Kontakt

Privacy Statement for Microsoft 365

Introduction

NTT DATA, Inc., its subsidiaries and affiliates (collectively ’NTT DATA’, ‘us’, ‘we’, ’our’) understand the importance of ensuring that we collect, use, store, disclose, share, and dispose of (collectively ‘process’ or ‘processing’) information about you (‘personal data’, including ‘personal information’ or ‘personally identifiable information’ as it may be defined under applicable data protection laws and regulations) in a transparent, fair, secure, and lawful way.

This Privacy Statement describes our practices processing personal data and your choices and rights in relation to personal data processed when you use any product or service offered as part of Microsoft 365 (‘M365’).

By using M365, you agree to the practices described in this Privacy Statement.

About M365

M365 is a collection of subscription productivity services and applications designed to enhance collaboration, communication and productivity, including conducting conference calls, and online meetings. It includes applications and online services like Word, Excel, PowerPoint, Outlook, OneNote, SharePoint, OneDrive, Teams, Viva Engage, and CoPilot.

M365 is developed by Microsoft Corporation (‘Microsoft’) and made available by NTT DATA to you. If you would like any additional information on Microsoft or how they process personal data, please see Microsoft Privacy Statement – Microsoft privacy. 

Personal data that is collected

When you use M365, your personal data may be processed.  Personal data is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to you. We collect your personal data directly or indirectly from you or from third parties.

Personal data that we collect 
When you use M365, your personal data may be processed, including:

  • Profile Data for Internal Users: Data that is shared within NTT DATA about you.  This may include your first and last name, work email address, employee number, profile picture, avatars created by you, work contact number, job title, business unit, office location and IP address.
  • Profile Data for Guest Users: Data that is shared within NTT DATA about you. This may include your guest user display name, email address used for guest access authentication information used to access M365 (such as login credentials) and IP address.
  • Biometric Characteristics: Your face, voice and avatar you created may be recorded and your spoken words transcribed where you have consented.

When you use M365, your personal data may be included in:

  • Content: Emails, meeting invites, attachments to emails and meeting invites, calendar items, conversations and chats, voicemail, files, documents, recordings, transcriptions, responses to polls, or any other information you provide or make accessible to NTT DATA.  Content may include any text, images, photographs, graphics, audio and video, data, code, and software.
  • Activity Logs and User Activity: Details of your actions within M365, including what content was accessed, modified and sent.

Personal data that we automatically collect 
We may collect certain information by automated means, including:

  • Device Type and Operating System: Details about the device type (e.g., desktop, mobile) and the operating system (e.g., Windows, macOS, iOS, Android) used by you.
  • Browser Information: Information about the web browser used to access M365, including the browser type and version.
  • Client information: Information about the Teams client version used.
  • Device Compliance and Health: The compliance status and health of the device you use will be checked and recorded. This can include whether the device is managed, has up-to-date protection software, and meets other security requirements.
  • IP Address: The IP address from which you connect to M365, which can be used to determine the geographical location and network details.
  • Device Information: Details about the device you use to access M365, such as device type and operating system.

Personal data collected by Microsoft on M365 

  • Microsoft primarily acts as a data processor on behalf of NTT DATA when processing your personal data, however, in certain circumstances, it acts as the data controller and may collect information about you which Microsoft may use to improve or develop their products, for security and compliance reasons, or to generate diagnostic and other service-related data. We do not have access to personal data that is collected by Microsoft when it acts as a controller. If you would like any additional information, please see Microsoft Privacy Statement – Microsoft privacy.
  • When you create or interact with avatars, Microsoft may collect associated metadata such as customization choices, behavioral patterns, and usage frequency as part of its service operations.

Personal data we collect about other persons

  • When you submit any content on M365, your content may include third party personal data that you wish to include, or which is derived from facts described by you in your content.

Where you include sensitive personal data about yourself or a third party, e.g. information relating to health, biometric or genetic information, religion, political beliefs, union membership, race or sexual orientation, or information about children, we will process such personal data in accordance with this Privacy Statement. However, we ask that you do not submit or provide sensitive personal data or information about children to us when using M365, unless this information is relevant and necessary.  

How we process your personal data

We process personal data in compliance with applicable data protection laws and regulations and Works Council Agreements (where applicable), based on the country in which you are located.  
We process personal data for the following purposes:

  • To authenticate you and to provide you access to M365. 
  • To enable you to collaborate, send and receive content using M365.  This may include displaying, recording and storing your content.
  • To capture your audio, spoken words and image during any meetings you participate in, to enable video and audio playback, to create transcripts, and to reproduce, distribute, and publish meeting recordings.  You can turn off your camera or microphone at any time should you wish to not be recorded.
  • To collect your feedback, ratings, and preferences on M365 and to evaluate your satisfaction and engagement with M365.
  • To compile aggregated platform and performance related usage statistics about M365,including how many users have connected to M365, where such users have connected from and related aggregated statistics.

How we use automated decision-making

When using M365, no automated decisions, including profiling, will be made that have any legal or significant effects on you. 

Artificial intelligence

We may enable certain features of M365 which includes the use of artificial intelligence, including Copilot.  

Our legal basis for processing personal data

When we process personal data, we rely on the following legal basis:

  • Performance of contract: To manage our relationship with you or fulfil our contractual obligations to you. 
  • Our legitimate business interests: To protect our legitimate business interests or those of a third party with whom we disclose your personal data. Whenever we rely on this lawful basis to use your personal data, we assess our business interests to ensure that they do not override your rights. Additionally, you may have the right to object to our use of your personal data in certain circumstances. See ‘Your Privacy Rights’ section of this Privacy Statement.  
  • Compliance with a mandatory legal obligation: To ensure that we comply with applicable laws and regulations that govern and regulate how we do business.
  • Consent: Where you have provided consent to the processing of your personal data

How we disclose personal data

We may, to the extent necessary, disclose personal data to the following parties:

  • Our subsidiaries, affiliates and other NTT DATA companies: We may disclose information about you with our subsidiaries and affiliated entities for the purpose of operating our business, delivering, analyzing, improving, securing, and customizing M365, and for other legitimate purposes permitted by applicable law or otherwise with your consent.
  • Authorized personnel and advisors: We may disclose information about you with authorized NTT DATA personnel, agents and professional advisors to support business operations and activities.
  • Authorized service providers and third parties: We may disclose information about you with our service providers or other third parties for service delivery purposes.
  • Local, public and state authorities: We may disclose information about you with local and public authorities in order to comply with applicable laws and regulations.
  • Microsoft: Microsoft may have access to your personal data submitted on M365.  Microsoft has responsibility for ensuring adequate technical and organizational measures are in place when processing personal data (including the transfer of personal data to any third party). 
  • Other users of M365: Where other users of M365 are collaborating on the same content or participating in the same meeting with you, they will have access to personal data disclosed in the content or during the meeting.

We do not sell or share personal data of employees as defined by the California Privacy Rights Act and Personal Information Protection Law of the People's Republic of China.
Any service providers, third parties or other parties with whom we disclose personal data are contractually not permitted to process personal data for any purpose other than the purpose for which the personal data is provided or given access to. 

Cross-border transfers

As a global company we may transfer personal data, to the extent necessary, to countries where we do business or to international organizations in connection with the purposes identified above and in accordance with this Privacy Statement.

When we transfer personal data from the country from where it was originally collected to another country, we take steps to ensure that appropriate safeguards are in place, in line with applicable law, to protect your personal data.  You may obtain a copy of these safeguards by contacting us in accordance with the ‘How to contact us’ section below.

Security of personal data

The security of your personal data is very important to us. We are committed to protecting your personal data from accidental or unlawful destruction, loss, alteration, unauthorized access or disclosure by using a combination of physical, administrative and technical safeguards ourselves and contractually requiring third parties, service providers, and other external parties to whom we disclose your personal data to do the same.

The safety and security of your personal data also depends on you. You are responsible for keeping your username and password that you use to access M365 confidential.

Microsoft has implemented adequate technical and organisational measures to process your personal data and to ensure confidentiality, availability and integrity of your personal data.  You may obtain a copy of these measures by contacting us in accordance with the ‘How to contact us’ section below or viewing the Microsoft Privacy Statement – Microsoft privacy.

Your privacy rights

Data protection legislation, in certain countries, provide you with specific rights in relation to your personal data.  We are committed to upholding the following rights:

  • Right to be informed / know: you have a right to know what personal data we have about you, what we do with it, where we get it from, who we disclose it to and share it with, how long we keep it and why we need it.
  • Right of access: you have the right to access your personal data and obtain a copy of your personal data from us.
  • Right to correct: you have the right to update inaccurate and/or incomplete personal data about you. We will review all information provided by you to us, to determine whether the information is inaccurate.We reserve the right to delete the information instead of correcting if such deletion does not impact you or you consent to the deletion of your personal data.
  • Right to delete: you have the right to have your personal data erased, deleted or destroyed (i.e. right to be forgotten).
  • Right to data portability: you have the right to move, copy or transfer your personal data in a safe and secure way and reuse it for your own purposes.
  • Right to withdraw consent: you have the right to withdraw consent at any time regarding the use of your personal data (including cross-border transfers of personal data) or in relation to direct marketing activities.
  • Right to restrict use: you have the right to limit the way we use your personal data.
  • Right to object: you have the right to stop or prevent us from using your personal data.In particular, you can object to our use of your personal data for direct marketing or the sale of your personal data.
  • Right to challenge automated decisions: you have the right to query and review decisions made about you using purely automated means (i.e., without human involvement or intervention).
  • Right to complain: you have the right to file a complaint or raise a concern about how we use your personal data.Complaints may be made directly to us or a relevant Data Protection Authority.
  • Right to non-discrimination: you have the right not to be discriminated against for exercising your privacy rights.

You may submit a request to enforce your rights at any time.

You can make a request regarding your privacy rights by contacting us through the following ways: 

When you submit a request to us, you must provide sufficient information to allow us to verify that you are the person about whom the personal data relates. This information must contain sufficient detail to allow us to properly understand, evaluate and respond to your request.  If we cannot verify your identity, we will not be able to respond to your request.

Once we receive your request, we will begin the process to verify that you are the person that is the subject of the request. This may include matching identifying information provided by you with the information we have about you in our records.

Where permitted under applicable law, we may charge you a reasonable fee to access your personal data; however, we will advise you of any fee in advance.

We will respond to all requests and complaints in accordance with our policies and will acknowledge any requests within 10 days and respond substantively within 30 days.

In some situations, we may not be required to enforce these rights, where permitted under applicable law and where exceptions may apply.  We may also have a legitimate business interest to decline a request to action your rights. Where the processing is based on your consent, and you withdraw your consent we may still be entitled to process your personal data if we can rely on other legal bases for doing so. The withdrawal of your consent shall not affect the lawfulness of processing performed based on the consent before your withdrawal.

Individuals may hold additional rights in certain countries, which must be recognized and upheld.  Where you carry additional rights under any local laws and regulations, we will ensure that we comply with local law.

Authorized agent information

You may designate an authorized agent to make a request on your behalf. When your authorized agent makes a request related to your personal data, we will require the agent to provide written permission from you. We may also require that you verify your own identity directly with us at the time such a request is made. 

In order to allow an authorized agent to make a request on your behalf, you may contact us via one of the methods provided in the ‘How to contact us’ section of this Privacy Statement.

Retaining personal data

We retain your personal data for as long as is reasonably necessary and proportionate to fulfil the purpose for which it was collected, processed, or for another disclosed purpose, unless a longer retention period is required to comply with legal obligations, resolve disputes, protect our assets, or enforce our rights.

We will retain correspondence, documents and information related to any requests or complaints regarding your privacy rights for a period of 24 months or as required by any applicable laws and regulations. Individuals may hold additional rights under any local laws and regulations in certain countries, which we will recognize and uphold.

In some instances, we may anonymize information in accordance with our policies and may keep those anonymized records for longer periods.

Changes or updates to this Privacy Statement

We may update this Privacy Statement at any time for any reason.  If we do, we will update the ‘Version’ and ‘Date’.  All material changes will be communicated to you. We encourage you to regularly review this Privacy Statement to stay informed about how we use your personal data.

How to contact us

If you have any questions about how we use your personal data, have a privacy concern, or wish to make a request or complaint relating to your personal data, contact us via one of the following:

 


Copyright © 2024 NTT DATA, Inc.

Jetzt Kontakt aufnehmen