Privacy statement for Microsoft Teams
What is our legal framework?
All personal data are processed in accordance with EU Data Protection Law, that is to say in line with Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Why do we process personal data?
Personal data are processed in order to facilitate collaboration and communication among ECB staff members and with external parties. The personal data are used to ensure that ECB staff can consume services provided by Microsoft Teams[1] and associated Microsoft products (such as Microsoft Outlook etc.) and interact with others via Microsoft Teams meetings, chat messages, channel messages, audio and video calls, Microsoft Teams Whiteboard sessions, file sharing, co-authoring documents etc.
What is the legal basis for processing your personal data?
Your personal data are being processed by the ECB in the performance of a task in the public interest, based on Article 5(1)(a) of Regulation (EU) 2018/1725 in conjunction with the Article 11.6 of the Statute of the European System of Central Banks and of the European Central Bank.
Who is responsible for processing your personal data?
The ECB is the controller for the processing of the personal data. The ECB Directorate General Information Systems - Infrastructure & Operations Services Division – End User Services Section is responsible for the processing.
Who will receive your personal data?
The recipients of the personal data are ECB staff members, staff members of the Integrated Collaboration Apps (ICA) Team of the End User Services Section, external parties for meetings they participate in, team from the managed service provider Unisys providing on-site and remote support for ECB staff members, external provider Microsoft on a need-to know basis (Microsoft policy technicians do not have standing access to data) and their sub-processors (Microsoft policy sub-processors do not get access to the content data but only to the aggregated and/or pseudonymised service-generated data[2]).
What type of personal data are collected?
- On behalf of its employees, the ECB is updating its Microsoft Teams instance with an initial set of data to ensure that you can connect, logon and effectively use the platform. This set of data includes information like username, first name, surname, e-mail address, organisational unit, phone extension, mobile number and office number.
- While collaborating on the ECB’s Microsoft Teams platform, you are creating and/or uploading content for processing and/or storage on the platform. This data may include chat and channel records (instant messaging conversations), images, videos, audio files, documents, meeting notifications, meeting participants records, call history, call quality data etc.
Where are your data transferred to, processed and stored?
Your personal data are/will be:
- processed by Microsoft, stored in datacentres located in the European Economic Area / European Union[3] (aggregated and/or pseudonymous service-generated data[4] is stored in datacentres located in the United States);
- based on the inclusion of special clauses in the contract with Microsoft which ensure that the company complies with EU data protection standards (standard contractual clauses approved by the European Commission).
How long will the ECB keep personal data?
The personal data are stored for a maximum of one year before being deleted.
Chat and channel messages are stored for a period of 1 year.
Any file stored or edited via Microsoft Teams has a defined retention period of 7 days counting from the creation date within the platform.
When a user is deleted from the Microsoft Teams services, the retention period for messages is a maximum of 90 days. However, if a user (or the ECB, on the user's behalf) deletes the personal data, all copies of the personal data are deleted within 30 days.
The diagnostic data collected through Microsoft Teams’s client software are stored for 30 days, while the service-generated data is kept for a maximum of 180 days.
Should the ECB terminate its contractual relationship with Microsoft, all corresponding personal data will be deleted between 90 and 180 days after the service termination.
What are your rights?
You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data, to object or to restrict the processing of your personal data in line with Regulation (EU) 2018/1725.
Who can you contact in case of queries or requests?
You can exercise your rights by contacting the Integrated Collaboration Apps (ICA) Team at ica@ecb.europa.eu. You can also directly contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu regarding all queries relating to personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.
- Microsoft Teams on ECB laptops, ECB mobile devices and non-ECB laptops connected via Citrix.
- The service-generated data includes all data ‘generated’ or ‘derived’ by Microsoft through the operation of an online service. Microsoft aggregates this data from its online services and uses it to make sure performance, security, scaling, and other services that impact the customer experience are operating at the levels their customers require.
- In case of technical issues on the Microsoft Teams platform, support is delivered by Microsoft based on a globally distributed organisation (using the ‘follow-the-sun’ workflow model).
- Service-generated data is transferred from the European Union datacentres where they are initially created to centralised Microsoft back-end systems located in the United States for longer term storage. Prior to transfer, end user identifying information is pseudonymised as a privacy protective measure, so that any personal data in service-generated data transferred out of the European Economic Area is limited to pseudonymous data.
Pseudonymised data is data in which a personal identifier has been replaced with a value that does not directly identify a person (such as a numeric identifier that can no longer be attributed to a specific person without the use of additional information).
Pseudonymised data is defined according to ISO standard ISO/IEC 19944:2017 (8.3.3). It does not identify users themselves, but it does enable distinguishing one user from another, such as for accurate counting. Unlike anonymised data, pseudonymised data could be used to identify a person indirectly (such as when combined with other data such as the person’s function, title, and organisation). Pseudonymised data is therefore deemed to be personal data under the EUDPR.
‘R6Y04H4VfUWcGC3’ is an example of pseudonymised data derived from someone’s Microsoft 365 e-mail address. Nothing within this cryptographically obscured alphanumeric string can be directly traced to the person's identity.