We would like to inform you about the collection, processing and storage of your personal data when using Microsoft 365 services. We use Microsoft 365 services to provide and operate workstations and to communicate with internal and external communication partners.
Name and contact details of the responsible person
Phone: +352 74 92 921
Fax: +352 74 00 44
Name and contact details of the data protection officer
DURY Compliance & Consulting GmbH
Other data controllers and their data protection officers
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland,
One Microsoft Way Redmond, Washington 98052
Topic page with FAQ and contact options from Microsoft
Data that we process and that we collect from you
The data we collect and process depends on how you use Microsoft 365 services.
Purpose of processing
Obtaining and using Microsoft 365 as a tool for operating workplaces and for communicating with internal and external communication partners (Microsoft Teams). This includes the use of the licensed products and services, provision of updates, ensuring information security, and technical and customer support. Statistics on usage are also compiled.
Including disclosure for the following Microsoft purposes:
· Billing and account management
· Internal reporting and modeling
· Combating fraud
· Cybercrime or cyberattacks
· Improving core functionality in terms of accessibility, privacy, or energy efficiency
· Financial reporting
· Compliance with legal obligations
What data is processed?
When using Microsoft 365 services, the following categories of data are processed in particular:
1. documents and files
3. communication data
4. basic personal data
5. authentication data
6. contact information
8. log file with accesses
9. system generated log data
Legal basis for processing
Insofar as we process personal data, the following legal bases apply to the processing:
· For persons who are identifiable in communication and documents Art. 6 (1) lit. b DSGVO, if it concerns the initiation or implementation of a contractual relationship or Art. 6 (1) lit. f DSGVO. In these cases, our interest is in the effective execution of online meetings or the effective assignment of documents to the relevant parties.
· for those individuals who use Microsoft 365 in the role as a
Employee furthermore Art. 6 para. 1 lit. b DSGVO
Legal bases for disclosure to Microsoft (beyond commissioned processing).
· for licensed persons Art. 6 para. 1 lit. b DSGVO as well as Art. 49 para. 1 lit. c DSGVO (1. and 6.)
· for contractually unnecessary purposes Art. 49 para. 1 lit. d DSGVO (2.-5.,7.,8.)
Categories of affected persons
· for data categories 1-9 People who use or administer Microsoft 365
· for data categories 3, 8, 9 persons identifiable in communication and documents
Categories of recipients of your personal data
· Microsoft Ireland Operations Limited, for the purpose of order processing and contract performance
· Microsoft Corporation, for order processing and contract fulfillment and its own purposes.
· as well as their subcontracted processors and support service providers
Transfer to third countries
Some of the service providers we use (in particular Microsoft) are U.S. companies that also have parts of the data processed in third countries (in this case, the U.S.). As such, they are subject to U.S. law. Under certain circumstances, they are obliged to disclose data to U.S. authorities. In individual cases, this may also include your personal data. As an E.U. citizen, you cannot defend yourself against these measures in the same way as would be possible in the E.U.
Our service providers all assure a high priority with regard to data protection, have assured extensive protection and security measures and have concluded contracts with us with so-called standard data protection clauses.
· Microsoft Corporation
Standard data protection clauses with additional safeguards for commissioned processing.
When processing for its own purposes, the GDPR applies directly to Microsoft.
Standard data protection clauses
· for Eurobase GmbH
Withdrawals Art. 49 para. 1 lit c DSGVO for purposes 1. and 6. (contract performance)
Re-exceptions Art. 49 para. 1 lit. d DSGVO for purposes 2.-5., 7., 8. (Microsoft’s own purposes)
Duration of storage
As a matter of principle, we delete personal data if there is no need for further storage. A requirement may exist in particular if the data is still needed in order to fulfill contractual services, to check and grant or defend against warranty and, if applicable, guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.
Your rights in relation to data processing
You have the following rights with regard to data processing at Eurobase GmbH:
The right to information about which data we process about you (Art. 15 DSGVO)
You have a right to information about which of your data is processed by us. Upon request, we will be happy to inform you about the data in question. In addition, you will receive further information to the extent defined by law.
The right to rectify your data if they are incorrect in content (Art. 16 GDPR)
You have a right to have your data corrected. This is particularly the case if facts subsequently change, such as the surname and marital status in the event of marriage. In this case, we will correct any changed data.
Right to erasure (‘right to be forgotten’) (Art. 17 GDPR)
If data is no longer required or if processing takes place in an individual case without it being necessary in this way, you have a right to have the data deleted. In these cases, we will delete your data immediately. In certain cases, however, there may be a retention obligation, so that unfortunately your data cannot be deleted or cannot be deleted completely. However, we will then only retain your data for the intended retention purpose and will of course not use it for any other purpose (see section 4.).
The right to restrict the processing of your data (Art. 18 DSGVO)
If the data is subject to a retention obligation, we are unfortunately unable to delete the data. In this case, we restrict processing to the greatest extent possible. Processing is also restricted if you request correction of the data and it is not yet clear to what extent changes are to be made. Restriction of processing usually means that the data is only stored but blocked for other purposes. Access by employees is generally no longer possible.
The right to data portability (Art. 20 GDPR)
The right to so-called data portability allows you to request data that you have provided to us yourself.
The right to object to processing based on Art. 6(1)(f) DSGVO (Art. 21 DSGVO).
We will of course stop processing your data at any time if the objection is justified. This is the case if your interest in the discontinuation outweighs our interest in the processing. Therefore, please inform us of the reason for your objection.
Right of complaint to supervisory authority
You have the right to address any questions or complaints to a supervisory authority, in particular in the EU Member State of your habitual residence, place of work and/or place of the alleged infringement.
The supervisory authority responsible for us is:
Commission nationale pour la protection des données
15, Boulevard du Jazz
Tel.: (+352) 26 10 60-1