Data protection information
The content on this page was translated automatically.
A. Introduction
The following information serves to fulfill the information obligations pursuant to Art. 13 GDPR in connection with the use of MS365 by the Hamburg University of Music and Drama (HfMT). The HfMT hereby informs you about the processing of your personal data when using MS365 services of the HfMT. The information relates in particular to the data processing purposes associated with the use, the legal basis of the data processing and the rights of data subjects to which you are entitled under the GDPR.
Before the HfMT informs you in detail about the processing of your personal data in accordance with Art. 13 GDPR (see under B. Data protection information in accordance with Art. 13 GDPR), please note the following general information:
When using MS365 services of the HfMT, its responsibility under data protection law comprises solely the provision of the MS365 services or content provided for official purposes, the MS365 services or content provided for you in the context of your studies or the licensed MS365 services or content provided for you. The HfMT has no influence on any further processing of personal data by Microsoft (e.g. on the Microsoft website), so that Microsoft itself is responsible for such processing under data protection law within the meaning of the GDPR.
This data protection information does not take into account any data processing that may be carried out in the future with the help of MS365 services, e.g. due to the implementation of new technologies or the introduction of new services or functions within MS365. For this reason, among others, it may be necessary to amend or supplement the following information at any time. If changes or additions become necessary, HfMT will inform you of this separately.
B. Data protection information pursuant to Art. 13 GDPR
1. Controller within the meaning of the GDPR, contact for questions regarding the use of MS365, data protection officer
a. Controller within the meaning of the GDPR (Art. 4 No. 7 GDPR)
The controller for the processing of your personal data within the meaning of the GDPR is the
Hamburg University of Music and Drama, represented by its President
Harvestehuder Weg 12
20148 Hamburg
praesident@hfmt-hamburg.de
b. HfMT contact for questions regarding the use of MS365
For questions regarding the use of MS365 at the HfMT, you can contact the following office:
Hamburg University of Music and Drama
Bernd Flickenschild
Harvestehuder Weg 12
20148 Hamburg
support@hfmt-hamburg.de
c. Data Protection Officer
You can contact the data protection officer of the HfMT at:
Data Protection Officer of the Hamburg University of Music and Drama
Harvestehuder Weg 12
20148 Hamburg
datenschutz@hfmt-hamburg.de
2. Purposes of data processing and processed data, legal bases of data processing
Several MS365 services are used at the HfMT. Depending on the service used, different categories of personal data are processed for different purposes when using MS365 services of the HfMT.
The HfMT informs you under this point about the MS365 services used at the HfMT. In the following list you will find information on a specific MS365 service. The data processing purposes pursued with the respective service and the personal data or categories of personal data processed are presented. Finally, at the end of the description of the respective MS365 service, you will be informed of the legal basis for the corresponding data processing. Different legal bases may be relevant for different members of the HfMT and other persons affected by the data processing (= staff or employees of the HfMT, students, external persons such as guests or collaboration partners, hereinafter referred to collectively as "status groups" if all groups of data subjects are mentioned). You will therefore find additional information on which legal basis is relevant for which status group.
MS365 services
(Exchange online service in M365, not the MS Exchange mail system of the HfMT, operated by the RRZ)
- Purposes of the data processing
- E-mail communication, calendar management
- Communication medium for comprehensive collaboration and to simplify internal and external communication.
- A calendar function is available to enable the organization of meetings.
- Processed personal data or categories of processed data
- Names, e-mail addresses, content, header data, calendar data, metadata, log data
- Legal basis of the data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 para. 1-3 Hamburg Data Protection Act (HmbDSG) in conjunction with Section 85 para. 1 Hamburg Civil Service Act (HmbBG)
- Students: Art. 6 para. 1 lit. e in conjunction with para. 3 GDPR in conjunction with § 111 para. 1 Hamburg Higher Education Act (HmbHG)
- External: Insofar as the HfMT uses M365 to fulfill and initiate contracts Art. 6 para. 1 lit. b GDPR (in particular implementation of projects and cooperations)
Insofar as data processing is carried out for the performance of tasks in the public interest Art. 6 para. 1 lit. e, para. 3 GDPR in conjunction with § 4 HmbDSG in conjunction with § 3 HmbHG (in particular for research projects)
For cases where a declaration of consent is given, the legal basis is Art. 6 para. 1 lit. a GDPR
- Purposes of data processing
- Collaboration, project rooms
- Service for internal directories within M365. SharePointOnline can be used to create and manage user-defined team and project-oriented sites for collaboration.
- The application is designed to simplify collaborative editing by providing storage and access management to support collaboration.
- Processed personal data or categories of processed data
- User profiles, contact data, metadata, content data, log data
- Legal basis of the data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 para. 1-3 HmbDSG in conjunction with Section 85 para. 1 HmbBG
- Students: Art. 6 para. 1 lit. e in conjunction with para. 3 GDPR in conjunction with § 111 para. 1 HmbHG
- External: Depending on the purpose of the data exchange, Art. 6 para. 1 lit. b or Art. 6 para. 1 lit. e, para. 3 GDPR in conjunction with Section 3 HmbHG or Art. 6 para. 1 lit. a GDPR (see the information on Exchange Online)
- Purposes of data processing
- File storage and sharing: A user's personal drive for data that can be used to share information with other users, in particular for the purposes of collaboration and project work.
- Processed personal data or categories of processed data
- User profiles, contact data, metadata, content data, log data
- Legal basis of the data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 para. 1-3 HmbDSG in conjunction with Section 85 para. 1 HmbBG
- Students: Art. 6 para. 1 lit. e in conjunction with para. 3 GDPR in conjunction with § 111 para. 1 HmbHG
- External: Depending on the purpose of the data exchange, Art. 6 para. 1 lit. b or Art. 6 para. 1 lit. e, para. 3 GDPR in conjunction with Section 3 HmbHG or Art. 6 para. 1 lit. a GDPR (see the information on Exchange Online)
- Purposes of the data processing
- Solution for conducting communications and online meetings and for organizing the work of teams. The service enables chats, audio, video and web conferences to be held. In addition, groups ("teams") can be formed and used to share files, create contributions and organize tasks and projects. When a "team" is created, a SharePoint Online page and an Exchange Online mailbox are generated for each team at the same time.
- Processed personal data or categories of processed data
- Profile data, chats, video data, audio data, status, contact data, content data, log data
- Legal basis of the data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 para. 1-3 HmbDSG in conjunction with Section 85 para. 1 HmbBG
- Students: Art. 6 para. 1 lit. e in conjunction with para. 3 GDPR in conjunction with § 111 para. 1 HmbHG
- External: Depending on the purpose of the data exchange, Art. 6 para. 1 lit. b or Art. 6 para. 1 lit. e, para. 3 GDPR in conjunction with Section 3 HmbHG or Art. 6 para. 1 lit. a GDPR (see the information on Exchange Online)
- Purposes of the data processing
- Ensuring the fulfillment of administrative tasks of the HfMT through task and project planning: planning, administration and scheduling and overview of tasks for individuals or in teams.
- Processed personal data or categories of processed data
- Tasks, comments, status information, contact data, content data
- Legal basis of the data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 para. 1-3 HmbDSG in conjunction with Section 85 para. 1 HmbBG
- Students: Art. 6 para. 1 lit. e in conjunction with para. 3 GDPR in conjunction with § 111 para. 1 HmbHG
- External: Depending on the purpose of the data exchange, Art. 6 para. 1 lit. b or Art. 6 para. 1 lit. e, para. 3 GDPR in conjunction with Section 3 HmbHG or Art. 6 para. 1 lit. a GDPR (see the information on Exchange Online)
- Purposes of data processing
- Automation and creation of individual applications without programming knowledge, visualization of data for reporting and data analysis, provision of effective work management, enabling planning and organizational concepts, fulfillment of reporting obligations, creation and presentation of key figures, creation of responsive websites
- Processed personal data or categories of processed data
- Forms, process data, logs, financial data, metadata, identification data, personal data, authentication data, membership and function data
- Legal basis for data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 para. 1-3 HmbDSG in conjunction with Section 85 para. 1 HmbBG, as well as Art. 6 para. 1 lit. c or e GDPR with regard to report content
- Students: Art. 6 para. 1 lit. e in conjunction with para. 3 GDPR in conjunction with § 111 para. 1 HmbHG
- External: Depending on the purpose of the data exchange, Art. 6 para. 1 lit. b or Art. 6 para. 1 lit. e, para. 3 GDPR in conjunction with Section 3 HmbHG or Art. 6 para. 1 lit. a GDPR (see the information on Exchange Online)
- Purposes of data processing
- Device management and ensuring compliance with internal policies and data protection, controlling the use of HfMT applications and data, protecting sensitive data and minimizing security risks, ensuring compliance with legal requirements; remote assistance with device problems
- Processed personal data or categories of processed data
- Device data, compliance status, log data, device information, network information, remote access to solve device problems
- Legal basis of the data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 para. 1-3 HmbDSG in conjunction with Section 85 para. 1 HmbBG, as well as Art. 6 para. 1 lit. c or e GDPR with regard to compliance with data protection and compliance guidelines
- Purposes of the data processing
- Central directory service for all MS365 applications both on-prem (Azure AD) and on-demand (Entra ID): Authentication, authorization management (formerly Microsoft Active Directory on Premise), license management for Microsoft products, ensuring system integrity and operational security, team and group communication through Microsoft 365 Groups
- Processed personal data or categories of processed data
- Login data, roles, group memberships, official contact data, personnel number or matriculation number, security questions, lecturer activity, log data, profile pictures and other voluntary account attributes provided by the user, login reports, security reports and monitoring logs
- Legal basis for data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 para. 1-3 HmbDSG in conjunction with Section 85 para. 1 HmbBG
- Students: Art. 6 para. 1 lit. e in conjunction with para. 3 GDPR in conjunction with § 111 para. 1 HmbHG
- External: Depending on the purpose of the data exchange, Art. 6 para. 1 lit. b or Art. 6 para. 1 lit. e, para. 3 GDPR in conjunction with Section 3 HmbHG or Art. 6 para. 1 lit. a GDPR (see the information on Exchange Online)
For voluntary additional information on account attributes, consent in accordance with Art. 6 para. 1 lit. a GDPR is the relevant legal basis for all status groups.
With regard to the establishment of system integrity and operational security, the legal basis for all status groups is Art. 6 para. 1 lit. c or e GDPR.
- Purposes of data processing
- Security and compliance: monitoring system security and company-wide binding guidelines for proper business processes, documentation and implementation of processes relevant to data protection
- I. The "Defender" components in M365 serve exclusively to maintain technical system security
- II. The functions of the "Purview" components are intended to support HfMT in ensuring and improving system security and compliance (= IT compliance, data protection and information security).
- Processed personal data or categories of processed data
- I. + II. Log data on logins and security-relevant processes (logins/logouts, changes of rights, work address, telephone number (private), telephone number (business)), e-mail address (business), fax (business), university, matriculation number, name components (first name, prefix, suffix, surname, title), teaching and research area, subject area, personnel category, organizational affiliation, personnel number, user ID, password, security issues, activities as a guest professor or lecturer, log data (e.g. IP address, user ID, time stamp), data on the use of the HfMT's IT infrastructure (e.g. IP address, user ID, time stamp, etc.)
- For external persons: also e-mail address (private)
- Legal basis for data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 (1-3) HmbDSG in conjunction with Section 85 (1) HmbBG
- Students: Art. 6 para. 1 lit. e in conjunction with para. 3 GDPR in conjunction with § 111 para. 1 HmbHG
- External: Depending on the purpose of the data exchange, Art. 6 para. 1 lit. b or Art. 6 para. 1 lit. e, para. 3 GDPR in conjunction with Section 3 HmbHG or Art. 6 para. 1 lit. a GDPR (see the information on Exchange Online)
- Purposes of data processing
- Central access to important information, more efficient work and collaboration, personalization of targeted information to employees
- Processed personal data or categories of processed data
- User data, usage data, user feedback, content data, interaction data, connected third-party data sources
- Legal basis of the data processing
- Employees: Art. 88 para. 1 GDPR in conjunction with Section 10 para. 1-3 HmbDSG in conjunction with Section 85 para. 1 HmbBG
- Students: Art. 6 para. 1 lit. e in conjunction with para. 3 GDPR in conjunction with § 111 para. 1 HmbHG
- External: Depending on the purpose of the data exchange, Art. 6 para. 1 lit. b or Art. 6 para. 1 lit. e, para. 3 GDPR in conjunction with Section 3 HmbHG or Art. 6 para. 1 lit. a GDPR (see the information on Exchange Online)
3. Recipients of personal data and third country transfers
When using MS365 services of the HfMT, the recipient of your data within the meaning of the GDPR is Microsoft Ireland Operations, Ltd. based in the European Union (EU), specifically in Dublin, Ireland. Your personal data previously processed mainly on local HfMT servers will therefore continue to be stored on European servers. Microsoft Ireland Operations, Ltd. will also act as a processor for HfMT within the meaning of the GDPR. This means that your personal data will be processed on behalf of HfMT when using MS365 services of HfMT and an order processing contract has been concluded between HfMT and Microsoft for this purpose in accordance with Art. 28 GDPR.
In principle, the HfMT does not intend to transfer your personal data to a third country. Third countries within the meaning of the GDPR are countries that are outside the EU and the European Economic Area (EEA), such as the USA, and therefore may not offer a level of data protection comparable to EU standards. However, when using MS365 services of the HfMT, a transfer of your personal data via Microsoft Ireland Operations, Ltd. to third countries, in particular to the USA to the Microsoft Corporation, cannot be completely ruled out. According to the case law of the European Court of Justice (ECJ), the USA is also generally regarded as a country with an inadequate level of data protection in accordance with EU standards. However, a sufficient level of data protection for data transfers to the USA is given in cases where the data recipients are certified according to the EU-US Data Privacy Framework (DPF). The DPF is an adequacy decision of the EU Commission within the meaning of the GDPR, according to which personal data may be transferred to the USA, as the EU Commission is of the opinion that an adequate level of protection is guaranteed if the aforementioned certifications are available. Microsoft Corporation currently has a valid certification in accordance with the DPF.
If, when using MS365 services of the HfMT, your personal data is transferred via Microsoft Ireland Operations, Ltd. to third countries for which no adequacy decision has been made, this is done on the basis of so-called standard data protection clauses pursuant to Art. 46 para. 2 lit. c GDPR (also known colloquially as Standard Contractual Clauses, SCCs), which have been previously approved by the EU Commission. These suitable guarantees to ensure an adequate level of protection can be provided to you on request. In addition, Microsoft has contractually committed itself to the HfMT to further security guarantees and measures to protect personal data and the data subjects via the aforementioned order processing contract.
4. Storage duration and deletion periods
The HfMT is legally obliged to store your personal data generated when using MS365 services of the HfMT for a certain period of time. Your personal data is therefore stored as follows when you use HfMT MS365 services:
The storage period is generally based on the membership in a so-called MS365 group. A distinction is made between owners and members of a group (e.g. according to the display of a team in MS365 teams). These affiliations are controlled via the group lifecycle process, which defines when a group is created, changed and deleted.
After automated group expiration, the content is stored in a storage container for up to 180 days. This means that if MS365 groups or user accounts are deleted, for example, the associated content is not physically removed immediately, but is first moved to a special area ("container") where it can still be accessed or restored for the specified period (up to 180 days).
The data is then automatically removed from the storage container and permanently deleted if it is not worth archiving. This serves to protect against unintentional data loss and supports compliance with legal and organizational retention periods in accordance with GDPR requirements.
The specific deadline and the configuration of the expiry policy depend on the respective group and policy settings.
Log data is automatically deleted by Microsoft - currently after a maximum of 13 months.
Otherwise, your personal data that is not covered by the aforementioned retention periods will only be stored for as long as is necessary for the purposes stated in section 2 above.
None of the aforementioned periods apply insofar as longer storage or retention periods and/or documentation obligations are prescribed by law for the HfMT, e.g. according to the German Fiscal Code (AO), State Budget Code or the German Commercial Code (HGB). A further exception to the aforementioned periods may arise, for example, if your personal data is still required for the assertion, exercise or defense of legal claims. In such cases, your personal data will only be processed for the corresponding purpose and no further data processing will take place.
After expiry of the aforementioned storage periods, any documents that were processed when using MS365 services of the HfMT and contain your personal data will be offered to the Hamburg University Archives for transfer. If no transfer takes place, your personal data will be permanently deleted from the MS365 services of the HfMT.
5. Provision of your personal data required by law or contract, necessity of provision for the conclusion of a contract
The provision of some personal data, such as comments, sharing, etc., is not mandatory, but voluntary.
For employees, there is no legal obligation to provide the data with regard to some data. However, it may not be possible to execute the employment contract without providing your data and this may have further individual consequences.
For students, if you do not provide your personal data, you may not be able to participate in study-related events if these require a corresponding MS365 account for authentication.
For external students, the provision of your personal data is neither legally nor contractually required. If you do not consent to the processing of your data, this will not have any negative consequences for you.
6. Automated decision-making, profiling
Automated decision-making including profiling in accordance with Article 22 (1) and (4) GDPR does not take place in the context of the use of MS365 services of the HfMT.
7. Your rights under the GDPR
You have the following rights in connection with the data processing described above:
- Right to information in accordance with Art. 15 GDPR
- Right to rectification of inaccurate or incomplete personal data concerning you in accordance with Art. 16 GDPR
- Right to erasure of your personal data or a "right to be forgotten" under the conditions of Art. 17 GDPR. A right to erasure depends on the conditions and restrictions laid down by law.
- Right to restriction of processing of your personal data under the conditions of Art. 18 GDPR. A right to restriction of processing depends on the conditions and restrictions laid down by law.
- Right to data portability under the conditions of Art. 20 GDPR
- If the processing is based on Art. 6 para. 1 lit. e) or f) GDPR, you have the right to object to the processing in accordance with Art. 21 GDPR for reasons arising from your particular situation. In this case, we will no longer process this data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
- If the processing of your data is based on a declaration of consent given by you, you also have the right to revoke the consent you have given at any time in accordance with Art. 7 para. 3 GDPR. The declaration of revocation can be made informally and does not require any justification. If you withdraw your consent, this will take effect for the future. This means that it does not affect the lawfulness of the processing that took place before you withdrew your consent.
- To exercise your rights, you can contact us using the contact details provided in section 1b above. If you have any further questions, our data protection officer will be happy to advise you and can be contacted using the contact details provided in section 1c.
- You also have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR if you believe that the processing of your personal data violates the GDPR.