Terms of use for the use of Microsoft 365 components at Goldhofer AG by external parties and data protection information
As a project or business partner of Goldhofer AG, you will receive an invitation to use Office 365 components for collaboration with Goldhofer AG. Goldhofer AG provides these components with the help of Microsoft.
To protect you, as well as the employees of Goldhofer AG, and to comply with laws, collective bargaining agreements and other regulations, the following binding terms of use apply.
These terms of use become part of the contractual relationship between Goldhofer AG and you, or, where applicable, the company or organization you represent. Acceptance of the invitation and use of the provided Microsoft 365 components is considered a binding declaration to accept these terms of use without deviations.
If you act on behalf of a company or organization that cooperates with Goldhofer AG, you also confirm that you are authorized to accept the unchanged terms of use.
If this is not possible or if you have any questions, please contact your contact person at Goldhofer AG before using the services. Furthermore, we inform you about the processing of your personal data when using Microsoft Office 365 components in accordance with Article 13 of the General Data Protection Regulation (see Part II below).
Table of Contents
1 Terms of use for Microsoft 365 components
2 Basic regulations for the use of M365 components
2.1 Purpose
2.2 Need to Know Principle
2.3 Confidentiality and Information Classification
2.4 Intellectual Property
2.5 Termination
2.6 Liability
3 Regulations for information security
3.1 Data security and protection of confidentiality
3.2 Passwords
3.3 Protection against spam and viruses, logging, and control
3.4 Mobile devices
3.5 Availability
3.6 Reporting obligations
4 Special conditions when using the M365 component "Microsoft Teams"
4.1 Transparency
4.2 Camera function
4.3 Participation
4.4 Recordings of a Teams conference
5 Part II - Privacy information in accordance with Article 13 GDPR
1 Terms of use for Microsoft 365 components
The following terms of use of Goldhofer AG apply to all individuals who are not employees of Goldhofer AG within the meaning of the Works Constitution Act (hereinafter "external users") when using Microsoft 365 components provided by Goldhofer AG for collaboration purposes (hereinafter "M365 components").
2 Basic regulations for the use of M365 components
2.1 Purpose
Goldhofer AG provides all M365 components solely for the purpose of business collaboration within the scope of projects, orders, and contractual obligations in relation to external users. The same applies to the contents provided by the components, such as development data, documents, presentations, etc. Any use of M365 components and contents for other purposes is prohibited. In particular, the use of M365 components and contents for private purposes, the transfer of contents to private devices or private storage that are not under the exclusive control of the company or organization of the external user, as well as the use of information to analyze the performance or behavior of Goldhofer AG employees, are prohibited. Personal and social data of Goldhofer AG employees may not be stored in M365 storage locations accessible by external users.
2.2 Need to Know Principle
The principle of necessity applies to all processing of contents in and out of M365 components. Contents may only be passed on to those persons within a common team who need to know them to perform their tasks. The disclosure of contents from M365 components to Goldhofer-external persons outside a team (third parties) requires the prior and express consent of Goldhofer AG.
2.3 Confidentiality and Information Classification
The confidentiality provisions between Goldhofer AG and the external user apply to all contents accessible via the M365 components and to all information derived from the use. The instructions of the project management or the inviter regarding the handling and disclosure of confidential contents must be followed.
2.4 Intellectual Property
External users may not claim or apply for patent, trademark or other rights for themselves or third parties in relation to contents from M365 components, unless the rights holder has given his or her prior written consent or permission is provided for in the underlying contract, e.g. in an order or project contract.
2.5 Termination
Goldhofer AG may terminate the provision of M365 components at any time. The external user will then be given the opportunity to obtain data belonging to him.
2.6 Liability
Goldhofer AG is only liable for pecuniary damages in connection with the use of M365 components in cases of willful intent and gross negligence. In the event of negligently caused breach of a material contractual obligation, the liability of Goldhofer AG is limited to the typically foreseeable damage. These exclusions and limitations of liability also apply to all organs, agents and employees of Goldhofer AG. They do not apply in case of injury to life, body or health.
3 Regulations for information security
3.1 Data security and protection of confidentiality
Unauthorized access to the M365 components provided by Goldhofer AG and the data processed (and stored) therewith must be prevented by risk-appropriate technical and organizational measures in accordance with Article 32 of the General Data Protection Regulation (GDPR). When implementing the measures, the state of the art must be taken into account. Access must also be blocked in the event of short-term absence, and computers must be shut down in the event of longer-term absence.
3.2 Passwords
Passwords (and PINs) may not be disclosed to unauthorized persons, i.e., persons who do not require access to M365 components to fulfill a project, order, or business contractual relationship.
Passwords must be selected and kept secret in accordance with the state of the art.
Passwords for access to M365 components may not be used multiple times for other purposes.
3.3 Protection against spam and viruses, logging, and control
E-mails and other data suspected of containing malware, viruses, or spam may, at the discretion of Goldhofer AG, be quarantined or centrally and automatically deleted.
For system administration, i.e., in particular for the analysis and elimination of system problems, for ensuring IT, operational, and information security and for maintenance support, personal evaluations of data that arise when using the M365 components are possible. This also applies to the defense against cyberattacks.
In certain cases, a forensic examination of the hardware used is also possible. Data from the operating system, operating system-related components, traffic data from internet services, and tool-related data may be logged for these purposes and may also contain personal data.
3.4 Mobile devices
The use of M365 components via notebooks, smartphones, and tablets requires special security measures. Mobile devices must not be left unattended in publicly accessible places. If the external security settings have not been pre-set and configured by the IT department, the external user must do so themselves.
PIN or password entry, and its activation when the mobile device is not in use, must be switched on, and after repeated incorrect code entry (for smartphones and tablets, and where possible), further login attempts must be blocked or delayed. Operational data of Goldhofer AG, in particular address books and emails, may not be stored with other third-party providers or synchronized via other clouds without separate permission from the Goldhofer project manager.
In the event of device loss, Goldhofer AG must be informed immediately if there is a risk that access data or data of Goldhofer AG may fall into the hands of unauthorized persons. If possible, remote wiping must be performed, and a theft/loss report must be filed.
3.5 Availability
Goldhofer AG does not guarantee any particular availability of the M365 components or the data processed (and stored) therewith.
3.6 Reporting obligations
External parties must immediately report indications of data protection violations, abuse, security-related vulnerabilities, or security-related incidents (e.g., unauthorized data access or releases) to the respective contact person at Goldhofer AG.
4 Special conditions when using the M365 component "Microsoft Teams"
4.1 Transparency
All members of a team room, both Goldhofer AG employees and external users, have transparency with regard to the other members of a team room. It is particularly prohibited to disclose personal access data to a team room to unauthorized persons or to allow other persons to participate in a team conference without permission, especially in a telephone or video conference. The functionality of the video conferencing systems used is designed in such a way that the respective participant can recognize which video and audio data are being recorded, transmitted, and stored.
4.2 Camera function
Goldhofer AG employees are not obliged to use the camera function during video conferences due to internal Goldhofer regulations. This cannot be demanded by external users either.
4.3 Participation
Goldhofer AG employees are entitled to have their concerns regarding the video and audio data concerning them respected by other participants and external users due to internal Goldhofer regulations. Therefore, Goldhofer AG employees can also participate in decisions with external users, such as whether the local system should allow automatic dial-in from outside, whether the local cameras can be controlled by the conference partner, and whether and how application sharing should take place.
4.4 Recordings of a Teams conference
Image and sound recordings (including snapshots) may only be made with the consent of the participating members. The purpose and consent of the participants to the recording are documented within the recording. Each participant has the right to receive a copy of the recording.
Agreement is reached between the participants on the use of stored video and audio data within the purpose of the recording. If there is no agreement on this, the data will be deleted immediately after the conference.
If a recording is altered beyond the purpose of quality improvement, all identifiable participants in the final version must give their consent to this version and any amended purpose of the recording.
Unless a deletion deadline for the recording has been specified within the purpose of the recording, the recording and all copies must be deleted no later than 12 months after the end of the recording. External users will confirm the deletion of their own permissible recordings to Goldhofer AG upon request.
The provision of video and audio recordings to persons outside a team (external users or Goldhofer AG employees) requires documented consent from the recording's participants.
5 Part II - Privacy information in accordance with Article 13 GDPR
According to Article 13 of the General Data Protection Regulation (GDPR), you will be informed about the processing of your personal data when using the M365 components provided by Goldhofer AG. The information takes into account the essential aspects arising from the operating concept in the Microsoft Cloud. Further privacy information about Microsoft 365 can be found on Microsoft's websites.
Essential privacy information about the operation of Microsoft Office 365
Goldhofer is responsible for data protection with regard to external users. The contractual partner of Goldhofer AG is Microsoft Ireland Operations Ltd. from Dublin, which operates Microsoft Office 365 as a data processor within the meaning of Article 28 GDPR for Goldhofer AG.
The data protection officer of Goldhofer AG can be reached at datenschutz@Goldhofer.com.
Data processing with Microsoft Office 365, including data storage, takes place in the Microsoft Cloud, specifically in data centers located in Europe.
The overarching purposes of data processing are mainly the (also mobile) use of a functionally comprehensive and certified collaboration platform in a uniform IT ecosystem with clients and customers. The purposes of processing by individual M365 components result from the functions of the respective M365 components provided to external users.
The legal basis under Article 6 GDPR for processing personal data of external users through the M365 components provided by Goldhofer AG is generally Article 6 (1) (b) GDPR (performance of a contract) and Article 6 (1) (f) GDPR (legitimate interests). This does not preclude the fact that data processing may also be based on other legal bases, e.g., based on consent given to Goldhofer AG.
It is not intended to transfer personal data to a third country for the purpose of operating Microsoft 365. In particular, data is not stored in third countries. However, subject to the general regulations (e.g., export control requirements), data can be sent to project partners or clients in third countries as usual or accessed from there during travel to third countries.
According to the Microsoft operating concept, disruptions should largely be resolved automatically. In individual cases, support staff from Microsoft or Microsoft subcontractors may need to be involved. In extremely rare cases, downstream Microsoft support engineers may also need to access so-called personal customer data in storage areas of Goldhofer AG, e.g., to repair mailbox databases. In doing so, (partial) knowledge of personal customer data cannot be ruled out. Access may also be from third countries where there is no adequate level of data protection within the meaning of the GDPR and for which there is no adequacy decision of the EU Commission, e.g., from the USA. In such cases, the adequate level of data protection is ensured through pre-agreed standard data protection clauses that grant data subjects similar rights as in the EU. A copy of the signed standard data protection clauses is attached as Annex 3 to the Microsoft Online Services Terms.
Regardless of where customer data is accessed from, any such access requires prior and explicit approval by Goldhofer AG under the Customer Lockbox procedure. Approval is granted by employees of Goldhofer AG who are specially authorized for this purpose. Each approved access is only possible for the partial data required for the specific case, is time-limited, and is logged. After the time limit or achievement of the purpose of the request, Goldhofer AG is informed about the access.
In Microsoft Office 365, logging of log data for individual components is carried out for administrative purposes, and it is centralized in the data centers of the European region. Access to this data is restrictively regulated at Goldhofer AG. Personal log data is typically deleted after 90 days.
Goldhofer AG does not carry out profiling or automated decision-making as defined in Article 22 of the GDPR in the operation of Microsoft Office 365.
Data Subject Rights: You have the right:
To request information about your personal data processed by Goldhofer AG under Article 15 of the GDPR. This includes the processing purposes, categories of personal data, recipients or categories of recipients, the intended storage duration (if possible), the existence of the right to rectification, erasure, restriction of processing or objection, the right to lodge a complaint, the source of your data (if not collected from you), and the existence of automated decision-making, including profiling, and meaningful information about its details.
To request the correction or completion of your personal data stored by Goldhofer AG under Article 16 of the GDPR without undue delay.
To request the deletion of your personal data stored by Goldhofer AG under Article 17 of the GDPR if:
• the data is no longer necessary for the purposes for which it was collected or otherwise processed,
• you have revoked any consent that the processing relied on under Article 6(1)(a) or Article 9(2)(a) of the GDPR, and there is no other legal basis for the processing,
• you have objected to the processing under Article 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing,
• the personal data has been unlawfully processed,
• the deletion of personal data is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject,
• the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR (consent of a child).
The right to erasure does not apply if the processing is necessary for:
• exercising the right of freedom of expression and information,
• compliance with a legal obligation,
• reasons of public interest in the area of public health, or
• archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
To request the restriction of processing of your personal data under Article 18 of the GDPR if:
• you contest the accuracy of the data,
• the processing is unlawful but you oppose the erasure of the data,
• Goldhofer AG no longer needs the data for processing but you require the data to establish, exercise or defend legal claims, or
• you have objected to processing under Article 21 of the GDPR.
To receive your personal data, which you have provided to Goldhofer AG, in a structured, commonly used and machine-readable format, or to request the transmission of this data to another controller under Article 20 of the GDPR, provided that the processing is based on your consent under Article 6(1)(a) or Article 9(2)(a) of the GDPR or on a contract under Article 6(1)(b) of the GDPR, and the processing is carried out by automated means. This right shall not adversely affect the rights and freedoms of others.
Please note that Goldhofer AG is required to verify your identity before responding to any of the above requests.
According to Article 7(3) of the General Data Protection Regulation (GDPR), you have the right to revoke your consent to Goldhofer AG at any time. This means that if Goldhofer AG has been processing your data based on your consent and there is no other legal basis for such processing, Goldhofer AG must stop processing your data in the future. If you receive a request for consent from Microsoft when using Goldhofer AG's Microsoft Office 365 components (for example, in the context of updates), this consent will be deemed not to have been given due to agreements between Goldhofer AG and Microsoft.
Additionally, according to Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority. Typically, you can contact the supervisory authority of your usual place of residence, workplace, or the location of Goldhofer AG e.V.
If your personal data is processed on the basis of legitimate interests according to Article 6(1)(f) of the GDPR, you have the right to object to the processing of your personal data under Article 21 of the GDPR, provided that there are reasons arising from your particular situation.