Privacy policy for the use of Microsoft Teams

State 04.10.2021

The Karlsruhe Institute of Technology (KIT) uses "Microsoft Teams" as part of "Microsoft 365". This cloud-based tool from Microsoft includes chats, video conferencing, telephony, sharing and editing of files, and enables flexible electronic communication. This also involves the processing of personal data within the meaning of Article 4(1) of the EU General Data Protection Regulation (GDPR), as the data relates to an identified or identifiable natural person. If the service is used in a way that goes beyond guest participation in video conferences, the creation of a personal Microsoft account is a requirement. Depending on the functions used, additional personal data will be processed.
 

1. Controller 

The controller of data processing within the meaning of the GDPR and other data protection legislation:

Karlsruhe Institute of Technology
Kaiserstraße 12
76131 Karlsruhe
Germany
Phone: +49 721 608-0
Fax: +49 721 608-44290
E-mail: info∂kit.edu

KIT is a corporation governed by public law. It is represented by the President, Prof. Dr.-Ing. Holger Hanselka.

Our Data Protection Officer can be contacted at datenschutzbeauftragter∂kit.edu or by ordinary mail with “Die Datenschutzbeauftragte” (the data protection officer) being indicated on the envelope.
 

2. Account creation

In order to use the Service as a person affiliated with KIT via KIT's Microsoft 365 tenant, with all features made available therewith, it is necessary to create and use a personal Microsoft account for this purpose. The following data will be processed:

  • First name
  • Last name
  • E-mail address
  • KIT-Account
  • Organisational Unit
  • Country of use (Germany – DE)
     

3. Processing for the features of the service

Feature-dependent, additional personal data is processed when using Microsoft Teams:

  • Communication data (video stream, audio stream, chat content, metadata)
  • Activity data
  • IP address and other device information
  • Personal data in documents and files
  • Access logs and other diagnostic data
  • Other personal data required for the use of specific features

If you participate in a "Teams meeting", personal data of the participants of the meeting will be processed to the extent required for this purpose. The video and audio data recorded via the camera and microphone of your device are transmitted to servers of Microsoft's Azure cloud together with your IP address and other device information. The video and audio data is forwarded to the end devices of the meeting participants.

In any case, the video and audio data contain your image or voice as personal data, since the data refers to you as an identified or identifiable natural person. In addition, the content of the conversation, the chat content and your display name may allow conclusions to be drawn about your person. IP address, browser configuration and other device information also generally provide information about yourself.
 

4. Recipients

Microsoft (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA) processes the data for the performance of the contract with KIT and stores it on servers in the European Union.

Usage-dependent, Microsoft's subcontractors are also recipients of personal data.

If you communicate with other persons, they are recipients of the personal data you disclose.
 

5. Legal basis

When used in the employment context, the legal basis is Article 88(1) GDPR in conjunction with Section 15(1) Landesdatenschutzgesetz Baden-Württemberg (LDSG, State data protection act of the state Baden-Württemberg), as the data processing is necessary for the performance of the employment relationship.

When using Microsoft Teams for tasks of higher education, the legal basis is Article 6(1)(e), (3)(b) GDPR in conjunction with Section 12 Landeshochschulgesetz (LHG, Higher Education Act of the state Baden-Württemberg) in conjunction with Sections 2, 20 KIT-Gesetz.

When Microsoft Teams is used to fulfill the other tasks of KIT, the legal basis is Article 6(1)(e), (3)(b) GDPR in conjunction with Section 4 LDSG in conjunction with Section 2 KIT-Gesetz.
 

6. Storage duration

Your personal data processed for the purpose of managing your Microsoft account will remain stored as long as the account exists. After initiating the deletion of the account, this personal data will be deleted after 90 days.

The retention period for the usage-related data depends on the necessity for the services. This data is deleted after 90 days if it is no longer required.

The system-generated log data are deleted after a period of 180 days.
 

7. Third country transfer

If, in individual cases, it is necessary to transfer personal data to a country outside the EU / EEA, the transfer occurs in relation to Microsoft on the basis of the standard data protection clauses of the EU Commission as a safeguard for an adequate level of data protection within the meaning of Article 46(2)(c) GDPR or, in relation to the person in the third country with whom the communication takes place, as an exceptional case pursuant to Article 49(1)(b), (c) or (d) GDPR.
 

8. Rights

You have the following rights regarding your personal data:

  • the right to obtain confirmation as to whether data concerning you is being processed and information on the data processed, further information on data processing, and copies of data (Article 15 GDPR)
  • the right to rectify or complete inaccurate or incomplete data (Article 16 GDPR)
  • the right to erasure of data concerning you without undue delay (Article 17 GDPR)
  • the right to restriction of processing (Article 18 GDPR)
  • the right to object to the future processing of the data concerning you which is based on Article 6(1) point (e) or (f) GDPR (Article 21 GDPR)

Please note that the above rights may be restricted in certain cases (see in particular Sections 8 to 11 LDSG or 13 (4) LDSG).

You also have the right to lodge a complaint with a supervisory authority about the processing of the personal data concerning you by Karlsruhe Institute of Technology (KIT) (Article 77 GDPR). Supervisory authority of KIT in the sense of Article 51(1) GDPR is according to Section 25(1) LDSG:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg)

Street address:       

Lautenschlagerstraße 20
70173 Stuttgart
Germany

Postal address:   

Post office box 10 29 32
70025 Stuttgart
Germany
Phone: +49 711/615541-0
Fax: +49 711/615541-15
E-mail: poststelle∂lfdi bwl de