Data protection Microsoft 365 applications

Microsoft 365 is a productivity, collaboration and exchange platform for individual users, teams, communities and networks that can be used across organizational units.

init[ AG für digitale Kommunikation and its subsidiaries ]init[.DCP Digital Communication Portugal and Ironforge Consulting AG, Switzerland, (hereinafter referred to as "we" or "us") use the Microsoft 365 applications Teams, Stream, Forms, Lists and Teams-Teams (hereinafter referred to as M365) as described below.

This Privacy Notice applies if we have invited you to one of these applications and you use one of these applications together with us. This information also applies to all employees of ]init[AG für digitale Kommunikation and its subsidiaries as well as to freelancers commissioned by us. 

Person responsible

When an M365 application is used by ]init[ AG for digital communication, the responsible party is

]init[ AG für digitale Kommunikation
Köpenicker Str. 9
10997 Berlin

Tel: +49 30 97006 200
Fax: +49 30 97006 135

E-Mail: init@init.de
Web: www.init.de

When an M365 application is used by ]init[.DCP - Digital Communication Portugal, the responsible party is

]init[. DCP - Digital Communication Portugal, Unipessoal Lda,Avenida
da Liberdade Nr. 38 2º 1269-039 – Lissabon, Portugal
Fon: +351 929 341 653
E-Mail: init.dcp@init.pt
Web: www.init.pt

When ironforge Consulting AG uses an M365 application, the responsible party is

Ironforge Consulting AG
Thunstrasse 164
3074 Muri b. Bern
Fon: +41 31 511 23 24
E-Mail: info@ironforge.ch
Web: www.ironforge.ch

Purpose of data processing

Microsoft Teams

We use the Microsoft Teams tool to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter: "online meetings").

Microsoft Forms

We use Microsoft Forms to conduct surveys, polls and quizzes (hereinafter: "surveys").

Microsoft Stream

Microsoft Stream is used by us for training, education, learning, screencasts, recording of recurring processes and videos in the area of onboarding (hereinafter "knowledge transfer").

Microsoft Lists

Microsoft Lists allows all ]init[ employees to create individual lists to organize themselves and their own tasks and share them with colleagues (hereinafter "organization").

Microsoft Teams-Teams

Microsoft Teams can be used by all employees and freelancers, in particular for exchanging information (chats), storing information (documents, images, graphics), editing files together, planning tasks and for joint meetings (hereinafter "information exchange").

Type of processing

The following information is already processed automatically as soon as you use M365:

Log files, protocol data and metadata (e.g. IP address, time of participation, device/hardware information).

We have listed below which other personal data is processed in the individual applications:

Microsoft Teams

We process the following data as part of our online meetings via Microsoft Teams:

• Communication data (e.g. your e-mail address, telephone number) 
• Personal master data (e.g. first name, surname, profile picture)
• Content of the online meeting (image and sound and, if you are appearing in person, your verbal and/or written contributions, chat function). 
• Authentication data 

To enable the display of video and playback of audio, the data from the microphone of your end device and any video camera on the end device will be processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the "Microsoft Teams" applications.

Microsoft Forms

We process the following data as part of our surveys via Microsoft Forms:

• Communication data (e.g. your e-mail address, telephone number)
• Your answers to questions

Answers can be requested anonymously or identifiably (e.g. in mandatory employee surveys).

Microsoft Stream

We process the following data as part of our knowledge transfer via Microsoft Stream:

• Communication data (e.g. your e-mail address, telephone number)
• Video content (image and sound and, if you appear in person, your comments and "Like" information). If the camera has been deactivated, only your audio track will be recorded.

Microsoft Lists

We process the following data as part of the employee organization:

• Communication data such as business e-mail address, telephone number
• Personal master data such as first name, surname, profile picture
• Content data that is entered in the list

Microsoft Teams-Teams

When using Teams teams, we process the following data:

• Communication data such as business e-mail address, telephone number
• Personal master data such as first name, surname, profile picture
• Content of the information exchange, image and sound and if you appear in person your contributions in word and / or writing, chat function

Scope of processing

Microsoft Teams

We use Microsoft Teams to conduct online meetings. If we want to record online meetings, we will inform you transparently in advance and - if necessary - ask for your consent.

If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will not usually be the case.

Microsoft Forms

We use Microsoft Forms to conduct surveys. The information you enter in the survey forms is stored under password protection to ensure that third parties cannot access it and that only we can evaluate the survey responses for the purpose stated in the form.

Microsoft Stream

We use Microsoft Stream for knowledge transfer. Corresponding recordings of e.g. training courses can be stored in Microsoft Stream for internal use.

Microsoft Lists

We use Microsoft Lists for the self-organization of employees. In particular, they can create task lists for structured work at their own request and also share these with colleagues.

Microsoft Teams-Teams

We use Microsoft Teams teams for the exchange of information between employees and with freelancers to facilitate joint project work, in particular to be able to work together on documents/files and to exchange information with each other.

Automated decision-making within the meaning of Art. 22 GDPR does not take place.

Legal basis for data processing

Insofar as personal data of employees of ]init[ AG and its subsidiaries are processed, the data processing is based on Section 26 BDSG.

If an M365 application is used for the fulfillment of our contractual obligations, the data processing is based on Art. 6 para. 1 lit. b) GDPR.

If there is no contractual relationship, the data processing is based on Art. 6 para. 1 lit. f) GDPR. In this case, we are interested in the effective implementation of "online meetings", "surveys" and "knowledge transfer".

Deletion of data

We generally delete or anonymize personal data when there is no need for further storage/identification. A requirement may exist in particular for documentation purposes and if the data is still required in order to fulfill contractual services, to check and grant or defend against warranty and guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.

Recipients / forwarding of data

Personal data that is processed in connection with participation in an M365 application will not be passed on to third parties unless it is intended to be passed on.

Microsoft Teams, Forms and Stream are part of Microsoft Office 365. Microsoft Office 365 is software from Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA. You can find Microsoft's own version on data protection when using M365 applications here: Datenschutzerklärung von Microsoft – Microsoft-Datenschutz.

Data processing outside the European Union

The provider of the aforementioned Microsoft services is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. The parent company is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA. Data processing outside the European Union (EU) does not take place, as we have limited our storage location to data centers in the European Union. However, we cannot rule out the possibility that data may be routed via internet servers located outside the EU. This may be the case in particular if participants in an M365 application are located in a third country.

An adequacy decision by the EU Commission, the Trans-Atlantic Data Privacy Framework (TADPF), is in place for the USA. Microsoft Corporation has certified itself in accordance with the TADPF and has therefore undertaken to comply with European data protection principles. In addition, we have concluded an order processing agreement with Microsoft as the provider of the M365 applications in accordance with Art. 28 GDPR, including the standard contractual clauses of the European Commission, and have agreed additional measures, even if data flows from Europe to the USA are not contractually provided for.

With regard to the use of Microsoft Teams for communication, Microsoft itself is the controller as a telecommunications provider. Accordingly, Microsoft has included the following new paragraph (p. 11 penultimate paragraph) in its DPA of 01.01.2023 regarding telecommunications data

"Telecommunications Data | To the extent Microsoft processes Traffic Data, Content Data and other Personal Data in the provision of products and services that are considered telecommunications services under applicable law, specific legal obligations may apply. Microsoft will comply with all telecommunications-specific laws and regulations applicable to its provision of the Products and Services, including breach notification laws, data protection laws, and telecommunications secrecy laws."

We have sent Microsoft a side letter to clarify the above passage and to clarify Microsoft's responsibility.

The data is TLS-encrypted during transport over the Internet and thus protected against unauthorized access by third parties. Transmission takes place via Hypertext Transfer Protocol Secure (HTTPS). HTTPS is a communication protocol on the World Wide Web that is used to transmit data in a tap-proof manner. The synchronization of diagnostic and telemetry data has been deactivated.

Your rights as a data subject

• Right to information (Art. 15 GDPR)
  You have the right to request confirmation as to whether personal data concerning you is being processed. If this is the case, you have a right to information about this personal data and to the information listed in detail in Art. 15 GDPR.
• Right to rectification (Art. 16 GDPR)
  You have the right to demand the immediate correction of incorrect personal data concerning you and, if necessary, the completion of incomplete data.
• Right to erasure (Art. 17 GDPR)
  You have the right to demand that personal data concerning you be deleted immediately if one of the reasons listed in Art. 17 GDPR applies.
• Right to restriction of processing (Art. 18 GDPR)
  You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have lodged an objection to the processing, for the duration of the examination by the controller.
• Right to data portability (Art. 20 GDPR)
  In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transmission of this data to a third party.
• Right of withdrawal (Art. 7 GDPR)
  If the processing of data is based on your consent, you are entitled to withdraw your consent to the processing of your personal data at any time in accordance with Art. 7 (3) GDPR. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)

If data processing is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims (objection pursuant to Art. 21 (1) GDPR).

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object, your personal data will subsequently no longer be used for the purpose of direct marketing (objection pursuant to Art. 21 (2) GDPR).

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of data concerning you violates data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.

Assertion of your rights

Unless otherwise described above, please contact the data protection officer in writing (by post or e-mail) to assert your rights as a data subject.

Copyright and confidentiality

Contents are protected by copyright and may not be reproduced or passed on to third parties - not even in part - without the prior written consent of ]init[. Recording or screenshots of online meetings, surveys, knowledge transfer, organization and the exchange of information, e.g. on audio or video tapes, is not permitted unless permitted above.

Please ensure that you do not share, discuss or communicate any confidential or sensitive information in the M365 applications described above. This applies equally to personal data that is not required for the fulfillment of tasks or purposes.

Data Protection Officer of ]init[ AG

]init[ AG für digitale Kommunikation
z. Hd. Datenschutzbeauftragter
Köpenicker Str. 9
10997 Berlin
datenschutz@init.de

As of: July 2024