MS Teams is a microsoft Ireland Ltd. service ("Microsoft"). It cannot be ruled out that data may be transferred to Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399, USA in the USA. Microsoft can also perform remote maintenance access from other third countries. We have concluded the European Commission's standard data protection clauses with Microsoft. For more information, see point 4.
If you visit the MS Teams or Microsoft website, Microsoft is responsible for data processing. However, a visit to the website is only necessary to use MS Teams in order to download the software for the use of MS Teams.
If you don't want or can't use the MS Teams app, you can also use MS Teams through your browser. The service is then also provided via the WEBSITE of MS Teams.
What data is being processed?
When using MS Teams, different types of data are processed. The amount of data also depends on what data you enter before or when you participate in an online meeting. The following personal data are the subject of processing:
e.B. display name ("display name"), e-mail address, profile picture (optional), preferred language
e.B. date, time, meeting ID, phone numbers, location
Text, audio and video data:
You may have the option to use the chat function in an online meeting. In this respect, the text entries you make will be processed to display in the online meeting. To enable video to be displayed and audio played, the data from your device's microphone and any video camera from the device will be processed accordingly during the duration of the meeting. You can turn off or mute the camera or microphone yourself via the MS Teams applications at any time.
What do we process your data for (purpose of processing) and on what legal basis?
Scope of processing
We use MS Teams to conduct online meetings, telephone and video conferencing, webcasts, etc. To participate in an online meeting or enter the "meeting room", you can also use a pseudonym.
The chat content is logged when using MS Teams. We store the chat content for a period of one month. If it is necessary for the purpose of logging the results of an online meeting, we can also log the chat content for an extended period of time, but at the latest until the intended purpose is fulfilled. However, this will not usually be the case.
If we wish to record meetings, we will communicate this transparently in advance and, if necessary, ask for your consent. You'll also see the fact of recording in the Teams app or in the Web browser view. The organizer can also specify which participants are eligible to record.
In the case of webcasts, we may also process the questions asked by the participants for the purpose of recording and following up webcasts. You can also make use of the ability to share a share with your screen. In this case, we are aware of the data and content you share through your screen.
Insofar as personal data of employees of our company is processed, Section 26 of the German Data Code (BDSG) is the legal basis for data processing. If, in connection with the use of MS Teams, personal data is not necessary for the establishment, execution or termination of the employment relationship, but is nevertheless an elementary component in the use of MS Teams, Article 6 (1) lit. f GDPR is the legal basis for data processing. In these cases, we are interested in the effective conduct of online meetings.
Furthermore, the legal basis for data processing in the conduct of online meetings is Art. 6 sec. 1 lit.b GDPR, insofar as the meetings are carried out in the context of contractual relations.
If there is no contractual relationship, the legal basis is Art. 6 sec. 1 lit. f GDPR. Here, too, we are interested in effectivelyconducting online meetings.
Who gets my data?
In our company, only those people who need it for the smooth running of the online meetings have access to your data, i.e. e.B. the organizers and participants in meetings from our company. There may also be several specialist departments in our company, depending on which services or products you receive from us. Furthermore, our IT department has access to your data for only technical processing.
Personal data that is processed in connection with participation in online meetings will not be passed on to third parties unless they are intended for disclosure. Please note that content from online meetings as well as at personal meeting meetings is often used precisely to communicate information with customers, interested parties or third parties and is therefore intended for distribution.
As a provider of MS Teams, Microsoft will necessarily become aware of the above-date data as far as this is provided for in our order processing agreement with MS Teams. Service providers used by us may also be recipients of data about you in the context of order processing in accordance with Art. 28 GDPR.
We may be required to disclose certain data to the appropriately authorised bodies within the scope of our legal obligations.
Is data transferred to a third country or to an international organisation?
Data processing outside the European Union (EU) does not, in principle, take place, as we have limited our location to data centres in the European Union. However, we cannot rule out the possibility that data is routed or stored via Internet servers located outside the EU. This may be the case in particular if participants are in an online meeting in a third country.
A secure level of data protection is ensured by the conclusion of complementary EU standard data protection clauses and technical-organisational measures. When using standard privacy clauses, we aim to implement additional measures to protect your data where necessary. For this purpose, the data is encrypted during transmission over the Internet and at rest and thus protected from unauthorized access by third parties. Microsoft uses standard technologies, such as TLS and SRTP, to encrypt all data during transmission between users' devices and Microsoft data centers, as well as between Microsoft data centers. This includes messages, files (video, audio, etc.), meetings and other content. Dormant corporate data in Microsoft data centers is also encrypted in a way that enables organizations to decrypt content when needed. MS Teams also uses TLS and MTLS to encrypt instant messages. All server-to-server traffic requires MTLS, whether traffic is limited to the internal network or exceeds the internal network perimeter. For more information on how Microsoft Teams encrypts the data, visit https://docs.microsoft.com/de-de/microsoftteams/teams-security-guide.
With regard to personal data stored by Microsoft in the United States and Europe, which may be subject to regulatory requests for information from u.S. authorities, Microsoft warrants in a statement dated July 20, 2020 that such injunctions will be challenged in court that would allow access to personal information. In addition, as part of a legal settlement, Microsoft has acquired the right to disclose transparent reports on the number of Us national security instructions addressed to Microsoft, and new guidelines have been introduced within the US government that have restricted the use of nondisclosure orders (see https://news.microsoft.com/de-de/stellungnahme-zum-urteil-des-eugh-was-wir-unseren-kunden-zum-grenzueberschreitenden-datentransfer-bestaetigen-koennen/). The level of data protection is considered sufficient in relation to the expected content of our MS Teams meetings, which usually do not contain any personal data outside the names of the persons participating in the videoconference.
However, we hereby expressly point out that MS Teams is a service provided by a provider from the United States. The processing of personal data thus also takes place in a third country, which is currently considered to be unsafe under data protection law within the meaning of the GDPR. This can create risks for users, as, for example, the enforcement of the rights concerned may be more difficult. Negotiations are being conducted at political, data protection and bilateral levels to resolve the situation. However, no results are available at this time. If you personally decide that you cannot be afforded sufficient protection in this legal situation (in accordance with the judgment of the ECJ), it is currently not possible to participate in an online meeting via MS Teams.
How long will my data be stored?
We generally delete personal data if there is no requirement for further storage. A requirement may exist in particular if the data is still needed in order to fulfil contractual services, to check and grant or rebut warranty claims and, if necessary, guarantee claims. In the case of statutory retention obligations, deletion is only possible after the expiry of the respective retention obligation.
What data protection rights do I have?
Every data subject has the right to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restrict processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR. In the case of the right of access and the right of cancellation, the restrictions under Sections 34 and 35 of the German Data Code (BDSG) apply. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 GDPR).
You can revoke your consent to the processing of personal data at any time to us. This also applies to the revocation of declarations of consent given to us before the General Data Protection Regulation was applied, i.e. before 25 May 2018. Please note that the revocation will only work for the future. Processing carried out prior to revocation is not affected.
Is there an obligation to provide data?
The provision of your personaldata is not required by law or contract at first, nor are you obliged to provide this data. To attend an online meeting or enter the meeting room, you must at least provide information about your name. If you do not wish to do so, your participation in our online meetings is unfortunately not possible.
To what extent is there automated decision-making?
Automated decision-making in the form of Art. 22 GDPR is not used.
Is profiling taking place?
We do not process your data with the aim of evaluating certain personal aspects automatically.