Data protection information
for online meetings, telephone/video conferences and webinars via ‘Microsoft Teams’
In accordance with the provisions of Articles 13 and 14 of the General Data Protection Regulation (GDPR), we would like to inform you below about the processing of personal data in connection with the use of Microsoft Teams (hereinafter referred to as ‘Teams’).
Purpose of the processing
We use the ‘Microsoft Teams’ tool to conduct telephone conferences, online meetings and/or video conferences (hereinafter referred to as ‘online meetings’).
The tool also offers the possibility to share the screen, record conversations, save chat content and, depending on the version used, to transcribe conversation content and have it summarised into a conversation log using artificial intelligence.
The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. The parent company is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
Responsible for data processing
The controller for data processing directly related to the organisation of online meetings is Kathrin Rehwald, Online Business & Office Services, Warthebergstr. 26, 34466 Wolfhagen, GERMANY.
We are not subject to any legal obligation to appoint a data protection officer.
Scope of the processing
We use Microsoft Teams to conduct online meetings. If we wish to record an online meeting, we will inform you transparently before the recording begins and – if necessary – ask for your consent. The fact of the recording will also be displayed to you in the Teams app.
If it is necessary for the purpose of logging the results of an online meeting, we will download and save any chat content afterwards.
We also use Microsoft Copilot for Microsoft 365 (hereinafter referred to as ‘Copilot’). This is an assistant function with artificial intelligence that makes it possible to transcribe video calls and summarise the most important content in the form of a call log. If we have the call content transcribed, we will inform you transparently in advance and – if necessary – ask for your consent.
Various types of data are processed when you use Microsoft Teams. The scope of the data also depends on what data you provide before or when participating in an online meeting, whether you share your screen, for example, and whether the video call is recorded or transcribed.
The following personal data is processed:
User details: first name, surname, telephone (optional), password (optional), email address, profile picture (optional), department (optional).
Meeting metadata: Topic, description (optional), participant IP addresses, device/hardware information.
For recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
When dialling in by telephone: details of the incoming and outgoing telephone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be saved.
Text, audio and video data: You may have the opportunity to use the chat, question or survey functions in an online meeting. In this respect, the entries you make or views you grant are processed in order to display them in the online meeting and, if necessary, to log them. If transcription is switched on, your voice is also recorded and spoken words are written down in text and summarised using artificial intelligence. To enable the display of video and playback of audio, the data from the microphone of your end device and from any video camera of the end device are processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the ‘Teams applications’.
The conference tools collect all the data that you provide to use the tool (email address, name, telephone number if applicable). If content is exchanged, uploaded or made available in any other way during the conference (e.g. screen sharing), this is also processed on Microsoft’s servers.
Copilot accesses content and context via Microsoft Graph. The tool uses a combination of LLMs (Large Language Models), a type of AI (Artificial Intelligence) algorithm that uses deep learning techniques and large datasets to understand, summarise, predict and generate content. To do this, Copilot receives real-time access to the respective business customer’s data from Microsoft Graph in order to generate company-specific and contextualised answers. Copilot can access all data stored in the respective tenant and use this information for the analysis. A tenant is an isolated instance in Microsoft cloud services such as Azure, Office 365 or Microsoft 365 that is assigned to an individual customer or organisation. Only data for which the individual user has at least view permission is displayed.
Legal basis for data processing
The legal basis for data processing when organising online meetings is Art. 6 para. 1b GDPR, insofar as the meetings are held within the framework of contractual relationships. If neither a contract nor pre-contractual measures are involved and you have given us your express consent to this data processing, the legal basis is Art. 6 para. 1a GDPR. Consent given can be revoked at any time with effect for the future (see section Rights as a data subject). If the processing is carried out to fulfil legal obligations and the processing is necessary and legally permissible, the data processing is based on Art. 6 para. 1c GDPR. In addition, in justified circumstances, the processing may also be based on Art. 6 para. 1f GDPR (legitimate interest).
Recipients / disclosure of data
Personal data that is processed in connection with participation in online meetings is not passed on to third parties unless it is intended to be passed on. Please note that content from online meetings and face-to-face meetings is often used to communicate information with customers, interested parties or third parties and is therefore intended to be passed on.
Other recipients: Microsoft necessarily receives knowledge of the above-mentioned data insofar as this is provided for in our order processing contract with Microsoft.
Otherwise, data will only be passed on to recipients outside the company if this is permitted or required by law, if the transfer is necessary for processing and thus for the fulfilment of the contract or, at your request, for the implementation of pre-contractual measures, if we have your consent or if we are authorised to provide information. Under these conditions, recipients of personal data may be, for example:
Public bodies and institutions (e.g. public prosecutor’s office, police, supervisory authorities, tax office) if there is a legal or official obligation,
Recipients to whom the disclosure is directly necessary for the establishment or fulfilment of a contract, such as credit agencies.
Location of data processing
Microsoft is a service whose parent company is based in the USA. The processing of data during video calls takes place regularly within the European Economic Area.
Calls to the LLM (Large Language Model) from Microsoft 365 and from Microsoft Copilot for Microsoft 365 are routed to the nearest data centres in the region, but can also be routed to other regions where capacity is available at times of high usage. For users from the European Union (EU), Microsoft has taken additional security precautions to comply with the EU Data Boundary (https://learn.microsoft.com/de-de/privacy/eudb/eu-data-boundary-learn). EU traffic remains within the EU Data Boundary, while global traffic can be sent to the EU and other countries or regions for LLM processing (https://learn.microsoft.com/de-de/copilot/microsoft-365/microsoft-365-copilot-privacy).
In order to ensure an appropriate level of data protection, an order processing agreement has been concluded with Microsoft as part of the General Terms and Conditions, as well as additional EU standard contractual clauses as a further guarantee. Microsoft is also actively certified in accordance with the EU-US Data Privacy Framework, an agreement between the USA and the European Union (https://www.dataprivacyframework.gov/list). The agreement is intended to ensure that European data protection standards are complied with during processing. Further information on data processing on the Microsoft website can be found in Microsoft’s privacy policy (https://privacy.microsoft.com/de-de/privacystatement).
Otherwise, personal data will only be transferred to countries outside the European Economic Area or to an international organisation if this is necessary for the processing and thus fulfilment of the contract or, at your request, for the implementation of pre-contractual measures, if the transfer is required by law or if you have given us your consent.
Safeguards
Microsoft 365 and Copilot fulfil Microsoft’s existing privacy, security and compliance obligations to Microsoft 365 commercial customers, including the General Data Protection Regulation and the European Union Data Boundary.
According to Microsoft, prompts, responses and data accessed through Microsoft Graph will not be used to train foundation LLMs, including those used by Copilot.
Microsoft promises to handle the data to which AI is given access responsibly and has created internal guidelines for this purpose: Microsoft AI Principles and the Microsoft Responsible AI Standards: https://www.microsoft.com/de-de/ai/principles-and-approach.
Copilot works with several protective measures, including, but not limited to, blocking harmful content, recognising protected material and blocking prompt injection (jailbreak attacks).
Further information on data processing and data security by Microsoft in general can be found here: https://privacy.microsoft.com/en-gb/privacystatement. Further information on data processing and data security specifically in connection with the use of Copilot can be found here: https://learn.microsoft.com/de-de/copilot/microsoft-365/microsoft-365-copilot-privacy.
Automated decision-making
In principle, we do not use fully automated decision-making in accordance with Art. 22 GDPR to establish, fulfil or implement the business relationship or for pre-contractual measures. If we use these procedures in individual cases, we will inform you of this separately or obtain your consent if this is required by law.
Necessity of the provision of personal data
The provision of personal data by you is primarily voluntary, including for the decision on the conclusion of a contract, the fulfilment of a contract or for the implementation of pre-contractual measures. However, we can only make a decision in the context of contractual measures if you provide personal data that is necessary for the conclusion of the contract, the fulfilment of the contract or pre-contractual measures.
Your rights as a data subject
You have the right to information about the personal data concerning you. You can contact us at any time to request information. In the case of a request for information that is not made in writing, we ask for your understanding that we may require proof from you that you are the person you claim to be. Furthermore, you have a right to rectification or erasure or to restriction of processing, insofar as you are legally entitled to do so. Finally, you have the right to object to processing within the scope of the statutory provisions. You also have the right to data portability within the framework of the data protection regulations. You have the right to complain to a data protection supervisory authority about the processing of personal data by us.
Deletion of data
We delete the data we have collected about you as soon as you ask us to delete it, you revoke your consent to its storage or the purpose for data processing no longer applies and there are no other overriding reasons in accordance with the applicable data protection laws, such as statutory retention obligations, to the contrary. In the case of statutory retention obligations, erasure will only be considered after expiry of the respective retention obligation.