DATA PROTECTION INFORMATION FOR MICROSOFT SERVICES
Corteco uses products from the Microsoft® Corporation’s M365 suite with data storage in European data centres. Corteco has concluded a data processing agreement with Microsoft® for this purpose. When using these online-based services, various data of employees of the Corteco as well as customer or prospective customer data are processed by Microsoft® and Corteco. Corteco fulfils its duty to inform employees and customers in accordance with Art. 13 GDPR by publishing this information on the Group’s website.
These services serve various purposes:
• Customer and employee communication in the form of video conferences via MS Teams®
• Customer and employee satisfaction surveys via MS Forms®
• Appointment and visitor management via Bookings® and FindTime®
• Customer and supplier collaboration via SharedChannels® via MS Teams®
For all of the following processing operations, the controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is
Corteco GmbH
Badener Str. 4
69493 Hirschberg, Germany
Phone: +49 6201 25964 0
Fax: +49 6201 25964-11
E-Mail: service@corteco.de
2. You can reach our data protection officer at
legitimis GmbH
Ball 1
51429 Bergisch Gladbach, Germany
Phone: +49 2202 28 941-0
E-Mail: datenschutz-corteco@legitimis.com
1. Your rights as a data subject
You have the right to information about the personal data concerning you. You can contact us at any time for information. In the case of a request for information that is not made in writing, we ask for your understanding that we may require proof from you that you are the person you claim to be. Furthermore, you have a right to rectification or erasure or to restriction of processing, insofar as you are legally entitled to do so. Finally, you have the right to object to processing within the scope of the statutory provisions. You also have the right to data portability within the framework of data protection regulations.
2. Deletion of data
We generally delete personal data when there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfil contractual services, to check and grant or defend against warranty and guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.
3. Recipients / transfer of data
Personal data that is processed in connection with participation in video conferences is not passed on to third parties unless it is intended to be passed on. Please note that content from the services described, as well as in face-to-face meetings, is often used to share information with customers, interested parties or suppliers and is therefore intended to be passed on.
The provider of said Microsoft® services, in this case Microsoft Corporation, necessarily obtains knowledge of the data described, insofar as this is provided for in our order processing contract with Microsoft.
4. Data processing outside the European Union
Data processing outside the European Union (EU) does not generally take place, as we have limited our storage location to data centres in the European Union. However, we cannot rule out the possibility that data may be routed via internet servers located outside the EU. This may be the case in particular if participants in “Microsoft services” are located in a third country. Furthermore, telemetry data may be analysed by Microsoft. In this case, a transfer to a third country, e.g. the USA, cannot be ruled out. Microsoft endeavours to comply with protection mechanisms such as certification by the DataPrivacyFramework (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Active). Further information can be found here https://privacy.microsoft.com/de-de/privacystatement.
However, the data is encrypted during transport via the Internet and is therefore largely protected against unauthorised access by third parties.
5. Right to lodge a complaint with a supervisory authority
You have the right to complain to a data protection supervisory authority about the processing of personal data by us. You can find an online overview of the data protection supervisory authorities in Germany on the website of the Federal Commissioner for Data Protection.
6. Conducting online meetings, conference calls and webinars via Microsoft® Teams®
Purpose of data processing
We use the Teams® tool to conduct telephone conferences, video conferences and/or webinars (hereinafter: “video conferences”). If you access the Teams® website, the provider of Teams® is responsible for data processing. However, accessing the website is only necessary for the use of Teams® in order to download the software for the use of Teams®.
If you do not want to or cannot use the Microsoft® Teams® app, you can also use Teams® via your browser. The service is then also provided via the Microsoft website.
Processing of personal data
Various types of data are processed when using Microsoft® Teams®. The scope of the data also depends on the data you provide before or during participation in a video conference. The following personal data is generally processed:
• User data: e.g. display name, e-mail address, profile picture (optional), preferred language
• Meeting metadata: e.g. date, time, meeting ID, telephone numbers, location
• Text, audio and video data: You may have the option of using the chat function in an video conferences. In this respect, the text entries you make are processed in order to display them in the video conferences. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the Teams® applications.
Scope of processing
If we want to record video conferences, we will inform you transparently in advance and – if necessary – ask for your consent. If it is necessary for the purposes of logging the results of a video conference, we will log the chat content. However, this will not usually be the case. Automated decision-making within the meaning of Art. 22 GDPR is not used.
Legal basis
Insofar as personal data of employees of Corteco are processed, our legal basis is Art. 6 (1) b) of the employment contract. This also applies to interviews with potential applicants if the purpose is to initiate an employment contract with CORTECO. In addition, Art. 6 para. 1 f), GDPR, our legitimate interest, can be the legal basis for data processing. In this case, we have a legitimate interest in providing video conferences as part of customer and employee communication. Your participation or utilisation takes place on a voluntary basis in accordance with Art. 6 para. 1 a) if you use the service as an external person.
7. Conducting surveys via Microsoft Forms®
We use the information collected by Forms® to improve our products, conduct customer surveys and increase customer satisfaction. We endeavour to make the surveys anonymous and data protection-friendly, e.g. through predefined response options.
Purpose of data processing
We use Forms® to improve our products and increase customer and employee satisfaction. Microsoft® Forms® is a service of the Microsoft Corporation. If you call up Forms®, Microsoft is jointly responsible for data processing. Information on the use of Forms® can be found at: https://www.microsoft.com/de-de/servicesagreement/default.aspx and https://support.microsoft.com/de-de/office/sicherheit-und-datenschutz-in-microsoft-forms-7e57f9ba-4aeb-4b1b-9e21-b75318532cd9.
Processing of personal data
Various types of data are processed when you use Forms®. The scope of the data depends, among other things, on what data you enter. It is not possible to create an exhaustive list, as it is always possible to send us personal data, for example when you answer open questions. The following personal data is subject to processing:
• User data: e.g. profile information, e-mail address (in the case of internal use at Corteco)
• Usage data: e.g. date and time of entry
• Text data in response fields: You decide which personal data you send us.
Scope of processing
We use Forms® to collect feedback from our customers and employees. This may be information about Corteco products and services or for internal administrative purposes. Automated decision-making within the meaning of Art. 22 GDPR is not used.
Legal basis
Insofar as personal data of employees of the Corteco is processed, our legal basis is Art. 6 (1) b) of the employment contract. This may be the aforementioned administrative purposes. In addition, Art. 6 para. 1 f) GDPR, our legitimate interest, may be the legal basis for data processing. In these cases, we are interested in product improvement and customer and employee satisfaction. Your participation in such surveys is voluntary in accordance with Art. 6 (1) a) GDPR if you use the service as an external person.
8. Making appointments via Microsoft® Bookings® and FindTime®
We offer customers, employees, applicants and suppliers appointment scheduling via Microsoft® Bookings® or Microsoft FindTime®. This enables us to offer you appointments for face-to-face meetings, video conferences, telephone calls or webinars.
Purpose of data processing
We use Bookings® and FindTime® for efficient appointment and event planning. If you access Bookings® or FindTime® online, Microsoft® is jointly responsible for data processing. Information on the use of Bookings® can be found at: https://learn.microsoft.com/de-de/microsoft-365/bookings/bookings-faq?view=o365-worldwide and FindTime® can be found here: https://support.microsoft.com/de-de/office/datenschutz-und-schutz-personenbezogener-daten-in-findtime-7dbbeb41-245c-4573-97ea-50fcb8610cde
Processing of personal data
When using Bookings® and FindTime®, contact and appointment data are primarily processed. The following personal data is processed:
• User data: e.g. profile information, e-mail address, company information
• Date data: e.g. selected period, date and event data such as location, organiser, etc.
Scope of processing
We use Bookings® and FindTime® for efficient collaboration and appointment scheduling. Automated decision-making within the meaning of Art. 22 GDPR is not used.
Legal basis
Insofar as personal data of employees of the Corteco is processed, our legal basis is Art. 6 (1) b) of the employment contract. This may be for administrative and training purposes. In addition, Art. 6 para. 1 f) GDPR, our legitimate interest, may be the legal basis for data processing. In these cases, we are interested in optimising processes and saving time in coordination. Your participation in appointment scheduling is voluntary in accordance with Art. 6 para. 1 a) GDPR if you use the service as an external person.
9. Collaboration in the context of guest access via SharedChannels®
We work together with business partners in the context of product and research collaboration, with employees of other Corteco and other service providers. Guest access to systems such as Teams® can be created if necessary.
Purpose of data processing
SharedChannels® is a functionality of Teams® and therefore a service of the Microsoft Corporation. It is used for efficient collaboration based on the M365 Suite and its integrated applications. Further information is available at: https://support.microsoft.com/en-us/office/what-is-a-shared-channel-in-microsoft-teams-e70a8c22-fee4-4d6e-986f-9e0781d7d11d
Processing of personal data
Various types of data are processed when you use SharedChannels®. The scope of the data depends, among other things, on which rights and roles are assigned to you. It is not possible to create an exhaustive list, as this always depends on the situation. The following personal data is generally processed:
• User data: e.g. profile information, contact details
• Usage data: e.g. login data, changes to documents
• Project data: Documents, presentations, audio and video data (not exhaustive)
Scope of processing
We use SharedChannels® and Teams® for said collaboration in the context of the business activities of the Corteco Business Group. Automated decision-making within the meaning of Art. 22 GDPR is not used.
Legal basis Insofar as personal data of employees of the CORTECO is processed, our legal basis is Art. 6 para. 1 b) GDPR, the employment contract. In addition, Art. 6 para. 1 f) GDPR, our legitimate interest, may be the legal basis for data processing. In these cases, we are interested in collaboration within the group of companies and with our customers, suppliers and service providers.