Data resulting from the recording of an MS Teams session may be retained for more than one year, depending on the type of session. The retention period depends on the purpose of the recording. If a record is outdated or obsolete before the retention period expires, it will be deleted. Further information on the retention period can be found in a specific privacy policy and/or disclaimer sent with the session invitation. Privacy Statement for Microsoft Unified, Premier, and Consulting customers. My organization only processes data on behalf of others. Does it still have to comply with the GDPR? Personal data is contained in customer data, information generated by Microsoft products and services, and system-generated logs. The search for personal information may vary depending on Microsoft products and services. Search tools include searching for content or in-app search capability. Administrators can access system-generated logs associated with a user's activity. To help you in the event of a personal data breach, Microsoft has: – Security personnel trained in specific procedures.

– Has policies, procedures, and controls in place to ensure that Microsoft maintains detailed records. This response includes documentation that captures the facts of the incident, its impact and corrective actions, as well as tracking and storing information in our incident management systems. Under the GDPR, as a controller, you are required to carry out DPIAs before data processing, which is likely to result in a high risk to the rights and freedoms of the individual, in particular when processing using new technologies. The GDPR provides the following non-exhaustive list of cases where DPIAs need to be performed: Much of an organization's data is generated in Office applications such as Excel and Outlook. You can also find data relevant to a DSR in the information generated by Microsoft products and services, as well as in the logs generated by the system. For example, the ability to record a virtual meeting depends on the type of meeting and must be approved by the designated data controller. Participants will be informed both in the invitation and before activating the recording that the meeting will be recorded and informed of the possibility of objecting to the recording. Personal data is processed for the purpose of providing the aforementioned services, i.e. collected and stored on Microsoft's cloud servers. They are not used for automated decision-making, including profiling.

The GDPR also requires you to contact your data protection authority (DPA) before starting processing if you cannot identify enough processes to minimise the high risks to data subjects. If there are legitimate grounds to continue processing and storing data, such as “to comply with a legal obligation requiring processing under Union or Member State law to which the controller is subject” (Article 17(3)(b)), the GDPR recognises that organisations may be obliged to retain data. However, you must ensure that you engage your legal counsel to ensure that the reasons for retention are weighed against the rights and freedoms of the data subjects, their expectations at the time of data collection, etc. Personal data is any information relating to an identified or identifiable person. There is no difference between a person's private, public or professional roles. Personal data may include: Microsoft practices data protection by default in its technical and business functions. As part of these efforts, Microsoft conducts comprehensive privacy reviews of data processing operations that may impact the rights and freedoms of data subjects. The data protection teams integrated into the service groups review the design and implementation of the services to ensure that personal data is processed in a manner that is respectful and in accordance with international law, user expectations and our explicit obligations.

For the avoidance of doubt, beta or preview software, hardware modified software, or software licensed by Microsoft or our affiliates that is not publicly available or otherwise licensed under the Microsoft Software License Terms may be subject to different or lesser obligations. Some products collect and send telemetry or other data to Microsoft by default. The product documentation provides information and instructions for disabling or configuring such a telemetry collection. The GDPR imposes notification obligations on controllers and processors in the event of a personal data breach. As a data processor, Microsoft ensures that customers are able to comply with the GDPR notification requirements. Data controllers are responsible for assessing privacy risks and determining whether a breach requires notification through a customer's data protection authority. Microsoft provides the information necessary for this assessment. For more information about how Microsoft detects and responds to a personal data breach, see Data Breach Notification under the GDPR. GDPR compliance will cost most businesses time and money, although it can be a smoother transition for those who work in a well-structured cloud service model and have an effective data governance program. You have the right, in certain circumstances, for example when your personal data is no longer necessary for the purposes for which it was collected or when it has been processed unlawfully.

The processing of certain “special” categories of personal data – such as personal data revealing a person's racial or ethnic origin or concerning his or her health or sexual orientation – is subject to stricter rules than the processing of “ordinary” personal data. This evaluation of personal data is very specific to the facts, so we recommend that you hire an expert to assess your specific situation. To comply with the GDPR, Microsoft amended its professional services agreements to meet the requirements that needed to be included in its data processing agreements. How Microsoft tries to prevent breaches, how Microsoft detects a breach, and how Microsoft responds to a breach and notifies the data controller. The GDPR's “right to data portability” allows a data subject to request a copy of personal data in a “structured, commonly used and machine-readable format” and to request your organization to transfer those files to another data controller. Microsoft has long used standard contractual clauses (also known as model clauses) as the basis for data transfer for its online services for businesses. Standard contractual clauses are terms and conditions provided by the European Commission that can be used to transfer data within the European Economic Area in a compliant manner. Microsoft has included the standard contractual clauses of the Online Terms of Service in all of its volume licensing agreements.

The Article 29 Working Group has determined that Microsoft's implementation of the Standard Contractual Clauses is compliant.