Data protection for video conferences with Teams

USE OF MICROSOFT TEAMS ACC. ART. 13 GDPR 

INFORMATION FROM CADOCARE GMBH ON DATA PROTECTION WHEN USING MICROSOFT TEAMS IN ACCORDANCE WITH. ART. 13 GDPR 

 

Ladies and Gentlemen, 

We would like to inform you about the processing of your personal data in connection with the use of "Microsoft Teams" (hereinafter referred to as "Teams"). 

Teams is used by Cadocare GmbH as an internal and external online communication platform, e.g. to conduct telephone and video conferences, but also online meetings and webinars (hereinafter: "Online Meetings"). 

WHO IS RESPONSIBLE FOR THE DATA PROCESSING OF TEAMS AT CADOCARE? 

The data controller under data protection law for data processing directly related to the holding of online meetings via Teams at Cadocare is generally 

Cadocare GmbH 

Boschstrasse 22 

52531 Übach-Palenberg 

Phone: +49 2451 / 94349-0 

E-mail: info@cadocare.com 

Website: www.cadocare.com 

 

Managing directors authorised to represent the company: Patrick Gerards, Markus Ritter 

 

The provider of the Services Team is Microsoft Corporation, One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland, which has its headquarters in the USA, One Microsoft Way Redmond, Washington 98052 (hereinafter referred to as "Microsoft"). 

 

There is an agreement between Cadocare and Microsoft as the processor in accordance with Art. 28 GDPR. 

 

Note: If you access the Teams website, Microsoft is generally responsible for the data processing that takes place there. 

 

WHAT DATA IS PROCESSED? 

Various types of data are processed when you use Teams. However, the exact scope of the data, including its processing, also depends on what data you disclose before and when participating in an online meeting and how you use Teams. 

The common data to be processed when using Teams includes in particular the following: 

  • Personal details (e.g. first and last name, e-mail address, profile picture), 
  • Meeting metadata (e.g. date, time and duration of the communication, name of the meeting, participant IP address), 
  • Text, audio and video data (e.g. chat histories, video and audio playbacks), 
  • Connection data (e.g. phone numbers, country names, start and end times, IP addresses). 

In the following, we would like to inform you in more detail about the scope of data processing. 

Fundamentally necessary data for Teams usage 

As an authorized Cadocare employee, you have a user account with which you can organize and hold online meetings as a "user" or "host". Please refer to the internal brief instructions on using Teams. 

To create your user account or to plan and hold an online meeting, the following data is collected and processed from you: 

  • Name, 
  • User name, 
  • E-mail or telephone number, 
  • Password (if no single sign-on is used). 

This information always comes from the user accounts already created in the Cadocare system. 

If you attend a Cadocare online meeting as an internal or external participant ("guest"), the host will send you a corresponding access link by e-mail. The host must use your e-mail address for this purpose. You can only participate in this one meeting using this access link. When registering for the online meeting, you must always provide your name and, if applicable, your e-mail address. 

As a participant, you can take part in meetings directly via the browser without installing the Teams app. 

Teams itself also collects data from you which, according to Microsoft, is necessary for the provision, technical and operational support and improvement of the services provided. This includes, in particular, technical data about your devices, your network and your internet connection, such as 

  • IP address,
  • MAC address, 
  • other device IDs (UDID), 
  • Device type, operating system type and version, client version, 
  • Camera type, 
  • Microphone or loudspeaker, 
  • Type of connection 
  • Date and time of the connection 
  • Voluntary information and data processing when using Teams functions 

Using the existing Teams functionalities, it is possible for you to provide further information about yourself, but you are not obliged to do so. In this context, you are free, for example, to use the chat, question or survey functions as part of the online meeting and thereby disclose corresponding data about yourself. 

If you use the chat, question or survey function, the texts etc. you enter will be processed in order to display them in the online meeting and, if necessary, to log them. 

You can also switch your camera and microphone on, off or mute them yourself. If you decide to switch your camera or microphone on, the data from your end device's microphone and any video camera on the end device will be processed for the duration of the meeting. 

Please always be aware that the data that you or others upload, provide or create during an online meeting will be processed by the participants for at least the duration of the meeting. Often even beyond that. This includes, in particular, chat/instant messages, files, whiteboards and other information shared while using the service. 

Further information on the processing of your data 

Further information on the processing of your data when using Teams, in particular those that take place under Microsoft's own responsibility, can be found at: 

https://privacy.microsoft.com/de-de/privacystatement und https://news.microsoft.com/de-de/datenschutz-und-sicherheit-in-microsoft-teams-nutzer/. 

WHAT ARE THE PURPOSES OF THE PROCESSING AND THE RELEVANT LEGAL BASES? 

As described above, we use Teams to conduct online meetings at Cadocare to the extent described above. 

If you use Teams as an employee of Cadocare for operational purposes, the data processing is carried out on the basis of Art. 6 para. 2, 88 GDPR in conjunction with Section 26 para. 1 BDSG. This is because the data processing you carry out using Teams is necessary for the purposes of carrying out your employment relationship or fulfilling the obligations owed by you under your employment contract due to the necessities / circumstances described above, which Cadocare is confronted with. 

If you participate in an online meeting as an external participant, your data is regularly processed on the basis of Art. 6 para. 1 lit. b GDPR. However, this only applies insofar as your participation in the online meeting is for the fulfillment or execution of a contract concluded with you or with the company at which you are employed. The same applies to cases in which a contract is initiated and this was done on your initiative. 

If data processing in connection with the use of Teams is not necessary for the purposes of the employment relationship or for the performance of a contract concluded with you or for the implementation of pre-contractual measures, it is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest here is the maintenance of location-independent communication, the maintenance of business contacts and the provision of services owed. 

If, when using the tool, you also voluntarily provide information about yourself or voluntarily use functions that are not mandatory, the associated data processing is based on your consent, which can be revoked at any time, in accordance with Art. 6 para. 1 lit. a in conjunction with. Art. 7 GDPR and, if applicable, in conjunction with Section 26 (2) BDSG if you are a Cadocare employee. 

You can withdraw your consent at any time with effect for the future. Please note that processing that took place before the revocation is not affected by this. 

WHO ARE THE RECIPIENTS OF THE DATA AND HOW IS THE DATA PASSED ON? 

It is very important to us not to pass on your data, which we process in connection with your participation in online meetings, to third parties. Data will therefore only be passed on if it is intended to be passed on, if you have expressly consented to the transfer in advance or if we are obliged or authorized to do so by law. Content from online meetings is often intended to be forwarded to third parties such as customers, interested parties, etc. Therefore, if you do not wish your data to be passed on, you should communicate this accordingly or keep the data to be kept secret to yourself. Regulations on the disclosure of data can be found in our internal short note on the use of Teams. 

As the provider of the Teams software, Microsoft Corporation supports us as an external service provider and processor within the meaning of Art. 28 GDPR. Based on corresponding contractual agreements, Microsoft processes your data strictly in accordance with our instructions. Data processing outside the European Union (EU) or the European Economic Area (EEA) does not take place, as we have limited our storage location to data centers in the European Union. However, it cannot be ruled out that your data may also be processed outside the EU or the EEA or transferred to Microsoft Corporation. The transfer of data to the USA is subject to appropriate safeguards within the meaning of Art. 46 GDPR through the use of standard data protection clauses and additional measures taken. We will be happy to provide you with a copy of the standard data protection clauses and further information on the additional measures taken on request. 

If a data subject dials into an online meeting from a third country, Cadocare cannot rule out the possibility that data will be routed via internet servers outside the EU. 

WHO IS OUR DATA PROTECTION OFFICER? 

We have appointed a data protection officer. 

Reinhold Goetz, Dipl.Ing. Communications Engineering 

Certified data protection officer and auditor TÜV 

Certified data protection specialist DEKRA 

E-mail: rgoetz@datenschutzservice.nrw 

Web: https://www.datenschutzservice.nrw  

Tel: 02235 / 9947997 

 

WHAT RIGHTS DO YOU HAVE AS A DATA SUBJECT? 

You have the right to information about the personal data concerning you. You can contact us at any time for information. 

In the case of a request for information that is not made in writing, we ask for your understanding that we may require proof from you that you are the person you claim to be. 

Furthermore, you have a right to rectification or erasure or to restriction of processing, provided that the legal requirements are met. 

Finally, you have the right to object to the processing within the framework of the statutory provisions. 

There is also a right to data portability within the framework of data protection regulations. 

In the event that the data processing is based on your effective consent, you have the right to withdraw this consent at any time with effect for the future. 

You have the right to complain to a data protection supervisory authority about the processing of personal data by us. 

 

WHEN AND HOW IS DATA DELETED? 

When deleting your data, we are guided in particular by the principles of purpose limitation and storage limitation in accordance with Art. 5 para. 1 GDPR. We therefore always delete your data when we no longer have a legitimate purpose for storing it. 

Legitimization of data retention may consist in particular in the fact that certain data is still required in order to fulfill contractual services, to check and grant or defend against warranty and guarantee claims. In the case of statutory retention obligations, e.g. of a tax law nature, deletion is only considered after the respective retention obligation has expired. 

If you are registered with Teams as a user, reports on online meetings (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) can be stored in Teams for up to one month. 

 

DO YOU HAVE ANY FURTHER QUESTIONS, SUGGESTIONS, ETC.? 

If you have any further questions, suggestions, etc., please do not hesitate to contact us at any time using the information options above.