sprungmarken_marker_19027

Privacy Policy for KIT Students Using M365

(Version: 4192.2600 ) Privacy Policy According to Article 13 of the General Data Protection Regulation (GDPR)

This privacy policy is to inform you about the processing of your personal data and your rights according to data protection legislation. According to Article 4, No. 1 of the EU General Data Protection Regulation (GDPR), personal data are all data referring to an identified or identifiable natural person.

1. Controller and Data Protection Commisioner

According to the GDPR (Art. 4, No. 7) and other data protection regulations, the controller is:

Karlsruhe Institute of Technology (KIT)
Kaiserstraße 12, 76131 Karlsruhe
Germany
Phone: +49 721 608-0
Fax: +49 721 608-44290
Email: info∂kit edu

Karlsruhe Institute of Technology is a public corporation represented by its President. Our Data Protection Commissioner can be contacted at datenschutzbeauftragte∂kit.edu or by ordinary mail with “Die Datenschutzbeauftragte“ (the Data Protection Commissioner) being indicated on the envelope.

2. Type of Data Processing

a. Scope and purpose: We process your personal data, namely, your

KIT account
Email addresses
In case of reverse pseudonymization of students: First name, last name

for the purpose of supplying a cloud-based communication and collaboration solution. At the time this information is made available, the following applications of M365 are provided for students at KIT:

M365 Entra ID;
Office applications;
MS Teams;
MS OneDrive;
MS SharePoint Online;
MS OneNote;
MS Planner;
MS To Do;
MS Lists;
MS Whiteboard;
MS Copilot;
MS Visio;
MS Project;
MS Power Platform;
MS Clipchamp;
MS Loop.

When using applications of M365, additional personal data are processed depending on the functions used:

Communication data (video streams, audio streams, chat contents, meta data);
activity data;
IP address and other device information;
personal data in documents and files;
access protocols and other diagnosis data;
other personal data required for the use of specific functions.

Further details on the scope and purpose are given in Annex 1 “Data, Purposes, and Storage Periods.”

b. Recipients: At KIT, access to the data above will be given in particular to the staff members in charge from KIT’s information technology center, the Scientific Computing Center (SCC) of KIT, who are assigned the roles of administrators. To the extent to which you communicate with other persons, these persons will be recipients of the personal data disclosed by you.

For the use of M365, we are cooperating with the external contractor “Microsoft Ireland Operations Limited“ (One Microsoft Place, South County Business Park, Carmanhall And Leopardstown, Dublin, D18 P521, Ireland) under a contract. This contractor works exclusively according to our instructions. This is guaranteed by strict contractual regulations, technical and organizational measures, and additional controls. Microsoft processes the data for purpose of fulfilling the contract and stores the data on servers within the European Union. More details can be found in Annex 2 “Supplier / Processor”.

According to archiving regulations, documents must be offered to the KIT Archives before they are erased. The KIT Archives will then decide on taking over the documents, thus ensuring the legitimate interests of the data subjects according to the State Archiving Act (Landesarchivgesetz Baden-Württemberg, LArchG) and the other pertinent regulations.

c. Transmission of data abroad: In case a transmission of personal data to a country outside of the EU / EEA will be required on an individual basis, data will be transmitted to Microsoft based on an adequacy decision according to Art. 45 GDPR and (to the extent to which this decision is not or no longer applicable) based on standard data protection clauses adopted by the EU Commission to adequately guarantee an appropriate data protection level according to Art. 46, par. 2, c GDPR. Data transmission to a person in the third country with whom communication takes place will be subject by way of exception to Art. 49, par. 1, letters b, c, and d GDPR.

d. Legal basis:

When using M365 services in connection with your work, the legal basis is Art. 6, par. 1, e and par. 3, b GDPR in conjunction with Art. 15, par. 1 of the State Data Protection Act (Landesdatenschutzgesetz, LDSG), as data protection is required for work under your employment contract.
As regards KIT’s university tasks, the legal basis results from Art. 6, par. 1, e, and par. 3, b GDPR in conjunction with Art. 12 of the Act of Baden-Württemberg on Universities and Colleges (Landeshochschulgesetz) in conjunction with Arts. 2 and 20 of the KIT Act (KIT-Gesetz).
To fulfill the other tasks of KIT, the legal basis results from Art. 6, par. 1, e and par. 3, b GDPR in conjunction with Art. 4 of the State Data Protection Act (LDSG) in conjunction with Art. 2 of the KIT Act.
As regards optional uses, the legal basis is Article 6, par. 1, a GDPR (consent).

e. Storage period: The personal data will be stored as long as they will be needed for the above purposes. The storage period of log data is given by the manufacturer. As per 01/2025, this storage period is 30 days. For log data classified potentially safety-relevant by the manufacturer, the maximum storage period is 180 days. After these periods, the log data will be erased automatically from the system.
In case a more detailed description is possible, details can be found in Annex 1 “Data, Purposes, and Storage Periods.”
According to Art. 5, par. 1, e GDPR in conjunction with Art. 8, par. 2 State Archiving Act (LArchG) and Arts. 3 and 2 LArchG , the data will be taken over by the KIT Archives upon their decision and archived permanently as a rule.

3. Your Rights

As far as your personal data are concerned, you have the following rights:

Right to revoke your consent with effect for the future, provided that processing is based on a consent according to Art. 6, par. 1, sub-par. 1, a GDPR (Art. 7, par. 3 GDPR).
Right to confirmation whether data about you are processed and right to information about the data processed and about the data processing, as well as right to obtain copies of the data (Article 15 GDPR).
Right to rectification or completion of incorrect or incomplete data (Article 16, GDPR).
Right to immediate erasure of your personal data (Article 17 GDPR).
Right to restriction of processing (Article 18 GDPR).
Right to data portability in a structured, standard, and machine-readable format, if processing is based on a consent according to Article 6, par. 1, sub-par. 1, a GDPR or Art. 9, par. 2, a GDPR or on an agreement according to Art. 6, par. 1, sub-par. 1, b (Article 20 GDPR).
Right to object to the future processing of your personal data, if the data are processed according to Art. 6, par. 1, e or f GDPR (Art. 21 GDPR).

In addition, you have the right to complain about the processing of your personal data by KIT with its supervisory authority (Article 77 GDPR). According to Art. 25, par. 1 LDSG (State Data Protection Act), the supervisory authority of KIT according to Art. 51, par. 1 GDPR is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (https://www.baden-wuerttemberg.datenschutz.de/, in German).

4. Annexes

4.1 Annex 1 “Data, Purposes, and Storage Periods“

Please find below further specific information on the type of data processing in connection with the use of M365:

#	Purpose of processing (inkl. Benennung der entsprechenden M365 Dienste)	Categories of personal data	Storage period
1.	M365 Entra ID directory service Cloud-based identity and access management service for the administration of user identities and the control of applications and data both in the cloud and on the PC	Basic data: First name Last name Account name Organization / Business Unit Address Phone number, email address Public key (SMIME) Log data of user activities: Registration logs, consisting of: Accessing application, user ID, IP address, status successful / not successful, resource ID (M365 service), time of registration, place of registration (derived from IP address), operation system, browser version Log data of administration activities: Activity protocols: Date and time of an activity, protocol service, category and name of activity, status of activity (success or failure)	Storage period of basic data attributes: 210 days after exmatriculation. (Deactivation of the account 180 days after exmatriculation, erasure of the account 30 days after deactivation.) The storage period of log data is given by the manufacturer. As per December 2025, it amounts to 30 days. For log data classified potentially safety-relevant by the manufacturer, the maximum storage period is 180 days. After these periods, the log data will be erased automatically from the system.
2.	Meetings (online) with both internal and external participants (MS Teams): Organization of meetings, PR work (see meetings (online) with internal participants exclusively under purpose # 5)	Name; Contact data; Participation Contents (audio and video, chat, speech transcription).	The storage period depends on the Teams storage regulations that are defined centrally. According to these regulations, recordings of meetings are stored for a standard period of 60 days, provided that this period has not been shortened or extended by the user who initiated the recording.
3.	Produktstabilität und Verbesserung (durch Diagnosedaten) (M365): Diagnose von Supportfällen und Sicherheitsvorfällen.	Product and service use data (error reports, crash data); Product and service performance data (application performance data).	The storage period of diagnosis data depends on the description given in other processing activities, because diagnosis data do not arise in an isolated manner, but in connection with another processing activity.
4.	Increase in work efficiency (MS Word, Excel, PowerPoint, OneNote, Publisher Access, Project, Visio, Forms, Power Platform, Clipchamp, Loop, Whiteboard): Supply of applications for business purposes.	Employee contact data (name, email address); Contents data (files, comments, profiles, such as signatures, etc.); Software setup and inventory data (software settings defined by the user).	As this processing activity describes the productivity apps from a purely functional perspective and processing of the data in the individual apps is described by separate processing activities, the storage period of comments, authors, changes, etc. in files depends on the storage period of the files of these separate processing activities. For the storage period of certain contents, it is therefore referred to the corresponding processing activities. The software settings of MS OneDrive and MS SharePoint are described under Section 9: Support of collaboration (MS SharePoint, MS OneDrive).
5.	Meetings (online) with internal participants exclusively (MS Teams): Supply of audio and video conferencing and collaboration functionalities (see also meetings (online) with both external and internal participants, purpose #1)	Name; Contact data; Participation Contents (audio and video, chat, speech transcription).	The storage period depends on the centrally defined Teams data storage regulation. The standard storage period of recordings of meetings is 60 days, unless this period has been shortened or extended by the user who initiated the recording.
6.	Speech transmission (MS Teams): Supply of audio communications services	Name; Contact data; Participation Contents (audio and video, chat, speech transcription).	Audio signals are streamed rather than stored, unless an audio transmission is recorded. The standard storage period of the recording is 60 days, provided that the user who initiated the recording has not shortened or extended this period.
7.	Direct messages and group communication (MS Teams): Supply of functions for collaboration based on chats	Name; Contact data; Participation Contents (chat, files).	The storage period can be defined by the administrator in the form of a group regulation and set by the individual users. Microsoft permits selection of the following storage periods by the user: 7 days, 30 days, 90 days, 1 year, 5 years, or never (i.e. no erasure of the data). The effective standard setting is “never”, i.e. no erasure of the data, with the user having the possibility to select other storage periods. When erasing an account (according to the deprovisioning regulation) or a team, the corresponding chats will be erased as well.
8.	Collaboration functionality (MS Teams): Supply of functions for collaboration via channels	Name; Contact data; Participation Contents (audio and video, chat, speech transcription).	Data remain stored until they are erased by manual erasure of the channel or data (see # 9)
9.	Support of collaboration (MS SharePoint, MS OneDrive): Storage and access management to support collaboration	Contents data (documents, table calculations, presentations, etc.) Contact data (name, email address)	SharePoint Online: Erasure of SharePoint sites: Persons who generated teams / team sites / channels can erase them if the contents are no longer required. Presently, SharePoint Online sites are not erased automatically. OneDrive: KIT’s Deprovisioning Regulations apply. 30 days upon the erasure of the KIT account, OneDrive directories are moved to the OneDrive trash bin for 93 days. Certain contents of the OneDrive directories can be erased by the persons assigned. Presently, no storage period has been activated for the automatic erasure of contents.
10.	Tasks and planning (Planner, MS To Do, MS Lists): Planning and organization of tasks for individuals and/or teams	Contact data (name, email address) Contents data (form responses)	No automatic erasure setting
11.	Data security (MS Defender): Protection of data and IT systems against unauthorized access, change or erasure	See defender categories below	See defender categories below
11a.	Defender for Endpoint	Files (name, size, hash), processes, registry data, network connections, device information (IDs, OS version)	Portal: 180 Tage Advanced Hunting: 30 Tage
11b.	Defender for Identity	Active directory and network events for the detection of suspect identity activities	180 days
11c.	Defender for Office 365 (Plan 1)	Email and meta data, alerts, audit logs, quarantine, reports, submissions, real-time detections	Alerts: 90 days Email: 30 days Audit: 7 days Quarantine: 30 days
11d.	Defender for Office 365 (Plan 2)	All Plan 1 data plus action center, automated investigation and response (AIR), advanced hunting, campaigns, incidents, threat analytics	Action center: 180 days AIR: 60 days Advanced hunting: 30 days Attack simulation: 18 month
11e.	Defender for Cloud Apps	Network information, OAuth app use, user and app audit data, file meta data / contents	Bis zu 180 Tage
11f.	Defender XDR / Microsoft 365 Defender	Alerts, incidents, cases, configuration data from associated services	Alerts/incidents: 180 days Advanced hunting: 30 days Cases: Permanent
12.	Facilitating contract execution by Microsoft (M365): Supply of system-generated protocol data produced by user interactions with M365 functions as well as of diagnosis data (if the diagnosis data function is activated) and meta data for the provision of aggregated data	System-generated protocol data Diagnosis data Meta data	System-generated protocol data and diagnosis data are subject to the storage period given for the purpose of processing in this document
13.	AI-supported productivity (MS Copilot chat): Use of AI for daily activities to search for, summarize, and generate contents	Contents data (files, chats, meta data) Proofs of authorization (Org-ID (Azure Active Directory object-ID / Entra ID object ID))	Contents generated by users are stored by the users until erasure

4.2 Annex 2 “Supplier / Processor“

Depending on the purpose of processing for which the supplier is hired, we share certain personal data (to the extent required) with the following subcontractors:

(Sub)Contractor	Jurisdiction of the (Sub)Contractor	Reason for Involvement of (Sub)Contractort
Microsoft Ireland Operations Ltd.:	Ireland	Supply of M365
Microsoft Corp.:	USA	Supply of M365
Other subcontractors of Microsoft Ireland Operations Ltd., which are listed for the corresponding service in the latest version of the list of subcontractors under https://www.microsoft.com/en-us/trust-center/privacy/data-access	See linked list	Supply of M365

Overview