Data protection information on the creation of Microsoft accounts for business use by RWTH employees (Microsoft 365)

Brief information

I. Controller Responsible for Data Processing

The controller within the meaning of the EU General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Rector of RWTH Aachen University
Templergraben 55
52062 Aachen (Street address)
52056 Aachen (Postal address)
E-Mail: rektorat@rwth-aachen.de
Website: www.rwth-aachen.de/rektorat

Responsible party for internal processing:

IT Center of RWTH Aachen University
Seffenter Weg 23
52074 Aachen
E-Mail: servicedesk@itc.rwth-aachen.de
Website: www.itc.rwth-aachen.de

II. Data Protection Officer

Contact details of the officially appointed data protection officers:

Data Protection Office of RWTH Aachen University
Templergraben 83
52062 Aachen (Street address)
52056 Aachen (Postal address)
E-Mail: dsb@rwth-aachen.de
Website: www.rwth-aachen.de/datenschutz

III. General Information on Data Processing

1. Scope of use

  • M365 account (use of the Microsoft account for licensing, locally installed Office 365 application)

Only in the extended M365 use:

  • Office Web Apps or Office for the Web
  • OneDrive for Business
  • SharePoint Online

2. Scope of the processing of personal data

Like other software manufacturers, Microsoft also uses personal licenses. A personal Microsoft account is therefore required to use Microsoft 365 (M365). This RWTH Microsoft account is created and controlled by the IT Center using your data from the RWTH identity management system.

The Microsoft account is created automatically for all RWTH employees. With this account, you can use M365 and the Microsoft products licensed for you as long as and to the extent that these are provided by RWTH or as long as you are an employee of RWTH. 

Purpose of data processing

The use of M365 includes the use of licensed products and services, the provision of updates, the guarantee of information security, and technical and customer-related support. The use also generates statistics and provides data to Microsoft for the following purposes, according to Microsoft's DPA from January 2024:

  • Billing and account management
  • Remuneration such as calculation of employee commissions and partner incentives
  • Internal reporting and business modeling such as forecasting, revenue, capacity planning and product strategy 
  • Financial reporting

The current and archived editions of the DPA are available for download.

Pseudonymized statistics on usage are compiled.

RWTH does not monitor performance or behavior based on your use of your RWTH-Microsoft account or M365.

Visibility of your activities

As the RWTH-Microsoft account is an online account and M365 is a cloud-based offering with a very wide range of software and services, it is not possible to conclusively assess the visibility of your activities. The most common use cases and the visibility that can be traced for them are described below:

  • Your activities may be visible whenever you connect with other users as part of these cloud services.
  • If files are shared via OneDrive or other cloud services, they may be visible to other users.
  • You can search for and invite other users as part of the cloud services. Your name and other data from your RWTH Microsoft account may be visible.
  • When collaborating on documents, the changes you or others make to shared documents as well as metadata such as modification times etc. can be visible.

User profile

Your RWTH-Microsoft account initially contains only your first and last name, your RWTH e-mail address stored in your user account and your RWTH affiliation status. In some services, you can add further information to the user profile yourself, but this is not recommended, as it is not necessary for official use or for the fulfillment of public tasks. Such additions are voluntary but, for reasons of data minimization, should not be made.

Data categories and data subjects

The following data categories (1-6) are processed and stored when using M365:

  1. Documents and files (the data collected from users)
  2. Personal basic and contact data (first and last name, CloudID and email address, type of license)
  3. Authentication data (if applicable, MFA data collected from the users)
  4. Profile creation (the data collected from the users)
  5. Log files with accesses (the data collected from the users)
  6. System-generated log data (e.g. access and change history) (data collected from users)

When using M365, the data of the following data subjects are processed or stored to the extent specified:

  • Persons who use or administer M365 online (all categories)
  • Persons who are identifiable in communication and documents (data categories 5 and 6)
  • Persons who use Office 365 locally (data categories 2, 3)

3. Legal basis for the processing of personal data

The provision of M365 and its use by RWTH employees is based on the following legal basis: 

  • Art. 6 para. 1 sentence 1 lit. b) GDPR - processing for the performance of a contract, i.e. performance of a contract with Microsoft (data categories 2, 4, 5, 6)
  • Art. 6 para. 1 sentence 1 lit. e), para. 3, Art. 88 para. 1 GDPR in conjunction with Section 18 (1) DSG NRW, i.e. M365 is used in the role of an employee of RWTH Aachen University to fulfill the associated tasks of the university (data categories 1, 2, 3)
  • Art. 6 para. 1 sentence 1 lit. e), para. 3 GDPR in conjunction with Section 8 (7), Section 25 (1) HG NRW, i.e. the university administration ensures the fulfillment of the university's tasks in planning, administration and legal matters (data categories 1, 2, 3)

4. Data deletion and storage period

In principle, the accounts of RWTH employees are automatically deleted after loss of the corresponding status in IdM, e.g. due to leaving the university. The following deletion periods apply to the data stored at Microsoft:

  • To allow the account to be restored, data in data categories 2 and 3 will be stored for a further 30 days after the account has been deleted, but will only be visible to administrators.
  • Documents and files (data category 1) can either be deleted manually by the user or are deleted automatically when the account is deleted. However, this data is stored for a further 30 days for recovery by the user or administrator in the event of accidental deletion, but is no longer visible to other users. 
  • Data in data categories 4, 5 and 6 are generally deleted after 180 days.

5. Groups of persons or persons authorized to access the data

Authorized persons are generally the employees of the responsible body who have access to certain relevant data due to their position or function:

  • Administrators have full access to all data categories to manage the tenant
  • Support employees have read access to data in the user directory for support purposes from the data categories: 2, 3

6. Other recipients of the data

  • Microsoft Ireland Operations Limited, for the purpose of order processing and contract fulfillment
  • Microsoft Corporation, for the purpose of order processing, contract fulfillment and own purposes

Detailed documentation of the processing purposes is provided in the current DPA.
Data is transferred to Microsoft Corporation based on an order processing agreement and the EU Data Privacy Framework.

IV. General information

M365 is operated by Microsoft Corporation, One Microsoft Way Redmond, Washington 98052.

When using M365, the Microsoft Terms of Use, the Microsoft Product and Online Terms and RWTH's Terms of Use for M365 apply. Microsoft's data protection information on M365 can be found on the Microsoft webpage.

V. Rights of data subjects

In accordance with Article 15 et seq. GDPR, under the conditions defined therein, you have the right to information about the personal data concerned and to rectification or erasure or restriction of processing, a right to object to processing and the right to data portability. In accordance with Article 77 GDPR, you also have the right to lodge a complaint with the data protection supervisory authority if you are of the opinion that the processing of your personal data violates this regulation.

Current status

The current version of the terms of use and data protection information applies.

Status: April 2024

last changed on 05/02/2024

Creative Commons License Agreement
This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License