MS Privacy policy


1. Data privacy statement for the use of Microsoft 365 Applications

You have an invitation to use a Microsoft Office application, such as Microsoft Teams, Microsoft SharePoint Online, Microsoft Forms (hereinafter referred to as M365) by acameo GbR, Doblerstr. 11, 72074 Tuebingen, Germany (hereinafter referred to as "we" or "us") as the responsible party within the meaning of the respective applicable data protection laws.

Microsoft Office 365 is a productivity, collaboration and exchange platform for individual users, teams, communities and networks, which can be used both within the acameo GbR and with external partners on a cross-company basis.

With the use of M365, personal data are processed. Please note that this data privacy statement only informs you about the processing of your personal data by us when using Microsoft applications in cooperation with us. If you need information about Microsoft's processing of your personal data, please read the appropriate declaration.

Microsoft privacy statement: https://privacy.microsoft.com/en-us/privacystatement

You can access our general data privacy statement at any time by visiting https://www.acameo.de/en/privacy-policy


1. Information on the processing and on categories of personal data subject to processing in the context of the use of M365

Certain information is already automatically processed when using M365. In the following we have specified for you exactly which personal data are processed and on which legal basis this is done:

1.1 Your IP address used to access the Microsoft Office 365 applications

Legal bases for this are Article 6 para. 1 a), b) and f) (German) General Data Protection Regulation (GDPR), as well as Article 88 GDPR in conjunction with the national laws on employee data protection.

1.2 Your user name (access data to Microsoft Office 365 applications), data within the scope of the so-called multi-factor authentication, which you have stored yourself in your Microsoft account (e.g. optionally the (private) mobile phone number).

Legal basis for this is Article 6 para. 1 c).

1.3 Identification features: Information identifying you as user, sender, recipient of data within M365. This includes in particular the following master data: name, first name, official contact data such as telephone number, e-mail address, official fax number, insofar as provided by you or if it was transmitted by your organization. This information is always visible in your profile, but in particular also in Outlook for you and other M365 users, and can be customized by you.

Legal basis for this is Article 6 para. 1 a), b), c) and f) GDPR.

1.4 Data required for authentication, license use, logging and misuse detection. M365 processes all user activities, such as time of access, date, type of access, details regarding data/files/documents accessed and all activities related to use, such as creating, modifying, deleting a document, setting up a team (and channels in teams), taking notes in the notebook, starting a chat, replying in the chat.

Legal basis for this is Article 6 para. 1 b) and c) GDPR.

1.5 User data: User data collected by you or from you. This includes in particular communication content (text, audio, video), files created by you or to be created by you. This depends on the application you use in M365. If audio or video content is recorded, you will be notified of this.

Legal basis for this is Article 6 para. 1 b) and f) GDPR.

1.6 Data backups and archiving: The data collected from or about you is stored in our data backup. This serves to restore the system and the data itself. In addition, your data will be (partially) archived, if this is required by law.

Legal basis for this is Article 6 para. 1 c) GDPR.

2. Transfer and transmission of data

Apart from the cases explicitly mentioned in this data privacy statement, your personal data will only be disclosed without your express prior consent if it is legally permissible or necessary. This may be the case, for example, if such processing is necessary to protect vital interests of the user or another natural person.

2.1 Data provided by you during registration will be shared within our Group for internal administrative purposes, including joint customer and supplier support, to the extent necessary. Legal basis for this is Article 6 para. 1 f) GDPR.

Any possible transfer of personal data is justified by the fact that we have a legitimate interest in disclosing such data for administrative purposes within our Group and that your rights and interests in the protection of your personal data in accordance with Article 6 para. 1 lit. f) GDPR do not prevail.

2.2 Should it be necessary to clarify an illegal or abusive use of M365 or for legal prosecution, personal data will be disclosed to law enforcement or other authorities and, if applicable, to injured third parties or legal advisors. However, this only occurs if there are indications of illegal or abusive behavior. A transfer can also take place if this serves the enforcement of terms of use or other legal claims. We are also legally obliged to provide information to certain public bodies on request. These are criminal prosecution authorities, authorities that pursue administrative offences for which fines have been imposed, and financial authorities.

Any transfer of personal data is justified by the fact that

(1) processing is necessary to fulfil a legal obligation to which we are subject pursuant to Article 6 para. 1 lit. c) GDPR in conjunction with national legal requirements for the disclosure of data to criminal prosecution authorities, or

(2) we have a legitimate interest in transferring such data to the aforementioned third parties if there are indications of abusive behavior or in order to enforce our legal claims, and your rights and interests in the protection of your personal data within the meaning of Article 6 para. 1 lit. f) GDPR do not prevail

or (3) we process data on basis of Article 88 GDPR in connection with nationally applicable data protection law on the employment relationship to uncover criminal offences.

2.3 We depend on Microsoft for the use of M365. Microsoft is a so-called processor of orders and is subject to our instructions as the responsible party in the sense of the GDPR when processing personal data within the framework of Microsoft Office 365 applications used by us. In accordance with our legal obligations, we have entered into contractual agreements with Microsoft and other contract processors for the transfer of data. Processing of personal data by Microsoft takes place on servers located in the EU.

2.4 In the course of further expansion of our business, it may happen that the structure of our company changes by changing its legal form, by forming, acquiring or selling subsidiaries, parts of companies or components of companies. In such transactions, if necessary, such information may be transferred to another legal entity along with the part of the business to be transferred. Whenever personal information is transferred to third parties to the extent described above, we will ensure that this is done in accordance with this data privacy statement and applicable data protection laws.

Any disclosure of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as required and that your rights and interests in the protection of your personal data do not prevail in the sense of Article 6 para. 1 lit. f) GDPR.

3. Transfer of data to third countries

A transfer to third countries, by commissioning contract processors and third parties, cannot be ruled out when using M365. In such a case, we have taken appropriate guarantees to protect your data. You can obtain a copy of these guarantees from the Data Protection Officer on request.

4. Change of purpose

Processing of your personal data for purposes other than those described above will only be carried out to the extent permitted by law or if you have consented to the changed purpose of data processing. In the event of further processing for purposes other than those for which the data were originally collected, we will inform you of these other purposes prior to further processing and we will also provide you with any other relevant information.

5. Period of data storage

We delete, block or make anonymous your personal data as soon as they are no longer required for the purposes for which we have collected or used them in accordance with the above paragraphs. Subject to statutory deletion and retention periods, we store your personal data for the duration of the contractual relationship with you. Login data and IP addresses are deleted after 90 days at the latest. Your data will also be stored in data backups. These are regularly and operationally reasonably overwritten.

6. Your rights as data subject

6.1 Right of access to data and information

You have the right to obtain from us, at any time and upon request, information on personal data processed by us and relating to you, within the scope of Article 15 GDPR. To do this, you can submit an application by post or by e-mail to the address below.

6.2 Right to correction of inaccurate data

You have the right to ask us to immediately correct any personal data concerning you if it is inaccurate. To do so, please contact us at the addresses indicated below.

6.3 Right of deletion of data

You have the right, under the conditions described in Article 17 GDPR, to request us for the deletion of personal data referring to you. To exercise your right of deletion, please contact us at the addresses indicated below.

6.4 Right to restriction of processing

You are entitled to demand that we restrict processing in accordance with Article 18 GDPR. To exercise your right to limit processing, please contact us at the addresses indicated below.

6.5 Right to data transferability

You have the right to access any personal data concerning you provided to us in a structured, common, machine-readable format in accordance with Article 20 GDPR.
To exercise your right to data transferability, please contact us at the addresses indicated below.

7. Right to object

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is carried out on the basis of Article 6, paragraph 1, a), e) or f) GDPR, in accordance with Article 21 GDPR. We will stop processing your personal data unless we can prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

8. Right to lodge a complaint

You also have the right to lodge complaints with the competent supervisory authority.

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Postfach 10 29 32, 70025 Stuttgart, Germany
Koenigstrasse 10a, 70173 Stuttgart, Germany
Phone +49 711/61 55 41 – 0
Fax: +49 711/61 55 41 – 15
Email: poststelle@lfdi.bwl.de
Internet: https://www.baden-wuerttemberg.datenschutz.de

9. Contact

If you have any questions or comments regarding our handling of your personal data or if you would like to exercise any of the rights mentioned in points 6 and 7 as a data subject, please contact our data protection department:

Michael Hohl (external data protection officer, ITtechNews)
acameo GbR
Doblerstr. 11
72074 Tuebingen, Germany
Phone +49 (0) 7071 8609229
Email datenschutz@acameo.de

If you have any questions or comments on the practical handling and operation of M365, please contact the acameo contact who invited you to use it.

10. Changes to this data privacy statement

We always keep this data privacy statement up to date. Therefore, we reserve the right to change it from time to time and to update it if changes occur in the collection, processing or use of your data. The current version of the data privacy statement is always available at https://www.acameo.de/en/microsoft-data-privacy-statement

Version: March 2021