Information on data protection in accordance with Art. 13 GDPR from Microsoft Teams for external parties
When using Microsoft 365 and Microsoft Teams, personal data (hereinafter also referred to as “data”) is processed, although this sometimes happens in the background and is not necessarily recognizable.
For example, we are obliged under Art. 13 GDPR to provide you with certain information on the processing of your data. This data protection information therefore explains to you which data processing we carry out in the course of an online meeting.
1. Controller and data protection officer
68169 Mannheim Germany
Fon: +49 621 4909 9670
Managing directors: Stefanie Kraus, Elzbieta Wiankowska, Dennis Jantos
Register court: Local court Mannheim
Register number: HRB 748234
Value added tax identification number in accordance with § 27 a of the Value Added Tax Act: DE363430484.
You can contact our data protection officer as follows
Ms. Christina Grewe, lawyer
Phone: 0621 377036 40
2. Details on data processing
We are using Microsoft 365 for various purposes. The main purpose is to simplify collaboration between us and our customers. Functions are used to create and save content, plan appointments and communicate. In order to achieve an equally effective exchange of information with external parties, guests (without a Microsoft 365 account) should also be able to use the functions of Microsoft 365. The processing of personal data is therefore used to process contracts and collaborate on projects.
The use of Teams pursues the following objectives in particular: simplified and uncomplicated communication between employees and customers through the transmission of meetings in real time and direct exchange in chat, easier and more efficient group work, flexibility and collaboration independent of location and time. Depending on the case, personal data such as name and e-mail address are processed. Participation can take place as a guest.
Alternatively, a link to the meeting can be provided for one-time participation. It is not necessary to open a user account or enter personal data. However, you can enter your name. In either case, usage data such as the IP address will be processed.
When using Microsoft 365, diagnostic data is transmitted to Microsoft so that the services as a whole can be provided (error-free). The processing of diagnostic data also serves to improve and update the software by importing new versions. Finally, the processing also serves to ensure the security of the services and rapid troubleshooting by Microsoft.
The permissibility of the data processing described is mainly based on Art. 6 para. 1 f) GDPR (protection of legitimate interests). Loady GmbH would like to make working with customers location-independent, efficient and flexible, optimize work processes and promote digitalization. The focus is also on better planning of work capacities, simplified communication and the error-free and uninterrupted provision of services. In individual cases, the permissibility of processing may be based on Art. 6 para. 1 a) GDPR (consent). In this case, you will be expressly asked by Loady GmbH whether you agree to the data processing.
Your data will be stored for the first time when the invitation to work in the Microsoft 365 environment is sent. The duration depends primarily on the statutory retention obligations with regard to certain documents and processes and on the legitimate interest of Loady GmbH. Chat content in Microsoft Teams is regularly stored for 14 days. Your personal guest access and its content will be deactivated by us after the end of the conversation, unless a further conversation is intended. Microsoft Corporation will then retain the data for a certain period of time. These retention periods can be viewed at the following URL: Data retention, deletion, and destruction in Microsoft 365 – Microsoft Service Assurance | Microsoft Learn
Your personal data may be passed on to or viewed by various recipients as part of the use of Microsoft 365. This includes in particular all employees of loady GmbH.
Loady GmbH does not intend to transfer your personal data to a third country outside the EU or the EEA. However, this may occur in the context of a project, especially if you are located in such a country. Diagnostic data is also regularly sent to the Microsoft Corporation and analyzed there. This data is stored in countries recognized as secure under data protection law. However, due to the CLOUD Act, it cannot be ruled out that US authorities may gain access to this data. If data is transferred to the USA, standard data protection clauses have been agreed with Microsoft in accordance with Art. 46 para. 2 c) GDPR. Information on the standard data protection clauses can be found on the website of the European Commission: https://ec.europa.eu/info/index_de. You can find more information on data processing at Microsoft Corporation here: https://www.microsoft.com/de-de/trust-center/privacy.
4. Rights of data subjects
You have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and data portability (Art. 20 GDPR). If your personal data is processed on the basis of Art. 6 para. 1 f) GDPR, you have the right to object if there are grounds relating to your particular situation.
You can exercise these rights at any time. However, this does not mean that they will be fulfilled. For example, we cannot delete your data if we are obliged to store it due to legal regulations.
If you have given your consent to the processing of your personal data and revoke it, the processing carried out up to the time of this revocation remains unaffected.
You have the right to lodge a complaint with the competent supervisory authority at any time.