Privacy Notice for the Use of Microsoft Teams for External Users

You have received an invitation to use Microsoft Teams from MEWA Textil-Service AG & Co. Management OHG (John-F.-Kennedy-Strasse 4 in 65189 Wiesbaden, Germany).

The following document provides important information about how the companies within the MEWA group (MEWA) located in Germany and across Europe process your personal data when using Microsoft Teams as further explained below. The corporate purpose of MEWA is the development, preparation and care of reusable textile systems. MEWA also provides services in the textile service field for companies in manufacturing, business, handicrafts, trade and the catering business. We, as MEWA, are hereby providing the following essential and further information on data processing (Privacy Notice) in order to give you an overview of our procedures regarding the collection, storage, use, disclosure or deletion (hereinafter referred to collectively as process or processing) of any kind of information about you (e.g. name or contact information; hereinafter referred to collectively as personal data) within the framework of our business relationship. It is important that you read this Privacy Notice together with our privacy policy which contains more detailed information about our data processing (beyond the use of Microsoft Teams) and can be accessed at https://www.mewa-service.com/others/privacy-policy/ (Privacy Policy).

Information About the Data Controller and Contact Information of the Data Protection Officer

We, as the contractual partner of your company, are the data controller in charge of processing your personal data. Our contact details can be found on the respective contract documents and also on our business correspondence (e.g. letters, emails, etc.).

You can contact our data protection officer by addressing correspondence to the following postal address: MEWA Textil-Service AG & Co. Management OHG, Data Protection Officer, John-F.-Kennedy-Strasse 4, 65189 Wiesbaden, Germany or by email at datenschutzbeauftragter@mewa.de.

Microsoft Teams

Microsoft Teams (as part of Microsoft Office 365 Cloud Services) is an Internet-based collaboration and communication solution for individual users and groups that can be used across companies.

When you use Microsoft Teams, personal data about you is processed. Please note that this Privacy Notice only informs you about the processing of your personal data by MEWA if you use Microsoft Teams together with us.

Further information on the processing of your personal data by MEWA outside of the use of Microsoft Teams can be found at:
https://www.mewa-service.com/others/privacy-policy/

For information about Microsoft’s processing of personal data when you use Microsoft Teams, please read Microsoft’s privacy policy.

1. Purposes of Processing and Legal Bases

We process your personal data for the following purposes:

• Carrying out communication and collaboration activities for the purpose of processing and fulfilling contracts concluded with our corporate customers and partners;
• implementing measures for the improvement of our products/services and for strengthening our customer relationship;
• carrying out surveys, for example, for market research or customer satisfaction (customer feedback);
• for customer retention/direct marketing, provided that you have not objected to the processing of your personal data for this purpose (further detail on marketing is contained in our Privacy Policy).

The lawful bases we rely on for processing your personal data are (i) performance of our contract with you, and (ii) our legitimate interests, to study how customers use our products / services, to develop them, to grow our business and to inform our marketing strategy. We may process your personal data for more than one of these lawful bases depending on the specific purpose for which we are using the personal data. Further details on the types of lawful bases we rely on are included in our Privacy Policy.


2. Information About the Processing and Categories of Personal Data in Connection with the Use of Microsoft Teams

Certain information is automatically processed when you use Microsoft Teams:
2.1 Your IP address that is used to access the Microsoft Teams applications within Microsoft Office 365.

2.2 Your username (access data for Microsoft Office 365) and data that you yourself have stored in your Microsoft account (e.g. optionally a mobile phone number for the two-factor authentication).

2.3 Identification features:
Information about you that may identify you as a user, sender, or recipient of data within Microsoft Teams. This includes the following master data:
Surname, first name, business contact details such as telephone number and email address.

Data (such as an optionally stored profile picture) can also be viewed in your profile. This information is visible to you at all times in your profile and can be customised by you.

2.4 Data required for authentication and operation
Microsoft Teams processes all user activities, such as the time of access, date, type of access, information about the data/files/documents you have accessed within Microsoft Teams, and all activities, such as creating, modifying, deleting a document, setting up a team (and channels in Teams), starting a chat and the course of discussions in the chat.

2.5 Data you provide in the course of communication with Microsoft Teams
Personal data that you contribute to documents or chat discussions in Microsoft Teams (e.g. documents such as presentations, tables, etc.)

3. Disclosure of Data

Apart from the cases explicitly mentioned in this Privacy Notice, your personal data will only be passed on if it is legally permissible or necessary (e.g. for license checks).

3.1 If it is necessary for the clarification of an illegal or abusive use or for an investigation, personal data shall be forwarded to the law enforcement authorities or other authorities and, if applicable, to injured third parties or legal advisers. MEWA is legally obliged to provide information to certain public bodies upon request. These are law enforcement agencies, authorities that pursue administrative offences that have been subject to fines and the tax authorities.

3.2 Microsoft is a processor of personal data and is subject to the instructions of MEWA as the data controller within the meaning of the GDPR when processing personal data. Any transfer of personal data in the course of Microsoft’s provision of the service is justified because we have carefully selected and verified the external service provider as a processor in accordance with Art. 28 (1) of the GDPR. All personal data is processed according to our instructions. Microsoft processes personal data only on servers located within the EU.

4. Transfer to Third Countries or International Organisations

Recipients of personal data may also include recipients located outside your country, in particular, outside the European Economic Area (EEA). This may also be a country for which the European Commission has not yet made an adequacy decision on whether this country ensures an adequate level of data protection (third countries), for example, the USA. In this case, it is determined by appropriate means that all recipients based outside the EEA shall ensure an adequate level of data protection (Art. 45 of the GDPR) for such personal data and that technical and organisational security measures are taken to prevent personal data from being accidentally deleted or to protect it against unlawful destruction, accidental loss or modification, unauthorised disclosure or access and against all other unlawful forms of processing. The appropriate means can be accessed via the contact details that have been specified. Pursuant to the applicable legal provisions, onward transfers of personal data are subject to the necessary appropriate requirements regarding onward transfers.

5. Storage and Retention Periods

We process personal data only for as long as is necessary to fulfil the respective processing purposes. As soon as personal data is no longer required, we shall erase personal data from our systems and records and/or take measures to anonymise personal data so that it can no longer be used to identify you. In order to comply with legal requirements, however, we must keep or save certain personal data for a specific time. Such data includes, for example, documentation, certification and the retention obligations of national trade and taxation law. For example, the storage and retention periods relevant for us are generally three to ten years or, in exceptional cases, up to 30 years in accordance with the law applicable in Germany.

6. Your Rights as a Data Subject

Your legal rights: Under the terms established by applicable data protection law (including the GDPR, the German Federal Data Protection Act, or BDSG for short, and UK data protection legislation), you have the following rights:

6.1 Right of access: You have the right to obtain information about whether or not your personal data is being processed. Where this is the case, you have the right to be provided with information about personal data, for example, the purposes of the processing, the categories of personal data concerned and the recipients or categories of recipient to whom the personal data has been or will be disclosed. You have the right to receive a copy of the personal data undergoing processing. For any further copies which you request, we may charge a reasonable fee based on administrative costs.

6.2 Right to rectification: You have the right to request that we rectify inaccurate data concerning your person. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data made complete, including by means of providing a supplementary statement.

6.3 Right to erasure (Right to be forgotten): You have the right to request that we delete your personal data.

6.4 Right to restriction of processing: You also have the right to request the restriction of processing of your personal data. In this case, the corresponding data will be marked and may only be processed by us for certain purposes.

6.5 Right to data portability: You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You have the right to transmit such personal data to another controller without us interfering.

6.6 Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data. Where appropriate, we must stop processing your personal data. If you exercise your right to object, we will no longer process your personal data for such purposes. There are no costs for exercising this right. Such a right of objection may not exist, in particular, if the processing of your personal data is necessary in order to take measures before concluding a contract or to fulfil an already concluded contract.

In the event of any complaints, you also have the right to lodge a complaint with the relevant supervisory authority.

Mandatory User Instructions for Partners and Other External Users for the Use of Microsoft Teams and MEWA’s Cloud Services

1. Use of IT Infrastructure and Cloud Services for Business Purposes

The cloud services provided by MEWA are to be used exclusively for professional/project-related purposes.

2. Trade and Business Secrets

You are not permitted to store strictly confidential documents (e.g. executive minutes, research data, corporate strategies, etc.) in the cloud systems provided by MEWA. These documents are to be transmitted to MEWA by encrypted e-mail or sent by post. If in doubt, ask your contact person at MEWA.

3. Access to Cloud Systems

You will need to arrange access to MEWA’s cloud systems (e.g. Microsoft Teams) via your own device.
Access to MEWA’s cloud services is subject to the following rules:
You must make sure that your terminal devices have the latest operating system updates, program updates (browser), security updates and up-to-date virus scanners (including current signatures).
You must not access MEWA’s cloud services from external systems (e.g. public computers in hotels and libraries, internet cafés, systems of acquaintances and friends, etc.).
After accessing MEWA’s cloud services, ensure that you log off from the cloud service immediately.

4. Uploading and Downloading of Data in Cloud Services

Uploading private data to MEWA’s cloud services is not permitted.
Before data is uploaded to MEWA’s cloud services, it must be scanned by an up-to-date virus scanner.
Only data to which the user or their company holds the rights may be uploaded to MEWA’s cloud services.

5. Use of E-Mail and Messenger Services

The use of cloud messaging services or smartphone-based services such as WhatsApp or Slack for the purpose of communication with MEWA and MEWA’s systems is not permitted.
Chat functionalities provided by MEWA for business purposes (e.g. Microsoft Teams) may not be used for private purposes.

6. Storage in Cloud Services

Documents must be stored in network folders and folders in the cloud, especially group, topic, or project drives, so that they can be accessed by colleagues and project participants.

7. Browser Messages

Browser messages should not be ignored. They could contain important information about the security of the data.

8. Security Aspects

Should you notice or suspect security flaws or the intrusion of malicious code (such as worms, viruses, etc.), or gain the impression that someone is trying to obtain confidential information from you (for example, by claiming that they need to check your password), you are requested to contact the administrator/service desk responsible for you immediately by telephone.

9. Password and Terminal Device Protection

You must handle your password in such a way that no third party can gain knowledge of it. If you become aware of the unauthorised use of your password to access MEWA’s cloud services, you must immediately inform us and your IT security officer, and change your password.
Storage of access data (login ID, password) to the cloud system is not permitted.