Online Meetings, Teleconferences and Webinars via Microsoft Teams
We take the protection of your personal data very seriously. We treat your personal data with confidentiality at all times and in compliance with the statutory data protection regulations. For this reason, we would like to inform you here regarding the processing of your personal data in connection with the use of Microsoft Teams (hereinafter referred to as “Teams”) and which rights you are entitled to.
Information about the responsible party (referred to as the “controller” in the GDPR)
The data processing controller is:
WeylChem ORGANICA GmbH
We have appointed a data protection officer for our company.
kelobit IT-Experts GmbH
Dr. Andreas Melzer
Thüringer Str. 31
MS Teams is a service of Microsoft Ireland Ltd. (“Microsoft”). It cannot be ruled out in this context that data are sent to the US to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft may also carry out remote repairs from other third countries. We concluded the standard data protection clauses of the European Commission with Microsoft. For further information see Item “Transfer to third parties“.
Scope and purpose of collection of data
To the extent that you retrieve the website of MS Teams or Microsoft, Microsoft is responsible for data processing. However, a retrieval of the website for use of MS Teams is only necessary for downloading the software for use of MS Teams.
If you do not want to use the MS Teams app, you can also use MS Teams via your browser. The service is then provided via the website of MS Teams.
When using MS Teams different types of data are used. The data volume also depends on which data you enter before or during participation in an online meeting. The following personal data are the subject matter of the processing:
- Display name
- E-mail address
- Profile picture (optional)
- Language preference
- Meeting ID
- Telephone numbers
Text, Audio and Video Data
You may have the possibility of using the chat function in an online meeting. In this context, the text entry data are processed in order to display them in the online meeting. In order to facilitate the display of video and replay of audio, the data of the microphone of your final device as well of any video camera of the final device are processing during the meeting. You can turn off the camera or mute the microphone yourself at any time via the Teams application.
We use MS Teams in order to host online meetings, telephone and video conferences, webcasts, etc. You can also use a pseudonym in order to participate in an online meeting or to enter the “meeting room”.
The chat content is recorded during use of MS Teams. We normally save the chat content for one month. If necessary for recording the results of an online meeting, we can also record the chat content for a longer period, but at maximum until the purpose being pursued has been achieved. However, normally this will not be the case.
When we want to record meeting, we will be transparent and tell you in advance and where necessary, ask for your consent. The fact that the data is being recorded will also be displayed in the Teams app, resp. in the web browser display. Moreover, the organizer can determine which participants have the right to carry out a recording.
In the case of webcasts, we can also process the questions posed by the participants for the recording and reworking of webcasts. You also have the possibility of allowing declassification for your monitor. In this case we have knowledge of the data and content shared via your monitors.
Where personal data are processed by our company staff, §26 BDSG is the legal basis of the data processing. Should personal data not be required for the formation, performance or termination of the employment relationship when using MS Teams but notwithstanding be an elementary component in the use of MS Teams, Art. 6 Sect. 1 lit. f GDPR will be the legal basis of the data processing. In these cases, our interest is in the effective hosting of online meetings.
In other respects, the legal basis of data processing in the hosting of online meetings is Art. 6 Sect. 1, lit b GDPR where the meetings are hosted within the framework of contractual relations.
Where there is no contractual relationship, the legal basis is Art. 6 Sect. 1. lit f. GDPR. Here as well, our interest is in the effective hosting of online meetings.
Who receives my data?
At our company only persons requiring your data for the smooth performance of online meetings generally have access to them, i.e., for example organizers and participants in meetings from our company. These may include multiple departments within our organization, depending on which services or products you receive from us. Our IT department also has access to your data for exclusively technical processing.
Personal data processed in connection with online meetings are generally not disclosed to third parties unless they were intended for disclosure. Please be advised that content from online meetings as well as in the case of personal conferences frequently have the purpose of communicating information with customers, potential customer or third parties and are thus intended for disclosure.
As the provider of MS Teams Microsoft inevitably gains knowledge of the above data where this is provided for within the scope of our contract processing agreement with MS Teams. Service providers we work with may also be recipients of data concerning you personally within the scope of contract processing pursuant to Article 28 GDPR.
We may be required to disclose certain data to the relevant authorized bodies within the scope of our statutory obligations.
Transfer to third parties
In general, there is no data processing outside of the European Union (EU), as we have restricted our storage site to computing centers within the European Union. However, we are unable to rule out routing or storage of data via an Internet server located outside of the European Union. This may in particular be the case where the participants in an online meeting reside in a third country.
A secure data protection level is guaranteed through the conclusion of additional EU standard data protection clauses and technical-organizational measures. When using standard data protection clauses our intention is to implement additional measures for the protection of your data where necessary. For this purpose, the data are i.e. encrypted during transmission via the Internet and when inactive and are thus protected from unauthorized third-party access. Microsoft uses standard technologies such as TLS and SRTP in order to encrypt all data during the transmission between the devices of the users and the Microsoft computing centers as well as between the Microsoft computing centers. This comprises messages, files (video, audio, etc.), conferences and other content. Moreover, inactive company data at Microsoft computing centers are encrypted in such a way that allows the organization to decrypt the content where necessary. Moreover, MS Teams uses TLS and MTLS for the encryption of chat messages. The entire server-to-server data traffic requires MTLS- independent of whether the data traffic is restricted to the internal network or exceeds the internal network perimeter. For more information on how Microsoft Teams encrypts the data go here: https://docs.microsoft.com/de-de/microsoftteams/teams-security-guide.
With regard to personal data stored by Microsoft in the US and Europe and which may be subject to official requests for information by authorities in the US, Microsoft guarantees in a statement of July 20, 2020 that such orders facilitating access to personal data may be contested in court. Beyond this, within the scope of a legal settlement Microsoft acquired the right to disclose transparent reports on the number of American orders on national security addressed to Microsoft; moreover new guidelines were introduced within the US government which restricted the use of confidentiality orders (cf.ttps://news.microsoft.com/de-de/stellungnahme-zum-urteil-des-eugh-was-wir-unseren-kunden-zum-grenzueberschreitenden-datentransfer-bestaetigen-koennen/) On the basis of the anticipated content of our MS Teams meetings which normally do not contain any personal data except for the names of the participants in the video conference, the data protection level is deemed to be adequate.
Notwithstanding, we are explicitly advising you that MS Teams is a service offered by a provider in the US. Consequently, processing of your personal data also takes place in a third party which currently is regarded as insecure as defined by the GDPR. This may harbor risks for the users, as the assertion of the data subject rights may for example be made more difficult. Negotiations are being conducted at political, data protection law and bilateral level to find a solution. However, currently there are no results. If you decide personally that adequate protection cannot be provided to you in this legal situation (in accordance with a ruling by the European Supreme Court), participation in an online meeting per MS Teams is currently not possible.
Term of storage of data
We generally delete data when there is no longer any requirement to store them. There may in particular be a requirement where the data are still needed for meeting contractual obligations, for inspecting or defense against warranty and any guarantee claims. In the case of statutory records preservation duties deletion is only possible after expiration of the respective records preservation duty.
Data subject rights
Every data subject has the right to information pursuant to Article 15 GDPR, the right to correction pursuant to Article 16 GDPR, the right to deletion pursuant to Article 17 GDPR, the right to restriction of the processing pursuant to Article 18 GDPR, the right to objection from Article 21 GDPR, as well as the right to data transferability from Article 20 GDPR. In the case of the right to information or the right to deletion, the restrictions as set out under §§34 and 35 Federal Data Protection Act (BSSG) will apply. In addition, there is a right of objection before a data monitoring office having jurisdiction (Article 77 GDPR).
You may withdraw any consent given to us for the processing of personal data at any time. This will also apply to the withdrawal of declarations of consent given to us before the Basic Data Protection Ordinance, i.e., before May 25, 2018. Please be advised that the withdrawal of consent will only have effect for the future. Any cases of processing prior to the withdrawal of consent are not affected.
Is there an obligation to provide data?
Providing your personal data is, first, not required either by law or contractually, nor are you obligated to provide these data. In order to participate in an online meeting or to enter the “meeting room” you must at minimum provide your name Should you not wish to do so, participation in our online meetings is unfortunately not possible.
Automated decision making
There is no automated decision making as defined by Art. 22 GDPR.
We do not process your data with the objective of automated evaluation of specific personal aspects.
Information on right of objection
Right of objection in the individual case
You have the right to lodge an objection against the processing of your personal data on the basis of Art. 6 Sect. 1 lit. f GDPR at any time on grounds arising from your specific situation (data processing on the basis of weighing of interests). This will also apply to profiling based on this provision as defined by Art. 4 No. 4 GDPR.
If you lodge an objection, we will no longer process your personal data unless we can prove compellingly legitimate grounds for the process which outweigh your interests, rights and freedoms or the processing is for the purpose of asserting, exercising or defending legal claims.
Recipient of the objection The objection can be lodged without formality with the subject line “Objection”, stating your name and e-mail address and should be addressed to the contact details set out under “Information about the responsible party (referred to as the “controller” in the GDPR)“
Amendment of this data protection notice
We amend this data protection notice in the case of changes of the data processing or other reasons making this necessary. The currently valid version can be found at this website at all times.
Valid as per 08/10/2023