Privacy Statement Microsoft 365

Privacy policy of Syntegon Technology GmbH for used Microsoft 365 modules (M 365)

1. Data Protection Notice
Syntegon Technology GmbH (hereinafter "Syntegon" or "We" or "Us") and its affiliated companies inform you in the following about the processing of your personal data in the context of the implemented Office modules from Microsoft (MS Teams, MS SharePoint and other explicitly named M 365 modules).

  • MS Teams: Tool for online meetings/video conferencing as well as general telephony solutions
  • MS SharePoint: Tool for document exchange and editing
  • MS Exchange Online in conjunction with MS Outlook: e-mail communication

2. Controller
Syntegon is the controller responsible for the processing of your data; exceptions are outlined in this data protection notice.

Our contact details are as follows:

Syntegon Technology GmbH
Formerly Bosch Packaging Technology
Stuttgarter Straße 130
71332 Waiblingen
Germany

E-mail: info@syntegon.com
Phone: +49 71 51 14-0


3. Collection, processing and usage of personal data

The following categories of data are processed:

  • Communication data (company, name, telephone, e-mail - if personal, address, IP address)
  • Contract master data (contractual relationship, product or contractual interest)
  • Log files, log data
  • Metadata (e.g. IP address, time of meeting participation, etc.)
  • Profile data (e.g. your username, if you provide it of your own accord)
  • Content data (document related)

4. M 365 Office modules, MS Teams video conferencing, MS Exchange Online, MS SharePoint

MS Teams, MS SharePoint and MS Exchange Online are part of the M 365 cloud application from Microsoft. A user or guest account must be created for MS Teams and SharePoint. The exchange of e-mails takes place via Exchange Online and does not require a user or guest account from the communication partner. For MS Teams/Polls no user or guest account is required.

MS Teams
Through the meeting features offered by Microsoft Teams, we can offer you participation via video / audio in our online events. There is no recording of events without the consent of the participants. Through the chat and telephony functions of MS Teams, you can contact us in writing or via audio. Furthermore, MS Teams is used as a collaboration and exchange platform for communication and cooperation in project work.

MS Forms / Polls
For example, voluntary surveys and votes can be carried out via MS Forms / Polls.

MS SharePoint
Using MS SharePoint, you can share and collaborate on files with us as part of project work, provided a contractual relationship exists.

MS Exchange Online in connection with Outlook
MS Exchange Online in combination with Outlook covers the mail communication of the Syntegon Group.

We carry out the data processing based on a legitimate interest pursuant to Art. 6 (1) f) GDPR. Our legitimate interest for data processing is the communication and collaboration of our employees, business partners and interested third parties.

We obtain the Microsoft Office 365 software from the company:
Microsoft Deutschland GmbH
Walter-Gropius-Straße 5
80807 Munich
Germany

Data processing with Microsoft 365 takes place on servers in data centers in the European Union in the Netherlands. For this purpose, we have concluded a data processing agreement with Microsoft within the meaning of Art. 28 GDPR. Accordingly, we have agreed on extensive technical and organizational measures with Microsoft for Office 365 that comply with the currently applicable state of the art of IT security, e.g. with regard to access authorization and end-to-end encryption concepts for transmission paths, databases and servers.

Microsoft reserves the right to process Customer Data for its own legitimate business purposes. We cannot influence these data processing operations by Microsoft. To the extent that Microsoft Teams processes personal data in connection with its legitimate business purposes, Microsoft acts as an independent data controller for this data processing and, as such, is obliged to comply with the applicable data protection regulations. To the extent technically possible and contractually permissible, our IT administration selects the most privacy-friendly default settings for the M365 modules we use and reduces the transfer of customer and metadata to Microsoft to an absolute minimum.
For more information about privacy in connection with Microsoft Office products, please visit Microsoft's websites:

We have no influence on the collection, processing and use of personal data when clicking on the links (such as the IP address or the URL of the page on which the link is located) and cannot accept any responsibility for this.

5. Children
The offer to use M365 is not intended for children under the age of 16.

6. Information disclosure

6.1 Data transfer to other data controllers

In principle, your personal data is forwarded to other controllers only if required for the fulfillment of a contractual obligation, or if we ourselves, or a third party, have a legitimate interest in the data transfer, or if you have given your consent.
Additionally, data may be transferred to other controllers when we are obliged to do so due to statutory regulations or enforceable administrative or judicial orders.

6.2 Data transfer to processors
The transfer is made to Microsoft Deutschland GmbH as a processor and to the sub-processors lawfully used by Microsoft. If the sub-processors are located outside the EEA in so-called third countries, Microsoft will ensure that the recipient either has an adequate level of data protection or has obtained your consent to the transfer.

7. Duration of storage; retention periods
In principle, we store your data for as long as this is necessary to enable communication and collaboration via the M365 modules used by us for this purpose and the associated services, or for as long as we have a legitimate interest in continuing to store it. In the case of MS Teams, we will automatically delete chat histories (chat participants; content and files) on our site that are older than two years. In all other cases, we delete your personal data with the exception of data we are obliged to store for the fulfillment of legal obligations (e.g. due to retention periods under the tax and commercial codes we are obliged to have documents such as contracts and invoices available for a certain period of time).
Login data and IP addresses are deleted by Microsoft after 180 days at the latest. You can find more information on the Microsoft websites (link).

8. Security
Our employees and the companies providing services on our behalf are bound to confidentiality and to compliance with the applicable data protection laws.

We take all necessary technical and organizational measures to ensure an appropriate level of security and to protect the data we administer, in particular against the risks of unintended or unlawful destruction, manipulation, loss, change, unauthorized disclosure or unauthorized access. Our security measures are constantly being improved in line with technological progress.

9. User rights
To enforce your rights, please use the details provided in the Contact section. In doing so, please ensure that an unambiguous identification of your person is possible.

Right to information and access:
You have the right to obtain confirmation from us about whether or not your personal data is being processed, and, if this is the case, access to your personal data.

Right to correction and deletion:
You have the right to obtain the rectification or completion of inaccurate personal data or deletion of your data as far as statutory requirements are fulfilled.

This does not apply to data which is necessary for billing or accounting purposes or which is subject to a statutory retention period. If access to such data is not required, however, its processing is restricted (see the following).

Restriction of processing:
You have the right to demand, as far as statutory requirements are fulfilled, restriction of the processing of your data.

Data portability:
You are entitled to receive data that you have provided to us in a structured, commonly used and machine-readable format or – if technically feasible – to demand that we transfer those data to a third party.

Objection to direct marketing:
Additionally, you may object to the processing of your personal data for direct marketing purposes at any time. Please take into account that, for organizational reasons, there might be an overlap between your objection and the usage of your data within the scope of a campaign which is already running.

Objection to data processing based on the legal basis of “legitimate interest”:
In addition, you have the right to object to the processing of your personal data at any time, insofar as this is based on legitimate interest. We will then terminate the processing of your data, unless we demonstrate compelling legitimate grounds according to legal requirements which override your rights.

Withdrawal of consent:
In case you consented to the processing of your data, you have the right to revoke this consent at any time with effect for the future. The lawfulness of data processing prior to your withdrawal remains unchanged.

Right to lodge complaint with supervisory authority:
You have the right to lodge a complaint with a supervisory authority. You can appeal to the supervisory authority which is responsible for your place of residence or your state of residency or to the supervisory authority responsible for us. This is:

State Commissioner for Data Protection and Freedom of Information

Address:
Lautenschlagerstrasse 20
70173 Stuttgart
Germany

Postal address:
P.O. Box 10 29 32
70025 Stuttgart
Germany

Phone: +49 711 / 615541-0
Fax: +49 711 / 615541-15

E-Mail: poststelle@lfdi.bwl.de

10. Changes to the Data Protection Notice
We reserve the right to change our security and data protection measures. In such cases, we will amend our data protection notice accordingly. Please therefore take note of the current version of our data protection notice, as this is subject to changes.

11. Contact
If you wish to contact us, please find us at the address stated in the “Controller” section.

To assert your rights and to report data protection incidents, please use the following link: https://www.bkms-system.net/syntegon.

For suggestions and complaints regarding the processing of your personal data we recommend that you contact our data protection officer:

Data Protection Officer
Information Security and Privacy (PA/DSO)
Syntegon Technology GmbH
Postfach 11 27
71301 Waiblingen
Germany

or

E-Mail: dpo@syntegon.com

Effective date: 19.10.2021