Data protection information on Microsoft 365 for employees and guests

Data protection is a special concern for us. Therefore, we would like to briefly explain to you in the following data protection information which data we process and for what purposes and on what legal basis this is done. In addition, you will receive information about contact persons and your rights in connection with data processing.

Data protection information for employees

When using Microsoft 365 software, Leuphana's responsibility includes only the provision of the software and web tools licensed to you for business purposes. In addition, Microsoft processes further data in the context of the use of Microsoft 365 services and websites. We have no influence on this data processing, so that Microsoft is solely responsible for this under data protection law. Processing by Microsoft for its own purposes cannot be completely ruled out. Leuphana does not monitor performance and behaviour. The collection and transmission of diagnostic data and the "Microsoft Viva Insights" application (formerly "Microsoft Workplace Analytics") have been disabled in the configurations.

Name and contact details of the controller:

Leuphana Universität Lüneburg
represented by the President
Universitätsallee 1
21335 Lüneburg

Contact details of the data protection officer:

Leuphana Universität Lüneburg
- Data Protection Officer -
Universitätsallee 1
21335 Lüneburg
Email: dsb@leuphana.de

Purposes and legal basis of data processing

1. Authentication (Entra ID or OAuth)

For authentication to the M365 services or other IT services of Leuphana, we use the following data from you within a separate directory service ("Entra ID"):

  • Account data with name data, university e-mail address, other e-mail aliases, group membership, (cloud) password

and, when logins via OAuth to other Leuphana IT services are recorded in log files:

  • The data collected includes the assignment to the account, the time of login, an identification number of the login (OIDC session ID), success/failure of the login, the IP address of your browser and the authentication method used.

The legal basis for the technically necessary processing for the provision and licensing of business IT systems for employees in an employment relationship is Sections 3 sentence 1 no. 1, 12 para. 1 Niedersächsisches Datenschutzgesetz (NDSG) in conjunction with Art. 6 para. 1 sentence 1 lit. e, para. 2 of the General Data Protection Regulation (GDPR) in conjunction with Section 88 para. 1 Niedersächsisches Beamtengesetz (NBG) and for civil servants Section 3 sentence 1 no. 1 NDSG in conjunction with Art. 6 para. 1 sentence 1 lit. e), para. 2 GDPR in conjunction with Section 88 para. 1 NBG.

2. Use of the services

The Microsoft 365 software can be used by employees as a collaboration platform. If you use the software for business purposes, we use the following categories of data to provide the services:

  • Names and contents of documents and files
  • Tasks and solutions (e.g. work processes, elaborations, coordination, etc. in administration and teaching)
  • Communication data (who has been in contact with whom and when?)
  • Communication content (e.g. text chat, audio, video communication)
  • Personal basic data, optionally extended by self-entered data
  • Authentication and licensing data
  • Contact information
  • Unique identification numbers and signatures (e.g. IP addresses)
  • Log files with access times
  • System-generated log data
  • Device information (e.g. MAC address, including information on the software used or the service used)
  • Product feedback (including information on the device used and the software or service used)

This data processing is carried out for the purpose of the licensed provision of work tools to support the administration for comprehensive internal collaboration and communication as an aid for teaching, research and administration. This includes the official use of the licensed products and services, the provision of updates, ensuring information security and the provision of technical and user-related support. We process your data insofar as this is necessary for the fulfilment of the tasks assigned to you and thus for the performance of the employment relationship.

The legal bases for employees in an employment relationship are Sections 3 sentence 1 no. 1, 12 para. 1 NDSG in conjunction with Art. 6 para. 1 sentence 1 lit. e), para. 2 GDPR in conjunction with Section 88 para. 1 NBG and for civil servants Section 3 sentence 1 no. 1 NDSG in conjunction with Art. 6 para. 1 sentence 1 lit. e), para. 2 GDPR in conjunction with Section 88 para. 1 NBG.

The partial statistical analysis serves the economic provision of a secure system as a tool for teaching, research and administration by an experienced and reliable provider. The legal basis for this processing is Section 3 sentence 1 no. 1 NDSG, Section 3 para. 1 no. 1 Niedersächsisches Hochschulgesetz (NHG), Section 7 para. 1 Niedersächsische Landeshaushaltsordnung (Nds. LHO).

In addition, Microsoft also processes personal data under its own responsibility for the following purposes:

Billing and account management, compensation, internal reporting and modelling, combating fraud, cybercrime or cyberattacks, improving core functionality in terms of accessibility, data protection or energy efficiency, financial reporting and compliance with legal obligations to which Microsoft is subject.

The exceptional disclosure to Microsoft, which cannot be completely ruled out and which may also result in a transfer to the United States of America, is carried out to fulfil our contract with Microsoft in the interests of our employees on the basis of Art. 49 para. 1 lit. c) GDPR.

Further information on data transfers to the operator and protection guarantees can be found below in the section "Transfer to third countries".

General information

Even if you do not make use of your rights below, the data categories will be stored as follows:

  • 90 days after deletion of the content data (data categories 2 a. to d.)
  • 90 days after deletion of the account or after objection (data categories 1 a. and 2 e. to g.)
  • 180 days for log files and system-generated log data (data categories 1 b. and 2 i. and j.)

Otherwise, the data will only be stored for as long as is necessary for the above-mentioned purposes. This does not apply if a longer storage or retention period is required by law or is necessary for the enforcement of rights within the statutory limitation periods. If data is only stored for the aforementioned purposes, data access is limited to the extent necessary for this purpose.

We generally keep your data to ourselves and only make it available to those employees who need it for their work as part of the fulfilment of their duties. This does not apply if we are legally obliged to pass it on. In addition, we reserve the right to have some of these activities, such as the provision of Microsoft 365 services, carried out by third-party providers, provided that they offer sufficient guarantees that suitable technical and organisational measures are implemented in such a way that data processing is carried out in accordance with legal requirements and ensures the protection of your rights. We have commissioned Microsoft to provide this by way of order processing. In addition, Microsoft processes data for its own purposes, as described above.

Contact details of Microsoft:

Microsoft Corporation
Attn: Chief Privacy Officer
1 Microsoft Way
Redmond, Washington 98052
USA

Contact details within Europe:

Microsoft Ireland Operations, Ltd.
Attn: Data Privacy
1 Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521
Ireland

For its own purposes, Microsoft provides a topic page with a contact option:

https://privacy.microsoft.com/de-de/privacystatement#mainnoticetoendusersmodule

However, if you do not provide your data, you may not be able to participate in official events if these require a corresponding Microsoft 365 account for authentication.

Automated decision-making including profiling within the meaning of Art. 22 para. 1 and 4 GDPR does not take place.

Transfer to third countries

Microsoft Corporation is a globally active US company, so that it cannot be ruled out that personal data will be transferred to the USA. We would like to point out that data may be processed outside the European Union as a result of the transfer to the service provider.

The data is generally stored on European servers. The transfer to the United States of America takes place on the basis of standard data protection clauses in accordance with Art. 46 para. 2 lit. c) GDPR, which have been approved in advance by the EU Commission. In addition, Microsoft has made a contractual commitment to us to provide further security guarantees and measures to protect the data and the data subjects.

Your right to object according to Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. In this case, we will no longer process this data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

Your further rights

You have the right to request information from us about the processing of data concerning you. In addition to a copy of the data, this right to information also includes the purposes of the data processing, the data recipients and the storage period.

If incorrect data is processed, you can demand that we rectify this data immediately. If the legal requirements according to Art. 17 or 18 GDPR are met, you also have the right to immediate erasure or restriction of processing of the data. Please note that it may not be possible to restrict the processing of data.

To exercise your above rights, please contact:

Leuphana Universität Lüneburg
Medien- und Informationszentrum (MIZ)
Timo Leder
Universitätsallee 1
21335 Lüneburg
Email: timo.leder@leuphana.de

If you have any further questions, our data protection officer will be happy to advise you. If you have any complaints regarding data protection, please contact a data protection authority of your choice.

Directly responsible for Leuphana University Lüneburg is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Email: poststelle@lfd.niedersachsen.de

Data protection information for students

When using Microsoft 365 software, Leuphana is solely responsible for providing the software and web tools licensed for you as part of your studies. In this respect, Leuphana has administrative access to the processed data. However, Microsoft also processes other data as part of the use of Microsoft 365 services and websites. We have no influence on this data processing, meaning that Microsoft is solely responsible for this under data protection law. Processing by Microsoft for its own purposes cannot be completely ruled out.

Name and contact details of the controller:

Leuphana Universität Lüneburg
represented by the President
Universitätsallee 1
21335 Lüneburg

Contact details of the data protection officer:

Leuphana Universität Lüneburg
- Data Protection Officer -
Universitätsallee 1
21335 Lüneburg
Email: dsb@leuphana.de

Purposes and legal basis of data processing

1. Authentication (Entra ID or OAuth)

For authentication to the M365 services or other IT services of Leuphana, we use the following data from you within a separate directory service ("Entra ID"):

  • Account data with name data, university e-mail address, other e-mail aliases, group membership, (cloud) password

and, when logins via OAuth to other Leuphana IT services are recorded in log files:

  • The data collected includes the assignment to the account, the time of login, an identification number of the login (OIDC session ID), success/failure of the login, the IP address of your browser and the authentication method used.

The legal basis for the technically necessary processing for the provision and licensing of university IT systems to support studies for members and affiliates who are not in an employment or service relationship with Leuphana is Section 3 sentence 1 no. 1 Niedersächsisches Datenschutzgesetz (NDSG), Art. 6 para. 1 sentence 1 letter e), para. 2 and 3 EU General Data Protection Regulation (GDPR) in conjunction with Section 3 para. 1 no. 1 Niedersächsisches Hochschulgesetz (NHG) in conjunction with Section 20 para. 1 sentence 4 Privacy Protection Regulations of the Leuphana University of Lüneburg (DSO).

Insofar as authentication for use in the context of courses and examinations is required for your participation, the processing is additionally based on Section 17 para. 1 sentence 1, para. 4 NHG in conjunction with Section 20 para. sentence 4 DSO.

2. Use of the services

The Microsoft 365 software can optionally be used by students as a collaboration platform as part of their studies or courses. If you use the software as part of your studies, we use the following categories of data to provide the services:

  • Names and contents of documents and files
  • Tasks and solutions (e.g. work processes, elaborations, coordination, etc. in administration and teaching)
  • Communication data (who has been in contact with whom and when?)
  • Communication content (e.g. text chat, audio, video communication)
  • Personal basic data, optionally extended by self-entered data
  • Authentication and licensing data
  • Contact information
  • Unique identification numbers and signatures (e.g. IP addresses)
  • Log files with access times
  • System-generated log data
  • Device information (e.g. MAC address, including information on the software used or the service used)
  • Product feedback (including information on the device used and the software or service used)

This data processing is carried out for the purpose of the licensed provision of IT systems for internal collaboration and communication as a tool for teaching and study support. This includes the study-related use of the licensed products and services, the provision of updates, ensuring information security and the provision of technical and user-related support. We process your data insofar as this is necessary for the provision in the context of teaching and studying.

The legal basis for the necessary processing for internal university provision and licensing for study support for members who are not in a service or employment relationship with Leuphana is Section 3 sentence 1 no. 1 NDSG, Art. 6 para. 1 sentence 1 letter e), para. 2 and 3 GDPR in conjunction with Section 3 para. 1 no. 1 NHG in conjunction with Section 20 para. 4 DSO.

Insofar as the use is necessary for you in the context of courses and examinations for your participation, the processing is additionally based on Section 17 para. 1 sentence 1, para. 3 NHG in conjunction with Section 16 para. 1 sentence 1, para. 3 DSO and the relevant General Assessment Regulations.

The partial statistical analysis serves the economic provision of a secure system as a tool for teaching, research and administration by an experienced and reliable provider. The legal basis for this processing is Section 3 sentence 1 no. 1 NDSG, Section 3 para. 1 no. 1 NHG, Section 7 para. 1 Niedersächsische Landeshaushaltsordnung (Nds. LHO).

In addition, Microsoft also processes personal data under its own responsibility for the following purposes:

Billing and account management, compensation, internal reporting and modelling, combating fraud, cybercrime or cyberattacks, improving core functionality in terms of accessibility, data protection or energy efficiency, financial reporting and compliance with legal obligations to which Microsoft is subject.

The exceptional disclosure to Microsoft, which cannot be completely ruled out and which may also result in a transfer to the United States of America, is made to fulfil our contract concluded with Microsoft in the interest of the members and affiliates of Leuphana on the basis of Art. 49 para. 1 lit. c) GDPR.

Further information on data transfers to the operator and protection guarantees can be found below in the section "Transfer to third countries".

General information

Even if you do not exercise your rights below, the data categories will be stored as follows:

  • 90 days after deletion of the content data (data categories 2 a. to d.)
  • 90 days after deletion of the account or after objection (data categories 1 a. and 2 e. to g.)
  • 180 days for log files and system-generated log data (data categories 1 b. and 2 i. and j.)

Otherwise, the data will only be stored for as long as is necessary for the above-mentioned purposes. This does not apply if a longer storage or retention period is required by law or is necessary for the enforcement of rights within the statutory limitation periods. If data is only stored for the aforementioned purposes, data access is limited to the extent necessary for this purpose.

We generally keep your data to ourselves and only make it available to those employees who need it for their work as part of the fulfilment of their duties. This does not apply if we are legally obliged to pass it on. In addition, we reserve the right to have some of these activities, such as the provision of Microsoft 365 services, carried out by third-party providers, provided that they offer sufficient guarantees that suitable technical and organisational measures are implemented in such a way that data processing is carried out in accordance with legal requirements and ensures the protection of your rights. We have commissioned Microsoft to provide this by way of order processing. In addition, Microsoft processes data for its own purposes, as described above.

Contact details of Microsoft:

Microsoft Corporation
Attn: Chief Privacy Officer
1 Microsoft Way
Redmond, Washington 98052
USA

Contact details within Europe:

Microsoft Ireland Operations, Ltd.
Attn: Data Privacy
1 Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521
Ireland

For its own purposes, Microsoft provides a topic page with a contact option:

https://privacy.microsoft.com/de-de/privacystatement#mainnoticetoendusersmodule

However, if you do not provide your data, you may not be able to participate in official events if these require a corresponding Microsoft 365 account for authentication.

Automated decision-making including profiling within the meaning of Art. 22 para. 1 and 4 GDPR does not take place.

Transfer to third countries

Microsoft Corporation is a globally active US company, so that it cannot be ruled out that personal data will be transferred to the USA. We would like to point out that data may be processed outside the European Union as a result of the transfer to the service provider.

The data is generally stored on European servers. The transfer to the United States of America takes place on the basis of standard data protection clauses in accordance with Art. 46 para. 2 lit. c) GDPR, which have been approved in advance by the EU Commission. In addition, Microsoft has made a contractual commitment to us to provide further security guarantees and measures to protect the data and the data subjects.

Your right to object according to Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. In this case, we will no longer process this data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

Your further rights

You have the right to request information from us about the processing of data concerning you. In addition to a copy of the data, this right to information also includes the purposes of the data processing, the data recipients and the storage period.

If incorrect data is processed, you can demand that we rectify this data immediately. If the legal requirements according to Art. 17 or 18 GDPR are met, you also have the right to immediate erasure or restriction of processing of the data. Please note that it may not be possible to restrict the processing of data.

To exercise your above rights, please contact:

Leuphana Universität Lüneburg
Medien- und Informationszentrum (MIZ)
Timo Leder
Universitätsallee 1
21335 Lüneburg
Email: timo.leder@leuphana.de

If you have any further questions, our data protection officer will be happy to advise you. If you have any complaints regarding data protection, please contact a data protection authority of your choice.

Directly responsible for Leuphana University Lüneburg is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Email: poststelle@lfd.niedersachsen.de

Data protection information for guests

We process your personal data (hereinafter referred to as "data") in accordance with the legal requirements and would like to do so in a transparent manner. 

When using Microsoft 365 software, Leuphana's responsibility covers only the provision of the content made available to you. In addition, Microsoft processes further data in the context of the use of Microsoft 365 services and websites. We have no influence on this data processing, so Microsoft is solely responsible for it under data protection law. Processing by Microsoft for its own purposes cannot be completely ruled out. Performance and behaviour monitoring by Leuphana does not take place. The collection and transmission of diagnostic data have been disabled in the configurations.

The use is voluntary. If you would like to use alternative forms of collaboration together with us, please speak to your contact person at our company. Leuphana also offers alternative tools and platforms for use with external persons.

Name and contact details of the person responsible:

Leuphana Universität Lüneburg
represented by the President
Universitätsallee 1
21335 Lüneburg

Contact details of the data protection officer:

Leuphana Universität Lüneburg
- Data Protection Officer -
Universitätsallee 1
21335 Lüneburg
Email: dsb@leuphana.de

Purposes and legal bases of data processing

You can use the Microsoft 365 software as a collaboration platform for a specific collaboration with Leuphana. For this purpose, however, you must create a guest account in order to be able to authenticate yourself to our systems and to enable an assignment of the releases granted to you to your person.

If you create a guest account and use the content we share with you, we use the following categories of data:

  • Names and contents of documents and files
  • Tasks and solutions (e.g. workflows, elaborations, coordination, etc. in administration and teaching)
  • Communication data (who has been in contact with whom and when?)
  • Communication content (e.g. text chat, audio, video communication)
  • Basic personal data (surname, first name), optionally supplemented by self-entered information (profile picture)
  • Authentication data (email address, password)
  • Contact information (email address)
  • Unique identification numbers and signatures (e.g. IP addresses)
  • Log files with access times
  • System generated log data
  • Device information (e.g. MAC address, including information about the software used or the service used)

This data processing is carried out for the purpose of providing access-protected information when collaborating and communicating with external persons in teaching, research and administration. This includes the cooperative use of the content we have shared with you, ensuring information security, and providing technical and user support. In the context of your use of the access granted to you, the use is based on your voluntarily declared consent. The legal basis is therefore Art. 6 para. 1 sentence 1 letter a of the European General Data Protection Regulation (GDPR).

Insofar as you have given your consent to the processing of your personal data, your consent will be recorded and stored in machine-readable form together with the exact time at which it was given. We store this data for the legally required documentation of your consent.

In addition, Microsoft also processes personal data under its own responsibility for the following purposes:

Billing and account management, compensation, internal reporting and modelling, combating fraud, cybercrime, or cyberattacks, improving core functionality in terms of accessibility, privacy, or energy efficiency, financial reporting, and complying with legal obligations to which Microsoft is subject.

For more information on data transfers to the operator and protection guarantees, please see the section "Transfer to third countries" below.

General information

Even if you do not make use of your rights below, the data categories will be stored as follows:

  • 90 days after deletion of content data (data categories a. to d.)
  • 90 days after deletion of the account or after objection (data categories e. to g.)
  • 180 days for log files and system-generated log data (data categories i. and j.)

Apart from that, the data will only be stored as long as is necessary for the aforementioned purposes. This does not apply if, in derogation thereof, a longer storage or retention period is required by law or is necessary for legal enforcement within the statutory limitation periods. If data is only retained for the aforementioned purposes, access to the data is limited to what is necessary for this purpose.

As a matter of principle, we keep your data to ourselves and only make it available to those employees who need it for their work within the scope of fulfilling their tasks. This does not apply if we are legally obliged to disclose it. In addition, we reserve the right to have some of these activities, such as the provision of Microsoft 365 services, carried out by third-party providers, provided that they offer sufficient guarantees that appropriate technical and organisational measures are implemented in such a way that the data processing is carried out in accordance with the legal requirements and ensures the protection of your rights. We have engaged Microsoft by way of contract processing to provide this. In addition, Microsoft processes for its own purposes as set out above.

Contact details of Microsoft:

Microsoft Corporation
Attn: Chief Privacy Officer
1 Microsoft Way
Redmond, Washington 98052
USA

Contact details within Europe:

Microsoft Ireland Operations, Ltd.
Attn: Data Privacy
1 Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521
Ireland

Microsoft provides a topic page with a contact option for its own purposes:

https://privacy.microsoft.com/en-us

We would like to inform you that the provision of your data is neither legally nor contractually required. If you do not consent to the processing of your data, this will not have any negative consequences for you.

Automated decision-making including profiling as defined in Art. 22 para. 1 and 4 GDPR does not take place.

Transfer to third countries

Microsoft Corporation is a globally active US company, so that it cannot be ruled out that personal data may reach the USA, where there is no high standard of data protection comparable to that in the EU. For example, the company or its subcontractors are not subject to external supervision by bodies comparable to the European data protection authorities. Furthermore, the legal possibilities for affected persons to influence data processing or obtain information are less extensive than in the scope of application of the GDPR. This also applies to the limited legal protection options for EU citizens in the USA, especially with regard to the exceptional access to the data by state agencies such as security authorities.

In principle, the data is stored on European servers. The transfer to the United States of America takes place on the basis of standard data protection clauses pursuant to Art. 46 para. 2 lit. c) GDPR, which are approved in advance by the EU Commission. In addition, Microsoft has contractually committed itself to us to provide further safeguards and measures to protect the data and the data subjects.

Your right to withdraw your declaration of consent

You have the right to revoke your consent at any time with effect for the future. This means that the lawfulness of the processing that took place on the basis of the consent until the revocation is not affected. The declaration of revocation can be made informally and does not require any justification. If you revoke your consent, you will not suffer any disadvantages as a result. However, you will no longer be able to access the previously accessible data.

Your further rights

You have the right to request information from us about the processing of data relating to you. In addition to a copy of the data, this right to information also includes the purposes of the data processing, the data recipients and the storage period.

If incorrect data is being processed, you can demand that we correct this data without delay. If the legal requirements according to Art. 17 or 18 GDPR are met, you also have the right to immediate deletion or restriction of the processing of the data. Please note that restricted processing of the data may not be possible.

Furthermore, you can make use of your right to data portability under the conditions of Art. 20 GDPR.

To exercise your above rights, please contact:

Leuphana Universität Lüneburg
Medien- und Informationszentrum (MIZ)
Timo Leder
Universitätsallee 1
21335 Lüneburg
Email: timo.leder@leuphana.de

If you have any further questions, our data protection officer will be happy to advise you. If you have any complaints regarding data protection, please contact a data protection authority of your choice.

Directly responsible for Leuphana University Lüneburg is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Email: poststelle@lfd.niedersachsen.de