Video conferencing system MS Teams

This supplementary declaration contains information on how and to what extent Clausthal University of Technology collects data as part of the provision of the Microsoft Teams ("MS Teams") video conferencing system and how this data is processed. Microsoft Teams is a platform developed by Microsoft Corp ("Microsoft"), based in Redmond, WA 98052-6399, USA, One Microsoft Way, and integrated into the Microsoft 365 suite (MS 365), which can be used by members of Clausthal University of Technology for online, telephone and video conferences as well as web events ("online meetings"). MS Teams is an alternative to the primary video conferencing system BBB, which is operated independently by Clausthal University of Technology at the Clausthal-Zellerfeld site.

Further contact persons

The respective initiator of the video conference is responsible for the content and specific organization of video conferences. The contact details are communicated to the participants at the beginning of each video conference.

The technical provision of MS 365 is carried out by the Clausthal University of Technology Computer Center. TU members can manage their access independently at https://service.rz.tu-clausthal.de. Technical inquiries can be directed to support@rz.tu-clausthal.de.

Legal basis for the processing of personal data

The legal basis depends on the purpose of the individual video conference.

The basis for the processing of personal data is basically § 17 para. 1 NHG. Insofar as personal data of employees of Clausthal University of Technology is processed, the legal basis is also Art. 88 GDPR i.V.m. § SECTION 26 BDSG.

Insofar as we have the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.

If video conferences are held in the context of contractual relationships, Art. 6 para. 1 lit. b GDPR serves as the legal basis.

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which Clausthal University of Technology is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

Under conditions of the Covid-19 pandemic, the conduct of video conferences is also based on a public interest in combination with the protection of vital interests of the data subjects pursuant to Art. 6 para. 1 lit. d and e GDPR.

The MS Teams service is a voluntary additional offer for members of Clausthal University of Technology, which can be used in individual cases to hold video conferences:

• One or more communication partners are technically unable to participate in a BBB video conference, e.g. dial-in restrictions for industrial partners
• There is mutual consent from all communication partners involved to use the service for a video conference

In the absence of consent, the respective participant has the option of not entering or leaving the online conference. As an alternative, the primary video conferencing service BBB (webconf.tu-clausthal.de) is available to all TUC members.

The service may not be used for conferences within the scope of the university's sovereign tasks. These are in particular the conduct of examinations and any video conferences with sensitive content such as job interviews.

Type, scope and purpose of the data collected

Personal data is processed by us for the purpose of administrative user management, for contacting and interacting with users and for providing personalized services, for carrying out studies as students or activities as employees at Clausthal University of Technology.

Data processing differs between initiators and participants in a video conference depending on the role they play.

Initiators, TU members with a user account:

University members can independently apply for a license of the Microsoft 365 license package via the service portal of the computing center(https://service.rz.tu-clausthal.de). MS Teams is an integral part of this package; it is not possible to apply for an individual component. The prerequisite for becoming the initiator of an MS Teams video conference is the activation of the Microsoft 365 license package.

As part of the federal framework agreement with Microsoft, the Clausthal University of Technology Computer Center provides members of the university with licenses for the use of Microsoft 365 including Office 365 and MS Teams. Upon leaving the service or after completion of studies, access to Microsoft services may no longer be provided by Clausthal University of Technology. In order to be able to automatically guarantee this contractual condition, your data will be automatically synchronized from the TUC directory service (AD) with those in the Microsoft directory service (Azure AD) as soon as you have approved this.

The following data is shared with Microsoft. Data in brackets correspond to the possible values.

• Active account (yes / no) accountEnabled
• Data center identifier CN
• Full name displayName
• Unique name in AD distinguishedName
• First name givenName
• Associated groups (student, employee, other) member
• Unique identifier (generic) objectGUID, objectSID and sourceAnchor
• Surname sn
• Country (DE) usageLocation
• User name (@tu-clausthal.de) userPrincipleName

Duration of data storage

The data will only be transferred to Microsoft after you have given your consent by confirming this on the service portal of the data center. TU members are free to terminate this comparison at any time by revocation (withdrawal of consent). In the event of revocation, no (further) use of Microsoft 365 services is possible. At the latest after TU members leave the university (exmatriculation, termination of employment), this synchronization is automatically terminated and the data from the Azure AD at Microsoft is automatically deleted after one month.

Initiating a video conference

Clausthal University of Technology has configured the service to save data as far as possible. The use of MS Teams is subject to Microsoft's terms of use and data protection regulations.

Data protection regulations: https://privacy.microsoft.com/de-de/privacystatement

Terms of use: https://www.microsoft.com/de-CH/servicesagreement/

By using Microsoft Teams, you accept Microsoft's terms of use and privacy policy.

When initiating a video conference or participating with a user account, the following data is processed:

Data for creating/registering a user account (e-mail address, password, membership of Teams, roles and rights), data for displaying a user status and read receipts (chat), chat messages created, voice notes, image and sound data in video and audio conferences, metadata for video conferences such as group of participants, start and end of video conferences, Contents of screen sharing, files shared by uploading, calendar entries created, status of tasks (assigned, submitted, due date, feedback), content created and edited in Word, Excel, PowerPoint and OneNote, entries in surveys, technical usage data to provide the functionalities and security of MS Teams and functions integrated in Teams.

The temporary storage of log file data by the system is necessary for the login process in order to enable the delivery of requested documents to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

Participants

Participation in a Microsoft Teams meeting is possible without a user account. The prerequisite is an appointment invitation from an initiator. The following data is processed: a self-chosen user name, the assigned role "guest" and associated rights, chat messages, image and sound data when the camera and microphone are activated, content of screen shares (if permitted by the initiator), depending on access via browser or app, technical usage data for the provision of the functionalities and security of MS Teams and functions integrated in Teams (log file data such as IP address, browser version), metadata such as group of participants, start and end of a video conference. The provider does not store image and audio data from video conferences.

Duration of data storage

The content of the video conference, such as audio, image and text data, is not processed after the video conference has ended and is deleted at the end of the session. The temporary storage of log file data by the system is necessary for the registration process in order to enable the delivery of requested documents to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

SSL encryption

The connection to the MS Teams video conferencing service is made using SSL encryption (https). Data encrypted via SSL cannot be read by third parties.

Transfer of personal data to a third country or an international organization

Clausthal University of Technology does not independently transfer personal data to a third country. However, such a transfer cannot be completely ruled out insofar as Microsoft Teams is offered by Microsoft as a service provider based in a third country (USA).

In addition to the standard contractual clauses for commissioned data processing, Clausthal University of Technology has also concluded extensive regulations on data protection for Microsoft online services (Data Protection Addendum, DPA) with Microsoft. In the case of core online services, Microsoft stores dormant customer data in certain larger geographical areas. Processing by Microsoft is subject to the GDPR provisions under European Union law.

If a participant in a video conference is located in a third country, data is also transferred to the respective third country.

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in particular vis-à-vis the controller:

Right to information pursuant to Art. 15 GDPR

You can request confirmation from the controller as to whether personal data concerning you is being processed by Clausthal University of Technology.

Right to rectification in accordance with Art. 16 GDPR

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete.

Right to restriction of processing pursuant to Art. 18 GDPR

Under certain conditions, you may request the restriction of the processing of personal data concerning you, e.g. if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data or if the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.

Right to data portability pursuant to Art. 20 GDPR

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Automated decision-making in individual cases including profiling in accordance with Art. 22 GDPR

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR.