we may no longer process the data based on this consent in the future. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected by the revocation.
Right of objection
If your personal data is processed on the basis of legitimate interests pursuant to Article 6 (1) sentence 1 lit. f of the GDPR, you have the right to object to the processing of your personal data pursuant to Article 21 of the GDPR, provided that there are grounds for doing so that arise from your particular situation.
Sources from which your personal data originates
We collect your personal data from the following sources:
- Data that you have provided to us yourself in the course of using MS Teams,
- Data you have provided to us in the context of the business contact.
Provision of your personal data
The provision of your personal data is voluntary. You are not obliged to provide your data. You will not suffer any disadvantages from not providing your personal data. In the event of non-consent, we will work with you to find alternative ways to contact you personally.