Data Protection Information Microsoft Services

The DAA GmbH, DAV, DGVFM, DAA and EAA (hereinafter DAV) uses products from the Microsoft® Corporation's M365 suite with data storage in European data centres. The DAV has concluded a data processing agreement with Microsoft® for this purpose. When using these onlinebased services, various data of employees of the DAV as well as customer or prospective customer data are processed by Microsoft® and the DAV. The DAV fulfils its duty to inform employees and customers in accordance with Art. 13 GDPR by publishing this information on the Group's website.

 

These services serve various purposes:  

Customer and employee communication in the form of video conferences via MS Teams®  

Customer surveys via MS Forms®  

Customer and supplier collaboration via MS Teams®    

 

For all of the following processing operations, the controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is:

 

Deutsche Aktuarvereinigung (DAV) e.V.
Hohenstaufenring 47 – 51
50674 Köln
Deutschland
E-Mail: info@aktuar.de
Tel.: +49 (0) 221 / 912 554-0
Fax: +49 (0) 221 / 912 554-44

 

You can reach our data protection officer at:

TÜV Rheinland i-sec GmbH
Dudweilerstraße 17
66117 Saarbrücken
Deutschland
E-Mail: datenschutz@aktuar.de

 

1. Your rights as a data subject  

You have the right to information about the personal data concerning you. You can contact us at any time for information. In the case of a request for information that is not made in writing, we ask for your understanding that we may require proof from you that you are the person you claim to be. Furthermore, you have a right to rectification or erasure or to restriction of processing, insofar as you are legally entitled to do so. Finally, you have the right to object to processing within the scope of the statutory provisions. You also have the right to data portability within the framework of data protection regulations.  

2. Deletion of data  

We generally delete personal data when there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfil contractual services, to check and grant or defend against warranty and guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.  

3. Recipients / transfer of data  

Personal data that is processed in connection with participation in video conferences is not passed on to third parties unless it is intended to be passed on. Please note that content from the services described, as well as in face-to-face meetings, is often used to share information with customers, interested parties or suppliers and is therefore intended to be passed on.  

The provider of said Microsoft® services, in this case Microsoft Corporation, necessarily obtains knowledge of the data described, insofar as this is provided for in our order processing contract with Microsoft.  

4. Data processing outside the European Union  

Data processing outside the European Union (EU) does not generally take place, as we have limited our storage location to data centres in the European Union. However, we cannot rule out the possibility that data may be routed via internet servers located outside the EU. This may be the case in particular if participants in "Microsoft services" are located in a third country. Furthermore, telemetry data may be analysed by Microsoft. In this case, a transfer to a third country, e.g. the USA, cannot be ruled out. Microsoft endeavours to comply with protection mechanisms such as certification by the DataPrivacyFramework (https://www.dataprivacyframework.gov/s/participant-search/participanthttps://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Activedetail?id=a2zt0000000KzNaAAK&status=Active). Further information can be found here privacy.microsoft.com/de-de/privacystatement.    

However, the data is encrypted during transport via the Internet and is therefore largely protected against unauthorised access by third parties.  

5. Right to lodge a complaint with a supervisory authority  

You have the right to complain to a data protection supervisory authority about the processing of personal data by us. You can find an online overview of the data protection supervisory authorities in Germany on the website of the Federal Commissioner for Data Protection.  

www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html      

6. Conducting online meetings, conference calls and webinars via Microsoft® Teams®  Purpose of data processing  

We use the Teams® tool to conduct telephone conferences, video conferences and/or webinars (hereinafter: "video conferences"). If you access the Teams® website, the provider of Teams® is responsible for data processing. However, accessing the website is only necessary for the use of Teams® in order to download the software for the use of Teams®.  

If you do not want to or cannot use the Microsoft® Teams® app, you can also use Teams® via your browser. The service is then also provided via the Microsoft website.  

Processing of personal data  

Various types of data are processed when using Microsoft® Teams®. The scope of the data also depends on the data you provide before or during participation in a video conference. The following personal data is generally processed:  

User data: e.g. display name, e-mail address, profile picture (optional), preferred language  

Meeting metadata: e.g. date, time, meeting ID, telephone numbers, location  

Text, audio and video data: You may have the option of using the chat function in an video conferences. In this respect, the text entries you make are processed in order to display them in the video conferences. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the Teams® applications.  

Scope of processing  

If we want to record video conferences, we will inform you transparently in advance and - if necessary - ask for your consent. If it is necessary for the purposes of logging the results of a video conference, we will log the chat content. However, this will not usually be the case. Automated decision-making within the meaning of Art. 22 GDPR is not used.  

Legal basis    

Insofar as personal data of employees of the DAV are processed, our legal basis is Art. 6 (1) b) of the employment contract. This also applies to interviews with potential applicants if the purpose is to initiate an employment contract with the DAV. In addition, Art. 6 para. 1 f), GDPR, our legitimate interest, can be the legal basis for data processing. In this case, we have a legitimate interest in providing video conferences as part of customer and employee communication. Your participation or utilisation takes place on a voluntary basis in accordance with Art. 6 para. 1 a) if you use the service as an external person.    

7. Conducting surveys via Microsoft Forms®    

We use the information collected by Forms® to improve our products, conduct customer surveys and increase customer satisfaction. We endeavour to make the surveys anonymous and data protectionfriendly, e.g. through predefined response options.    

Purpose of data processing  

We use Forms® to improve our products and increase customer and employee satisfaction. Microsoft® Forms® is a service of the Microsoft Corporation. If you call up Forms®, Microsoft is jointly responsible for data processing. Information on the use of Forms® can be found at: www.microsoft.com/de-de/servicesagreement/default.aspx and  

support.microsoft.com/de-de/office/sicherheit-und-datenschutz-in-microsoft-formshttps://support.microsoft.com/de-de/office/sicherheit-und-datenschutz-in-microsoft-forms-7e57f9ba-4aeb-4b1b-9e21-b75318532cd97e57f9ba-4aeb-4b1b-9e21-b75318532cd9.    

Processing of personal data  

Various types of data are processed when you use Forms®. The scope of the data depends, among other things, on what data you enter. It is not possible to create an exhaustive list, as it is always possible to send us personal data, for example when you answer open questions. The following personal data is subject to processing:  

User data: e.g. profile information, e-mail address (in the case of internal use at the DAV)  

Usage data: e.g. date and time of entry  

Text data in response fields: You decide which personal data you send us.  

 

Scope of processing  

We use Forms® to collect feedback from our customers and employees. This may be information about the DAV products and services or for internal administrative purposes. Automated decision-making within the meaning of Art. 22 GDPR is not used.  

Legal basis    

Insofar as personal data of employees of the DAV is processed, our legal basis is Art. 6 (1) b) of the employment contract. This may be the aforementioned administrative purposes. In addition, Art. 6 para. 1 f) GDPR, our legitimate interest, may be the legal basis for data processing. In these cases, we are interested in product improvement and customer and employee satisfaction. Your participation in such surveys is voluntary in accordance with Art. 6 (1) a) GDPR if you use the service as an external person.