Data Protection Information for the Use of Microsoft 365 Applications
We would like to inform you about the processing of personal data in connection with the use of Microsoft 365 applications. This data protection information only informs you about the processing of your personal data by us if you use Microsoft applications together with us. If you require information about the processing by Microsoft, you can view the corresponding declaration under the following link: https://privacy.microsoft.com/de-de/privacystatement.
1. Name and contact details of the data controller
The controller within the meaning of data protection law ("we") is:
Name and address:
fka GmbH
Steinbachstraße 7
52074 Aachen
Germany
Contact:
Telephone: +49 241 8861 0
Fax: +49 241 8861 110
Website: www.fka.de
Further information about the company as well as details of the authorized representatives can be found at: fka.de/en/imprint.html.
2. Contact details of the data protection officer
Our data protection officer can be contacted for inquiries and other data protection concerns using the following contact details:
fka GmbH
- Data protection officer -
Steinbachstraße 7, 52074 Aachen
3. Categories of personal data, purposes, and legal bases for data processing
As part of our business activities, we use Microsoft 365 applications such as Teams, SharePoint, Forms (hereinafter "M365"), to which you will receive an invitation from us. M365 is a productivity, collaboration and exchange platform for individual users, teams, communities and networks that can be used across organisational units. When you use M365, personal data about you is processed.
(a) Categories of personal data
Various types of data are processed when you use M365. The scope of this data depends, among other things, on which application is used and what data you provide. Certain information is already processed automatically as soon as you use M365.
The following personal data may be processed:
- Personal basis/identification/contact data: Data that enables the unique identification of the data subject (e.g. first name, surname, address, telephone number, profile picture, username; organisation/company);
- Content data: text files and entries, documents, presentations, tables, audio and video files/data, appointment and resource management data, e-mail communication, etc. entered in M365;
- Usage data: Data relating to information on personal use of M365 (e.g. websites visited, time and type of access, information on data, files and documents accessed, data on the creation, modification, deletion of a document, making of notes, chat entries and responses);
- Meta/telemetry data: Data relating to the devices and access points used by the user (e.g. log files and other protocol data, IP addresses, device and hardware information, location data released by the user, audio and video data of a live transmission).
M365 services are not intended to process special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. genetic or biometric data, data on religious beliefs or health data). However, we cannot prevent such special categories of personal data from being entered into or shared via the M365 services by users (e.g. when participants share data about an illness as part of a Teams meeting) and therefore necessarily process them.
(b) Purposes of the data processing
We process your personal data to the extent necessary to ensure the customer or supplier relationship that exists or is to be established between you or your employer and us, or any other relationship between you and us, in an efficient manner. In particular, we use M365 applications for the following purposes:
- Teams: With the meeting functions of Teams, including chat and telephony functions, we can enable participation via video/audio in virtual meetings, training courses and telephone calls. Teams is also used as a collaboration and exchange platform for communication and collaboration in project work.
- Forms/Polls: The poll function allows us to conduct voluntary surveys and polls on business and project organisation.
- SharePoint: We use SharePoint as part of our business and administrative activities to share/provide information and to share and edit files, documents, tables, etc.
- OneNote: We use the application as a virtual notebook for centralised storage of meeting notes and personal records.
- Planner: We use the application to organise tasks for individuals and teams.
If necessary, we use other M365 applications, the purposes of which can be found in the application descriptions. Your data is processed in order to be able to use the respective M365 product for the stated purposes.
Apart from data categories that are always technically or organisationally necessary for the provision or operation of the M365 services (e.g. IP addresses, user IDs), only data that you have provided yourself will be processed.
Furthermore, your data may be processed for the purposes of information security and to ensure the functional security and stability of the IT systems.
(c) Legal basis for data processing
The legal basis depends on the reason or purpose for which the M365 products and the individual functions are used.
Consent (Art. 6 para. 1 lit. a) GDPR)
We process certain data only with your prior, express consent. This may be the case, for example, if a Teams meeting is recorded after prior notification. In principle, there is neither a contractual nor a legal obligation to provide your data. Consent is voluntary and can be revoked in whole or in part at any time with effect for the future. This does not affect the lawfulness of the processing that has already taken place prior to the revocation.
Contract fulfilment (Art. 6 para. 1 lit. b) GDPR)
If the use of personal data is based on a contract with you or if the use takes place to initiate a contractual relationship at your instigation, the legal basis is Art. 6 para. 1 lit. b) GDPR.
Fulfilment of a legal obligation
Insofar as we are subject to legal requirements and must process your data to fulfil these legal obligations, Art. 6 para. 1 lit. c) GDPR is the legal basis for processing. This may be the case, for example, if we are legally obliged to provide information to a specific public authority (e.g. a law enforcement agency) or are subject to statutory retention obligations that make it necessary to store your data.
Safeguarding our legitimate interests or those of a third party
In addition, we may process your data to protect our legitimate interests or the interests of third parties on the basis of Art. 6 para. 1 lit. f) GDPR. The aforementioned legal basis allows us to process your data if your interests as the data subject do not take precedence over our interests in individual cases.
Our legitimate interests include the effective conduct of meetings and the optimisation of our business processes, in particular by using device-independent Office documents for smooth collaboration within teams.
Special categories of personal data (Art. 9 (2) GDPR)
If you share special categories of personal data (see section 3 (a) above) in an M365 service, we base the processing on consent within the meaning of Art. 9 para. 2 lit. a) GDPR.
Automated decision-making
Automated decision-making within the meaning of Art. 22 GDPR is not used.
4. Duration of storage
We only store your personal data for as long as necessary and delete or anonymise it as soon as it is no longer required for the purposes for which we collected and processed it in accordance with the above paragraphs or the applicable statutory retention periods have expired. Log files are deleted after 90 days at the latest, unless we are authorised (e.g. during an ongoing legal dispute) or obliged to retain them for a longer period. You can delete content data that you have provided to M365 products yourself, provided there are no reasons to the contrary, such as statutory retention obligations or internal guidelines and instructions. Real-time data, such as audio and video transmissions in the context of Teams meetings, are not stored at all, unless the meeting is recorded in exceptional cases.
5. Recipients/Categories of recipients
We have implemented a roles and rights management system to ensure that your personal data is only accessible to a limited number of employees who need to know this data for the aforementioned processing purposes.
If necessary, we have commissioned external service providers as part of our business purposes or cooperation with you or your employer. We have ensured through contractual agreements that the data protection requirements are complied with and that data is only processed in accordance with our instructions and for the specified purposes.
The personal data that we collect or process about you may be forwarded to recipients who may be located inside or outside the European Economic Area ("EEA"). For recipients located outside the EEA, we have taken appropriate measures to ensure compliance with the requirements of data protection laws, such as entering into appropriate EU Commission standard contractual clauses or certification under the EU-US Data Privacy Framework.
Microsoft is used as a processor for the provision of the M365 services and the associated data processing. If individual data is processed outside the EU, Microsoft ensures data protection compliance by agreeing the EU standard contractual clauses. Microsoft has also certified itself under the EU-US Data Privacy Framework. Further information on data processing by Microsoft can be found in the MS Trust Center and the MS Privacy Policy.
6. Rights of the Data Subject
Any person affected by the processing has the right
- in accordance with Art. 7 para. 3 GDPR, to withdraw consent given to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future. However, this does not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. Please note that we may have to continue to store certain data for the fulfillment of legal requirements or in the context of legal prosecution (see section 4);
- in accordance with Art. 21 GDPR, to object to the processing of personal data if the personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR, provided that there are reasons for this arising from the particular situation of the data subject;
- to request information about the personal data processed by us in accordance with Art. 15 GDPR;
- in accordance with Art. 16 GDPR, to request the rectification of inaccurate personal data or the completion of incomplete personal data stored by us without undue delay;
- in accordance with Art. 17 para. 1 GDPR, to demand the deletion of the personal data stored by us in the cases mentioned therein, unless the processing is necessary for one of the cases mentioned in Art. 17 para. 3 GDPR;
- in accordance with Art. 18 GDPR, to demand the restriction of the processing of personal data in the cases specified therein, in particular if the data subject has objected to the processing in accordance with Art. 21 GDPR, as long as it has not yet been determined whether our legitimate reasons outweigh those of the data subject;
- where the processing is based on consent or on a contract and the processing is carried out by automated means, in accordance with Art. 20 GDPR, to receive the personal data that the data subject has provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us; and
- to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. As a rule, the data subject can contact the supervisory authority of their usual place of residence or workplace or our company headquarters.
Last update: 02/2024