Data protection information for collaboration and communication via Microsoft 365

This notice informs you about the processing of your personal data in the Microsoft 365 tenant of the EUROPIPE Group, consisting of EUROPIPE GmbH and Mülheim Pipecoating GmbH. Microsoft 365 is a cloud application for the purpose of collaboration, security, data protection and the processing of various data. The core of this compilation primarily comprises the tools:

-Exchange Online (e-mail, calendar, address book, tasks),
-OneDrive and SharePoint Online (storage, processing, application platform) and
-Microsoft Teams (collaboration, chat, meeting and telephony).
-SharePoint (storage platform for group repositories)
-Stream (creating and sharing videos)

1. Who is responsible for data processing?

The EUROPIPE Group companies that use Microsoft 365 and process your data are responsible within the meaning of data protection law.

EUROPIPE GmbH
Sandstr. 140
45473 Mülheim an der Ruhr/Germany
Phone: +49 208 976-0

MÜLHEIM PIPECOATINGS GmbH
Sandstr. 140
45473 Mülheim an der Ruhr/Germany
Phone: +49 208 976-2300

If you have any data protection-related questions, please contact the data protection officer of the company through which you have access to Microsoft 365. Alternatively, you can also contact the data protection officer of EUROPIPE GmbH datenschutz@europipe.com or Mülheim Pipecoatings GmbH datenschutz@muelheim-pipecoatings.com with general questions.

2. For what purposes do we process personal data?

The purpose of the processing is the internal and external collaboration and communication of EUROPIPE Group employees with internal and external partners. Another purpose is the provision and secure and smooth operation of Microsoft 365 and its tools.

Collaboration here means, for example, working together on files, e-mail communication, meetings, live broadcasts and innovative tools.

The provision and smooth operation of Microsoft 365 is also one of the purposes for which personal data is processed. This processing includes, among other things, the logs and administrative events created by the system (e.g. log files about login and user actions) as well as metadata about calls and meetings, which are used for error, support, statistical and verification purposes.

3. What types of personal data?

Personal data is processed as part of the use of Microsoft 365. Personal data may be processed automatically or by input by users.

Personal data is processed as part of user ID-based and non-user ID-based processes.

Data could also be processed in third-party apps. These are currently deactivated.

The following personal data is processed for the purpose of collaboration with or between users and guests (user ID-based processes) within the tenant and for secure IT operations:

Professional contact, work and organizational data (e.g. name, e-mail, company, personnel number, photo if applicable, etc.)
Private telephone numbers and private data, if these are (voluntarily) provided by the user in the system
Administrative events (e.g. joining a team, creating a channel, sending an e-mail, etc.)
Metadata (e.g. on calls and meetings (e.g. network status, date/time/duration, end devices used, audio quality data)
User activities (e.g. chat messages, comments, file accesses) for external users without a user ID
Live transmissions of sound and, if necessary, image and screen
Recordings of images and sound, including the screen if applicable, are generally excluded. Exceptions may only be considered after separate regulation and consent of the participants and transparency of the recording.

For the purpose of communication and collaboration as well as secure IT operations, the following personal data is processed by persons who are not users/guests in the tenant (non-user ID-based processes):

First name, last name
Photo, image and sound transmissions (if activated)
E-mail address
Content from e-mails or chat, for example

The following data is processed for IT security purposes:

Audit logs, telemetry and diagnostic data
Test parameters in the area of cybersecurity, e.g. access from different countries in the shortest possible time. -Objective: e.g. detection of attacks, identity theft.
Warnings and notifications about security incidents
User information
Technically necessary cookies are used for the purpose of secure and stable provision of the services.

4. Legal basis for the processing of personal data

The legal basis for the operation of Microsoft 365 is based on Art. 6 para. 1 lit. b) GDPR in conjunction with. § Section 26 para. 1 BDSG (for employees of the Group companies in Germany) or Art. 6 para. 1 lit. b) GDPR for external parties. Insofar as the data processing does not serve the execution of the contract with the data subject, but is in the legitimate interest of the company without conflicting overriding interests of the data subject, the legal basis is Art. 6 para. 1 lit. f) GDPR.

Processing for IT security purposes (in particular log files and metadata) and cookies is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interests pursued by the controller include the following

Detection of improper use;
IT security and continuous improvement of services.
If image and sound recordings are processed, this is done on the basis of the consent of the data subject (Art. 6 para. 1 lit. a) GDPR).

5. To which recipients or categories of recipients do we disclose your data in the context of this processing activity?

If there is a legal basis or consent for passing on your data, your data will only be made available to those bodies that require it to fulfill the above-mentioned purposes. These are primarily service providers employed within our company (e.g. internal IT service providers and Microsoft Ireland Operations Ltd.), vicarious agents and companies within the Group. All recipients are obliged to comply with data protection regulations.

In addition, we transmit your personal data to authorities in individual cases where required by law.

We transfer data on the basis of standard contractual clauses and within the framework of the Data Privacy Framework in conjunction with data processing agreements. In addition, pseudonymized telemetry and diagnostic data may be transferred from Microsoft Ireland to Microsoft Corp. on the basis of EU standard contractual clauses and within the framework of the Data Privacy Framework. Otherwise, no data is transferred to recipients in third countries that do not guarantee a level of data protection that complies with the GDPR.

6. How long do we store your data?

We store your data for as long as is necessary to fulfill the stated purposes.

Metadata from calls and meetings is stored for a maximum of 120 days (depending on the date). Here, too, the data is automatically deleted after this period has expired. This data is required for the stability of the system, support and also to defend against attacks in this vector. Only certain authorized and monitored administrators have access.

Logged administrative events are stored for 180 days and then automatically deleted.

Chats in teams are deleted after one year. Teams rooms (groups) are deleted after 365 days of inactivity unless the team owners confirm that they are still needed.

E-mails and attachments are stored for the statutory retention periods and then deleted if there are no other purposes.

The personal data processed by security tools and other tools used for IT security are stored for a maximum of 180 days and then deleted. In individual cases and in the event of security incidents, some data may be retained for longer in order to investigate the incident and prevent future incidents.

Under certain circumstances, your data must also be stored for longer, for example in connection with a corresponding official or court order in the form of a so-called litigation hold, which includes a ban on data deletion for the duration of the proceedings.

If the data are no longer required for the fulfillment of contractual or legal obligations, they must be deleted regularly, unless their temporary further processing is necessary for the following purposes:

Fulfillment of retention periods under commercial and tax law, e.g. according to the German Commercial Code or the German Fiscal Code. The periods specified there are 2 to 10 years or after completion of the tax audit.
Preservation of evidence within the framework of the statute of limitations (e.g. §§ 195ff. BGB).

7. Technical and organizational measures

As part of the processing of your personal data, we have carried out a risk analysis for the processing and introduced risk-adapted technical and organizational measures based on this. These measures are regularly reviewed and adapted to the existing risks.

Among other things, we have taken the following measures:

Data classification
Monitoring and surveillance of the environment
Deactivation of the feedback function, where possible
Restriction of the functions of the connected and optionally connected services
Contractual measures and supplementary agreements
Pseudonymization of reports and reports
Automatic deletion of data in predefined cycles
Tools for removing old users and their data

The EUROPIPE Group has implemented a management system for data protection and information security and some Group companies are regularly audited and certified externally on the basis of ISO 27001 or the VDA-TISAX industry information security standard.

8. What data protection rights do you have?

In the following, we inform you about the rights to which you are entitled under data protection law, which you can assert against the controller and the respective data protection officer at any time free of charge.

You can find out how to contact the data protection officer and the controller under point 1.

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to object under Art. 21 GDPR (see 10. below) and the right to data portability under Art. 20 GDPR. The restrictions under Sections 34 and 35 BDSG apply to the right of access and the right to erasure. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG).

You can withdraw your consent to the processing of personal data at any time by contacting the controller. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.

9. Is there an obligation on your part to provide data?

As part of our business relationship, you must provide the personal data that is necessary for the establishment and execution of a business relationship and the fulfillment of the associated contractual obligations or that we are legally obliged to collect.

10. Information about your right to object in accordance with Art. 21 GDPR a. Individual right of objection

a. Individual right of objection

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) GDPR (data processing in the public interest) and Article 6(1)(f) GDPR (data processing on the basis of a balancing of interests). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

b. Right to object to the processing of data for advertising purposes

In individual cases, we process your personal data for the purpose of direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be made informally by sending an e-mail to the respective sending e-mail address or to the contact details of the respective Group company specified above under point 1.

Usage information for external users when using Office 365 in the EUROPIPE-Tenant

1. Object and purpose of the instructions for use

The EUROPIPE Group ("EUROPIPE"), consisting of EUROPIPE GmbH and Mülheim Pipecoatings GmbH, has licensed the Microsoft O365 software applications in order to provide the services contained therein to the employees of the EUROPIPE company and, in some cases, to business partners ("Users") for the purpose of business use. In addition to familiar applications (such as Outlook, Word, Excel or PowerPoint), the services include other new online services that provide new functionalities and can be used anywhere and on any device. These usage instructions contain the main regulations and requirements that apply to the use of the internet-based Microsoft 365 services ("Office 365") for users in the EUROPIPE tenant.

2. General regulations

These terms of use apply to the use of Office 365 applications that are made available for use by external partners as part of the existing business relationship. Use is to the conclusion of a confidentiality agreement.

The services provided by EUROPIPE are based on the respective available and activated functional scope of Office 365. EUROPIPE endeavors to provide Office 365 as uninterruptedly as possible within the scope of technical and operational possibilities. However, temporary restrictions or interruptions may occur due to technical faults (e.g. interruption of the power supply, hardware and software errors, technical problems in the data lines). No guaranteed service or availability is associated with the use of Office 365.

3. Access to Office 365

The prerequisite for using Office 365 is access to the EUROPIPE domain (username and password) with an existing EUROPIPE e-mail address.

EUROPIPE is entitled to reject any registration request without giving reasons and to change the applications and functions provided in Office 365 at any time and without notice and to discontinue in whole or in part. If the user changes his e-mail address or if the right to access the EUROPIPE Tenant ends, the previous user account shall be deleted. If necessary, a new user account must be applied for.

The user is responsible for ensuring that data entered in the user account or contained in the user account is backed up in good time before the user account is deleted in accordance with section 4.

4. Rights of use and copyright

As part of the business relationship, content may be uploaded to Office 365 and thus made available to other users in the EUROPIPE Tenant. By uploading content, the user grants EUROPIPE a perpetual, free, sublicensable and transferable right to use the content in question, in particular to store the content and publish it, make it publicly available within Office 365, edit and reproduce it and, if necessary, grant rights of use to third parties. Users warrant that they or the company for which they are acting are the sole owner of all rights to the posted content or are otherwise authorized (e.g. by effective consent of the rights holder) to post the content and to grant the rights of use and exploitation under this paragraph. If copyright-protected content is posted by third parties, this must be identified by appropriate source references.

EUROPIPE users of Office 365 are responsible for all actions and activities they perform in Office. This includes all information they provide, content and documents they post and other interactions within Office 365 (e.g. comments, sharing, likes) (collectively "actions"). EUROPIPE assumes no responsibility for ensuring that the contributions, information, content and documents (collectively "Content") posted by EUROPIPE Users in Office 365 are complete, accurate, up-to-date or suitable for achieving the purpose stated therein. EUROPIPE has no influence whatsoever on the content of third-party websites linked by EUROPIPE Users. EUROPIPE does not adopt this content as its own and accepts no responsibility for the accuracy and completeness of links and the information contained therein. The protection of copyrights and other intellectual property rights is the responsibility of EUROPIPE users. EUROPIPE shall be entitled to remove comments and contributions from users in the event of breaches of these terms of use and in particular the rules of conduct (see point 7 below).

5. Information security regulations

Users are obliged to keep the access data required for registration secret at all times and to protect it appropriately. To ensure confidentiality, the access data may not be made accessible or transferred to third parties - not even within the framework of representation regulations. If users have reasonable grounds to suspect that third parties have unauthorized access to the user account, they are obliged to inform EUROPIPE or the relevant contact person at EUROPIPE immediately. Users are generally responsible for every activity in their user account in Office 365.
It is imperative to ensure that content containing confidential information, in particular trade or business secrets or personal data, is only made accessible to the authorized group of persons.

6. Storage and protection of documents

The Microsoft cloud provides storage space and synchronizes the files stored there on the user's desktop and mobile devices. This data can be accessed with the various Office 365 applications provided (OneDrive, Teams, SharePoint, etc.). This storage space is to be used exclusively for business purposes and is used to store business data that was created for business purposes using business end devices (PCs, smartphones, etc.).

For data protection reasons, data with a high protection requirement, such as personal data or other types of sensitive personal data (such as health data), must be classified as confidential or secret within the meaning of Art. 9 GDPR.

All documents with personal data stored in the Microsoft cloud must be deleted by the user once the purpose of the data processing has been fulfilled and there are no longer any retention periods.

The following standard deletion routines are stored:

Chat posts are deleted after 1 year
Log/metadata/connection data: 90 days
Team rooms: 1 year after the last use of the room

The user can delete the files stored in the cloud earlier or extend the deletion period. Users can delete or correct the content of their own chat messages themselves.

7. Code of Conduct

Users are obliged to comply with all relevant legal provisions of the respective workplace when using Office 365. Generally recognized basic values in dealing with other people and companies must be respected. Courtesy, an objective tone and respect for other opinions must be maintained at all times.

It is not permitted to make available, store, distribute or transmit content or to take actions that violate applicable laws or other legal provisions. This includes inalienable rights such as personal rights or intellectual property rights (copyright, trademark law, patent law, etc.) of third parties.

Prohibited are all contents or actions that

is offensive, defamatory, obscene, harassing, threatening, racially or ethnically offensive, discriminatory with respect to race, gender, color, creed, sexual orientation or disability, or otherwise harmful;
constitute illegal and/or criminal activities or promote unlawful violence;
depict or contain images of sexual acts;
are likely to jeopardize industrial peace in the long term or contain incorrect or misleading statements of fact;
serve unauthorized advertising purposes or the marketing of products;
serve to disseminate political positions or opinions;
automatic comments, chain letters or similar actions.

Users can voluntarily add a profile picture of themselves and remove it at any time. The profile picture is visible to every user. The profile picture must be appropriate to the business context. If a profile picture is inappropriate in this sense, EUROPIPE may prohibit its use and/or remove the picture. Users are prohibited from posting photos or videos in which other persons can be recognized unless they have given their consent. Recordings of video conferences are generally not permitted. In the case of video conferences, it must be ensured that no images of uninvolved persons are transmitted.

A presence status is automatically stored in the Microsoft cloud depending on the calendar events, which can be individually controlled and changed by the user.

8. Data protection information

Within Office 365, personal data is stored or otherwise processed in the Microsoft cloud in European data centers in connection with the use of the services. In the future, processing in data centers in Germany is planned. Further information on the type and scope of data processing by Microsoft can be found in Microsoft's privacy policy - Data protection information by Microsoft..

9. Confidentiality

The user undertakes to treat all confidential content and information that becomes known or accessible in the course of use as strictly confidential and not to disclose it to unauthorized third parties and to use all content and information exclusively in the context of business cooperation with EUROPIPE. Confidential content and information shall include all information and data to which the user has intentional or unintentional access when using the Microsoft Office 365 services in the EUROPIPE tenant, regardless of whether they are marked as confidential or must be classified as confidential by the user due to their nature. Confidentiality shall continue to apply even after the termination of the collaboration and access to the EUROPIPE Tenant. Any unauthorized storage or copying of content and information is prohibited.

10. Final provisions

Use shall be based on these terms of use. Any deviating terms and conditions or agreements of the user shall not apply, even if EUROPIPE has not expressly rejected them or provides services or performances without reservation despite being aware of the user's conflicting or deviating terms and conditions or agreements. EUROPIPE reserves the right to make changes to these Terms of Use due to the constant additions and changes to the individual products in the Office 365 license packages.