Microsoft 365 - Privacy information
Summary
The University Computer Center manages the applications available via Microsoft 365 on behalf of Philipps-Universität Marburg or enables access to third-party services. This access is currently limited to Microsoft 365 Apps for Education (formerly Office 365).
Provision of this service requires a personal education user account with Microsoft.
When using Microsoft's online services, data is transferred to third parties, and usage data is generated and processed by the University and third parties.
In addition to the University, Microsoft Ireland Operations Limited and Microsoft Corporation, in particular, are involved in the processing of personal data.
The processing of your data described here only takes place when you request the creation of your educational user account with Microsoft via the corresponding web form.
Data subject rights
General
With regard to the processing of your personal data, you as a data subject are entitled to the following rights pursuant to Art. 15 et seq. GDPR:
- You may request information as to whether we are processing personal data about you. If this is the case, you have a right to information about this personal data as well as other information related to the processing (Art. 15 GDPR).
- In the event that personal data about you is not (or is no longer) accurate or is incomplete, you may request that this data be corrected and, if necessary, completed (Art. 16 GDPR).
- If the legal requirements are met, you may request the erasure of your personal data (Art. 17 GDPR) or the restriction of the processing of such data (Art. 18 GDPR). However, the right to erasure under Art. 17(1) and (2) GDPR does not apply, inter alia, if the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Art. 17(3)(b) GDPR).
- If you have consented to the processing or if there is a contract for data processing and the data processing is carried out with the help of automated procedures, you may have a right to data portability (Art. 20 GDPR).
- You have the right to complain about the processing of your personal data to a supervisory authority within the meaning of Art. 51 GDPR. The competent supervisory authority for Bavarian public bodies is the Hessian State Commissioner for Data Protection, Postfach 3163, 65021 Wiesbaden.
Right of objection
You may also object to the processing of personal data concerning you by us at any time (Art. 21 GDPR). If the legal requirements are met, we will subsequently no longer process your personal data.
Purpose
Microsoft 365 serves as a tool for teaching, research and administration.
Microsoft's Office products for editing documents, spreadsheets and presentations are widely used in everyday office life and represent a quasi-industry standard. When exchanging documents for further processing, Microsoft Office formats are predominantly used. Available alternative products (e.g. the free LibreOffice) do not include the same range of functions and cannot always process Microsoft Office formats without loss, making file exchange considerably more difficult.
In the Federal Contract 3.0, Microsoft offers, among other things, the product Microsoft 365 A3, which includes per-person usage rights for one local copy of Office Professional Plus and five individual installations of Microsoft Apps for Education, as well as the use of Office 365 and other online services in the Microsoft cloud. A personal education user account in the Microsoft Cloud is required to use Microsoft Apps for Education as well as the online services (Azure Active Directory - AAD).
Data categories
- Last name, first name, email address
- Permissions
- Log data (date of last password change, date of last login)
- Personal settings, other properties of the user profile
- Information about tokens for login using multi-factor authentication for administrators (via phone, app or questions)
- System-generated log data (telemetry data), product usage metadata (e.g., software version, end user account, computer ID, device IP address)
Categories of data subjects
- Employees
- Students
- PhD students
- Lecturers
- Administrators
Recipient
- Internally for administrators in the HRZ:
For configuration, monitoring and securing operations (system integrity and confidentiality), support
- External (recipient category), third country or international organization (category) Microsoft Ireland Operations Solutions:
For service provision, service and support: contract performance, Art. 6 (1) b GDPR.
Order processing, Art. 28 GDPR.
As well as their sub-processors and support service providers.
Guarantees for International Data Transfer
- For the university
Readmissions Art. 49 para. 1 lit. c GDPR for purposes a) and f).
Readmissions Art. 49 para. 1 lit. d GDPR for purposes b), c), d), e), g), h).
- Microsoft Corporation
Standard data protection clauses with additional safeguards for commissioned processing.
When processing for its own purposes, the GDPR applies directly to Microsoft.
- Sub-processors
Standard data protection clauses
Storage period
- 90 days after deletion of the account upon request or objection for data categories 1-5
- 180 days for data category 6