With the following explanations, we want to disclose to you how we handle personal data that we collect and process as a result of your visit to our website or contacting us via our website. Furthermore, you will receive information on how we handle personal data if you have received an invitation or access to use a Microsoft 365 application, such as Microsoft Teams or Microsoft Sharepoint Online, via inav GmbH.
We process your personal data only to the extent necessary to provide a functional website and to present our content. In addition, personal data is only collected by us if and to the extent that you provide it to us with your knowledge. As a rule, personal data is processed only with your consent. An exception applies in those cases in which obtaining prior consent is not possible for factual reasons or cannot reasonably be done with proportionate effort, and the processing of the data is permitted by legal regulations.
A. General information
Responsible for the processing of your personal data:
inav – privates Institut für angewandte Versorgungsforschung GmbH
represented by CEOs Univ.-Prof. Dr. Volker Eric Amelung and Malte Haring, and authorized signatories Dr. oec. publ. Matthias Arnold and Dr. rer. pol. Franziska Püschner
Phone: +49 30 24 63 12 22
If you have any questions or complaints regarding the handling of your personal data, you can of course contact us. You can reach our data protection officer (attorney Dirk Otto, specialist attorney for industrial property protection, Osnabrücker Straße 7, 10589 Berlin) at: email@example.com.
Irrespective of this possibility, you have the right to directly contact the supervisory authority responsible for data protection or to use other ordinary legal remedies at any time.
In particular, the supervisory authority responsible for such complaints is the supervisory authority within a member state in which you have your permanent residence (for example, domicile) or workplace. Within the Federal Republic of Germany, for example, this is the supervisory authority of the federal state in which you have chosen to permanently reside/work.
A.II. Provision of the website and creation of log files
Each time our website is called up, our system automatically collects data and information from the computer system of the calling computer. The following data is collected:
- Information about the browser type and version used
- the operating system of the user
- date and time of access
- websites from which the user’s system accesses our website
- websites that are accessed by the user’s system via our website
The data is also stored in the log files of our system. A storage of this data together with other personal data of the user does not take place.
The temporary storage of the listed data by the system is necessary to enable delivery of the website to the user’s computer and to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. For this purpose, the user’s IP address must remain stored for the duration of the session. An evaluation of the data for marketing purposes does not take place in this context.
These purposes are also our legitimate interest in data processing according to Art. 6 para. 1 lit. f DSGVO.
A.IV. Google Analytics
Insofar as you have given your consent, Google Analytics, a web analytics service provided by Google LLC, is used on this website. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
During your visit to the website, the following data is collected, among other things:
- The pages you visit, your “click path”.
- Achievement of “website goals” (conversions, e.g. newsletter sign-ups, downloads, bookings)
- Your user behavior (for example, clicks, dwell time, bounce rates)
- Your approximate location (region)
- technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
- the referrer URL (via which website or advertising medium you came to this website)
On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.
The recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as a processor. We have concluded an order processing agreement with Google for this purpose. Google LLC, based in California, USA, and, if applicable, US authorities can access the data stored by Google. A transfer of data to the USA cannot be ruled out.
The data sent by us and linked to cookies are automatically deleted after 14 months. The deletion of data whose retention period has been reached takes place automatically once a month.
In addition, you can prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address), and from processing this data, by
a. not giving your consent to the setting of the cookie or
b. downloading and installing the browser add-on to disable Google Analytics.
You can also prevent the storage of cookies by selecting the appropriate settings on your browser software. However, if you configure your browser to reject all cookies, this may result in the restriction of functionalities on this and other websites.
An e-mail address is available on this website for contacting us. In the event that you use this to contact us, the personal data transmitted with the e-mail will be stored. We ask you to consider that the usual e-mail dispatch does not guarantee the confidentiality of the transmitted data. Therefore, we do not process any personal data of a special kind in this way.
Your data will be processed only to the extent necessary to process your request. The data will be used exclusively for processing the conversation. In this context, the data will not be passed on to third parties. Subsequently, they will be deleted.
If we link to other external offers on our website and you (actively) follow this link, you leave the sphere of influence of our website. For the handling of your personal data by the linked website, please refer to the data protection provisions there.
A.VII. Legal basis
Insofar as the collection and storage of personal data is not necessary solely in order to deliver and operate the website at all, we collect and process personal data for the purpose of maintaining, improving and securing the offer, as well as their security (Art. 6 para. 1 letter f DSGVO). In these described purposes also lies our legitimate interest in the use.
In addition, we process this data in fulfillment of legal obligations to which our company is subject (Art. 6 para. 1 letter b and letter c DSGVO).
Insofar as we collect and use your data to inform you about our products and services or as part of our social media activities, we do so in our legitimate interest (Art. 6 (1) (f)) or on the basis of a separate consent from you.
A.VIII. Duration of processing/Deletion
If no information is provided at the respective points in the description of the data collection or use, the data will be deleted by us at the point in time at which it is no longer required to achieve the purpose for which it was collected or we are no longer obligated or entitled to retain it due to accounting regulations or other statutory retention obligations or due to another legal provision.
You have the right to object at any time to the processing of your personal data (collected on the basis of Art. 6(1)(e) or (f)).
B. Rights of the person concerned
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller: If you wish to exercise your rights, please contact us using the contact details provided under “A.I. Responsibilities/Contact”.
B.I. Right to information
You may request confirmation from the aforementioned data controller as to whether personal data concerning you are being processed. We will provide you with the following information as a free copy:
- purposes of processing
- categories of personal data that are processed
- recipients or categories of recipients
- planned storage period of the personal data or criteria for determining it
- existence of a right to rectification/ deletion/ restriction/ objection in connection with the processing of your personal data as well as the right to lodge a complaint with the supervisory authority
- insofar as the personal data is not collected from you: all available data on the origin of the data
- the existence of automated decision-making including profiling pursuant to Art. 22 (1), (4) DSGVO
B.II. Right to rectification
You have a right of rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.
B.III. Right to restriction of processing
Under certain conditions specified in Article 18 of the GDPR, you may request the restriction of the processing of personal data concerning you.
B.IV. Right to deletion
In addition to the above-mentioned regular deletion based on the achievement of the purpose, you may request the controller to delete the personal data concerning you without undue delay, provided that one of the other grounds specified in Art. 17 of the GDPR applies without an exception.
B.V. Right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data relating to you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by the controller.
B.VI. Right to data portability
In accordance with Art. 20 DSGVO, you have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance by the aforementioned controller to whom the personal data was provided, provided that
- the processing is based on consent pursuant to Art. 6 (1) a DSGVO or Art. 9 (2) a DSGVO or on a contract pursuant to Art. 6 (1) b DSGVO and
- the processing is carried out with the help of automated procedures.
B.VII. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Data protection information according to Art. 12, 13 DSGVO
You have received an invitation or other access to use a Microsoft 365 application, such as, in particular, Microsoft Teams, Microsoft Sharepoint Online, etc. (hereinafter MOA) from us or from one of our affiliated subsidiaries (hereinafter “we” or “us”) as a data controller within the meaning of the applicable data protection law.
Microsoft 365 is a productivity, collaboration and exchange platform for individual users, teams, communities and networks that can be used across organizational units. When you use the MOA, personal data about you will be processed.
Please note that this privacy notice only informs you about the processing of your personal data by us when you use Microsoft applications together with us. If you require information about processing by Microsoft, please refer to the relevant statement.
Who is responsible for the processing of personal data?
Responsible is inav – privates Institut für angewandte Versorgungsforschung GmbH, Schiffbauerdamm 12, 10117 Berlin, firstname.lastname@example.org
Who can I contact if I have questions about data protection?
Questions about data protection can be addressed to the company-appointed data protection officer: Attorney Dirk Otto, email@example.com, phone: 030 23 36 92 48
For what purpose should your data be processed?
The processing is required for the use of MOA, in particular Microsoft Teams, a communication and file editing platform with the possibility of audio and video conferences in groups but also in individual (one-on-one) consultation. Furthermore, files and documents can also be shared via Sharepoint Online for viewing or joint editing.
What is the legal basis for the processing?
The processing is based on the following:
- as an employee, on Art. 6 para. 1 lit. b) in conjunction with § 26 BDSG (employment contract) and the internal company instructions based on this, or on your consent.
- as a customer/partner, on your consent or on our legitimate interests, which lie in the timely and expeditious processing of work orders if, for internal or other reasons, personal communication is not possible.
What personal data is processed when using Microsoft 365?
- Your IP address, which is used to access the Microsoft Office 365 applications.
- Your user name (access data to the Microsoft Office 365 applications), data, for example, within the scope of the so-called multifactor authentication, which you yourself have stored in your Microsoft account (e.g. optionally the (private) cell phone number).
- Identification features: Information about you that identifies you as a user, sender, recipient of data within the MOA. In particular, this includes the following master data: Name, first name, business contact data such as telephone number, e-mail address, business fax number, if provided by you. Other data (such as a profile picture you have stored) can also be viewed in your profile at any time. This information is visible to you at all times in your profile, but also in Outlook in particular, and can be customized by you.
- Data required for authentication and license use. In the MOA, all user activities, such as time of access, date, type of access, information about the data/files/documents accessed and all activities related to the use, such as creating, modifying, deleting a document, setting up a team (and channels in teams), making notes in the notebook, starting a chat, replying in the chat are processed.
The responsible body does not store the image and sound data of videoconferences, unless all parties involved give their express consent immediately before the recording.
See above User account
Who has access to my personal data?
All files, content, and comments posted by users in MOA, especially in teams, are accessible to the people with whom they are shared. These can be individuals or members of a team or channels within a team. Collaborators/partners or customers have access to edits made and content created within shared tasks. All participants in a video conference have access in the sense of seeing, hearing, and reading content in the video conference, chats, shared files, and screen shares. In a chat, all participants have access to entered content and shared files.
The provider (Microsoft) has access to the data generated by the use of Teams to the extent necessary to fulfill its obligation under the contract for the processing of orders concluded with the company.
US investigative authorities may have access under US law (see below).
To whom is the data transmitted?
We use Microsoft Teams under a contract for order processing. Microsoft processes personal data exclusively on our behalf. Accordingly, Microsoft may only use them in accordance with our instructions and for our purposes and not for its own purposes, i.e. neither for advertising nor to pass them on to third parties.
How long is data stored?
The storage of data processed to provide the user account, as well as created and shared content, comments, chat messages, voice messages assigned, edited and submitted content and calendar entries, ends as soon as the employee has left our company, revokes his consent in whole or in part or objects to processing. Deletion will occur within 2 months of leaving the company. Deletion from Microsoft’s systems is completed 90 days after an account or content is deleted by the company. The same period applies to the deletion of files by the user himself. Sound and image data from video and audio conferences are not recorded and stored by us as the responsible party. Content in files shared by others, edited and submitted tasks and messages in group chats are stored as long as a team exists. Teams for specific tasks are deleted at the latest 5 years after the end of the task together with their content and chats created, shared and edited by employees. Contents of chats exist as long as the other user’s account exists.
The storage of data processed to provide the user account, as well as created and shared content, comments, chat messages, voice messages assigned, edited and submitted content and calendar entries, ends as soon as the contractual relationship with our company is terminated, you revoke your consent in whole or in part, or object to processing. The deletion takes place within 2 months after the termination of the contractual relationship. Deletion from Microsoft’s systems is completed 90 days after an account or content is deleted by the company. The same period also applies to the deletion of files by the user himself. Sound and image data from video and audio conferences are not recorded and stored by us as the responsible party. Content in files shared by others, edited and submitted tasks and messages in group chats are stored as long as a team exists. Teams for specific tasks are deleted at the latest 5 years after the end of the task together with their content and chats created, shared and edited by employees. Contents of chats exist as long as the other user’s account exists.
Data protection when processing personal data in the USA
When using MOA, data may also be processed on servers in the USA. This is less about the content of chats, video conferences, appointments and set tasks, user accounts and team memberships, but about data that serve to ensure and improve the security and function of the platform. According to the current legal situation in
Under the CLOUD Act, U.S. investigators also have the ability to demand that Microsoft hand over personal data stored on servers in the EU. This is where most of the data that is generated when using Microsoft/Office 365 and Teams is stored. According to Microsoft, the number of these requests is quite small, and Microsoft can take legal action against them. The fewest requests, if any, are likely to be for school accounts. Microsoft reports a total of 3,310 requests from investigative agencies for July – December 2019. Of these, most came from Germany.
Where is my personal data processed?
The processing of personal data in Microsoft 365 and connected products takes place predominantly on servers located in Germany. It is possible that so-called telemetry data, a type of diagnostic data, is processed in the USA.
How secure is Microsoft 365?
The platform complies with all common security standards for cloud platforms.
Where can I learn more about Microsoft 365 privacy?
Topic Security at Microsoft – https://docs.microsoft.com/de-de/microsoft-365/security/?view=o365-worldwide
What does inav do to protect my personal data in Microsoft 365?
Protecting the personal data of our customers and employees is our top priority. We therefore take technical and organizational measures to ensure that the use of Microsoft 365 is as secure as possible. We have preset MS Teams so that as few risks as possible can arise from the actions and errors of the users themselves. Training users to use the tools in Microsoft 365 safely and responsibly is of central importance. Basic training takes place before access is granted. This is supplemented by annual instruction and the user agreement/service instructions.