On this page you will find the Privacy Notice for the use of Microsoft Azure for business use by employees of RWTH Aachen University (Microsoft Azure).

1. Party responsible for data processing
2. Data protection officer
3. General Information on Data Processing
4. General Information
5. Rights of Data Subjects

---

1. Party responsible for data processing

The person responsible within the meaning of the EU General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Rector of RWTH Aachen University
Templergraben 55
52062 Aachen (physical address)
52056 Aachen (postal address)
Email: rektorat@rwth-aachen.de
Website: www.rwth-aachen.de/rectorate

Responsible body for internal processing:

IT Center of  RWTH Aachen University
Seffenter Weg 23
52074 Aachen
Email: servicedesk@itc.rwth-aachen.de
Website: www.itc.rwth-aachen.de

2. Data protection officer

Availability of the officially appointed data protection officer

Data Protection Office of RWTH Aachen University
Templergraben 83
52062 Aachen (physical address)
52056 Aachen (mailing address)
Germany
Email: dsb@rwth-aachen.de
Website: www.rwth-aachen.de/dataprotection

3. General Information on Data Processing

Scope of Use

The scope of use refers to the following services offered via Microsoft Azure:

• Compute services
• Storage solutions
• Databases
• Network services
• Artificial intelligence and machine learning

Services outside the categories listed above are not excluded per se, but may require a review of feasibility where applicable.

The following restrictions apply to all services in Microsoft Azure:

• By default, only resource locations within the EU may be used.
• Third-party services from the marketplace are not available by default.

Scope of the Processing of Personal Data

Like other software vendors, Microsoft uses user-based licenses. Therefore, the use of Microsoft Azure (Azure) requires a personal Microsoft account. This RWTH Microsoft account is created by the IT Center based on your data from the RWTH identity management system and is managed by the IT Center.

The Microsoft account is automatically created for all employees of RWTH and exists for the duration of the employment relationship.
Microsoft Azure may only be used by employees of RWTH if the institution at which they work has booked a subscription via the IT Center. Employees may then be granted access to Microsoft Azure as needed.

Purpose of Data Processing

The use of Azure includes access to licensed products and services, the provision of updates, ensuring information security, and technical and customer-related support. Usage also generates statistics and discloses data to Microsoft which, according to Microsoft’s Data Processing Agreement (DPA) of January 2023, serve the following purposes:

• Billing and account management
• Compensation, such as the calculation of employee commissions and partner incentives
• Internal reporting and business modeling, such as forecasting, revenue, capacity planning, and product strategy
• Financial reporting

The current and archived versions of the DPA are available for download on Microsoft’s website.

Pseudonymized usage statistics are generated.

RWTH does not conduct any performance or behavior monitoring based on your use of your RWTH Microsoft account or Azure.

Visibility of Your Activities

Since the RWTH Microsoft account is an online account and Azure is a cloud-based offering with a very broad range of software and services, a comprehensive assessment of the visibility of your activities is not possible. The most common applications and traceable visibility aspects are outlined below:

• Your activities may be visible whenever you collaborate with other users within these cloud services.
• When cloud services are shared, they may be visible to other users.
• Other users may search for and invite you within the cloud services. In this context, your name and additional data from your RWTH Microsoft account may be visible.
• When collaborating on documents, changes made by you or others to shared documents, as well as metadata such as timestamps of changes, may be visible.

User Profile

In its initial configuration, your RWTH Microsoft account contains only your first and last name, your RWTH email address stored in the user account, and your affiliation status with RWTH. In some services, it is possible to independently supplement the user profile with additional information; however, this is not recommended. Such information is not required for official use or for the fulfillment of public tasks. Any additions are voluntary but should be avoided for reasons of data minimization.

Data Categories and Data Subjects

The following data categories (1–6) are processed and stored when using Azure:

1. Documents and files (data collected from users)
2. Basic personal and contact data (first and last name, cloud ID, email address, type of license)
3. Authentication data (if applicable, MFA data collected from users)
4. Profile data (data collected from users)
5. Access log files (data collected from users)
6. System-generated log data (e.g., access and change history) (data collected from users)

When using Azure, data relating to the following data subjects are processed or stored to the extent specified:

• Individuals who use or administer Azure online (all categories)
• Individuals who are identifiable in communications and documents (data categories 5 and 6)
• Individuals who use Azure locally (data categories 2 and 3)

Legal Basis for the Processing of Personal Data

Legal Basis of Data Processing

The provision of Microsoft Azure and its use by employees of RWTH is based on the following legal basis:

• Article 6(1), sentence 1, letter (e), paragraph (3), in conjunction with Section 18(1) DSG NRW, i.e., use of Azure in the role as an employee of RWTH for the performance of the associated duties of the university.

Data Deletion and Retention Period

The use of Azure is project-based. Once a project has been completed and Azure is canceled by the institutions, the project-related data will be deleted.

Authorized Groups of Persons or Individuals

Authorized persons are generally employees of the responsible entity who, by virtue of their position or function, have access to certain relevant data:

• Administrators have full access to all data categories for managing the tenant.
• Support staff have read-only access to data in the user directory for support purposes from the following data categories: 2 and 3.

Additional Recipients of the Data

• Microsoft Ireland Operations Limited, for the purposes of commissioned processing and contract performance
• Microsoft Corporation, for the purposes of commissioned processing, contract performance, and its own purposes

Detailed documentation of the processing purposes is provided in the respective current DPA.
Data transfer to Microsoft Corporation also takes place on the basis of the European Commission’s adequacy decision regarding the EU–US Data Privacy Framework.

4. General Information

Azure is operated by Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA.

The use of Microsoft Azure is subject to Microsoft’s Terms of Use, the Microsoft Product and Online Services Terms, and the RWTH terms of use for Microsoft Azure. Microsoft’s privacy information for Azure can be found at Microsoft Privacy Statement.

5. Rights of Data Subjects

Pursuant to Articles 15 et seq. of the GDPR, and subject to the conditions defined therein, you have the right to access the personal data concerned, as well as the right to rectification or erasure, or restriction of processing, the right to object to processing, and the right to data portability. You also have the right, pursuant to Article 77 GDPR, to lodge a complaint with the data protection supervisory authority if you believe that the processing of personal data relating to you violates this regulation.

Status: 02/2026