Deutsch Intern
  • 50-jähriges Jubiläum des Rechenzentrums
Information Technology Centre

Microsoft 365 privacy information

Summary

  • The University of Würzburg manages applications available through https://myapps.microsoft.com/uni-wuerzburg.de or enables access to third-party services.
  • When using Microsoft's online services, a digital footprint is created.
  • In addition to the University, Microsoft Ireland Operations Limited and Microsoft Corporation in particular are processing personal data.
  • Your Microsoft Education account profile and status is generally visible to all members and within Teams to invited guests to enable collaboration and communication.
  • Teams also allow external users to communicate with you or you to communicate with them.

Controller

Julius-Maximilians-University of Würzburg
(body governed by public law)

Its president represents the university.

Sanderring 2, 97070 Würzburg, Germany

Telephone +49931-31-0
Fax  +49931-31-82600

Contact details of the data protection officer

data protection officer of Julius-Maximilians-University of Würzburg
Sanderring 2
97070 Würzburg, Germnay
Telephone +49931-31-0
datenschutz@uni-wuerzburg.de

Controller and their data protection officers (in addition to the licensee)

Microsoft Ireland Operations Limited 

One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland

Microsoft Corporation  

One Microsoft Way Redmond, Washington 98052, United States of America

Data protection

Microsoft privacy help & learning and contact

Rights of the data subject

General

With regard to the processing of your personal data, you, as a data subject, have the following rights under Art. 15 e.g. GDPR to:

  • You can request information  about whether we process personal data from you. If this is the case, you have the right to information about these personal data as well as to other information related to the processing (Art. 15 GDPR). Please note that in certain cases this right of access may be limited or excluded (see in particular Art. 10 BayDSG).
  • In the event that personal data about you is no longer (no longer) accurate or incomplete, you may request a correction  and, if necessary,  completion of such data (Art. 16 GDPR).
  • If the legal requirements are met, you can request the deletion of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR). However, the right to erasure under Art. 17 sec. 1 and 2 GDPR does not suceed, if the processing of personal data is necessary for the performance of a task in the public interest or excecuted by an official authority (Art. 17 sec. 3(3) (b GDPR).
  • If you have consented to the processing or if there is a contract for data processing and the data processing is carried out by means of automated procedures, you may have the right to data portability  (Art. 20 GDPR).
  • You have the right to complain to a supervisory authority within the meaning of Article 51 GDPR about the processing of your personal data. The Bavarian State Commissioner for Data Protection, Wagmüllerstraße 18, 80538 Munich, is responsible for the supervisory authority for Bavarian public authorities.

Purposes and legal bases of the processing

Purposes

Subscription and use solution Microsoft 365 for extensive collaboration and communication as a tool for teaching, research and administration. 
This includes the use of licensed products and services, providing updates, ensuring information security, and technical and customer support. Statistics on usage are also generated.
And disclosure maybe also possible for the following purposes of Microsoft:

a) Billing and account management 
b) Interal and reseller compensation 
c) Internal reporting and modeling 
d) Combating fraud 
e) Cybercrime or cyberattacks 
f) Improving core functionality related to accessibility, privacy, or energy efficiency 
g) Financial reporting 
h) Compliance with legal obligations 

Legal basis

For the university and persons identifiable in communications and documents: Art. 6.1e GDPR in conjunction with. Art. 4 BayDSG (in particular Art. 3a ArbStättV, Art. 13 BayBGG, Art. 11.1 BayEGovG, Art. 13.7 TMG, Art. 6.1 BayDSG, Art. 10.1 BayHSchG, Art. 7 BayHO, Art. 20a GG, Art. 3, 3a, 141 BayVerf). 

For the persons who use Microsoft 365 in the role as an employee furthermore Art. 6.1b GDPR in conjunction with. Art. 4 BayDSG (§ 106 Gewerbeordnung, employment contract, collective agreement), civil servants furthermore Art. 6.1c GDPR i.V.m. Art. 4 BayDSG (Art. 33.5 GG, civil service law)

Legal basis for disclosure to Microsoft (beyond data processing)

  • For licensed persons Art. 6.1b GDPR (a) and f).)
  • For purposes not contractually required, Art. 5.1.1.2 BayDSG (b), c), d) e), g), h))

Categories of personal data

  1. Documents and files
  2. Tasks and solutions
  3. Communication data
  4. Basic personal data for the account, that can be enriched with user-generated data
  5. Authentication data
  6. Contact information
  7. Profiling
  8. Log file with accesses
  9. System generated log data
  10. Device information (including information on the software used or the service used)
  11. Product feedback (including information about the device used and the software or service used)

Categories of data subjects

  • For categories of personal data 1-12 data subjects who use or administer Microsoft 365
  • For categories of personal data 3, 8, 9, 11, 12 data subjects, identifiable in communication and documents

Recipients 

Reference to the appropriate or suitable safeguards for international data transfers

Period of stored data

  • 90 days after erasure dof the account on request or after objection (categories of personal data 4-7) 
  • 90 days after erasure of content data, after the personal data are no longer necessary in relation to the purposes (categories of personal data 1-3) 
  • 180 days for the categories of personal data 8 and 9
  • Event-related for categories of personal data 10 and 11