Data privacy statement for the use of Microsoft 365

Last updated: Friday, March 4, 2022

Applications

You have an invitation to use a Microsoft Office application, such as Microsoft Teams, Microsoft SharePoint Online, Microsoft Forms (hereinafter referred to as M365) by Ascendant Design and Training, Laramie, WY, United States, or by one of its affiliated companies (hereinafter referred to as "we" or "us") as the responsible party within the meaning of the respective applicable data protection laws.

Microsoft Office 365 is a productivity, collaboration and exchange platform for individual users, teams, communities and networks, that can be used both within Ascendant Design and Training, and with external partners on a cross-company basis.

With the use of M365, personal data are processed. Please note that this data privacy statement only informs you about the processing of your personal data by us when using Microsoft applications in cooperation with us. If you need information about Microsoft's processing of your personal data, please read the appropriate declaration.

Microsoft privacy statement: https://privacy.microsoft.com/en-us/privacystatement

 

1. Information on the processing and on categories of personal data subject to processing in the context of the use of M365

Certain information is already automatically processed when using M365. In the following we have specified for you exactly which personal data are processed and on which legal basis this is done.

1.1. Your IP address used to access the Microsoft Office 365 applications

1.2. Your user name (access data to Microsoft Office 365 applications), data within the scope of the so-called multi-factor authentication, which you have stored yourself in your Microsoft account (e.g. optionally the (private) mobile phone number).

1.3. Identification features: Information identifying you as user, sender, recipient of data within M365. This includes in particular the following master data: name, first name, official contact data such as telephone number, e-mail address, official fax number, insofar as provided by you or if it was transmitted by your organization. This information is always visible in your profile, but in particular also in Outlook for you and other M365 users, and can be customized by you.

1.4. Data required for authentication, license use, logging and misuse detection. M365 processes all user activities, such as time of access, date, type of access, details regarding data/files/documents accessed and all activities related to use, such as creating, modifying, deleting a document, setting up a team (and channels in teams), taking notes in the notebook, starting a chat, replying in the chat.

1.5. User data: User data collected by you or from you. This includes in particular communication content (text, audio, video), files created by you or to be created by you. This depends on the application you use in M365. If audio or video content is recorded, you will be notified of this.

1.6. Data backups and archiving: The data collected from or about you is stored in our data backup. This serves to restore the system and the data itself. In addition, your data will be (partially) archived, if this is required by law.

 

2. Transfer and transmission of data

Apart from the cases explicitly mentioned in this data privacy statement, your personal data will only be disclosed without your express prior consent if it is legally permissible and necessary. This may be the case, for example, if such processing is necessary to protect vital interests of the user or another natural person.

2.1. Data provided by you during registration will be shared within our group for internal administrative purposes, including joint customer and supplier support, to the extent necessary.

2.2. Should it be necessary to clarify an illegal or abusive use of M365 or for legal prosecution, personal data will be disclosed to law enforcement or other authorities and, if applicable, to injured third parties or legal advisors. However, this only occurs if there are indications of illegal or abusive behavior. A transfer can also take place if this serves the enforcement of terms of use or other legal claims. We are also legally obliged to provide information to certain public bodies on request. These are criminal prosecution authorities, authorities that pursue administrative offences for which fines have been imposed, and financial authorities.

2.3. We depend on Microsoft for the use of M365. Microsoft is a so-called processor of orders and is subject to our instructions as the responsible party in the sense of the GDPR when processing personal data within the framework of Microsoft Office 365 applications used by us. In accordance with our legal obligations, we have entered into contractual agreements with Microsoft and other contract processors for the transfer of data. Processing of personal data by Microsoft takes place on servers located in the United States.

2.4. In the course of further expansion of our business, it may happen that the structure of our company changes by changing its legal form, by forming, acquiring or selling subsidiaries, parts of companies or components of companies. In such transactions, if necessary, such information may be transferred to another legal entity along with the part of the business to be transferred. Whenever personal information is transferred to third parties to the extent described above, we will ensure that this is done in accordance with this data privacy statement and applicable data protection laws.

 

3. Transfer of data to third countries

A transfer to third countries, both within the group and by commissioning contract processors and third parties, cannot be ruled out when using M365.

 

4. Change of purpose

Processing of your personal data for purposes other than those described above will only be carried out to the extent permitted by law or if you have consented to the changed purpose of data processing. In the event of further processing for purposes other than those for which the data were originally collected, we will inform you of these other purposes prior to further processing and we will also provide you with any other relevant information.

 

5. Period of data storage

We delete, block or make anonymous your personal data as soon as they are no longer required for the purposes for which we have collected or used them in accordance with the above paragraphs. Subject to statutory deletion and retention periods, we store your personal data for the duration of the contractual relationship with you. Login data and IP addresses are deleted after 90 days at the latest. Your data will also be stored in data backups. These are regularly and operationally reasonably overwritten.

 

6. Your rights as data subject

6.1. Right of access to data and information

You have the right to obtain from us, at any time and upon request, information on personal data processed by us and relating to you, within the scope of Article 15 GDPR. To do this, you can submit an application by e-mail to the address below.

6.2. Right to correction of inaccurate data

You have the right to ask us to immediately correct any personal data concerning you if it is inaccurate. To do so, please contact us at the addresses indicated below.

6.3. Right of deletion of data

You have the right, under the conditions described in Article 17 GDPR, to request us for the deletion of personal data referring to you. To exercise your right of deletion, please contact us at the addresses indicated below.

6.4. Right to restriction of processing

You are entitled to demand that we restrict processing in accordance with Article 18 GDPR. To exercise your right to limit processing, please contact us at the addresses indicated below.

6.5. Right to data transferability

You have the right to access any personal data concerning you provided to us in a structured, common, machine-readable format in accordance with Article 20 GDPR.
To exercise your right to data transferability, please contact us at the addresses indicated below. 

 

7. Right to object

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is carried out on the basis of Article 6, paragraph 1, a), e) or f) GDPR, in accordance with Article 21 GDPR. We will stop processing your personal data unless we can prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

 

8. Right to lodge a complaint

You also have the right to lodge complaints with the competent supervisory authority.

Denmark
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Tel. +45 33 1932 00
Email: dt@datatilsynet.dk
Website: http://www.datatilsynet.dk/

For other participating countries, please see the list at:
https://edpb.europa.eu/about-edpb/about-edpb/members_en

 

9. Contact

If you have any questions or comments regarding our handling of your personal data or if you would like to exercise any of the rights mentioned in points 6 and 7 as a data subject, please contact us:

Ascendant Design and Training, LLC
Email: dataprivacy@ascendantdesign.net

If you have any questions or comments on the practical handling and operation of M365, please contact the Ascendant Design and Training contact who invited you to use it.

 

10. Changes to this data privacy statement

We keep this data privacy statement up to date. Therefore, we reserve the right to change it from time to time and to update it if changes occur in the collection, processing or use of your data. The current version of the data privacy statement is always available at https://www.ascendantdesign.net/Document.html?Document=docs%2FDataPrivacy-Microsoft365.htm.