Data protection information on Microsoft 365 for employees and guests

Data protection is of particular concern to us. In the following data protection information, we therefore briefly explain which data we process, for what purposes and on what legal basis. You will also find information about contact persons and your rights in connection with data processing.

Data protection information for employees

We process your personal data (hereinafter referred to as "data") in compliance with the "Framework Service Agreement on the Introduction and Use of IT Systems" (in German: "Rahmendienstvereinbarung zur Einführung und Anwendung von EDV-Systemen") of 16 August 2010 and in accordance with the legal requirements, and would like to do so in a transparent manner.

When using Microsoft 365 software, Leuphana's responsibility covers only the provision of the software and web tools licensed to you for official purposes. In addition, Microsoft processes further data in the context of the use of Microsoft 365 services and websites. We have no influence on this data processing, so Microsoft is solely responsible for it under data protection law. Processing by Microsoft for its own purposes cannot be completely ruled out. Performance and behaviour monitoring by Leuphana does not take place. The collection and transmission of diagnostic data as well as the application "Microsoft Viva Insights" (formerly "Microsoft Workplace Analytics") have been switched off in the configurations.

Name and contact details of the controller:

Leuphana Universität Lüneburg
represented by the President
Universitätsallee 1
21335 Lüneburg

Contact details of the data protection officer:

Leuphana Universität Lüneburg
- Data Protection Officer -
Universitätsallee 1
21335 Lüneburg
Email: dsb@leuphana.de

Purposes and legal basis of data processing

The Microsoft 365 software can be used by employees as a collaboration platform. If you use the software for official purposes, we use the following categories of data to provide the services:

  a. Names and contents of documents and files
  b. Tasks and solutions (e.g. work processes, elaborations, coordination, etc. in administration and teaching)
  c. Communication data (who was in contact with whom and when?)
  d. Communication content (e.g. text chat, audio, video communication)
  e. Basic personal data, optionally supplemented by self-entered information
  f. Authentication and licensing data
  g. Contact information
  h. Unique identification numbers and signatures (e.g. IP addresses)
  i. Log files with access times
  j. System-generated log data
  k. Device information (e.g. MAC address, including information on the software or service used)
  l. Product feedback (including information on the device used and the software or service used)

This data processing is carried out for the purpose of the licensed provision of work tools to support administration for comprehensive internal collaboration and communication as a tool for teaching, research and administration. This includes the in-service use of the licensed products and services, provision of updates, ensuring information security and providing technical and user support. We process data from you insofar as this is necessary for the performance of the tasks assigned to you and thus for the implementation of the employment relationship.

The legal bases for employees in an employment relationship are Sections 3 sentence 1 no. 1, 12 para. 1 NDSG in conjunction with Art. 6 para. 1 sentence 1 lit. e, para. 2 GDPR in conjunction with Section 88 para. 1 NBG, and for civil servants Section 3 sentence 1 no. 1 NDSG in conjunction with Art. 6 para. 1 sentence 1 lit. e, para. 2 GDPR in conjunction with Section 88 para. 1 NBG.

The partial statistical evaluation serves the economic provision of a secured system as a tool for teaching, research and administration by an experienced and reliable provider. The legal basis for this processing is Section 3 sentence 1 no. 1 NDSG, Section 3 para. 1 no. 1 NHG, Section 7 para. 1 Nds. LHO.

In addition, Microsoft also processes personal data under its own responsibility for the following purposes:

Billing and account management, compensation, internal reporting and modeling, combating fraud, cybercrime, or cyberattacks, improving core functionality related to accessibility, privacy, or energy efficiency, financial reporting, and complying with legal obligations to which Microsoft is subject.

The exceptional disclosure to Microsoft, which cannot be completely ruled out and which may also result in a transfer to the United States of America, is made for the fulfillment of our contract concluded with Microsoft in the interest of the employees on the basis of Art. 49 para. 1 lit. c GDPR.

For more information on data transfers to the operator and protection guarantees, please see the section "Transfer to third countries" below.

General information

Even if you do not make use of your rights below, the data categories will be stored as follows:

  • 90 days after deletion of the content data (data categories a. to d.)
  • 90 days after deletion of the account or after objection (data categories e. to g.)
  • 180 days for log files and system-generated log data (data categories i. and j.)

Apart from that, the data will only be stored as long as it is necessary for the aforementioned purposes. This does not apply if, in derogation thereof, a longer storage or retention period is required by law or is necessary for legal enforcement within the statutory limitation periods. If data is only retained for the aforementioned purposes, access to the data is limited to what is necessary for this purpose.

As a matter of principle, we keep your data to ourselves and only make it available to those employees who need it for their work within the scope of fulfilling their tasks. This does not apply if we are legally obliged to disclose it. In addition, we reserve the right to have some of these activities, such as the provision of Microsoft 365 services, carried out by third-party providers, provided that they offer sufficient guarantees that appropriate technical and organisational measures are implemented in such a way that the data processing is carried out in accordance with the legal requirements and ensures the protection of your rights. We have engaged Microsoft by way of contract processing to provide this. In addition, Microsoft processes for its own purposes as set out above.

Contact details of Microsoft:

Microsoft Corporation
Attn: Chief Privacy Officer
1 Microsoft Way
Redmond, Washington 98052
USA

Contact details within Europe:

Microsoft Ireland Operations, Ltd.
Attn: Data Privacy
1 Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521
Ireland

For its own purposes, Microsoft provides a topic page with a contact option:

https://privacy.microsoft.com/en-us

However, if you do not provide your information, you may not be able to participate in official events that require you to have a Microsoft 365 account to authenticate.

Automated decision-making including profiling in the sense of Art. 22 para. 1 and 4 GDPR does not take place.

Transfer to third countries

Microsoft Corporation is a globally active US company, so that it cannot be ruled out that personal data may reach the USA, where there is no high standard of data protection comparable to that in the EU. For example, the company or its subcontractors are not subject to external supervision by bodies comparable to the European data protection authorities. Furthermore, the legal possibilities for affected persons to influence data processing or obtain information are less extensive than in the scope of application of the GDPR. This also applies to the limited legal protection options for EU citizens in the USA, especially with regard to the exceptional access to the data by state agencies such as security authorities.

In principle, the data is stored on European servers. The transfer to the United States of America takes place on the basis of standard data protection clauses pursuant to Art. 46 para. 2 lit. c) GDPR, which are approved in advance by the EU Commission. In addition, Microsoft has contractually committed itself to further safeguards and measures to protect the data and the data subjects vis-à-vis us.

Your right to object according to Art. 21 GDPR

You have the right to object to the processing of personal data relating to you at any time on grounds relating to your particular situation. In this case, we will no longer process this data unless we can substantiate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

Your further rights

You have the right to request information from us about the processing of data relating to you. In addition to a copy of the data, this right to information also includes the purposes of the data processing, the data recipients and the storage period.

If incorrect data is being processed, you can demand that we correct this data without delay. If the legal requirements according to Art. 17 or 18 GDPR are met, you also have the right to immediate deletion or restriction of the processing of the data. Please note that restricted processing of the data may not be possible.

To exercise your above rights, please contact:

Leuphana Universität Lüneburg
Medien- und Informationszentrum (MIZ)
Timo Leder
Universitätsallee 1
21335 Lüneburg
Email: timo.leder@leuphana.de

If you have any further questions, our data protection officer will be happy to advise you. If you have any complaints regarding data protection, please contact a data protection authority of your choice.

The data protection authority directly responsible for Leuphana University Lüneburg is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Email: poststelle@lfd.niedersachsen.de

Data protection information for guests

We process your personal data (hereinafter referred to as "data") in accordance with the legal requirements and would like to do so in a transparent manner. 

When using Microsoft 365 software, Leuphana's responsibility covers only the provision of the content made available to you. In addition, Microsoft processes further data in the context of the use of Microsoft 365 services and websites. We have no influence on this data processing, so Microsoft is solely responsible for it under data protection law. Processing by Microsoft for its own purposes cannot be completely ruled out. Performance and behaviour monitoring by Leuphana does not take place. The collection and transmission of diagnostic data have been disabled in the configurations.

The use is voluntary. If you would like to use alternative forms of collaboration together with us, please speak to your contact person at our company. Leuphana also offers alternative tools and platforms for use with external persons.

Name and contact details of the person responsible:

Leuphana Universität Lüneburg
represented by the President
Universitätsallee 1
21335 Lüneburg

Contact details of the data protection officer:

Leuphana Universität Lüneburg
- Data Protection Officer -
Universitätsallee 1
21335 Lüneburg
Email: dsb@leuphana.de

Purposes and legal bases of data processing

You can use the Microsoft 365 software as a collaboration platform for a specific collaboration with Leuphana. For this purpose, however, you must create a guest account so that you can authenticate yourself to our systems and so that the access granted to you can be assigned to you personally.

If you create a guest account and use the content we share with you, we use the following categories of data:

  a. Names and contents of documents and files
  b. Tasks and solutions (e.g. workflows, elaborations, coordination, etc. in administration and teaching)
  c. Communication data (who has been in contact with whom and when?)
  d. Communication content (e.g. text chat, audio, video communication)
  e. Basic personal data (surname, first name), optionally supplemented by self-entered information (profile picture)
  f. Authentication data (email address, password)
  g. Contact information (email address)
  h. Unique identification numbers and signatures (e.g. IP addresses)
  i. Log files with access times
  j. System-generated log data
  k. Device information (e.g. MAC address, including information about the software used or the service used)

This data processing is carried out for the purpose of providing access-protected information when collaborating and communicating with external persons in teaching, research and administration. This includes the cooperative use of the content we have shared with you, ensuring information security, and providing technical and user support. In the context of your use of the access granted to you, the use is based on your voluntarily declared consent. The legal basis is therefore Art. 6 para. 1 sentence 1 letter a of the European General Data Protection Regulation (GDPR).

Insofar as you have given your consent to the processing of your personal data, your consent will be recorded and stored in machine-readable form together with the exact time at which it was given. We store this data for the legally required documentation of your consent.

In addition, Microsoft also processes personal data under its own responsibility for the following purposes:

Billing and account management, compensation, internal reporting and modelling, combating fraud, cybercrime, or cyberattacks, improving core functionality in terms of accessibility, privacy, or energy efficiency, financial reporting, and complying with legal obligations to which Microsoft is subject.

For more information on data transfers to the operator and protection guarantees, please see the section "Transfer to third countries" below.

General information

Even if you do not make use of your rights below, the data categories will be stored as follows:

  • 90 days after deletion of content data (data categories a. to d.)
  • 90 days after deletion of the account or after objection (data categories e. to g.)
  • 180 days for log files and system-generated log data (data categories i. and j.)

Apart from that, the data will only be stored as long as is necessary for the aforementioned purposes. This does not apply if, in derogation thereof, a longer storage or retention period is required by law or is necessary for legal enforcement within the statutory limitation periods. If data is only retained for the aforementioned purposes, access to the data is limited to what is necessary for this purpose.

As a matter of principle, we keep your data to ourselves and only make it available to those employees who need it for their work within the scope of fulfilling their tasks. This does not apply if we are legally obliged to disclose it. In addition, we reserve the right to have some of these activities, such as the provision of Microsoft 365 services, carried out by third-party providers, provided that they offer sufficient guarantees that appropriate technical and organisational measures are implemented in such a way that the data processing is carried out in accordance with the legal requirements and ensures the protection of your rights. We have engaged Microsoft by way of contract processing to provide this. In addition, Microsoft processes for its own purposes as set out above.

Contact details of Microsoft:

Microsoft Corporation
Attn: Chief Privacy Officer
1 Microsoft Way
Redmond, Washington 98052
USA

Contact details within Europe:

Microsoft Ireland Operations, Ltd.
Attn: Data Privacy
1 Microsoft Place
South County Business Park
Leopardstown
Dublin 18, D18 P521
Ireland

Microsoft provides a topic page with a contact option for its own purposes:

https://privacy.microsoft.com/en-us

We would like to inform you that the provision of your data is neither legally nor contractually required. If you do not consent to the processing of your data, this will not have any negative consequences for you.

Automated decision-making including profiling as defined in Art. 22 para. 1 and 4 GDPR does not take place.

Transfer to third countries

Microsoft Corporation is a globally active US company, so that it cannot be ruled out that personal data may reach the USA, where there is no high standard of data protection comparable to that in the EU. For example, the company or its subcontractors are not subject to external supervision by bodies comparable to the European data protection authorities. Furthermore, the legal possibilities for affected persons to influence data processing or obtain information are less extensive than in the scope of application of the GDPR. This also applies to the limited legal protection options for EU citizens in the USA, especially with regard to the exceptional access to the data by state agencies such as security authorities.

In principle, the data is stored on European servers. The transfer to the United States of America takes place on the basis of standard data protection clauses pursuant to Art. 46 para. 2 lit. c) GDPR, which are approved in advance by the EU Commission. In addition, Microsoft has contractually committed itself to further safeguards and measures to protect the data and the data subjects vis-à-vis us.

Your right to withdraw your declaration of consent

You have the right to revoke your consent at any time with effect for the future. This means that the lawfulness of the processing that took place on the basis of the consent until the revocation is not affected. The declaration of revocation can be made informally and does not require any justification. If you revoke your consent, you will not suffer any disadvantages as a result. However, you will no longer be able to access the previously accessible data.

Your further rights

You have the right to request information from us about the processing of data relating to you. In addition to a copy of the data, this right to information also includes the purposes of the data processing, the data recipients and the storage period.

If incorrect data is being processed, you can demand that we correct this data without delay. If the legal requirements according to Art. 17 or 18 GDPR are met, you also have the right to immediate deletion or restriction of the processing of the data. Please note that restricted processing of the data may not be possible.

Furthermore, you can make use of your right to data portability under the conditions of Art. 20 GDPR.

To exercise your above rights, please contact:

Leuphana Universität Lüneburg
Medien- und Informationszentrum (MIZ)
Timo Leder
Universitätsallee 1
21335 Lüneburg
Email: timo.leder@leuphana.de

If you have any further questions, our data protection officer will be happy to advise you. If you have any complaints regarding data protection, please contact a data protection authority of your choice.

The data protection authority directly responsible for Leuphana University Lüneburg is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hannover
Email: poststelle@lfd.niedersachsen.de