Privacy Policy for Microsoft Teams

Last updated: March 2023

We, Bionorica SE, are not only committed to protecting your health but also to protecting your data and therefore your privacy. This Privacy Policy is designed to inform you regarding

  • which personal data we collect, store, block, delete or otherwise process from you in the course of our telephone and video conferences and other online meetings using the (video) conferencing solution "Microsoft Teams" (collectively referred to as "processing"),
  • the purpose for which we use the data,
  • how you can object to the use of such data or withdraw your consent and
  • which rights you have as a data subject, e.g. how you can revoke your declared consent and exercise additional rights to information, rectification, objection and deletion with respect to your data.

1. Who is responsible for data processing and who can I contact?

The (data) “controller”, as defined in the GDPR (General Data Protection Regulation), is:

Bionorica SE
Kerschensteinerstr. 11-15
92318 Neumarkt, Germany
Telephone: +49 (0) 9181 231-90
Fax: +49 (0) 9181 231-265
E-mail: info@bionorica.de

You can contact our company data protection officer by email at datenschutz@bionorica.de or by post at the above address to "The Data Protection Officer".

2. Scope of validity

This Privacy Policy applies to the use of the (video) conferencing solution "Microsoft Teams" in its desktop, mobile and browser variants. In doing so, we use "Microsoft Teams" to conduct our usual office communication, internal and external telephone and video conferences, job interviews, webinars and/or other online meetings (hereinafter: online meetings). "Microsoft Teams" is a service provided by Microsoft Corporation, which is based in Ireland.

Note: If you call up the "Microsoft Teams" website, the provider of "Microsoft Teams" is responsible for data processing. However, accessing the website is only necessary to download the software for the use of "Microsoft Teams". If you do not wish to or cannot use the "Microsoft Teams" app, you can also use "Microsoft Teams" via your browser. The service will then also be provided via the "Microsoft Teams" website.

We reserve the right to change this Privacy Policy at any time with effect for the future. The current version is available on our website. Please visit our website regularly to consult the applicable data protection provisions.

3. What sources and data does Bionorica SE use?

We process personal data that we receive in the course of our online meetings using "Microsoft Teams". The scope of the data also depends on the data you provide before or during participation in an online meeting.

The personal data we process includes in particular:

  • User details (e.g. display or user name, profile picture (optional), preferred language, email address if applicable).
  • Log files, protocol data
  • Text, audio and video data (you may have the option of using the chat function in an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal and from any video camera of the terminal are processed accordingly for the duration of the online meeting. You can switch off or mute the camera or microphone yourself at any time via the "Microsoft Teams" apps).
  • Metadata (e.g. IP address, time of participation, meeting ID, location, telephone number, device/hardware information)
  • When dialling in with the telephone (e.g. information on incoming and outgoing phone number, country name, start and end time. If necessary, further connection data, such as the IP address of the device, can be saved).
  • Due to the legal opinion of the data protection authority responsible for us, we generally refrain from recording online meetings (see section 5). Should such recording take place in individual cases, e.g. at your express request and with your express consent, data will be processed in the form of video, audio and presentation recordings.

In order to participate in an online meeting or to enter the meeting room, you must provide at least a user name for the respective online meeting. You are, of course, also free to enter "Guest" or "Anonymous", for example.

4. Processing purposes and legal basis

We process personal data in accordance with the provisions of the European General Data Protection Regulation (EU GDPR) and the German Federal Data Protection Act (BDSG) on the following legal bases:

4.1. For the fulfilment of contractual obligations (Art. 6 para. 1 cl. 1 lit. b GDPR)

The processing of data takes place within the framework of concluded contracts (e.g. employee contracts, customer contracts) for the implementation of pre-contractual measures, which take place at the request of third parties (e.g. applicants, initiation of business contact), or for the implementation of all activities necessary for the operation and/or administration of a pharmaceutical company (e.g. marketing discussions, training courses).

4.2. For the purposes of the legitimate interests (Art. 6 para. 1 cl. 1 lit. f GDPR)

Where necessary, we process personal data beyond the actual fulfilment of the contract to protect our legitimate interests. Our legitimate interest in data processing is to conduct modern communication options via online meetings, to inform participants and to collaborate with them effectively and efficiently (e.g. discussions on specialist topics, conducting business activities). In the interests of our employees, business partners and other third parties, we have implemented "Microsoft Teams" in a data protection-friendly manner and refrain from collecting and storing data that is not necessary.

4.3. Based on your consent (Art. 6 para. 1 cl. 1 lit. a GDPR)

Insofar as you have given us consent to process personal data for specific purposes (e.g. recording of an online meeting), the legality of this processing is based on your consent.

Consent that has been given can be revoked at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into effect. Please note that the revocation of consent does not affect the lawfulness of the processing carried out up to the point of the revocation.

The revocation of consent can be made free of charge and informally to our contact details mentioned under section 1. In the case of a revocation by telephone, we may ask you to provide additional proof of your identity by another means.

5. Does a recording take place during an online meeting?

The video conferencing function of "Microsoft Teams" allows us to offer you participation in our online meetings via video and/or audio. In principle, there will be no recording of the event.

In exceptional cases, recording may take place exclusively on the basis of your voluntary consent given in advance. For such exceptional cases, detailed information on the planned processing of the data (including storage period and recipient group) is provided in advance.

6. To what extent is automated decision making applied in individual cases?

In principle, we do not use fully automated decision-making pursuant to Article 22 of the GDPR to conduct online meetings via "Microsoft Teams”. If we use these procedures in individual cases, we will inform you about this separately if this is required by law.

7. Who gets my data?

Online meetings - like face-to-face meetings - are used to share information with third parties. Personal data is primarily transmitted to the other participants when using online meetings.

In addition, those offices and departments within Bionorica SE that require your data to fulfil their duties, e.g. the IT department in the event of malfunctions, will receive access to your data.

Service providers used by us and carefully selected and controlled may also receive data for these purposes, but in doing so they are obliged to comply with the data protection requirements that also apply to us within the framework of so-called commissioned processing. These can be, for example, companies in the IT services and telecommunications sectors.

The provider of "Microsoft Teams" necessarily obtains knowledge of the above-mentioned data insofar as this is provided for in the context of our commissioned data processing agreement with Microsoft. A transfer to other recipients outside Bionorica SE only takes place if there is a legal basis (e.g. legal obligation, consent, legitimate interest, etc.).

8. Is data transferred to companies in third countries or to an international organisation?

"Microsoft Teams" is part of Microsoft Office 365 and a service offered by a European subsidiary of Microsoft Corporation based in the USA. Data processing with Office 365 is based on the Microsoft EU Data Boundary on servers in data centres in the European Union in Ireland and the Netherlands.

However, we cannot completely exclude the possibility that Microsoft Corporation or US security authorities may have access to the circumstances and content of communications via Microsoft Teams. Microsoft Corporation may also have access to the data in the context of remote maintenance. For this access purpose, we have implemented the "Customer Lock Box" functionality in Office 365. Each access requested in the context of remote maintenance is thereby checked by us in each individual case. If authorised by us, such access may also be provided by Microsoft affiliates from outside the European Union. However, where data may also be processed by Microsoft outside the EU, we take appropriate and reasonable steps to ensure an adequate level of data protection, for example by entering into so-called EU standard contractual clauses.

Microsoft reserves the right to process usage data for its own legitimate business purposes. We have no influence on this data processing by Microsoft. To the extent that "Microsoft Teams" processes personal data in connection with legitimate business purposes, Microsoft is the independent data controller for those data processing activities and, as such, is responsible for compliance with all applicable data protection regulations. If you require information about Microsoft's processing, please refer to the relevant Microsoft statement or contact Microsoft directly. Information on this can be found here:

https://privacy.microsoft.com/en-us/privacystatement
https://learn.microsoft.com/en-us/microsoftteams/teams-privacy

9. How long will my data be stored?

We process your personal data only as long as it is necessary for the fulfilment of the processing purposes described above. If the data is no longer necessary for the fulfilment of the processing purposes described above, it shall be deleted unless its further processing - for a limited period of time - is necessary for the following purposes:

  • Fulfilment of retention obligations under commercial and tax law: The German Commercial Code (HGB) and the Money Laundering Act (GwG) should be mentioned. The time limits specified there for storage and documentation are up to ten years.
  • Preservation of evidence within the framework of the statutory statute of limitation provisions. According to Sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

The following processing operations are stored for an explicitly defined period of time:

  • Login data and IP addresses are deleted after 90 days at the latest.
  • The chat contents in the context of an online meeting are logged when using "Microsoft Teams" and remain in the chat histories of all meeting participants.
  • Recordings of online meetings are automatically deleted after 60 days.

10. What rights do I have as a data subject?

As a data subject, you have the right to access pursuant to Article 15 GDPR. In the case of a request that is not made in writing, we may ask you to provide supplementary proof of your identity by another means. You also have the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability under Article 20 GDPR. With respect to the right to access and the right to erasure, the limitations set forth in Sections 34 and 35 BDSG apply. You also have the right to lodge a complaint with a responsible data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).

You also have the right to object under Article 21 GDPR and you may object to the processing of personal data on the basis of Article 6 para. 1 lit. e or f GDPR at any time without giving reasons.

Gender-neutral wording: For reasons of better readability, we use the generic masculine in our texts. However, all genders are always addressed.