voestalpine AG Microsoft Teams

voestalpine AG Microsoft Teams

Important Information

Privacy policy of voestalpine for the use of Microsoft Teams

As a technologically innovative company, voestalpine AG (hereinafter referred to as voestalpine) attaches particular importance to the protection of your personal data. For this reason, we would like to inform you about what personal data is collected, how it is used and what options you have in this regard. You can obtain further information, including information on data protection in general, at https://www.voestalpine.com/group/de/datenschutz/.

Who is responsible for your data?

voestalpine AG is responsible for processing customer data.
voestalpine AG (FN 66209 t)
voestalpine-Straße 1
4020 Linz, Austria
info@voestalpine.com

You can reach voestalpine AG’s Group Data Protection Manager at:

Group Data Protection Office
voestalpine AG
voestalpine-Straße 1
4020 Linz, Austria
group-dataprotection@voestalpine.com

What are the purposes and legal bases for the processing of data by Microsoft Teams?

voestalpine uses Microsoft Teams for internal and external communication to maintain its own operations and optimize business processes. The legal basis is Art. 6 para. 1 lit. f in conjunction with Art. 28 DSGVO. In principle, Microsoft processes all personal data on voestalpine instructions.

What personal data does Microsoft Teams collect and process?

Customer data: Microsoft Teams collects all text, audio, video, image files, phone numbers, third party applications, and software that you add or upload to Teams yourself. At a minimum, this includes first and last names, full display name, email address, and chat messages.

Employee data: Microsoft Teams collects all text, audio, video, image files, phone numbers, third party applications, and software that you add or upload to Teams yourself. At a minimum, this includes first and last names, full display name, email address, and chat messages.

Data type Affected category Purpose Storage duration
User account External data Identification and description of the customer account 90 days after deletion of Azure Active Directory account
Last Logon External data Storage in M365 90 days after deletion of Azure Active Directory account
First name External data Identification and description of the customer account 90 days after deletion of Azure Active Directory account
Last name External data Identification and description of the customer account 90 days after deletion of Azure Active Directory account
Full display name External data Identification and description of the customer account 90 days after deletion of Azure Active Directory account
SMTP mail address External data Unique sender and recipient address 90 days after deletion of Azure Active Directory account
Phone number External data Identification and description of the customer account 90 days after deletion of Azure Active Directory account
Chat messages Texts in Teams Chat Storage in M365 Private chats: 36 months; teams channel messages: 24 months after last team use
Entered content Data shared with a team Maintenance of business activity 24 months after last use of a team

Where is personal data stored by Microsoft Teams and is the data transferred to a third country?

voestalpine stores customer data and employee data in encrypted form exclusively on Microsoft Azure servers in the EU, of which the data centers are located in Germany and the Netherlands.

Pseudonymized diagnostic data and data generated by the service (“legitimate business activities”) are transferred to a third country, primarily the USA. The transfer is based on EU standard contractual clauses and the EU-US Data Privacy Framework. In addition, to best protect your personal data, Microsoft has taken on additional contractual obligations. These commitments provide for:

  • The data subject is entitled to compensation whose data have been unlawfully processed and who has suffered (im)material damage as a result;
  • The data subject will be informed if Microsoft is legally required by a government order to release data to U.S. security authorities;
  • Microsoft will take legal action and go to the U.S. courts to challenge the government order to hand over the data.

Microsoft is responsible for the processing of personal data collected for “legitimate business activities.” 

Microsoft Enterprise Service Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052, USA

You can reach Microsoft’s Privacy Officer at: 

Microsoft Ireland Operations, Ltd
Attn: Data Privacy
One Microsoft Place
South County Business Park
Leopards town
Dublin 18, D18 P521, Ireland

Who gets access to my data?

voestalpine uses subcontractors to provide its own services, e.g. for support or maintenance. However, these subcontractors are contractually obligated to comply with EU data protection regulations, i.e. DSGVO. The legal basis for this is Art. 28 DSGVO.

Nearshore/Onshore/ Offshore Country Company name Company address Processor/ Subprocessor Commissioned by
Onshore Austria voestalpine group-IT GmbH voestalpine- Strasse 3, 4020 Linz, Austria Processor voestalpine AG
Onshore Ireland Microsoft Ireland Operations, Ltd. One Microsoft Place South County Business Park Leopards town Dublin 18, D18 P521, Ireland Processor voestalpine AG

What rights do you have?

  • a. request information on the categories of data processed, the purposes of processing, any recipients of the data, the planned storage period (Art. 15 GDPR);
  • b. demand the correction or completion of incorrect or incomplete data (Art. 16 DSGVO);
  • c. revoke a given consent at any time with effect for the future (Art. 7 para. 3 DSGVO);
  • d. object to data processing based on a legitimate interest for reasons arising from your particular situation (Art. 21 (1) DSGVO);
  • e. in certain cases, within the framework of Art. 17 DSGVO, to demand the deletion of data – in particular insofar as the data is no longer required for the intended purpose or is processed unlawfully, or you have revoked your consent in accordance with (c) above or declared an objection in accordance with (d) above;
  • f. under certain conditions, to demand the restriction of data which, to the extent that deletion is not possible or the obligation to delete is disputed (Art. 18 DSGVO);
  • g. to data portability, i.e. you can receive your data that you have provided to us in a common machine-readable format, such as CSV, and transfer it to others if necessary (Art. 20 DSGVO);
  • h. complain about data processing to the competent supervisory authority.

Where can I find detailed description of Microsoft Teams?

For more information about Microsoft Teams, visit: https://docs.microsoft.com/dede/microsoftteams/teams-privacy .

Logo

Documents / Resources

voestalpine AG Microsoft Teams [pdf] User Guide
AG Microsoft Teams, AG, Microsoft Teams, Teams

References

Leave a comment

Your email address will not be published. Required fields are marked *