Privacy Notice Microsoft Teams

Information pursuant to Art. 13, 14 of the GDPR about the use of your personal data


Responsible entity and contact information

The responsible entity within the meaning of data protection law is

Nexia GmbH
Wirtschaftsprüfungsgesellschaft | Steuerberatungsgesellschaft
Georg-Glock-Straße 4, 40474 Düsseldorf, Germany

You will find further information about our company, details of the persons authorized to represent us and also further contact options in our Legal Notice on our website.
https://www.nexia.de/legal-notice

Contact details of the data protection officer: datenschutz@nexia.de

Note: If Microsoft's online services, such as www.teams.microsoft.com, are used, Microsoft is responsible for data processing as the provider of ‘Microsoft Teams’. The use of ‘Microsoft Teams’ online services is required, for example, in order to use the Microsoft Teams web app. This may result in additional data processing by Microsoft.


Purpose of the processing

We use Microsoft Teams to conduct telephone conferences, online meetings, video conferences and/or web conferences (hereinafter: online meetings). Microsoft Teams is a service of Microsoft Corporation.

Unless Nexia is your employer, Nexia is not responsible for the privacy and security practices of its customers that arise in the use of this product, but merely makes portions of these services available to you. Please note that when using these Services, you must always comply with your company's privacy policy when processing personal data.

Data processing is carried out for the purpose of enabling Nexia employees and customers to work and communicate collaboratively.
 

Legal basis for data processing

Nexia processes your data on the following legal basis: for the performance of a contract concluded with you or in execution of pre-contractual measures with you (Art. 6 (1)(b) GDPR), for the processing of your data in the context of your employment with Nexia (§ 26 BDSG) or within the framework of a consideration of the legitimate interests of Nexia to maintain and ensure proper operation of IT, safeguarding of business records, archiving of data in the event that longer retention periods than those specified by data protection are applicable (Art. 6 (1)(f) GDPR). In addition, Nexia may process your data on the basis of your consent (Art. 6 (1)(a) GDPR). If there is no contractual relationship, the legal basis is Art. 6 (1)(f) GDPR. 
 

Which data is processed?

When using Microsoft Teams, various types of data are processed within the Microsoft cloud infrastructure, see the following point “servers used”. The scope of the data also depends on the data you provide before or during participation in an online meeting.

The following personal data are subject to processing (depending on the optional information provided by the user):

User details: e.g. display name, email address if applicable, profile picture (optional), preferred language.

Meeting metadata: e.g. date, time, meeting ID, phone numbers, location

Text, audio and video data: You may have the option of using the chat function in an online meeting. To this extent, the text entries you make are processed in order to display them in the online meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device are processed accordingly for the duration of the meeting. 

For recordings: e.g. MP4 files of all video, audio and presentation recordings, M4A files of all audio recordings, text files of the meeting chat

When dialling in by phone: e.g. incoming and outgoing phone number, country name, start and end time, IP address of the device if applicable

Note on the use of the data: The above-mentioned data is processed exclusively for the organisation, implementation and follow-up of Microsoft Teams meetings. You can control the use of the camera and microphone at any time by deactivating or muting them.

Server:

  • Identities and authentications: Azure Active Directory (Azure AD) > Azure-Server
  • Chats: Exchange Online > Azure-Server
  • Channel messages: Microsoft Teams services > Azure-Server
  • Voicemails and contacts: Exchange Online > Azure-Server
  • Images are stored in Media Services: Azure Blob Storage > Azure-Server
  • Files shared in a private or group chat: OneDrive for Business > Azure-Server
  • Files stored in Teams: SharePoint Online > Azure-Server
  • Recordings of online meetings: Stream or OneDrive/SharePoint > Azure-Server

Data centers for Azure, Exchange Online, SharePoint and OneDrive as well as Stream are located in the EU for European customers. 

The servers can be selected by team administrators on a country-specific basis.

Data is generally stored on Microsoft servers in the European Union (EU). Microsoft has taken extensive data protection measures and also concluded the EU standard contractual clauses, which ensure that the service provider is committed to complying with European data protection law. 

Microsoft servers are C5-certified (certification from the German Federal Office for Information Security for cloud service providers). The Microsoft Cloud also has ISO27001 certification, among other things.
 

Scope of the processing

We use Microsoft Teams to conduct online meetings. If we want to record online meetings, we will transparently communicate this to you in advance and - if necessary - ask for consent.

Chat content is logged when using Microsoft Teams. Files that users share in chats are stored in the OneDrive for Business account of the user who shared the file. The files that team members share in a channel are stored on the team's SharePoint site. The chat content and shared files are saved for a limited period of time.

It is also possible to share the screen or a specific display (window, application). In this case, all content of the corresponding shared screen or display is transmitted.

When using additional services such as translators, further data may be processed by us or transmitted to the service provider in order to provide these services.

After creating a user account, extended functions are available that trigger corresponding data processing, e.g. by uploading shared files, created calendar entries, status of tasks, content created and edited in Word, Excel, PowerPoint and OneNote, entries in surveys, as well as technical usage data to provide the functionalities and security of Microsoft Teams.

Automated decision-making within the meaning of Art. 22 GDPR is not used.
 

Recipients / data transfer

Personal data processed in connection with participation in online meetings is generally not passed on to third parties unless it is intended to be passed on. Please note that content from online meetings, as well as face-to-face meetings, is often used to communicate information with customers, prospects or third parties and is therefore intended for disclosure.

Other recipients: The Microsoft Teams provider necessarily obtains knowledge of the above data to the extent provided for in our order processing agreement with Microsoft Teams.
 

Data processing outside the European Union

Data processing outside the European Union does not take place as a matter of principle, as we have limited our storage location to data centers in the European Union. The data is encrypted during transport via the Internet and thus protected against unauthorized access by third parties.
 

Your rights as a data subject

You have the right to obtain information about the personal data concerning you. You can contact us for information at any time. 

In the case of a request for information that is not made in writing, we ask for your understanding that we may require proof from you that you are the person you claim to be. 

Furthermore, you have a right to rectification or deletion or to restriction of processing, insofar as you are entitled to this by law.

Finally, you have a right to object to processing within the scope of legal requirements.

A right to data portability also exists within the framework of data protection law.


Deletion of data

As a matter of principle, we delete personal data if there is no need for further storage. Such a need may exist in particular if the data is still required to fulfill contractual services or to check, grant or defend against warranty and, if applicable, guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.
 

Right of complaint to a supervisory authority

You have the right to complain about the processing of personal data by us to a data protection supervisory authority.
 

Modification of this privacy notice

We revise this data privacy notice in the event of changes to data processing or other occasions that make this necessary. You will always find the current version on this page.
 

Further information on Microsoft and data privacy

https://www.microsoft.com/en-gb/privacy/privacystatement
https://learn.microsoft.com/en-gb/microsoftteams/privacy/location-of-data-in-teams
https://www.microsoft.com/en-gb/trust-center


Last update of this privacy notice: 10/2024