to Homepage
You are located in service Microsoft 365
General information
IT Center Help

You are located in service: Microsoft 365

Data protection information for the creation of Microsoft accounts for business use by employees of RWTH Aachen University (Microsoft 365)
Print page

Data protection information for the creation of Microsoft accounts for business use by employees of RWTH Aachen University (Microsoft 365)

I. Party responsible for data processing

The person responsible within the meaning of the EU General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Rector of RWTH Aachen University
Templergraben 55
52062 Aachen (physical address)
52056 Aachen (postal address)
Email: rektorat@rwth-aachen.de
Website: www.rwth-aachen.de/rectorate

Responsible body for internal processing:

IT Center of  RWTH Aachen University
Seffenter Weg 23
52074 Aachen
Email: servicedesk@itc.rwth-aachen.de
Website: www.itc.rwth-aachen.de

 

II. Data protection officer

Availability of the officially appointed data protection officer

Data Protection Office of RWTH Aachen University
Templergraben 83
52062 Aachen (physical address)
52056 Aachen (mailing address)
Germany
Email: dsb@rwth-aachen.de
Website: www.rwth-aachen.de/dataprotection

 

III. General information on data processing

Scope of use

  • M365 account (use of the Microsoft account for licensing, locally installed Office 365 application)

Scope of the processing of personal data

Like other software manufacturers, Microsoft also uses personal licenses. A personal Microsoft account is therefore required to use Microsoft 365 (M365). This RWTH Microsoft account is created and controlled by the IT Center using your data from the RWTH identity management system.

The Microsoft account is created automatically for all RWTH employees. With this account, you can use M365 and the Microsoft products licensed for you as long as and to the extent that these are provided by RWTH or as long as you are an employee of RWTH. 

Purpose of the processing of personal data

The use of M365 includes the use of licensed products and services, the provision of updates, the guarantee of information security and technical and customer-related support. The use also generates statistics and provides data to Microsoft for the following purposes according to Microsoft's DPA from April 2025.

  • Billing and account management
  • Remuneration such as calculation of employee commissions and partner incentives
  • Internal reporting and business modeling such as forecasting, revenue, capacity planning and product strategy 
  • Financial reporting

The current and archived editions of the DPA are available for download here.

Data transfer is based on a data processing agreement and the EU Data Privacy Framework. If the adequacy decision is declared invalid, Microsoft's standard contractual clauses will be used.
RWTH has opted for data residency in the EU within the framework of the MS EU Data Boundary.

Anonymized statistics on usage are compiled.

 

RWTH Aachen University does not monitor performance or behavior based on your use of your RWTH-Microsoft account or M365.

Visibility of your activities

As the RWTH-Microsoft account is an online account and M365 is a cloud-based offering with a very wide range of software and services, it is not possible to conclusively assess the visibility of your activities. The most common applications and trackable visibilities are described below:

  • Your activities may be visible whenever you connect with other users within the framework of MS Teams.
  • You can search for and invite other users within the framework of MS Teams. Your name and other data from your RWTH Microsoft account may be visible.
  • When collaborating on documents, the changes you or others make to shared documents as well as metadata such as modification times etc. can be visible.

User profile

Your RWTH-Microsoft account initially contains only your first and last name, your RWTH e-mail address stored in your user account and your RWTH affiliation status. In some services, it is possible to add further information to the user profile yourself, but this is not recommended. This is not necessary for official use or for the fulfillment of public tasks. The corresponding additions are voluntary, but should not be made for reasons of data economy.

Data categories and data subjects

The following data categories (1-6) are processed and stored when using M365 and MS Teams:

  1. Basic personal and contact data (email address, last name, first name, cloud ID)
  2. Profiling (data generated during license use: last use of the license, date and name of edited files)
  3. Log file with accesses (data on the device used: device, operating system, IP address, access date) and system-generated log data (access and change history, file name)
  4. Documents and files (data that users store independently in the cloud, e.g., chat content, author and date of creation, author and date of change)
  5. MFA methods (e.g., phone number, authenticator app, one-time password)
  6. Microsoft Teams groups (first and last name, cloud ID, online activity if not deactivated)

When using M365, the data of the following data subjects are processed or stored to the extent specified:

  • Persons who use or administer M365 online (categories 1-6)
  • Persons who are identifiable in communication and documents (data categories 2, 3)
  • Persons who use Office 365 locally (data categories 1, 2, 3, 5)

Legal basis for the processing of personal data

The provision of M365 and its use by RWTH employees is based on the following legal basis: 

  • Art. 6 para. 1 sentence 1 lit. e), para. 3 GDPR in conjunction with § Section 18 (1) DSG NRW, i.e. M365 is used in the role of an employee of RWTH Aachen University to fulfill the associated tasks of the university

Data deletion and storage period

In principle, the accounts of RWTH employees are automatically deleted after loss of the corresponding status in IdM, e.g. due to leaving the university. The following deletion periods apply to the data stored at Microsoft:

  • To allow the account to be restored, data in data categories 1, 2, 3, 5, 6 will be stored for a further 30 days after the account has been deleted, but will only be visible to administrators.
  • Documents and files (data category 4) can either be deleted manually by the user or are deleted automatically when the account is deleted. However, this data is stored for a further 30 days for recovery by the user or administrator in the event of accidental deletion, but is no longer visible to other users. 
  • In collaborative workspaces (data categories 4, 6), data is generally retained for as long as the workspace exists. The data must be deleted manually here.
  • Data in data category 3 is generally deleted after 180 days.

Groups of persons or persons authorized to access the data

Authorized persons are generally the employees of the responsible body who have access to certain relevant data due to their position or function:

  • Administrators have full access to all data categories to manage the tenant
  • Support employees have read access to data in the user directory for support purposes from all data categories
  • MS Teams users who belong to an MS Teams group can view personal data from data categories 4 and 6 from other MS Teams users in this group, both internally and externally. Guests within the group can also view the aforementioned data
  • RWTH members who use MS Teams can view personal data from data category 6 belonging to other RWTH MS Teams users via the search function in MS Teams
  • • When collaborating with external partners: the external partner as a “guest” with permission (invitation) from RWTH users (data categories 4, 6)

Other recipients of the data

  • Microsoft Ireland Operations Limited, for the purpose of order processing and contract fulfillment
  • Microsoft Corporation, for the purpose of order processing, contract fulfillment and own purposes
 

IV. General information

M365 is operated by Microsoft Corporation, One Microsoft Way Redmond, Washington 98052.

When using M365, the Microsoft Terms of Use (https://www.microsoft.com/de-de/rechtliche-hinweise/nutzungsbedingungen) (external link), the Microsoft Product and Online Terms (https://www.microsoft.com/licensing/terms/de-DE/productoffering) (external link) and the RWTH's terms of use for M365 apply. Microsoft's privacy information for M365 can be found at https://privacy.microsoft.com/de-de/privacystatement (external link).

 

V. Rights of data subjects

In accordance with Article 15 et seq. GDPR, under the conditions defined therein, you have the right to information about the personal data concerned and to rectification or erasure or restriction of processing, a right to object to processing and the right to data portability. In accordance with Article 77 GDPR, you also have the right to lodge a complaint with the data protection supervisory authority (https://www.ldi.nrw.de/) if you are of the opinion that the processing of your personal data violates this regulation.

 

Current version

The current version of the terms of use and data protection information apply.

Version: August 2025

last changed on 08/05/2025

How did this content help you?
Creative Commons Lizenzvertrag
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License
Chat