- The University of Würzburg manages applications available through https://myapps.microsoft.com/uni-wuerzburg.de or enables access to third-party services.
- When using Microsoft's online services, a digital footprint is created.
- In addition to the University, Microsoft Ireland Operations Limited and Microsoft Corporation in particular are processing personal data.
- Your Microsoft Education account profile and status is generally visible to all members and within Teams to invited guests to enable collaboration and communication.
- Teams also allow external users to communicate with you or you to communicate with them.
Julius-Maximilians-University of Würzburg
(body governed by public law)
Sanderring 2, 97070 Würzburg, Germany
Contact details of the data protection officer
data protection officer of Julius-Maximilians-University of Würzburg
97070 Würzburg, Germnay
Controller and their data protection officers (in addition to the licensee)
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland
One Microsoft Way Redmond, Washington 98052, United States of America
Rights of the data subject
With regard to the processing of your personal data, you, as a data subject, have the following rights under Art. 15 e.g. GDPR to:
- You can request information about whether we process personal data from you. If this is the case, you have the right to information about these personal data as well as to other information related to the processing (Art. 15 GDPR). Please note that in certain cases this right of access may be limited or excluded (see in particular Art. 10 BayDSG).
- In the event that personal data about you is no longer (no longer) accurate or incomplete, you may request a correction and, if necessary, completion of such data (Art. 16 GDPR).
- If the legal requirements are met, you can request the deletion of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR). However, the right to erasure under Art. 17 sec. 1 and 2 GDPR does not suceed, if the processing of personal data is necessary for the performance of a task in the public interest or excecuted by an official authority (Art. 17 sec. 3(3) (b GDPR).
- If you have consented to the processing or if there is a contract for data processing and the data processing is carried out by means of automated procedures, you may have the right to data portability (Art. 20 GDPR).
- You have the right to complain to a supervisory authority within the meaning of Article 51 GDPR about the processing of your personal data. The Bavarian State Commissioner for Data Protection, Wagmüllerstraße 18, 80538 Munich, is responsible for the supervisory authority for Bavarian public authorities.
Purposes and legal bases of the processing
Subscription and use solution Microsoft 365 for extensive collaboration and communication as a tool for teaching, research and administration.
This includes the use of licensed products and services, providing updates, ensuring information security, and technical and customer support. Statistics on usage are also generated.
And disclosure maybe also possible for the following purposes of Microsoft:
a) Billing and account management
b) Interal and reseller compensation
c) Internal reporting and modeling
d) Combating fraud
e) Cybercrime or cyberattacks
f) Improving core functionality related to accessibility, privacy, or energy efficiency
g) Financial reporting
h) Compliance with legal obligations
For the university and persons identifiable in communications and documents: Art. 6.1e GDPR in conjunction with. Art. 4 BayDSG (in particular Art. 3a ArbStättV, Art. 13 BayBGG, Art. 11.1 BayEGovG, Art. 13.7 TMG, Art. 6.1 BayDSG, Art. 10.1 BayHSchG, Art. 7 BayHO, Art. 20a GG, Art. 3, 3a, 141 BayVerf).
For the persons who use Microsoft 365 in the role as an employee furthermore Art. 6.1b GDPR in conjunction with. Art. 4 BayDSG (§ 106 Gewerbeordnung, employment contract, collective agreement), civil servants furthermore Art. 6.1c GDPR i.V.m. Art. 4 BayDSG (Art. 33.5 GG, civil service law)
Legal basis for disclosure to Microsoft (beyond data processing)
- For licensed persons Art. 6.1b GDPR (a) and f).)
- For purposes not contractually required, Art. 184.108.40.206 BayDSG (b), c), d) e), g), h))
Categories of personal data
- Documents and files
- Tasks and solutions
- Communication data
- Basic personal data for the account, that can be enriched with user-generated data
- Authentication data
- Contact information
- Log file with accesses
- System generated log data
- Device information (including information on the software used or the service used)
- Product feedback (including information about the device used and the software or service used)
Categories of data subjects
- For categories of personal data 1-12 data subjects who use or administer Microsoft 365
- For categories of personal data 3, 8, 9, 11, 12 data subjects, identifiable in communication and documents
- Microsoft Ireland Operations Limited, for the purpose of data processing and contract performance
- Microsoft Corporation, for the purpose of data processing and contract performance and own purposes
- as Microsofts Online Services Subprocessor and Microsofts Commercial Support Subcontractors
Reference to the appropriate or suitable safeguards for international data transfers
- For the university
Art. 49.1c GDPR for purposes a) and f)
Art. 49.1d GDPR for purposes b), c), d), e), g), h).
- Microsoft Corporation
Standard Contractual Clauses (Processors) with Additional Safeguards Addendum
When processing for its own purposes, the GDPR applies directly to Microsoft.
- Subprocessors and Subcontractors
Standard Contractual Clauses (Processors)
Period of stored data
- 90 days after erasure dof the account on request or after objection (categories of personal data 4-7)
- 90 days after erasure of content data, after the personal data are no longer necessary in relation to the purposes (categories of personal data 1-3)
- 180 days for the categories of personal data 8 and 9
- Event-related for categories of personal data 10 and 11