1. You are here:
  2. Central Facilities
  3. University Computer Centre
  4. Software
  5. Microsoft 365
  6. Microsoft 365 Privacy

Privacy Policy and Terms of Use

With the new nationwide agreement 3.0, the use of Office products such as Word and Excel for work or study purposes is only possible after regular registration with Microsoft (product activation or verification; personalized licence using your university account at the FH Erfurt).

Private or commercial use is not included in the licence agreement. To activate the licence, the user must log in with their personal user ID.

In addition to the login data (email address and university account), other personal data (including usage and behaviour, log and content data) will be processed by Microsoft.

  • On centrally managed devices, the transmission of unnecessary diagnostic and telemetry data is deactivated for work-related use (Microsoft 365 for Enterprise). With the Office Diagnostic Viewer, every user can see for themselves what data has been transmitted. Furthermore, only apps that have been checked and documented by data protection will be authorized ( possibly with certain restrictions).

    Privacy notice: It is not permitted to save confidential, work-related and identity-related data in the Microsoft Cloud. The "User Guidelines for Microsoft Cloud Storage Services at FHE" must be observed.

    Data protection notice according to Art. 13 of the German Data Protection Act DSGVO (direct collection) or Art. 14 DSGVO (collection by third parties)

    Controller:
    Fachhochschule Erfurt, represented by the President, Prof. Dr. Frank Setzer
    Tel.: 0361 6700-5513
    Email: praesidialamt@fh-erfurt.de

    Data Protection Officer:
    Email: datenschutz@fh-erfurt.de
    www.fh-erfurt.de/datenschutz

    Further responsible parties:

    Microsoft Ireland Operations Limited One

    • Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland, 

    Microsoft Corporation  

    • One Microsoft Way Redmond, Washington 98052 

    Microsoft website with FAQs and contact details

    Purposes

    Microsoft 365 Apps is a suite of desktop applications (including Word, PowerPoint, Excel, OneNote and Publisher). Due to Microsoft licensing regulations, personal login details (email address and university account) are required.

    All licensed modules support IT-based collaboration between the university's staff and students using Microsoft Office 365 and thus assist the university in fulfilling its legal responsibilities with regard to education and training.

    Disclosure of personal data to Microsoft may occur for the following purposes:

    a) billing and account management
    b) internal and external fees
    c) internal reporting and modelling
    d) countering fraud
    e) cybercrime or cyberattacks
    f)  improving core functionality in terms of accessibility, data protection or energy efficiency 
    g) financial reporting
    h) compliance with legal obligations

    and all purposes included in the Microsoft Products and Services Data Protection Addendum (DPA).

    Legal basis

    Students: Art. 6, 1, lit. a) of the German Data Protection Act (DSGVO): Consent

    Employees: Art. 6 (1) (b) DSGVO in conjunction with §27 ThürDSG, §§ 79 to 87 Thuringian Public Servants Act; for public servants also Art. 6 (1) (c)

    For persons who can be identified in communications and documents: Art 6, 1 lit. e) in conjunction with § 16 (1) Thuringia Data Protection Act (ThürDSG) and § 5 ThürHG: performance of duties

    Legal basis for disclosure to Microsoft (beyond order processing)

    For licensed persons: Art. 6 (1) (b) DSGVO and Art. 49 (1) (c) DSGVO (data categories documents and files, contact information)

    For purposes that are not covered by the contract: Art. 49 (1) (d) DSGVO (e.g. logging data)

    Data categories

    1. Documents and data
    2. Tasks and solutions
    3. Communication data
    4. Basic user-related data for the account which can be supplemented with user-generated data
    5. Authentication data 
    6. Contact details 
    7. Profiling
    8. Access log
    9. System-generated log data
    10. Device information (including information on the software or service used)
    11. Product feedback (including information on the equipment, software or service used)

    Categories of data subjects

    • Students
    • Employees of the University of Applied Sciences Erfurt who use or administer MIcrosfot 365
    • Persons who can be identified in communications and documents

    Types of data processed

    Microsoft 365 processes the following data:

    Data that is synchronized from the active directory of FH Erfurt

    Users:

    • University email address for registration
    • Groups
    • Telephone number for Telephone MultiFactor Login (MFA) (from user device)
    • Location of device when using Authenticator app (MFA) (from user device)

    Devices:

    Only devices on which users register manually are listed.

    • Name of device
    • Operating system
    • Registered user

    Furthermore, login events (access log) are recorded in Microsoft 365: date, time, app, IP address, device information (device name, browser, operating system, link type), date of first and last activity of the computer.

    Content data: all data, including text, sound, video or image files and software, generated by the user and uploaded to the cloud for storage or processing, as well as any customization. (Please observe the Guidelines for Cloud Storage at FHE).

    Data generated by services:  Sind data generated or derived by Microsoft through the operation of services, such as usage or performance data. Most of this data contains pseudonymous identifiers generated by Microsoft. AFor data protection reasons, this generation is deactivated or limited to a minimum on work computers.

    Diagnostic data: collected by Microsoft or retrieved from software installed locally by the customer in connection with online services. Such data is also referred to as telemetry data. Deactivated on work computers for data protection reasons.

    Customer support data: data provided by the user through contact with Microsoft to obtain technical support for online services. Deactivated on work computers for data protection reasons.

    Origin of data

    Login data:

    Students: This is entered directly by the data subject when registering with their FH email address.
    Employees: Data transfer from the local user administration (Active Directory) to the Microsoft user portal.
    Content data: Generated directly by user.

    Log data: Occurs when the users use the program.

    Storage period

    • 90 days after deletion of the account on request or after appeal (data categories 4-7)
    • 90 days after deletion of content data, once the need for it has expired (data categories 1-3)
    • 180 days for data categories 8 and 9
    • Event-related for data categories 10 and 11

    Overview of dataflows

    Rights of data subjects

    According to DSGVO, you are entitled to the following rights under the conditions specified in the law:
    right to information (Art. 15 DSGVO), right to rectification (Art. 16 DSGVO), right to erasure (Art. 17 DSGVO), right to restriction of processing (Art. 18 DSGVO), right to data portability (Art. 20 DSGVO), right to object (Art. 21 DSGVO), right to appeal (Art. 21 DSGVO).
    You also have the right to lodge a complaint with a supervisory authority (Art. 77 DSGVO). In Thuringia, this is the State Commissioner for Data Protection and Freedom of Information, the "Landesbeauftragte für den Datenschutz und die Informationsfreiheit", Häßlerstraße 8, 99096 Erfurt (www.tlfdi.de).

    Recipients

    • Persons with whom you communicate or work
    • Microsoft Ireland Operations Limited, for the purpose of contract processing and fulfilment 
    • Microsoft Corporation, for order processing, fulfilment of contracts and internal purposes
    • and their subprocessors and support subcontractors

    Guarantees for international data traffic:

    Microsoft processes the data on behalf of the University of Applied Sciences Erfurt (as the controller) and may therefore only use the data in accordance with the university's instructions and for the university's purposes. However, Microsoft also uses personal data for its own purposes and is therefore also to be regarded as its own controller.

    It cannot be entirely ruled out that personal data may be transferred when using Microsoft 365 to third countries without an adequacy decision and without appropriate safeguards equivalent to the EU's level of security.

    For the University of Applied Sciences

    • Exceptions Art. 49 (1) lit c DSGVO for purposes a) and f)
    • Exceptions Art. 49 (1) lit. d DSGVO for purposes b), c), d) e), g), h)

    Microsoft Corporation  

  • Use of the software and services is governed by the contractually applicable version of Microsoft Product Terms. In particular, Microsoft's Acceptable Use Policy must be observed.

    All members and students of the University of Applied Sciences Erfurt are licensed according to §21 (1) of the Thuringian Higher Education Act.

    The registration of users and the administration of licences is carried out through a central platform (tenant client), which is administered by the University of Applied Sciences Erfurt.

    As previously, passwords can only be changed on the user portal. To increase security and protect against misuse, 2-factor authentication is activated for some user accounts.

    The system administrator for Microsoft at FH Erfurt does not back up any data from Microsoft 365. Users are responsible for ensuring that any files used in Microsoft 365 are backed up.

    Insofar as personal data of other persons is processed by the user with the software and the services, the regulations of data protection must be complied with and the fulfilment of the information obligations must be ensured.

    In general, data that is subject to confidentiality and high levels of security must not be transferred without encryption to the service's storage facility. Please observe the "User Guidelines for Microsoft Cloud Storage at FHE".

    The user acknowledges that:

    • they are only entitled to use the software and services during the licence period.
    • all software must be deleted or services can no longer be used if the University of Applied Sciences Erfurt terminates the contract, does not submit an accession or renewal order or does not acquire licences for an unlimited period of time before the end of the licence period, depending on which event occurs first.

    Fachhochschule Erfurt hereby fully excludes liability for damage or misconfiguration on private devices to the extent legally possible.

    Use of the software and services is also subject to the terms of the Campus and School Agreement (CASA), including but not limited to limitations of liability, exclusion of warranties, and exclusion of remedies and claims.

  • At any time, you can object by email to the processing of your personal data by FH Erfurt (Art. 21 DSGVO). Consequently, we will delete your FHE Microsoft account.

    Without an FHE Microsoft account, it is not possible to use the Microsoft 365 service under licence.

Contact

Cloud Management

Microsoft Documents