Germany
France
Spain
United Kingdom
Turkey
Italy
Hungary
Romania
South Africa
Switzerland
USA
Canada
Mexico
Brasil
China
India
Indonesia
Japan
South Korea
Thailand
Privacy information for collaboration and communication using Microsoft 365
With this notice we inform you about the processing of your personal data by Microsoft 365. Microsoft 365 is - viewed abstractly - a collection and compilation of various tools and applications created in the platform for the purpose of collaboration, security, data protection and the processing of various data. The core of this compilation primarily comprises the tools Exchange Online (e-mail, calendar, address book, tasks), SharePoint Online (storage, processing, application platform) and Microsoft Teams (collaboration, chat, meeting and telephony), as well as Whiteboard as a digital whiteboard. Complementing these are security tools such as the Defender product suite, Intune as an app and device management tool.
This privacy statement does not cover third-party applications and interfaces that have been connected to the Microsoft 365 platform. For this, we refer to the separate privacy statements within the non-Microsoft 365 applications.
1. Who is responsible for data processing?
The responsible party within the meaning of data protection law is the respective ElringKlinger group division and the respective department that uses Microsoft 365 and processes your data.
If you have any questions relating to data privacy, please contact the Group Privacy Officer:
ElringKlinger AG
Max-Eyth-Straße 2
72581 Dettingen/Erms
Germany
data.safety[at]elringklinger.com
For questions regarding information security and the technical as well as organizational measures, please contact the Chief Information Security Officer (CISO) of the ElringKlinger Group Michael Hohl (2QD) as follows:
Glb.informationsecurity[at]elringklinger.com
ElringKlinger AG is responsible under data protection law for all companies and controlled investments of the ElringKlinger Group.
The group entities include the following companies that have also been included in the Microsoft 365 environment as affiliates:
2. What personal data is processed and for what purposes?
Purpose of processing
The purpose of the processing is to provide a modern workplace using Microsoft 365, which offers an optimal solution for collaboration and communication within and outside the ElringKlinger Group. Another purpose is the provision and secure and smooth operation of Microsoft 365 and its tools.
Collaboration here is understood to mean, for example, joint work on files, e-mail communication, meetings, live broadcasts and innovative tools.
The provision and smooth operation of Microsoft 365 is also one of the purposes for which personal data is processed. This processing includes, among other things, the logs or administrative events created by the system (e.g. log files about the login and user actions) and the metadata about calls and meetings, which are used for error, support, statistical and verification purposes. For this purpose, a disclosure of the information is made to Microsoft, which is authorized by the responsible party to ensure this operation.
3. What types of personal data?
Personal data is processed in the course of using Microsoft 365. Personal data can be processed automatically or through input by users.
Personal data is processed in the context of User ID-based (with Microsoft 365 user account of ElringKlinger) as well as non-User ID-based processes (Business2Business users, e.g. external persons without Microsoft 365 user account of ElringKlinger).
Data could also be processed in third-party apps. These are currently disabled.
For the purpose of collaboration with or between users and guests (user ID-based operations) within the tenant as well as secure IT operations, the following personal data is processed from them:
1. Documents and files
Various types of documents and files can be processed.
2. Communication data of the user
Chat, video telephony, live transmissions of sound and, if necessary, image and screen, photo
3. Communication data generated by the system
Time, location, jitter value, data transfer rate, IP address, device designation
4. Basic personal data for the account (the user account) can be supplemented with user-generated data
First name, last name, address, UPN (User principal name; technical user name), telephone number, position, organization, mail address, telephone and fax number.
5. Authentication data
Login data, password, username, time, place
6. Contact information
Professional contact, work, and organizational information (e.g., name, email, company, personnel number, photo if applicable, etc.) and private contact information (home phone numbers and address).
7. Profiling
Risk profile in the context of cybersecurity and IT security (e.g. identity protection)
8. Log file with accesses
Metadata and Administrative Events
9. System generated log data
Telemetry and diagnostic data created by the software.
10. Device information
(including information on the software used or the service used)
11. Cookies
For the purpose of secure and stable provision of the services, technically necessary cookies are used. These small cookies that are attached to the browser are, for example, authentication cookies for single sign-on.
4. Categories of data subjects
We transfer your data within the affiliated companies of the ElringKlinger Group for further processing based on appropriate purposes whenever this is needed. We only deploy of centralized Microsoft 365 tenant, which is managed by ElringKlinger AG.
Summary of categories of people:
- Employees
- Former employees
- Freelance employees
- Applicants
- Works Councils
- Representative for severely disabled persons
- Data protection staff and coordinators
- Trainees and students
- Interns
- Customers
- Leads (future customers)
- External (e.g. service providers, consultants, third parties)
- Suppliers
- Partners and companies
- Affiliated companies of ElringKlinger AG
5. Legal basis for the processing of personal data
The legal basis for the operation of Microsoft 365 are based on:
- Employees Art. 6 para. 1 p. 1. lit. b i.V.m. Employment contract, i.V.m. Art. 88 DSGVO
- External user groups Art. 6 para. 1 p. 1 lit. b DSGVO in conjunction with corresponding contracts;
The processing for purposes of IT security (esp. log files and metadata) as well as cookies (cookies and §25 para. 2 TTDSG) are based on Art. 6 para. 1 lit. b i.V.m. Employment contract. The legitimate interests pursued by the responsible parties include the following:
- Detection of improper use;
- IT security and continuous improvement of services.
If image and sound recordings are made at internal events, this is done on the basis of Art. 6 (1) a) DSGVO (consent).
Processing in individual
Identity Management
As part of identity management with Azure Active Directory /Entra-ID (AAD), identities, devices and applications are processed centrally in Microsoft 365. In particular, all identities linked to Microsoft 365 are processed with the ElringKlinger environment, as well as guests. This enables to securely access and use various Microsoft 365 applications.
Data categories
1-11
Other legal bases for the use
| Art. 6 para. 1 p. 1 lit. a DSGVO, Art. 88 DSGVO | Image of the employee(s) |
| Art. 6 para. 1 p. 1 lit. a DSGVO, Art. 88 DSGVO | Location of the employee(s) (e.g. in case of loss of the managed device via Intune, MFA). |
Email, calendar and tasks
In the context of data processing related to emails, calendar data and tasks in particular in the Exchange hybrid environment.
Data categories
1,2,3,4,5,6,7,8,9,10
Further legal bases for the use
| Art. 6 para. 1 p. 1. lit. b DSGVO i.V.m employment contract or future employment contract | Employees, applicants |
| Art. 6 para. 1 p. 1 lit. b DSGVO in conjunction with the respective contract | External persons, for contract performance or contract initiation |
| Art. 6 para. 1 p. 1 lit. b, f DSGVO | External persons, applicants |
Communication: Chat
Chat communication is used to communicate between employees and members and also guests. In addition to chats, content such as files can also be shared and edited together with Microsoft Teams.
Data categories
1-11
Further legal bases for the use
| Art. 6 para. 1 p. 1. lit. b DSGVO i.V.m employment contract or future employment contract | Employees, applicants |
| Art. 6 para. 1 p. 1 lit. b, a DSGVO | Business partners |
| Art. 6 para. 1 p. 1 lit. a DSGVO | Online application interviews with applicants = to chat |
| Art. 6 para. 1 p. 1 lit. a DSGVO | External persons |
| Art. 6 para. 1 p. 1 lit. a DSGVO, Art. 88 DSGVO | Image of the employee, audio files |
Communication: Video conferencing
In the context of video conferencing with Microsoft Teams, both Microsoft Teams Meetings and Microsoft Live Events are used.
Data categories
1,3,4,5,6,7,9,10,11
Further legal bases for the use
| Art. 6 para. 1 p. 1. lit. b DSGVO in connection with employment contract or future employment contract | Employees, applicants |
| Art. 6 para. 1 p. 1 lit. a DSGVO | Online application interviews with applicants |
| Art. 6 para. 1 p. 1 lit. b, a DSGVO | Business partners |
Art. 6 para. 1 p. 1 lit. a DSGVO Art. 6 para. 1 p. 1 lit. a DSGVO | External persons |
| Art. 6 para. 1 p. 1 lit. b, a DSGVO | Attendance reports Deletion 90 days after the end of the meeting |
Collaboration on documents and files
In the context of collaboration on documents and files, SharePoint Online is mostly used, whether directly or in the background.
Data categories
1,2,4,5,9,10
Further legal bases for the use
| Art. 6 para. 1 p. 1. lit. b DSGVO in connection with employment contract or future employment contract | Employees, applicants |
| Art. 6 para. 1 p. 1 lit. b, a DSGVO | Business partners/individuals |
| Art. 6 para. 1 p. 1 lit. a,f DSGVO | External persons |
Surveys
Within Microsoft 365, surveys can be created and conducted using Form. In the context of this, the department conducting the survey, the purpose and the deletion period are specified for each survey.
Processing in SharePoint Online is then based on the following legal bases, depending on the survey:
Further legal bases for the use
| Art. 6 para. 1 p. 1. lit. b, a DSGVO at b i.V.m employment contract or future employment contract | Employees, applicants |
| Art. 6 para. 1 p. 1 lit. b, a DSGVO | Business partners/individuals |
| Art. 6 para. 1 p. 1 lit. a, f DSGVO | External persons |
Safety functions
As part of the secure and stable deployment of Microsoft 365, security tools from the Microsoft 365 package are used. These are known as Defender.
The Defender products are designed to secure the modern workplace around Windows and Office, i.e. the Microsoft 365 environment up to the end device. This includes cybersecurity tools from antivirus to antispam and protection of emails and their attachments.
Data categories
1-13
Legal basis
| Art. 6 para. 1 p. 1. lit. b DSGVO i.V.m employment contract or future employment contract | Employees, applicants |
| Art. 6 para. 1 p. 1 lit. b, e DSGVO | External persons |
| Art. 6 para. 1 p. 1 lit. b, e DSGVO | Service providers |
International data transfer
In the course of data processing, international data transfer may occur. This is data transfer in case of support and in case of cybersecurity incident.
- Reverse exceptions Art. 49 para. 1 lit c DSGVO for purposes a and f (see under "Disclosure of data").
- Reverse Exceptions Art. 49(1)(d) GDPR for purposes b, c, d, g, h (see at (Disclosure of Data).
- When processing for the purpose of provision, the GDPR applies directly to Microsoft as a data processor:
- Subprocessor
- Standard data protection clauses with additional safeguards for commissioned processing
For telemetry and diagnostic data, the standard of the DPA and the current EU standard contractual clauses, Art. 46 Para. 1 DSGVO for the chaining of Microsoft Ireland Inc. to Microsoft Corporation is relied upon. It was reduced by configuration the collection and processing of telemetry and diagnostic data to a minimum and also the storage in the environment. From the end of 2023, this data will only be processed in Europe and there will no longer be any data transfer to the USA for personal data in this area.
Microsoft Corporation
- Standard data protection clauses with additional safeguards for commissioned processing between Microsoft Ireland and Microsoft Corporation.
- As of July 10, 2023, the EU-US Data Privacy Framework also applies as an adequacy decision as the legal basis for Microsoft to transfer data to the US.
6. To which recipients or categories of recipients do we disclose your data within the scope of this processing activity?
ElringKlinger Group
We share your data as needed and based on a purpose within the ElringKlinger Group on the basis of commissioned data processing. For example, only one Microsoft 365 tenant is used in a
centralized manner and managed by ElringKlinger AG and its IT staff.
Processor
We also pass on your personal data to service providers commissioned by us as part of contract processing (including, for example, to Microsoft Ireland Operations Ltd.). These include, among others, the IT service providers commissioned by the responsible party as part of their administrative activities (e.g. as part of support and maintenance work).
Third
External parties receive data in individual cases, insofar as this is permitted and necessary for the above-mentioned purposes. These include, among others, the IT service providers commissioned by the data controller as part of their administrative activities (e.g. as part of support and maintenance work).
In addition, we transmit your personal data, as far as legally required, in individual cases to authorities as far as legally necessary.
7. How do we transfer data outside Europe?
We transfer data on the basis of standard contractual clauses in conjunction with order processing agreements. In addition, there is a transfer of pseudonymized telemetry and diagnostic data from Microsoft Ireland to Microsoft Corp. on the basis of EU standard contractual clauses.
8. How long do we store your data?
We store your data for as long as it is required for the use of Microsoft 365 or as long as there is a purpose or legal basis. A central backup solution at a German service provider is used as cloud backup to secure the Microsoft 365 environment (Exchange, SharePoint, etc.).
Position data or location data explicitly released by the user are processed exclusively during the meeting. This data is not stored beyond this time.
Metadata from calls and meetings are stored for a maximum of 120 days (depending on the date). Here, too, the data is automatically deleted after the periods have expired. It is not possible to adjust the time limits for live events (120 days) and teams meetings/calls (90) days. However, these are needed for the stability of the system, support and also to defend against attacks in this vector. Only certain authorized and monitored administrators have access.
Logged administrative events are stored for 180 days and then automatically deleted.
E-mails and attachments are kept within the legal retention periods and then deleted if there are no other purposes.
The personal data processed by security tools and by other tools serving IT security are kept for 180 days and then subject to deletion. In individual cases and in the event of security incidents, some data may be kept longer in order to investigate the incident and prevent future ones.
Under certain circumstances, your data must also be retained for longer, for example in connection with a corresponding official or court order in the form of a so-called litigation hold, which includes a prohibition on data deletion for the duration of the proceedings.
9. Technical-organizational measures
In the context of processing your personal data, we have carried out a risk analysis for the processing and, based on this, introduced risk-adjusted technical and organizational measures. These measures are regularly reviewed and adapted to the existing risks.
Among other things, we have taken the following measures:
- Data classification
- Monitoring and supervision of the environment
- Use of Customer Lockbox for access to customer data
- Deactivation of the feedback function
- Restriction of the functions of the connected and optionally connected services
- Contractual measures and supplementary agreements
ElringKlinger AG has implemented an integrated management system for data protection and information security and has this audited and certified externally on a regular basis on the basis of ISO 27001 or the industry information security standard VDA-TISAX.
Microsoft Entra ID (formerly:Azure Active Directory (AAD)) and Single-ign-on (SSO)
Azure Active Directory (new: Microsoft Entra ID) (ADD) is used in particular as Microsoft's identity system. This makes it possible to control and monitor access to applications, files and devices according to the need-to-know principle. In addition, we use MFA to secure the accounts. Furthermore, ADD enables automatic logon to devices managed by ElringKlinger.
For more TOMs, see Appendix 1.
10. What data protection rights do you have?
In the following, we enumerate the rights to which you are entitled under data protection law, which you can assert against the person responsible at any time and free of charge.
You can find out how to contact the data protection officer and the person responsible under point 1.
Right to information
You have the right to obtain information from us about the processing of your personal data.
Right of rectification
You have the right to request that we correct any inaccurate or incomplete personal data relating to you.
Right to erasure
You have the right to request the erasure of your data if the conditions set out in Art. 17 DSGVO are met. According to this, you can, for example, demand the deletion of your data insofar as it is no longer necessary for the purposes for which it was collected. In addition, you can demand deletion if we process your data on the basis of your consent and you later revoke this consent.
Right to restriction of processing
You have the right to request the restriction of the processing of your data if the conditions of Art. 18 DSGVO are met. This is the case, for example, if you dispute the accuracy of your data. You can then request the restriction of processing for the duration of the verification of the accuracy of the data.
Right to data portability
If the data processing is based on consent or contract performance and is also carried out using automated processing, you have the right to receive your data in a structured, common and machine-readable format and to transfer it to another data processor.
Right of revocation
If the data processing is based on consent, you have the right to revoke the data processing under consent with effect for the future at any time free of charge.
Right to complain
You also have the right to complain to a data protection supervisory authority about the processing of your data.
Right to object
Data subjects have the right to object to data processing at any time on grounds relating to their particular situation, insofar as this is based on the legal basis of "legitimate interest". If data subjects exercise their right to object, the processing of their data will be discontinued unless - in accordance with the legal requirements - compelling legitimate grounds for further processing can be demonstrated that override the data subjects' rights.