Information on how personal data is processed within the context of the use of Microsoft Teams
Who is responsible for processing data?
Dr. Schumacher GmbH
Am Roggenfeld 3
Tel.: +49 5664 9496-0
Fax: +49 5664 8444
How can our Data Protection Officer be contacted?
You can reach our Data Protection Officer at the following contact address:
What data do we process from you?
When video conferences are held in Microsoft Teams, we process the following data:
- Communication data (e.g. your email address, if you provide it in a person-specific way)
- Personal master data (if you provide this on a voluntary basis)
- Contents of the meeting (if you appear in person with contributions in speech and / or writing).
- Image and sound data
- Authentication data
- Log files, log data
- Metadata (e.g. IP address, time of participation, etc.)
- Profile data (e.g. your username, if you provide this on a voluntary basis)
For what purposes and on what legal basis do we process your personal data?
For implementing the contractual relationship – Art. 6 (1) (b) GDPR or for implementing the employment relationship – Section 26 (1) Federal Data Protection Act (BDSG)
Microsoft Teams allows us to hold video conferences with you or within the organization. These act as a substitute for on-site appointments, meetings, or are used for training purposes, for example.
Generally speaking, video conferences are not recorded. However, if a video conference is recorded by way of exception, you must provide your consent in advance (Art. 6 (1) (a) GDPR).
Who has access to your personal data (internal and external)?
Internal bodies: Participating employees, IT department
External bodies: Processors, Microsoft, external parties who are also invited to the video conference, if such a case may arise.
We do not independently transfer personal data to a third country. That being said, this kind of transfer cannot be completely ruled out to the extent that Microsoft Ireland, as a company of a US parent company, is required to do so.
In addition to the standard contractual clauses and an order processing agreement, we have also agreed extensive regulations on data protection for Microsoft online services (Data Protection Addendum, DPA) with Microsoft. It is agreed that Microsoft will store the data exclusively in Germany. The processing by Microsoft is subject to the GDPR provisions under European Union law.
Protecting your personal data is important to us. Nevertheless, there are potential risks that cannot be completely ruled currently, despite the existing data protection and data security measures put in place in connection with the processing. In particular, these include:
- the potential processing by Microsoft of your personal data beyond the purpose of order fulfillment, which in turn could lead to it being obtained by third parties.
- the potential inability to enforce your right of access against Microsoft Corporation in a sustainable manner.
You can find more information about enforcing your rights with Microsoft here: privacy.microsoft.com/en-gb/privacystatement
If a participant in the event is located in a third country, data will also be transferred to the respective third country.
How long do we store your personal data for?
Contents of the video conference such as sound, image and text data are not processed further after the end of the video conference and are deleted when the session ends. The exception to this is possible recordings, which we inform you about separately. It’s necessary for the system to temporarily store log file data for the login process to enable the requested documents to be delivered to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. We also store this data for a period of 90 days.
Would you be disadvantaged in any way if you chose not to provide us with the data?
If you do not provide us with the data, we will unfortunately not be able to invite you to a video conference or allow you to participate in it.
What are your rights?
If the legal requirements are met, you have the right:
- to request information about what data of yours is processed by us (Art. 15 GDPR);
- to have your data amended or deleted, insofar as this does not conflict with our legitimate interest or a legal obligation to process it (Art. 16, 17 GDPR);
- to restrict the processing of your data (Art. 18 GDPR);
- to be able to claim data transferability (Art. 20 GDPR).
Information on your right of withdrawal: If you have given your consent to certain processing activities, you can withdraw this consent at any time with effect for the future. This withdrawal will not affect data that has already been processed.
Information on your right to object: If we process your data on the basis of legitimate interest, you can also object to this processing at any time in accordance with Art. 21 GDPR.
To assert your rights, you can contact us using the contact details listed above
Does automated decision making/profiling take place?
No automated decision making or profiling is performed.
Where can you make a complaint about the processing of your personal data?
If you believe that we are processing your data unlawfully, you have the right to complain to the responsible supervisory authority. The responsible body is:
The Hessian Commissioner for Data Protection and Freedom of Information
PO Box 3163
Telephone: +49 611 1408 - 0