Privacy Notice for those affected* when participating in online meetings via services from Microsoft
The General Data Protection Regulation [GDPR] stipulates that persons whose data is collected must be informed about the respective processing context in accordance with Articles 13 and 14 of the GDPR to ensure fair and transparent processing. With the following information, we provide you with an overview of the processing of your personal data in connection with the use of telephone conferences, video meetings, chats, or training courses/webinars (hereinafter referred to as online meetings) arranged by us using products of Microsoft Ireland Operations Ltd. or Microsoft Corporation (in particular "Teams", hereinafter referred to as: "Tools").
Please note that this information only informs you about our processing of your personal data when you use Microsoft applications together with us at our instigation.
* e.g. customers, interested parties, employees
Who is responsible for the data processing?
The controller within the meaning of Art. 4 No. 7 GDPR is generally the company through which you have been invited in direct connection with conducting online meetings. Please refer to the following information to find out which company this is:
Notes
Regardless of which Scheer Group company invites you to an online meeting, the contractual partner of Microsoft Ireland Operations Ltd. is Scheer GmbH. This company provides a large part of the infrastructural services that are required on our part to conduct online meetings.
To the extent that you access the Microsoft website, the "Teams" provider is responsible for processing. However, accessing the website is only necessary in order to download the software for using Teams. If you do not want to or cannot use the Teams app, you can also use Teams via your browser. In that case, the service is provided via the Teams website.
For what purposes, i.e., for what and on what legal basis do we process your data?
We use the Tools to schedule and conduct communication and collaboration among people via conference calls, video conferences, online meetings, chats, and/or training/webinars (hereinafter Online Meetings).
The tools are services of Microsoft Ireland Operations Ltd. (Ireland) and Microsoft Corporation (USA), respectively. Therefore, please note that in the following we will only inform you about the processing carried out by us. Regarding the processing by Microsoft, we recommend additionally consulting the information provided by Microsoft (see below).
The legal bases for processing differ depending on the relationship you have with us as a participant. The following constellations may occur:
- Insofar as personal data of employees of Scheer GmbH or a company of the Scheer Group in Germany is processed (incl. applicants), Section 26 (1) sentence 1 of the German Federal Data Protection Act [BDSG] forms the legal basis for the processing, insofar as the processing is necessary for the establishment and processing. For our companies outside the Federal Republic of Germany, the country-specific data protection regulations for employee data protection apply, if any, as well as the provisions of the GDPR.
- For other participants in online meetings, insofar as these are conducted in the context of contractual relationships or for the initiation of a contract, Art. 6 (1) sentence 1 lit. b) GDPR forms the legal basis for the processing.
If no contractual relationship exists between us and you as the data subject, or if third parties participate, the legal basis is Art. 6 (1) sentence 1 lit. f) GDPR. This is particularly the case if we have a legitimate interest in processing your personal data and the processing is an essential part of using the tool.
What data is processed?
When using the tools, different types of data are processed. The scope of the data depends on the data you provide before or during participation in an online meeting.
The following personal data are subject to processing:
- User details: Display name, first name, last name, phone (optional), email address, profile picture (optional), department (optional), preferred language.
- Meeting metadata: Date, time, topic, status information, participant IP address, meeting ID, location, device/hardware information.
- For recordings (optional): MP4 file of the video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
- When dialing in with the telephone: information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.
- Text, audio and video data: You may have the option of using the chat, question or survey functions in an online meeting. In this respect, the text entries you make are processed to display them in the online meeting and, if necessary, to log them. To enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device are processed accordingly for the duration of the meeting. You can switch off or mute the video camera or microphone yourself at any time via the tool applications.
To join an online meeting or enter the meeting room, you must at least provide information about your name or display name.
To what extent is your data processed?
We use the tools to conduct online meetings. If we want to record online meetings, you will be informed transparently in advance and - if necessary - asked for consent. In addition, a notice is provided by the tool as soon as the recording is started and for as long as the recording lasts.
Insofar as it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this is usually not the case. In the case of webinars, we may also process the questions asked by webinar participants for the purposes of recording and following up on webinars.
User files shared in chats are stored in the OneDrive for Business account of the user who shared the data. Files shared by team members in a channel are stored on the SharePoint site of that team.
If you are registered as a user with Microsoft for the tools, then reports on online meetings (meeting metadata, phone dial-in data, questions and answers in webinars, polling function in webinars) may be stored with Microsoft.
The possibility of software-based attention monitoring that exists in online meeting tools is deactivated on our part. We do not use automated decision-making in the sense of Art. 22 GDPR.
Who gets access to your data?
Personal data processed in connection with participation in online meetings is generally known to the participants in the respective online meeting. Thus, video, image, sound and/or photo recordings of the participants in a video conference as well as, if applicable, documents relating to the content, shared screens as well as participant lists and chats are disclosed to the participants in the web conference.
Furthermore, based on the need-to-know principle, data within our group of companies is only made available to those departments that require it to fulfill the aforementioned purposes (e.g., marketing, sales, project staff, accounting for billing, IT for secure operation of the infrastructure). Please note, however, that the content of online meetings and contact data of participants may also be intended for disclosure to customers, interested parties or third parties.
Other recipients could also be those to whom we are legally obliged to disclose in some way (e.g. public bodies and institutions), those involved in the enforcement of outstanding claims (e.g. lawyer), those for which you have given us your consent (e.g. as a reference), or such service providers who necessarily support us in the provision of services, such as the provider of the respective tool for the online meeting. We have concluded a contract processing agreement with providers who work for us in the context of contract processing, which complies with the requirements of Art. 28 GDPR.
Third country transfers
In principle, no processing takes place outside the EU, as we have limited the storage location to data centers in the EU within the scope of our possibilities. However, we cannot exclude the routing of data via internet servers that are located outside the EU. This may be the case in particular if participants in the online meeting are located in a third country. We also have no influence on the system-side processing of technical information such as device/hardware information (e.g., IP address, operating system data of the end device as well as time and date of access) by the service provider.
Since our group of companies also includes companies in third countries (e.g., Switzerland), and since service providers (e.g., Microsoft) with company headquarters, a parent company or a data center in third countries support us in individual cases, a transfer cannot be ruled out. In such cases, we ensure within the scope of our possibilities that only such data is accessed as is necessary for the performance of the specific task and that appropriate security measures (e.g., adequacy decision of the EU Commission, EU standard contractual clauses) have been taken.
The level of data protection is guaranteed vis-à-vis Microsoft by the conclusion of supplemented EU standard data protection clauses and technical-organizational measures. Among other things, data is encrypted during transport over the Internet and generally protected from disclosure to third parties. In addition, Microsoft Corporation (USA) has submitted to the adequacy decision for the EU-USA data protection framework adopted by the European Commission on July 10, 2023. This decision concludes that the U.S. ensures an adequate level of protection - compared to that of the European Union - for personal data transferred from the EU to U.S. companies participating in the EU-US data protection framework.
With respect to personal data stored by Microsoft in the U.S. and Europe that may be subject to government requests for information from authorities in the U.S., Microsoft warrants in a statement (2020, July 20th) that orders which would allow access to personal data will be challenged in court. In addition, as part of a legal settlement, Microsoft has acquired the right to disclose transparent reports on the number of U.S. national security orders directed to Microsoft. Furthermore, new policies have been put in place within the U.S. government that have restricted the use of secrecy orders (cf., in German, news.microsoft.com/de-de/stellungnahme-zum-urteil-des-eugh-was-wir-unseren-kunden-zum-grenzueberschreitenden-datentransfer-bestaetigen-koennen/). The level of data protection is considered sufficient when measured against the anticipated content of the online meetings.
Further information from Microsoft (as of August 2023) can be found here, among other places:
https://privacy.microsoft.com/de-de/privacystatement
https://www.microsoft.com/de-de/trust-center/privacy/gdpr-overview
https://news.microsoft.com/de-de/datenschutz-und-sicherheit-in-microsoft-teams-nutzer/ (as of April 2020)
Further information on data security and data protection in Teams can be found here, among other places: https://www.microsoft.com/en-us/microsoft-365/blog/2020/04/06/microsofts-commitment-privacy-security-microsoft-teams/
What rights do you have as a data subject?
You have a variety of rights regarding the processing of your personal data within the scope of the respective regulations (especially Art. 15-21 GDPR):
- Right to information,
- Right of rectification,
- Right of deletion,
- Right to restriction of processing,
- Right to data portability,
- You also have the right to be subject to an individual decision that is not exclusively automated.
- Right to complain to a competent data protection supervisory authority.
The right to information and the right of deletion are subject to legal restrictions. You also have the right to object to the processing of your personal data for direct marketing purposes. If we process your data for the protection of legitimate interests, you may object to this processing if reasons arise from your particular situation that speak against data processing.
How long will your data be stored?
As a matter of principle, we delete personal data when there is no longer any need for further storage. Such a need may exist, in particular, if the data is still needed to fulfill contractual services, or to check and grant or defend against warranty and, if applicable, guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.
Data Protection Officer
If you have any questions regarding data protection, please contact our data protection officer at the above address with the addition "attn. data protection officer" or electronically at: datenschutz@scheer-group.com.
Other notes
As the recipient of this information, please inform other persons affected by this in your company if they participate in online meetings via our tools. We reserve the right to update this information as necessary. You can also request an updated version from us at any time.
Notice as of: September 2023