Data protection information pursuant to Article 13 of the General Data Protection Regulation (GDPR) for the use of Microsoft 365 (M365) at the University of Hamburg
Content
A. Introduction
The following information shall serve to fulfill the information obligations pursuant to Art. 13 GDPR in connection with the use of M365 at the University of Hamburg (UHH). The UHH hereby informs you about the processing of your personal data when using M365 services provided by the UHH. The information relates in particular to the data processing purposes associated with the use, the legal basis for data processing, and your rights as a data subject under the GDPR.
Before the UHH informs you in detail about the processing of your personal data in accordance with Art. 13 GDPR (see B. Data protection information in accordance with Art. 13 GDPR), please note the following general information:
When using UHH's M365 services, UHH's data protection responsibility solely covers the provision of the licensed M365 services or content for official purposes or for your studies. The UHH has no influence on any further processing of personal data by Microsoft (e.g., on the Microsoft website), meaning that Microsoft is itself responsible for such processing in terms of data protection law within the meaning of the GDPR.
This privacy policy does not take into account any data processing that may be carried out in the future with the help of M365 services, e.g., due to the implementation of new technologies or the introduction of new services or functions within M365. For this reason, among others, it may be necessary to change or supplement the following information at any time. If changes or additions become necessary, the UHH will inform you separately.
B. Data protection information pursuant to Art. 13 GDPR
1. Controller in accordance with the definition of the GDPR, contact for questions regarding the use of M365, data protection officer
a. Controller in accordance with the definition of the GDPR (Art. 4 No. 7 GDPR)
The controller in accordance with the definition of the GDPR for the processing of your personal data is the
University of Hamburg, represented by the president
Mittelweg 177
20148 Hamburg
praesident"AT"uni-hamburg.de
b. UHH contact for questions regarding the use of M365
If you have any questions about the use of M365 at UHH, please contact:
University of Hamburg
Fabian Roth
Schlüterstraße 70
20146 Hamburg
rrz-serviceline"AT"uni-hamburg.de
c. Data Protection Officer
You can contact the UHH data protection officer at
Data Protection Officer of the University of Hamburg
Mittelweg 177
20148 Hamburg
datenschutz"AT"uni-hamburg.de
2. Purposes of data processing and processed data, legal basis for data processing
Several M365 services are used at UHH. When using UHH's M365 services, different categories of personal data are processed for different purposes, depending on the service used.
In this section, UHH provides information about the M365 services used at UHH. The following list contains information on each specific M365 service. It outlines the data processing purposes pursued by each service and the personal data or categories of personal data processed in the process. At the end of the description of each M365 service, you will find the legal basis for the corresponding data processing. Different legal bases may apply to different members of UHH and other persons affected by the data processing (i.e., UHH staff and employees, students, external persons such as guests or collaboration partners, hereinafter collectively referred to as “status groups” when referring to all affected groups). Therefore, you will find additional information about which legal bases are relevant for which status group.
M365 service: Exchange Online
(Exchange Online service in M365, not the MS Exchange mail system of the UHH operated by the RRZ)
- Purposes of data processing
- Email communication, calendar management
- Communication medium for comprehensive collaboration and to simplify internal and external communication.
- A calendar function is available to enable the organization of meetings.
- Processed personal data or categories of processed data
- Names, email addresses, content, header data, calendar data, metadata, log data
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) Hamburg Data Protection Act (HmbDSG – Hamburgisches Datenschutzgesetz) in conjunction with § 85 (1) Hamburg Civil Servants Act (HmbBG – Hamburgisches Beamtengesetz)
- Students: Art. 6 (1) (e) in conjunction with (3) GDPR in conjunction with § 111 (1) Hamburg Higher Education Act (HmbHG – Hamburgisches Hochschulgesetz)
- External Users:
  - When the UHH uses M365 to fulfill and initiate contracts: Art. 6 (1) (b) GDPR (in particular, implementation of projects and collaborations)
  - When data processing is necessary for the performance of tasks in the public interest: Art. 6 (1) (e), (3) GDPR in conjunction with § 4 HmbDSG in conjunction with § 3 HmbHG (in particular for research projects)
  - In cases where prior consent is given: Art. 6 (1) (a) GDPR
M365 service: SharePoint Online
- Purposes of data processing
- Collaboration, project rooms
- Service for internal directories within M365. SharePoint Online can be used to create and manage custom team- and project-oriented websites for collaboration.
- The application serves to simplify collaborative editing by providing storage and access management to support collaboration.
- Processed personal data or categories of processed data
- User profiles, contact data, metadata, content data, log data
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) HmbDSG in conjunction with § 85 (1) HmbBG
- Students: Art. 6 (1) (e) in conjunction with (3) GDPR in conjunction with § 111 (1) HmbHG
- External Users: Depending on the purpose of the data exchange, Art. 6 (1) (b) or Art. 6 (1) (e), (3) GDPR in conjunction with § 3 HmbHG or Art. 6 (1) (a) GDPR (see also: information on Exchange Online)
M365 service: OneDrive for Business
- Purposes of data processing
- File storage and sharing: A user's personal drive for data, which can be used to share information, particularly for the purposes of cooperation, project work, and collaboration with other users.
- Processed personal data or categories of processed data
- User profiles, contact data, metadata, content data, log data
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) HmbDSG in conjunction with § 85 (1) HmbBG
- Students: Art. 6 (1) (e) in conjunction with (3) GDPR in conjunction with § 111 (1) HmbHG
- External Users: Depending on the purpose of the data exchange Art. 6 (1) (b) or Art. 6 (1) (e), (3) GDPR in conjunction with § 3 HmbHG or Art. 6 (1) (a) GDPR (see also: information on Exchange Online)
M365 service: Microsoft Teams
- Purposes of data processing
- Solution for communication and online meetings as well as organizing team work. The service enables chats, audio, video, and web conferences. In addition, groups ("teams") can be formed and used to share files, create posts, and organize tasks and projects. When a "team" is created, a SharePoint Online page and an Exchange Online mailbox are generated for each team at the same time.
- Processed personal data or categories of processed data
- Profile data, chats, video data, audio data, status, contact data, content data, log data
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) HmbDSG in conjunction with § 85 (1) HmbBG
- Students: Art. 6 (1) (e) in conjunction with (3) GDPR in conjunction with § 111 (1) HmbHG
- External Users: Depending on the purpose of the data exchange, Art. 6 (1) (b) or Art. 6 (1) (e), (3) GDPR in conjunction with § 3 HmbHG or Art. 6 (1) (a) GDPR (see also: information on Exchange Online)
M365 service: Planner / To Do / Tasks
- Purposes of data processing
- Ensuring the fulfillment of administrative tasks at UHH through task and project planning: planning, managing, scheduling, and overviewing tasks for individuals or teams.
- Processed personal data or categories of processed data
- Tasks, comments, status information, contact data, content data
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) HmbDSG in conjunction with § 85 (1) HmbBG
- Students: Art. 6 (1) (e) in conjunction with (3) GDPR in conjunction with § 111 (1) HmbHG
- External Users: Depending on the purpose of the data exchange, Art. 6 (1) (b) or Art. 6 (1) (e), (3) GDPR in conjunction with § 3 HmbHG or Art. 6 (1) (a) GDPR (see also: information on Exchange Online)
M365 service: Power Platform: Power Automate, PowerBI, PowerApps, Power Pages
- Purposes of data processing
- Automation and creation of custom applications without programming knowledge, visualization of data for reporting and data analysis, provision of effective work management, enabling planning and organizational concepts, fulfillment of reporting obligations, creation and presentation of key figures, creation of responsive websites
- Processed personal data or categories of processed data
- Forms, process data, logs, financial data, metadata, identification data, employment data, authentication data, membership and role data
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) HmbDSG in conjunction with § 85 (1) HmbBG, as well as Art. 6 (1) (c) or (e) GDPR with regard to the content of reports
- Students: Art. 6 (1) (e) in conjunction with (3) GDPR in conjunction with § 111 (1) HmbHG
- External Users: Depending on the purpose of the data exchange, Art. 6 (1) (b) or Art. 6 (1) (e), (3) GDPR in conjunction with § 3 HmbHG or Art. 6 (1) (a) GDPR (see also: information on Exchange Online)
M365 service: Intune / Endpoint Manager
- Purposes of data processing
- Device management and ensuring compliance with internal guidelines and data protection, control over the use of UHH applications and data, protection of sensitive data and minimization of security risks, ensuring compliance with legal requirements; remote assistance with device problems
- Processed personal data or categories of processed data
- Device data, compliance status, log data, device information, network information, remote access to resolve device problems
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) HmbDSG in conjunction with § 85 (1) HmbBG, as well as Art. 6 (1) (c) or (e) GDPR with regard to processing necessary to comply with data protection and compliance guidelines
M365 service: Azure AD / Entra ID
- Purposes of data processing
- Central directory service for all MS365 applications, both on-premises (Azure AD) and on-demand (Entra ID): authentication, authorization management (formerly Microsoft Active Directory on Premise), license management for Microsoft products, ensuring system integrity and operational security, team and group communication through Microsoft 365 Groups
- Processed personal data or categories of processed data
- Login data, roles, group memberships, work contact details, personnel number or matriculation number, security questions, lecturer status, log data, profile pictures, and other account attributes provided voluntarily by the user, login reports, security reports, and monitoring logs
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) HmbDSG in conjunction with § 85 (1) HmbBG
- Students: Art. 6 (1) (e) in conjunction with (3) GDPR in conjunction with § 111 (1) HmbHG
- External Users: Depending on the purpose of the data exchange, Art. 6 (1) (b) or Art. 6 (1) (e), (3) GDPR in conjunction with § 3 HmbHG or Art. 6 (1) (a) GDPR (see also: information on Exchange Online)
- For voluntary additional information on account attributes, consent in accordance with Art. 6 (1) (a) GDPR is the relevant legal basis for all user groups
- With regard to establishing system integrity and operational security, the legal basis for all user groups is Art. 6 (1) (c) or (e) GDPR
M365 service: I. Microsoft Defender and II. Purview Data Loss Prevention
- Purposes of data processing
- Security and compliance: Monitoring of system security and company-wide binding guidelines for proper business processes, documentation, and implementation of data protection-related processes.
I. The "Defender" components in M365 serve exclusively to maintain technical system security.
II. The functions of the "Purview" components are designed to help ensure and improve system security and compliance (= IT compliance, data protection, and information security) at UHH.
- Processed personal data or categories of processed data
- I. + II. Log data on logins and security-related processes (logins/logouts, permission changes), business address, telephone number (private), telephone number (business), email address (business), fax (business), university, matriculation number, name components (first name, prefix, suffix, last name, title), teaching and research area, subject area, employment category, organizational affiliation, personnel number, user ID, password, security questions, activities as a visiting professor or lecturer, log data (e.g., IP address, user ID, timestamp)
  For external parties: also email address (private)
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) HmbDSG in conjunction with § 85 (1) HmbBG
- Students: Art. 6 (1) (e) in conjunction with (3) GDPR in conjunction with § 111 (1) HmbHG
- External Users: Depending on the purpose of the data exchange, Art. 6 (1) (b) or Art. 6 (1) (e), (3) GDPR in conjunction with § 3 HmbHG or Art. 6 (1) (a) GDPR (see also: information on Exchange Online)
M365 service: Microsoft Viva: Viva Connections
- Purposes of data processing
- Central access to important information, more efficient work and collaboration, personalization of targeted information for employees
- Processed personal data or categories of processed data
- User data, usage data, user feedback, content data, interaction data, connected third-party data sources
- Legal bases for data processing
- Employees: Art. 88 (1) GDPR in conjunction with § 10 (1–3) HmbDSG in conjunction with § 85 (1) HmbBG
- Students: Art. 6 (1) (e) in conjunction with (3) GDPR in conjunction with § 111 (1) HmbHG
- External Users: Depending on the purpose of the data exchange, Art. 6 (1) (b) or Art. 6 (1) (e), (3) GDPR in conjunction with § 3 HmbHG or Art. 6 (1) (a) GDPR (see also: information on Exchange Online)
3. Recipients of personal data and transfer to third countries
When using M365 services provided by the UHH, a recipient of your data within the meaning of the GDPR is Microsoft Ireland Operations, Ltd., based in the European Union (EU), specifically in Dublin, Ireland. Your personal data, which was previously processed mainly on local UHH servers, will therefore continue to be stored on European servers. Microsoft Ireland Operations, Ltd. acts as a processor for UHH within the meaning of the GDPR. This means that when you use UHH's M365 services, your personal data is processed on behalf of UHH and a data processing agreement in accordance with Art. 28 GDPR has been concluded between UHH and Microsoft for this purpose.
Generally, UHH does not intend to transfer your personal data to a third country. Third countries within the meaning of the GDPR are countries outside the EU and the European Economic Area (EEA), such as the US, and therefore may not offer a level of data protection comparable to EU standards. However, when using UHH's M365 services, the transfer of your personal data via Microsoft Ireland Operations, Ltd. to third countries, in particular to Microsoft Corporation in the United States, cannot be ruled out. According to the case law of the European Court of Justice (ECJ), the United States is also generally considered a country with an insufficient level of data protection according to EU standards. However, an adequate level of data protection for data transfers to the US is provided in cases where the data recipients are certified under the EU-US Data Privacy Framework (DPF). The DPF is an adequacy decision by the EU Commission within the meaning of the GDPR, according to which transfers of personal data to the US may be carried out because, in the opinion of the EU Commission, an adequate level of protection is guaranteed if the aforementioned certifications are in place. Microsoft Corporation currently has a valid certification under the DPF.
If, when using UHH's M365 services, your personal data is transferred via Microsoft Ireland Operations, Ltd. to third countries for which no adequacy decision has been made, this is done on the basis of so-called standard data protection clauses in accordance with Art. 46 (2) (c) GDPR (also known colloquially as Standard Contractual Clauses, SCCs), which have been previously approved by the EU Commission. Upon request, these appropriate safeguards to ensure an adequate level of protection can be provided to you. In addition, Microsoft has committed to the EU-US Privacy Shield Framework and has certified its compliance with the EU-US Privacy Shield Principles. Furthermore, Microsoft has contractually committed itself to the UHH, via the aforementioned data processing agreement, to further safeguards and measures to protect personal data and the data subjects.
4. Storage period and deletion deadlines
The UHH is legally obliged to store your personal data generated when using the UHH's M365 services for a certain period of time. Your personal data will therefore be stored as follows when using the UHH's M365 services:
The storage period is generally based on membership in a so-called M365 group. A distinction is made between owners and members of a group (e.g., as displayed in M365 Teams). These memberships are controlled by the group lifecycle process, which defines when a group is created, modified, and deleted.
After the automated group process, the content is stored in a retention container for up to 180 days. This means that if, for example, M365 groups or user accounts are deleted, the associated content is not immediately physically removed, but is first moved to a special area ("container") where it remains accessible or recoverable for the specified period (up to 180 days).
After that, the data is automatically deleted from the retention container and, if it is not worthy of archiving, permanently deleted. This serves to protect against accidental data loss and supports compliance with legal and organizational retention periods in accordance with GDPR requirements.
The specific period and configuration of the expiration policy depends on the respective group and policy settings.
Log data is automatically deleted by Microsoft—currently after a maximum of 13 months.
Otherwise, your personal data that is not covered by the aforementioned storage periods will only be stored for as long as is necessary for the purposes mentioned in section 2 above.
None of the aforementioned periods apply if longer storage or retention periods and/or documentation obligations are prescribed by law for UHH, e.g., in accordance with the German Fiscal Code (AO – Abgabenordnung), state budget regulations, or the German Commercial Code (HGB – Handelsgesetzbuch). A further exception to the aforementioned periods may arise if your personal data is still required for the assertion, exercise, or defense of legal claims. In such cases, your personal data will only be processed for the corresponding purpose; further data processing will then no longer take place.
After the aforementioned storage periods have expired, any documents that were processed when using UHH's M365 services and contain your personal data will be offered to the University Archive Hamburg for transfer. If no transfer takes place, your personal data will be permanently deleted from UHH's M365 services.
5. Legal or contractual provision of your personal data, necessity of provision for the conclusion of a contract
The provision of some personal data, such as comments, sharing, etc., is not mandatory but voluntary.
For employees, there is no legal obligation to provide certain data. However, it may not be possible to execute the employment contract without the provision of your data, and this may have further individual consequences.
For students, if you do not provide your personal data, you may not be able to participate in study-related events if these require a corresponding M365 account for authentication.
For external parties, the provision of your personal data is neither legally nor contractually required. If you do not consent to the processing of your data, this will not have any negative consequences for you.
6. Automated decision-making, profiling
Automated decision-making, including profiling pursuant to Article 22 (1) and (4) GDPR is not performed in connection with the use of UHH's M365 services.
7. Your rights under the GDPR
In connection with the data processing described above, you have the following rights:
- Right to information pursuant to Art. 15 GDPR
- Right to rectification of inaccurate or incomplete personal data concerning you pursuant to Article 16 GDPR
- Right to erasure of your personal data or a "right to be forgotten" under the conditions of Art. 17 GDPR. The right to erasure depends on the conditions and restrictions laid down by law.
- Right to restriction of processing of your personal data under the conditions of Art. 18 GDPR. A right to restriction of processing depends on the conditions and restrictions laid down by law.
- Right to data portability under the conditions of Art. 20 GDPR
- If the processing is based on Art. 6 (1) (e) or (f) GDPR, you have the right to object to the processing pursuant to Art. 21 (1) GDPR on grounds relating to your particular situation. In this case, we will no longer process this data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
- If the processing of your data is based on a declaration of consent submitted by you, you also have the right to revoke your consent at any time in accordance with Art. 7 (3) GDPR. The declaration of revocation can be made informally and does not require any justification. Any revocation will only take effect for the future. This means that it would not affect the lawfulness of the processing that took place before you revoked your consent.
- To exercise your rights, you can contact the person named in section 1b above, among others. If you have any further questions, our data protection officer will be happy to advise you. You can reach them using the contact details provided in section 1c.
- Furthermore, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR if you believe that the processing of your personal data violates the GDPR.
Version 1, as of 14.11.2025