Microsoft 365 involves processing of personal data, which shall comply with Regulation (EU) N° 2018/1725 (the ‘’Regulation’’).
The JU protects the fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data. The JU processes your personal data in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (the Regulation).
Pursuant to Article 15 of the Regulation, we provide the following information regarding the processing of your personal data in the context of M365.
What is the purpose of the processing?
As a European public administration, the JU needs to lead the way in terms of both integrating digital at the core of European policy implementation and leveraging the potential of digital to work better and faster.
For this strategy to deliver in the public interest, the JU has designed several actions and adopted a series of new tools designed to form together a Digital Workplace.
The Digital Workplace is an opportunity for the JU to become an example of a modern public, connected and efficient Public Administration by providing staff with the best combination of tools, physical framework and working methods, to effectively support the achievement of the priorities of our organisation.
The Digital Workplace responds to the need for connected office, integrating teleworking tools for activities such as conference calls, remote collaboration, audio- or videoconferencing or webinars.
Consequently, the JU has decided to operate M365 provided by Microsoft Ireland.
M365 processes the following categories of data, each of which may include personal data:
- Identification Data;
- Service-Generated Data; and
- Content Data.
For more information on the above categories of data, please see the next section.
The operation of M365 requires the processing of Identification Data, Service-Generated Data and Content Data by the JU for the following purposes:
- enabling M365 capabilities, including facilitating and coordinating field tasks;
- end-user support for issues with M365;
- prevention, detection and resolution of security events (e.g. cyber-attack), to ensure the confidentiality, integrity and availability of M365; and
- responding to data subjects exercising their rights in relation to personal data processed within M365.
Additionally, Microsoft Ireland as a processor for and on behalf of the JU processes Identification Data, Service-Generated Data for internal business operations in the context of providing M365. These business operations consist of (exhaustive list):
- billing and account management;
- internal reporting and business modelling;
- combatting fraud, cybercrime, and cyberattacks;
- improving core functionality of accessibility, privacy and energy efficiency; and
- financial reporting and compliance with legal obligations.
Your personal data will not be used for an automated decision-making including profiling, advertising or marketing.
The JU reserves the right to consult user activity based on Service-Generated Data to maintain the security and integrity of the JU’s M365 environment.
Which personal data do we process?
The operation of M365 inevitably involves the processing of personal data. Three groups of personal data can be distinguished:
- Identification Data contains personal data necessary for the proper identification of the user and the corresponding user account, including exhaustively:
- email address and, in certain cases, account status; and
- user personal data (last name, first name).
This information is copied to all M365 data centres around the globe used to provide the service that allows global access and access control to the JU’s environment in M365. Note that identification data is visible to everyone having access to M365.
- Service-Generated Data contains information related to the guest’s usage of online services, most notably the user IP address, creation time, site URL and user email address. This data is generated by events that are related to user activity in M365. Event data will allow to monitor all activity in the cloud environment of each user.
Examples: IP address, logs (creation of document, renaming of document, copying of document, modification of document, etc.), etc.
- Content Data includes any content uploaded to M365 by users, such as documents, and multimedia (e.g. video recordings). Such data is stored in M365 but not otherwise processed by the service.
Examples: emails, databases, uploaded batches of data, images (still/moving), sound recordings, documents, chat conversations, channel messages, spreadsheets, presentations, etc.
There might be personal data processed within the JU, in particular personal data contained within the Content Data of individual users or groups of users, in addition to the personal data processed by M365 that are covered by this privacy statement. This refers for example to documents or messages exchanged between members of a specific group or team. The decision what data should be processed using M365 remains fully with the respective operational controller or user. Existing policies or instructions concerning this data may exist and need to be taken into account. Relevant documents might for instance be instructions on how to process HR-related data, medical data etc.
The JU does not take any responsibility for the inappropriate use of M365. Please refer to the relevant record and privacy statement of the particular processing activity for further information.
“The JU and Microsoft do NOT process special categories of personal data in the context of M365. Nevertheless, users may use M365 as a means for processing special categories of personal data in the context of specific policies.”
Why do we process your personal data and under what legal basis?
The JU processes personal data on the basis of Art. 5 (1) (a) of the Regulation, which states that processing shall be lawful when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a Union institution or body.
Personal data is processed for the performance of tasks carried out in the public interest by the Union institutions and bodies for the management and functioning of those institutions and bodies. All personal data connected to the use of M365 are processed based on the necessity for the performance of a task carried out in the public interest by the JU, including the processing of personal data that are necessary for the management and functioning of the JU.
More specifically, the objective of all processing activities related to M365 is to support the management and the functioning of the JU, by adjusting the internal mechanisms and management systems to the new technological environment and advancements, by providing to the JU staff the necessary means and tools to perform their daily tasks and by organizing JU’s operations according to the principles of sound financial management.
Moreover, the JU carries out specific and important tasks in accordance with various regulations, decisions, initiatives, strategies and/or action plans, in particular with regards to Horizon 2020. The functionalities of the M365 support the management and the functioning of the JU and enables it to carry out such tasks. It is a necessary means to perform and manage such tasks efficiently.
Who is the controller and other actors involved in the processing?
The controller of the processing of personal data in the framework of the M365 is the JU, legally represented by its Executive Director.
In order to provide the M365, the JU makes use of certain processors that process personal data for an on behalf of the JU. In particular, the JU relies upon the services of Microsoft Ireland as Cloud Service Provider (CSP) and RealDolmen as Licensing Solutions Provider (LSP).
How is KDT processing the personal data?
The data collected is processed electronically. Exceptionally, manual processing may take place in the framework of service operations, in particular to investigate security alerts.
The processing is not intended to be used for any automated decision making, nor profiling. The processing is not intended to be used for marketing or advertising.
How do we protect and safeguard your information?
Technical and Organisational Measures
The JU has put in place appropriate technical and organisational measures to prevent or act against any unauthorised and unlawful processing or disclosure, as well as accidental loss, modification or destruction of personal data. These technical and organisational measures are based on the state of the art, the risks of processing, and the need to protect the personal data. Furthermore, these technical and organisational measures will regularly be adjusted to the technical developments and organisational changes.
The JU’s contractors and processors, including Microsoft Ireland and RealDolmen, are bound by specific contractual clauses for processing operations with regards to personal data on behalf of the JU and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation (Regulation 2016/679) in the EU Member States.
Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
Where personal data and information related to M365 is stored on the servers of the JU, the operation of such servers abides by JU’s security decisions and provisions established for this kind of servers and services. This includes the Common IT Security Policy, implemented by the JU, applying the security measures described in the Commission Decision (EU Euratom) 2017/46 of 10 January 2017 concerning the security of communication and information systems in the European Commission, Standards on Information Systems Security, Complementary information systems security policy and control measures as applied to specific applications by respective system owners.
Data Localisation and International Transfer
All personal data in electronic format are stored either on the servers of the JU’s data centre or in Microsoft Ireland datacentres in the EU (linked to the JU’s M365). If users access M365 from outside the EU/EEA, personal data may however be transferred to a corresponding location in order to provide the service.
To enable the global service provisioning of M365, Microsoft copies Identification Data to all M365 data centres around the globe used to provide the service. This copied identification data remains under the control of Microsoft and is used to verify the user authentication details and grant access to the JU’s M365 resources.
Service-Generated Data is not necessarily processed outside of the EU. Microsoft is authorised to transfer it to Microsoft Corp., located in the USA, and the network of sub-processors. This type of data contains information on the usage of the service. The data is aggregated before being transferred but may contain identifiable information.
In addition to the general policy of Microsoft to secure personal data by means of pseudonymisation and encryption, the risk of disclosure of personal data to third country authorities by Microsoft Ireland and its affiliates is mitigated by customized contractual provisions, which address the way Microsoft responds to access requests and limits risks to personal data of the user.
Any data in transit is protected by strong encryption.
Who can access to your personal data and to whom is it disclosed?
Access to your personal data processed for the operation of M365 is provided to the JU staff responsible for carrying out this processing operation and to authorised staff of external contractors on a ‘need to know’ basis. Such authorised staff abide by statutory, and when required, additional confidentiality agreements. External contractors’ staff act under the supervision of the abovementioned JU officials. Such staff may belong to:
- external bodies: European Court of Auditors, European Court of Justice, the JU Internal Auditor (Internal Audit Service of the European Commission), may also access to relevant personal data for audit control or appeal purposes; and
- external contractors of (such as Microsoft Ireland and RealDolmen).
For services related to M365, Microsoft, as Cloud Service Provider (CSP), acts as data processor. Contact details: Microsoft Ireland, South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland.
RealDolmen, as Licensing Solutions Provider (LSP), also acts as a data processor. Contact details: RealDolmen, A. Vaucampslaan 42, 1654 Huizingen, Belgium.
The JU will ensure that staff and contractors having access to personal data are bound by statutory and/or contractual confidentiality obligations.
Exceptionally, personal data might be disclosed to a third party if, and to the extent that, we are required to do so by Union of Member State law.
What are your rights and how can you exercise them?
As a data subject, you have the following rights under the Regulation:
- You have the right of access to your personal data and to relevant information concerning how we use it.
- You have the right to rectify your personal data.
- Under certain conditions, you have the right to ask that we delete your personal data.
- Under certain conditions, you have the right to ask that we restrict the use of your personal data.
- You have the right to object to our processing of your personal data, on grounds relating to your particular situation, at any time.
- You have the right not to be subject to a decision based solely on automated processing of data, including profiling, if such decision has legal effect on you, except for certain situations, such as entering into a contract (as required by Articles 14-16 & 24 of the Regulation).
Information on actions taken following data subject requests to exercise rights shall be provided without undue delay and in any case within one (1) month of receipt of the request. In case of complex or voluminous requests, this period may be extended by another two (2) months, in which case the JU will inform the data subject.
In case data subjects wish to exercise their rights, they should send an email to the JU’s Data Protection Officer at email@example.com.
Possible restrictions as laid down in Article 25 of the Regulation may apply.
How long is the data retained?
The JU only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing. In the framework of the operation of M365, the JU has determined the following retention periods:
- Identification Data: for as long as the user account is active
- Content Data: up to 180 days upon expiration/termination of the subscription
- Service-Generated Data: six months
Complaints, concerns and recourse
Should you have any complaint or concern you may contact the Data Protection Officer of the JU at firstname.lastname@example.org.
In addition, as a data subject, you have a right to recourse to the European Data Protection Supervisor (EDPS) at any time by e-mail to email@example.com or a letter to the EDPS postal address marked for the attention of the EDPS DPO:
European Data Protection Supervisor
Rue Wiertz 60
For more information on the EDPS, please consult their website: https://www.edps.europa.
More information on Data Protection at the JU can be obtained in the record of processing activities and in the privacy notices published on the JU’s website.