Privacy notice Microsoft 365
Information pursuant to Art. 13, 14 of the GDPR about the use of your personal data
Responsible entity and contact information
The responsible entity within the meaning of data protection law is
Nexia GmbH
Wirtschaftsprüfungsgesellschaft | Steuerberatungsgesellschaft
Georg-Glock-Straße 4, 40474 Düsseldorf, Germany
You will find further information about our company, details of the persons authorized to represent us and also further contact options in our Legal Notice on our website. https://www.nexia.de/legal-notice
Contact details of the data protection officer: datenschutz@nexia.de
Purpose of the processing
The products of the cloud service “Microsoft 365” (this includes Word, Excel, Power-Point, Exchange with Outlook, OneDrive, SharePoint, Forms) are provided by Nexia GmbH (hereinafter “Nexia”). Unless Nexia is your employer, Nexia is not responsible for the privacy and security practices of its customers that arise in the use of this product, but merely provides portions of these services to you. Please note that when using these Services, you must always comply with your company’s privacy policy when processing personal data.
The purpose of data processing is to enable Nexia employees and customers to work and communicate together.
Legal basis for data processing
Nexia processes your data on the following legal basis: for the performance of a contract concluded with you or in execution of pre-contractual measures with you (Art. 6 (1)(b) GDPR), for the processing of your data in the context of your employment with Nexia (§ 26 BDSG) or within the framework of a consideration of the legitimate interests of Nexia to maintain and ensure proper operation of IT, safeguarding of business records, archiving of data in the event that longer retention periods than those specified by data protection are applicable (Art. 6 (1)(f) GDPR). In addition, Nexia may process your data on the basis of your consent (Art. 6 (1)(a) GDPR). If there is no contractual relationship, the legal basis is Art. 6 (1)(f) GDPR.
Which data is processed?
When using Microsoft 365, different types of data are processed. The scope of the data depends on what data you store in these cloud applications and what synchronization you set.
When using Microsoft 365, personal data is processed in the course of your professional activities, which your organization provides, for example, via your user account. The type and scope of personal data processed about you depends primarily on what information you or others process about you with Microsoft 365 when using Microsoft Office (Word, Excel, PowerPoint), Exchange, OneDrive and SharePoint. The data is generally stored on Microsoft servers in the European Union (EU). Microsoft has taken extensive data protection measures and has also concluded the EU standard contractual clauses, which ensure that the service provider is committed to complying with European data protection law. The Microsoft Cloud also has ISO27001 certification, among other things.
Scope of the processing
Automated decision-making within the meaning of Art. 22 GDPR is not used.
Recipients / data transfer
Personal data processed in connection with Microsoft 365 will generally not be disclosed to third parties unless it is specifically intended for disclosure.
Data processing outside the European Union
Data processing outside the European Union does not take place as a matter of principle, as we have limited our storage location to data centers in the European Union. The data is encrypted during transport via the Internet and thus protected against unauthorized access by third parties.
Your rights as a data subject
You have the right to obtain information about the personal data concerning you. You can contact us for information at any time.
In the case of a request for information that is not made in writing, we ask for your understanding that we may require proof from you that you are the person you claim to be.
Furthermore, you have a right to rectification or deletion or to restriction of processing, insofar as you are entitled to this by law.
Finally, you have a right to object to processing within the scope of legal requirements.
A right to data portability also exists within the framework of data protection law.
Deletion of data
As a matter of principle, we delete personal data if there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfill contractual services, to check and grant or defend against warranty and, if applicable, guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.
Right of complaint to a supervisory authority
You have the right to complain about the processing of personal data by us to a data protection supervisory authority.
Modification of this privacy notice
We revise this data privacy notice in the event of changes to data processing or other occasions that make this necessary. You will always find the current version on this page.
Further information on Microsoft and data privacy
https://www.microsoft.com/de-de/cloud
https://www.microsoft.com/de-de/trust-center
https://www.microsoft.com/de-de/trust-center/privacy/
Date privacy notice: 10/2023