Overview
sprungmarken_marker_18844
Privacy Policy for the Use of M365
Contents
This privacy policy is to inform you about the processing of your personal data and your rights according to data protection legislation. According to Article 4, No. 1 of the EU General Data Protection Regulation (GDPR), personal data are all data referring to an identified or identifiable natural person.
1. Controller and Data Protection Commissioner
According to the GDPR (Art. 4, No. 7) and other data protection regulations, the controller is:
Karlsruhe Institute of Technology (KIT)
Kaiserstraße 12, 76131 Karlsruhe
Germany
Tel.: +49 721 608-0
Fax: +49 721 608-44290
E-Mail: info∂kit edu
Karlsruhe Institute of Technology is a public corporation represented by its President. Our Data Protection Commissioner can be contacted at datenschutzbeauftragte∂kit.edu or by ordinary mail with “Die Datenschutzbeauftragte“ (the Data Protection Commissioner) being indicated on the envelope.
2. Type of Data Processing
a. Scope and purpose: We process your personal data, namely, your
- first name, last name, KIT account,
- organizational unit, and your
- office address, phone number, and office email address
for the purpose of supplying a cloud-based communication and collaboration solution. At the time this information is made available, the following applications of M365 are used at KIT:
- M365 Entra ID;
- Office applications;
- MS Teams;
- MS OneDrive;
- MS SharePoint Online;
- MS OneNote;
- MS Planner;
- MS Forms;
- MS To Do;
- MS Lists;
- MS Whiteboard;
- MS Exchange Hybrid;
- MS Copilot;
- MS Visio;
- MS Project;
- MS Power Platform;
- MS Clipchamp;
- MS Loop
When using applications of M365, additional personal data are processed depending on the functions used:
-
Communication data (video streams, audio streams, chat contents, metadata);
-
activity data;
-
IP address and other device information;
-
personal data in documents and files;
-
access protocols and other diagnosis data;
-
other personal data required for the use of specific functions.
Further details on the scope and purpose are given in Annex 1 “Data, Purposes, and Storage Periods.”
b. Recipients: At KIT, access to the data above will be given in particular to the staff members in charge from KIT’s information technology center, the Scientific Computing Center (SCC) of KIT, who are assigned the roles of administrators. To the extent to which you communicate with other persons, these persons will be recipients of the personal data disclosed by you. For the use of M365, we are cooperating with an external contractor “Microsoft Ireland Operations Limited“ (One Microsoft Place, South County Business Park, Carmanhall And Leopardstown, Dublin, D18 P521, Ireland) under a contract. This contractor works exclusively according to our instructions. This is guaranteed by strict contractual regulations, technical and organizational measures, and additional controls. Microsoft processes the data for purpose of fulfilling the contract and stores the data on servers within the European Union. More details can be found in Annex 2 “Supplier / Processor”.
According to archiving regulations, documents must be offered to the KIT Archives before they are deleted. The KIT Archives will then decide on taking over the documents, thus ensuring the legitimate interests of the data subjects according to the State Archiving Act (Landesarchivgesetz Baden-Württemberg, LArchG) and the other pertinent regulations.
c. Transmission of data abroad: In case a transmission of personal data to a country outside of the EU / EEA will be required on an individual basis, data will be transmitted to Microsoft based on an adequacy decision according to Art. 45 GDPR and (to the extent to which this decision is not or no longer applicable) based on standard data protection clauses adopted by the EU Commission to adequately guarantee an appropriate data protection level according to Art. 46, par. 2, c GDPR. Data transmission to a person in the third country with whom communication takes place will be subject by way of exception to Art. 49, par. 1, letters b, c, and d GDPR.
d. Legal basis:
- When using M365 services in connection with your work, the legal basis is Art. 6, par. 1, e and par. 3, b GDPR in conjunction with Art. 15, par. 1 of the State Data Protection Act (Landesdatenschutzgesetz, LDSG), as data protection is required for work under your employment contract.
- As regards KIT’s university tasks, the legal basis results from Art. 6, par. 1, e, and par. 3, b GDPR in conjunction with Art. 12 of the Act of Baden-Württemberg on Universities and Colleges (Landeshochschulgesetz) in conjunction with Arts. 2 and 20 of the KIT Act (KIT-Gesetz).
- To fulfill the other tasks of KIT, the legal basis results from Art. 6, par. 1, e and par. 3, b GDPR in conjunction with Art. 4 of the State Data Protection Act (LDSG) in conjunction with Art. 2 of the KIT Act.
- As regards optional uses, the legal basis is Article 6, par. 1, a GDPR (consent).
e. Storage period:
The personal data will be stored as long as they will be needed for the above purposes. The storage period of log data is given by the manufacturer. As per 01/2025, this storage period is 30 days. For log data classified potentially safety-relevant by the manufacturer, the maximum storage period is 180 days. After these periods, the log data will be erased automatically from the system.
In case a more detailed description is possible, details can be found in Annex 1 “Data, Purposes, and Storage Periods.”
According to Art. 5, par. 1, e GDPR in conjunction with Art. 8, par. 2 State Archiving Act (LArchG) and Arts. 3 and 2 LArchG, the data will be taken over by the KIT Archives upon their decision and archived permanently as a rule.
3. Your Rights
As far as your personal data are concerned, you have the following rights:
- Right to revoke your consent with effect for the future, provided that processing is based on a consent according to Art. 6, par. 1, sub-par. 1, a GDPR (Art. 7, par. 3 GDPR).
- Right to confirmation whether data about you are processed and right to information about the data processed and about the data processing, as well as right to obtain copies of the data (Article 15 GDPR).
- Right to rectification or completion of incorrect or incomplete data (Article 16, GDPR).
- Right to immediate erasure of your personal data (Article 17 GDPR).
- Right to restriction of processing (Article 18 GDPR).
- Right to data portability in a structured, standard, and machine-readable format, if processing is based on a consent according to Article 6, par. 1, sub-par. 1, a GDPR or Art. 9, par. 2, a GDPR or on an agreement according to Art. 6, par. 1, sub-par. 1, b (Article 20 GDPR).
- Right to object to the future processing of your personal data, if the data are processed according to Art. 6, par. 1, e or f GDPR (Art. 21 GDPR).
In addition, you have the right to complain about the processing of your personal data by KIT with its supervisory authority (Article 77 GDPR). According to Art. 25, par. 1 LDSG (State Data Protection Act), the supervisory authority of KIT according to Art. 51, par. 1 GDPR is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (https://www.baden-wuerttemberg.datenschutz.de/, in German).
4. Annexes
4.1 Annex 1 „Data, Purposes, and Storage Periods“
Please find below further specific information on the type of data processing in connection with the use of M365:
| # | Purpose of processing (including designation of the M365 services) |
Categories of personal data | Storage period |
| 1. |
M365 Entra ID directory service Cloud-based identity and access management service for the administration of user identities and the control of applications and data both in the cloud and on the PC |
Basic data:
Log data of user activities: Registration logs, consisting of: Accessing application, user ID, IP address, status successful / not successful, resource ID (M365 service), time of registration, place of registration (derived from IP address), operation system, browser version
Log data of administration activities: Activity protocols: Date and time of an activity, protocol service, category and name of activity, status of activity (success or failure) |
Basic data as outlined in the Deprovisioning Regulations Deprovisionierungsordnung_20171221.PDF (in German).
|
| 2. |
Meetings (online) with both internal and external participants (MS Teams):
|
|
The storage period depends on the Teams storage regulations that are defined centrally. According to these regulations, recordings of meetings are stored for a standard period of 60 days, provided that this period has not been shortened or extended by the user who initiated the recording. |
| 3. |
Product stability and improvement (by diagnosis data) (M365): Diagnosis of support cases and safety incidents. |
|
The storage period of diagnosis data depends on the description given in other processing activities, because diagnosis data do not arise in an isolated manner, but in connection with another processing activity. |
| 4. |
Increase in work efficiency (MS Word, Excel, PowerPoint, OneNote, Publisher Access, Project, Visio, Forms, Power Platform, Clipchamp, Loop, Whiteboard): Supply of applications for business purposes. |
|
As this processing activity describes the productivity apps from a purely functional perspective and processing of the data in the individual apps is described by separate processing activities, the storage period of comments, authors, changes, etc. in files depends on the storage period of the files of these separate processing activities. For the storage period of certain contents, it is therefore referred to the corresponding processing activities.
|
| 5. |
Meetings (online) with internal participants exclusively (MS Teams): Supply of audio and video conferencing and collaboration functionalities (see also meetings (online) with both external and internal participants, purpose #1) |
|
The storage period depends on the centrally defined Teams data storage regulation. The standard storage period of recordings of meetings is 60 days, unless this period has been shortened or extended by the user who initiated the recording. |
| 6. |
Speech transmission (MS Teams): Supply of audio communications services |
|
Audio signals are streamed rather than stored, unless an audio transmission is recorded. The standard storage period of the recording is 60 days, provided that the user who initiated the recording has not shortened or extended this period. |
| 7. |
Direct messages and group communication (MS Teams): Supply of functions for collaboration based on chats. |
|
The storage period can be defined by the administrator in the form of a group regulation and set by the individual users. Microsoft permits selection of the following storage periods by the user: 7 days, 30 days, 90 days, 1 year, 5 years, or never (i.e. no erasure of the data). The effective standard setting is “never”, i.e. no erasure of the data, with the user having the possibility to select other storage periods. When erasing an account (according to the deprovisioning regulation) or a team, the corresponding chats will be erased as well. |
| 8. |
Collaboration functionality (MS Teams): Supply of functions for collaboration via channels |
|
Data remain stored until they are erased by manual erasure of the channel or data (see # 9) |
| 9. |
Support of collaboration (MS SharePoint, MS OneDrive): Storage and access management to support collaboration |
|
SharePoint Online: OneDrive: |
| 10. |
Tasks and planning (Planner, MS To Do, MS Lists): Planning and organization of tasks for individuals and/or teams
|
|
No automatic erasure setting |
| 11. |
Data security (MS Defender): Protection of data and IT systems against unauthorizes acces, change or erasure |
see defender categories below | see defender categories below |
| 11a. | Defender for Endpoint | Files (name, size, hash), processes, registry data, network connections, device information (IDs, OS version) |
Portal: 180 days Advanced hunting: 30 days |
| 11b. | Defender for Identity | Active directory and network events for the detection of suspect identity activities | 180 days |
| 11c. | Defender for Office 365 (Plan 1) | Email and meta data, alerts, audit logs, quarantine, reports, submissions, real-time detections |
Alerts: 90 days Email: 30 days Audit: 7 days Quarantine: 30 days |
| 11d. | Defender for Office 365 (Plan 2) | All Plan 1 data plus action center, automated investigation and response (AIR), advanced hunting, campaigns, incidents, threat analytics |
Action Center: 180 days AIR: 60 days Advanced hunting: 30 days Attack simulation: 18 month |
| 11e. | Defender for Cloud Apps | Network information, OAuth app use, user and app audit data, file meta data / contents | Up to 180 days |
| 11f. | Defender XDR / Microsoft 365 Defender | Alerts, incidents, cases, configuration data from associated services |
Alerts/incidents: 180 days Advanced hunting: 30 days Cases: permanent |
| 12. |
Facilitating contract execution by Microsoft (M365): Supply of system-generated protocol data produced by user interactions with M365 functions as well as of diagnosis data (if the diagnosis data function is activated) and meta data for the provision of aggregated data |
|
System-generated protocol data and diagnosis data are subject to the storage period given for the purpose of processing in this document |
| 13. |
AI-supported productivity (MS Copilot Chat): Use of AI for daily activities to search for, summarize, and generate contents |
|
Contents generated by users are stored by the users until erasure |
4.2 Annex 2 „Supplier / Processor“
Depending on the purpose of processing for which the supplier is hired, we share certain personal data (to the extent required) with the following subcontractors:
|
(Sub)Contractor |
Jurisdiction of the (Sub)Contractor |
Reason for Involvement of (Sub)Contractor |
|
Microsoft Ireland Operations Ltd.: |
Ireland |
Supply of M365; |
|
Microsoft Corp.: |
USA |
Supply of M365; |
|
Other subcontractors of Microsoft Ireland Operations Ltd., which are listed for the corresponding service in the latest version of the list of subcontractors under https://www.microsoft.com/en-us/trust-center/privacy/data-access . |
See linked list |
Supply of M365; |