Terms of use for the use of M365 at the University of Hamburg

These Terms of Use contain regulations governing the use of Microsoft 365 (M365) for all users at the University of Hamburg (UHH).

These Terms of Use apply to all persons (employees, relatives, and members of UHH, students, external parties) who have been granted access to the applications in M365 at UHH or who can access M365 applications at UHH via an access point.

1. A prerequisite for use is that these Terms of Use are acknowledged by the user at the beginning of their use of M365.
2. Users must log in using multi-factor authentication (MFA or 2FA), i.e., in addition to the user ID and password, an additional factor is required (Benutzerkennung@uni-hamburg.de + multi-factor authentication via login.uni-hamburg.de). UHH reserves the right to automatically reject logins without a second authentication factor or with risky parameters (e.g., Tor browser IP).

1. The general use of the services by the persons named in Section 2 is linked to the term of the EES (Enrollment for Education Solutions) agreement between UHH and Microsoft in its currently valid version. The period of use is limited to the duration of this contractual relationship. Changes to this contract and the resulting scope of use shall be announced immediately by the responsible department within the UHH in an appropriate manner. Upon receipt of the notification of termination of the contractual relationship, the respective software products or services may no longer be used. Before deletion, the department responsible must check whether any retention obligations for the data contained therein prevent deletion.
2. The individual right of use is limited to the period during which the person falls within the scope of Section 2 of these Terms of Use and has been granted a right of use.
3. If a user leaves UHH, access to the M365 account will generally be blocked on the day of departure together with the local user account. The account will then be deleted in accordance with UHH guidelines (e.g., the Regional Computing Center (RRZ) usage regulations). Before leaving UHH, the respective user must back up any necessary work-related data or data relevant to their studies in a timely manner.

1. The UHH grants users a personal license to use M365 for study, teaching, and administrative purposes. Users agree to the license terms, in particular those of the manufacturer. The use of M365 for private or commercial purposes is strictly prohibited. With the license assignment, all users receive a Microsoft account (known as a Microsoft business, school, or university account). The access data may not be passed on to third parties under any circumstances.
2. The business use of M365 should only take place on business devices or on devices approved for Bring Your Own Device (BYOD) and may be enforced technically. However, when using public or private devices, full support cannot be offered—only limited assistance can be provided by the Regional Computing Center (RRZ).

1. The use of M365 services is subject to the manufacturer's license terms.
2. The UHH reserves the right to offer users only a selection of software and services or to restrict individual functions of the software and services. Persons named in Section 2 are not entitled to use all available functions of Microsoft services.
3. It is prohibited to use the services in an illegal or unauthorized manner or to store or distribute such content.
4. When conducting examinations, priority should be given to using the Zoom video conferencing system provided by the UHH's Zoom service.
5. The use of the Teams Analytics & Reports service is prohibited.

1. The Microsoft account is a personal account as defined in Section 2 of these Terms of Use.
2. Other users do not have access to a user's personal workspace. It is therefore not possible for other users to view the data. This only happens when data is shared or forwarded. Both sharing and forwarding require a legal basis and compliance with data protection principles.
3. If data is stored in the Teams environment, each team member has access to the unencrypted data contained therein or to this team area. Exceptions to this are personal channels to which only the respective members of the channel have access. However, this area is separate from the respective personal areas of the users.
4. Supervisors, team leaders, etc. do not have access to the account and personal area of the users.
5. Records from meetings are displayed and stored in the meeting chat. The respective participants in the meeting and the organizer themselves have access to these records.
6. The administrators of the RRZ have administrative access rights within the scope of their official duties.
7. When sharing content (including internally), the “need-to-know” principle must be observed. Consequently, files are only shared with persons who need access to them for their specific activities. The owners of the data/teams/SharePoint pages are responsible for setting up and managing access rights.
8. Access to the camera images by the other participants in a work-related Teams meeting is only granted after approval by the respective person. However, there is no obligation to grant approval.
9. Data owners must use the classification options specified by the UHH in M365 to enable correct access control.
10. No personal data may be included in file names and file paths.

1. The data in M365 is currently not backed up separately in other UHH systems. Due to the possibility of data loss, which can never be completely ruled out, users are therefore advised to back up the data required for their work in other systems provided by the UHH.
2. The content stored in M365 is temporary storage. M365 products are neither suitable nor intended for permanent file storage within UHH. File contents that are to be stored permanently must therefore be transferred to a suitable file storage system in a finalized version as soon as possible. The files must be removed from M365 at the latest when the file is removed. The deadlines are based on the schedule set by the University Archive in its currently valid version.

1. Definition of external persons / B2B users
• External persons are all natural persons who are not employees or members of UHH (e.g., cooperation partners, service providers, third parties involved on a temporary basis). These persons may only use M365 for collaboration and communication within the scope of projects and/or project-related tasks and in compliance with these terms of use. Private or commercial use is strictly prohibited.
2. Permitted sharing areas and forms of collaboration
• Collaboration with external persons may take place via defined sharing areas (Teams, SharePoint Online, OneDrive, and others) if the following requirements are met:
1. External persons may be invited by responsible persons (e.g., group owners) to join dedicated groups (e.g., as members of a SharePoint page or as Teams members) or directly (e.g., in chats) as “guests.” Guests are accounts registered in M365 itself or persons invited from other M365 environments. Registration may only be carried out using the processes specified by UHH. Memberships are logged by the system.
2. Access must be restricted to dedicated areas (e.g., membership in a specific team or file folder access) according to the need-to-know principle. This means that the aforementioned access may only be granted when and to the extent necessary to achieve the purpose intended by the granting of access. Sentences 1 and 2 also apply to access to personal data and other sensitive information.
3. The disclosure of personal data in particular to external persons is generally only permitted for non-sensitive content, in compliance with the principles of purpose limitation and necessity.
4. Access shall be granted for a limited period of time and with minimal rights (usually read access).
3. Technical and administrative framework conditions
1. Access to M365 services by external persons shall be technically limited to the invited content.
2. The invitation process must be carried out via a UHH account; anonymous or self-registered guest access is not permitted.
3. Regular review (at least annually) of all guest accounts is mandatory. An automated request is sent to the user asking whether the guest accounts used are still needed. After the user has responded, the procedure under Section 3 c) of these Terms of Use applies to accounts that are no longer needed.
4. Data protection and acknowledgment of the terms of use for M365
1. Before first use, external persons must be informed about the processing of their personal data in accordance with the GDPR.
2. Consent to the terms of use must be ensured by technical default settings in the system (e.g., logged consent by email).
3. The collaboration may not involve the transfer of special categories of personal data (e.g., health data, data on religious or ideological beliefs, data on sex life or sexual orientation, genetic or biometric data) or personal research data without first consulting the data protection officer or data protection representative.
5. Responsibilities
• The inviting person or organizational unit on the part of UHH is responsible for and must ensure:
• the specific reason for the collaboration,
• the selection and assignment of rights to the invited persons,
• compliance with data protection and data security regulations,
• the timely deactivation of access after the end of the project or the cessation of the purpose.
6. The UHH reserves the right to technically restrict or completely disable certain approval functions.

1. Users may be temporarily or permanently restricted from using M365 applications by UHH or excluded from doing so if
1. there is suspicion of an IT security incident involving the account in question, or
2. they culpably violate these terms of use, or
3. they misuse the M365 applications made available to them for criminal activities or activities that contravene the UHH's mission statement, or
4. the UHH suffers disadvantages as a result of other illegal behavior on the part of the users, or
5. the conditions for exclusion under the applicable RRZ usage regulations are met.
2. Any permanent restriction of use or permanent exclusion from use is subject to review by two independent persons. Both persons are obliged to document their audit procedures and the results of the review in a comprehensible manner. The documentation must include at least the following points:
1. Date of the audit procedure,
2. names of the auditors
3. and any deviations from the provisions of these Terms of Use that were identified.
4. All information and personal data processed in the course of this review must be treated as confidential and may only be used for the purpose of reviewing the case.
3. Measures pursuant to Section 10 a) may only be taken after a prior warning to the user has been unsuccessful. This does not apply in cases of imminent danger. The person concerned must be informed of the warning immediately in an appropriate form. The person concerned must always be given the opportunity to comment. Unless legal or information security requirements dictate otherwise, they must be given the opportunity to back up their data.
4. Temporary restrictions on use must be lifted immediately as soon as proper use is possible again.
5. A permanent restriction on use or the complete exclusion of a user from further use shall only be considered in the event of serious or repeated violations within the meaning of Section 10 a) of these Terms of Use if proper conduct can no longer be expected in the future. The decision on permanent exclusion shall be made after hearing the person concerned in accordance with the relevant UHH processes.
6. Any claims that UHH may have against the person concerned remain unaffected.

If a user becomes aware of any violations of these terms of use or observes suspicious activity on their account or another account, they must report this immediately to abuse"AT"uni-hamburg.de. This report will be treated confidentially and will help to ensure the security and integrity of the UHH's M365 environment.

The UHH is not liable for damages incurred by users through the use of M365 services, unless these are attributable to intentional or grossly negligent behavior.

1. As part of the provision of M365 services, personal data is processed in the M365 cloud. This personal data may vary depending on the service used in M365.
2. Users are informed about the processing of their personal data in separate data protection notices in accordance with Art. 13 GDPR.
3. Users undertake to comply with the applicable data protection regulations.

1. The UHH reserves the right to amend these Terms of Use as necessary. The current version of the Terms of Use will be posted in a suitable location.
2. Changes may be made in particular:
1. if this becomes necessary due to a change in the legal situation
2. if technical developments, new functions, or adjustments are required.
3. UHH will inform users of any changes to the Terms of Use in an appropriate manner (e.g., by email or via the user account).

Version 1. Status: November 4, 2025