Data protection information when using Microsoft 365

We would like to inform you about the collection, processing and storage of your personal data when using Microsoft 365 services. We use Microsoft 365 services to provide and operate workstations and to communicate with internal and external communication partners.

Name and contact details of the responsible person

Eurobase GmbH
17, Fausermillen
6689 Mertert
Phone: +352 74 92 921
Fax: +352 74 00 44

Name and contact details of the data protection officer

DURY Compliance & Consulting GmbH
Obertorstraße 1
66111 Saarbrücken

Other data controllers and their data protection officers

Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland,
Microsoft Corporation
One Microsoft Way Redmond, Washington 98052
Topic page with FAQ and contact options from Microsoft

Data that we process and that we collect from you

The data we collect and process depends on how you use Microsoft 365 services.

Purpose of processing

Obtaining and using Microsoft 365 as a tool for operating workplaces and for communicating with internal and external communication partners (Microsoft Teams). This includes the use of the licensed products and services, provision of updates, ensuring information security, and technical and customer support. Statistics on usage are also compiled.
Including disclosure for the following Microsoft purposes:
·       Billing and account management
·       Compensation
·       Internal reporting and modeling
·       Combating fraud
·       Cybercrime or cyberattacks
·       Improving core functionality in terms of accessibility, privacy, or energy efficiency
·       Financial reporting
·       Compliance with legal obligations

What data is processed?

When using Microsoft 365 services, the following categories of data are processed in particular:
1.     documents and files
2.     tasks
3.     communication data
4.     basic personal data
5.     authentication data
6.     contact information
7.     profiling
8.     log file with accesses
9.     system generated log data

Legal basis for processing

Insofar as we process personal data, the following legal bases apply to the processing:
·       For persons who are identifiable in communication and documents Art. 6 (1) lit. b DSGVO, if it concerns the initiation or implementation of a contractual relationship or Art. 6 (1) lit. f DSGVO. In these cases, our interest is in the effective execution of online meetings or the effective assignment of documents to the relevant parties.
·       for those individuals who use Microsoft 365 in the role as a
Employee furthermore Art. 6 para. 1 lit. b DSGVO
Legal bases for disclosure to Microsoft (beyond commissioned processing).
·       for licensed persons Art. 6 para. 1 lit. b DSGVO as well as Art. 49 para. 1 lit. c DSGVO (1. and 6.)
·       for contractually unnecessary purposes Art. 49 para. 1 lit. d DSGVO (2.-5.,7.,8.)

Categories of affected persons
·       for data categories 1-9 People who use or administer Microsoft 365
·       for data categories 3, 8, 9 persons identifiable in communication and documents

Categories of recipients of your personal data
·       Microsoft Ireland Operations Limited, for the purpose of order processing and contract performance
·       Microsoft Corporation, for order processing and contract fulfillment and its own purposes.
·       as well as their subcontracted processors and support service providers

Transfer to third countries

Some of the service providers we use (in particular Microsoft) are U.S. companies that also have parts of the data processed in third countries (in this case, the U.S.). As such, they are subject to U.S. law. Under certain circumstances, they are obliged to disclose data to U.S. authorities. In individual cases, this may also include your personal data. As an E.U. citizen, you cannot defend yourself against these measures in the same way as would be possible in the E.U.
Our service providers all assure a high priority with regard to data protection, have assured extensive protection and security measures and have concluded contracts with us with so-called standard data protection clauses.
·       Microsoft Corporation
Standard data protection clauses with additional safeguards for commissioned processing.
When processing for its own purposes, the GDPR applies directly to Microsoft.
·       Subprocessor
Standard data protection clauses
·       for Eurobase GmbH
Withdrawals Art. 49 para. 1 lit c DSGVO for purposes 1. and 6. (contract performance)
Re-exceptions Art. 49 para. 1 lit. d DSGVO for purposes 2.-5., 7., 8. (Microsoft’s own purposes)

Duration of storage

As a matter of principle, we delete personal data if there is no need for further storage. A requirement may exist in particular if the data is still needed in order to fulfill contractual services, to check and grant or defend against warranty and, if applicable, guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.

Your rights in relation to data processing

You have the following rights with regard to data processing at Eurobase GmbH:

The right to information about which data we process about you (Art. 15 DSGVO)
You have a right to information about which of your data is processed by us. Upon request, we will be happy to inform you about the data in question. In addition, you will receive further information to the extent defined by law.

The right to rectify your data if they are incorrect in content (Art. 16 GDPR)
You have a right to have your data corrected. This is particularly the case if facts subsequently change, such as the surname and marital status in the event of marriage. In this case, we will correct any changed data.

Right to erasure (‘right to be forgotten’) (Art. 17 GDPR)

If data is no longer required or if processing takes place in an individual case without it being necessary in this way, you have a right to have the data deleted. In these cases, we will delete your data immediately. In certain cases, however, there may be a retention obligation, so that unfortunately your data cannot be deleted or cannot be deleted completely. However, we will then only retain your data for the intended retention purpose and will of course not use it for any other purpose (see section 4.).

The right to restrict the processing of your data (Art. 18 DSGVO)
If the data is subject to a retention obligation, we are unfortunately unable to delete the data. In this case, we restrict processing to the greatest extent possible. Processing is also restricted if you request correction of the data and it is not yet clear to what extent changes are to be made. Restriction of processing usually means that the data is only stored but blocked for other purposes. Access by employees is generally no longer possible.

The right to data portability (Art. 20 GDPR)
The right to so-called data portability allows you to request data that you have provided to us yourself.

The right to object to processing based on Art. 6(1)(f) DSGVO (Art. 21 DSGVO).
We will of course stop processing your data at any time if the objection is justified. This is the case if your interest in the discontinuation outweighs our interest in the processing. Therefore, please inform us of the reason for your objection.

Right of complaint to supervisory authority
You have the right to address any questions or complaints to a supervisory authority, in particular in the EU Member State of your habitual residence, place of work and/or place of the alleged infringement.
The supervisory authority responsible for us is:

Commission nationale pour la protection des données
15, Boulevard du Jazz
L-4370 Belvaux
Tel.: (+352) 26 10 60-1