Microsoft 365

1. Microsoft Ireland Operations Limited One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland
2. Microsoft Corporation One Microsoft Way Redmond, Washington 98052
3. Data protection topic page with FAQ and contact options from Microsoft
4. Data protection information at Microsoft Microsoft privacy policy
5. Own purposes

• Billing and account management
• Remuneration
• Internal reporting and modeling
• Combating fraud
• Cybercrime or cyberattacks
• Improvement of core functionality in terms of accessibility, data protection or energy efficiency
• Financial reporting
• Compliance with legal obligations

Data categories

1. Documents and files
2. Tasks and solutions
3. Communication data
4. Basic personal data
5. Authentication data
6. Contact information
7. Profiling
8. Log file with accesses
9. System generated log files

Categories of data subjects

• For data categories 1-9: Persons who use or administer Microsoft 365
• For data categories 1-3,6: Persons identifiable in communication and documents

• Student Administration (Primuss)
• Personnel administration (also for affiliated institutes – personnel database)
• Guest administration (guest database)
• Identity and access management (Microsoft Active Directory)
• Data generated by users themselves in the form of files, texts, audio and video

The account data will be deleted 90 days after deletion of the account on request or after objection, the user data 90 days after deletion of the content data, after discontinuation of the necessity, the log and logging data after 180 days.

Purposes Purchase and use of Microsoft 365 as a tool for teaching, research and administration on the basis of the Bavarian Higher Education Act (BayHSchG) Art. 2 BayHSchG and the provisions of the General Data Protection Regulation (GDPR) Art. 6 (1) e, Art. 6 (3) and Art. 6 (4) DSVGO.
This includes the use of licensed products and services, provision of updates, ensuring information security and technical and customer-related support.
In addition, disclosure for the following purposes by Microsoft:

1. Billing and account management
2. Remuneration
3. Internal reporting and modeling
4. Combating fraud
5. Cybercrime or cyberattacks
6. Improvement of core functionality in terms of accessibility, data protection or energy efficiency
7. Financial reporting
8. Compliance with legal obligations
9. Statistical evaluations

Legal basis

• For teaching
  • Art. 6 para.
    1 lit.
    e GDPR in conjunction with Art. 4 BayDSG (Art. 55 para. 2 BayHSchG)
• For employees and staff:
  • Art. 6 para.
    1 lit.
    b or c GDPR in conjunction with Art. 81 GDPR in conjunction with Art. 103 No. 2 BayBG (or in corresponding application pursuant to Art. 145 para. 2 BayBG)
• Legal basis for disclosure
  • For licensed persons Art. 6 para.
    1 lit.
    b GDPR and Art. 49 para.
    1 lit c GDPR (for purposes 1. and 6.)
  • For purposes that are not contractually required, Art. 5 para.
    1 sentence 1 no. 2 BayDSG and Art. 49 para.
    1 lit.
    d GDPR (for purposes 2.-5.,7.,8.)
• For statistical evaluations
  • Art. 6 para.
    1 lit.
    e GDPR in conjunction with. Art. 4 BayDSG (Art. 10 para. 1 BayHSchG, Art. 7 BayHO)

Coburg University of Applied Sciences is obliged to provide the individual system operators with the categories of personal data for the provision of services for research and teaching.
Without this, it is not possible to carry out research and teaching.

The account and user data is transferred to Microsoft Ireland Operations Limited for exclusive storage on servers in Germany on the basis of the contractual agreement on order processing.
For the aforementioned purposes of Microsoft Corporation (such as security measures), data is transferred to the USA on the basis of EU standard data protection clauses. Sub-processors who have access to parts of the data are active worldwide.
Data is transferred and processed on the basis of the EU standard contractual clauses.
Microsoft takes these into account in the Microsoft Products and Services Data Protection Addendum (DPA).

• Right to information: Upon request and after verification of identity, e.g. by personal interview, information about the personal data stored in the requested system will be provided if it is confirmed that personal data is processed in this system.
• Correction: If incorrectly recorded data is detected, it must be corrected.
  This requires a notification to the respective data management system:
  • Students => Student Office studienangelegenheiten@hs-coburg.de
  • Staff => Personnel department datenpflege@hs-coburg.de
  • Contributors => it-service@hs-coburg.de
• Deletion: The immediate deletion of data in individual systems can be requested if at least one of the following cases applies
  • Unlawful processing
  • Revocation of a given consent and lack of another legal basis
  • Valid objection
  • The purpose for which the data was collected no longer exists

  and the processing is based on consent, i.e. there is no legal requirement or the processing is necessary for the protection of legal claims or public interest (tasks, archive purposes, scientific or historical research) or public authority.
  Deletion will also not take place if the right to freedom of expression and information is impaired.
  Information will be provided on the execution of the deletion upon request.
  Furthermore, deletion will also take place without a request if the period specified under Duration of storage has been reached.

• Restriction of processing: A user can request the restriction of processing, i.e. processing may no longer take place unless explicit consent has been given, if
  • personal data is stored incorrectly,
  • the processing is unlawful and erasure has not been requested,
  • objection has been lodged and this has not been clarified,
  • The purpose for which the data was collected no longer exists, but the data subject still needs the data to assert, exercise or defend legal claims.

  You will be informed about the lifting of the restriction of processing.

• Right to object: A user has the right to object to the processing of personal data on grounds relating to his or her particular situation, provided that the processing is carried out in the public interest or in the exercise of official authority or a legitimate interest, i.e. without consent.
  The objection may not be opposed by the assertion, exercise or defense of legal claims.
  If the use of the service and thus the processing is necessary for research and teaching, an objection is invalid.
  If compelling legitimate grounds override the interests, rights and freedom of the objecting party, the objection is also invalid.
• Right to data portability: A user has the right to receive personal data collected with consent or on the basis of a contract, which is not used for the performance of a task carried out in the public interest or in the exercise of official authority, in a structured, commonly used and machine-readable format, provided that the processing is automated.
• Right to lodge a complaint: Pursuant to Article 77 GDPR, a user has the right to lodge a complaint with the competent supervisory authority.
  The competent supervisory authority for Bavarian public bodies is the Bavarian State Commissioner for Data Protection.