
Data Privacy Statement
Applications
You have an invitation to use Microsoft 365 (M365) SharePoint Online by Vitis Regulatory Ltd. as the responsible party within the meaning of the respective applicable data protection laws.
M365 SharePoint Online is a collaboration and exchange platform for individual users, teams and networks, which can be used both by users within the Vitis Regulatory Group and with clients external to the business group.
With the use of M365 SharePoint Online, personal data are processed. Please note that this data privacy statement only informs you about the processing of your personal data when using M365 SharePoint Online in cooperation with Vitis Regulatory. If you need information about Microsoft’s processing of your personal data, please read the appropriate declaration.
Microsoft privacy statement: https://privacy.microsoft.com/en-us/privacystatement
You can access Vitis Regulatory's general data privacy statement at any time by visiting www.vitisregulatory.com/privacy-statement
1. Categories and context of personal data subject to processing when using M365 SharePoint Online
Certain information is already automatically processed when using M365 SharePoint Online. In this privacy policy, Vitis Regulatory specifies for you exactly which personal data are processed and on which legal basis this is done:
1.1 Your IP address used to access M365 SharePoint Online
Legal bases for this are Article 6 para. 1 a), b) and f) General Data Protection Regulation (GDPR), as well as Article 88 GDPR in conjunction with the national laws on employee data protection.
1.2 Your user name (access data to M365 SharePoint Online), data within the scope of the so-called multi-factor authentication, which you have stored yourself in your Microsoft account (e.g. optionally the (private) mobile phone number).
The legal basis for this is Article 6 para. 1 b) and c).
1.3 Identification features: Information identifying you as the user, sender, recipient of data within M365 SharePoint Online. This includes, in particular, the following master data: name, first name, official contact data such as telephone number, e-mail address, official fax number, insofar as provided by you or if your organization transmitted it. This information is always visible in your profile, particularly in Outlook for you and other M365 users, and can be customized by you.
The legal basis for this is Article 6 para. 1 a), b), c) and f) GDPR.
1.4 Data required for authentication, license use, logging and misuse detection. M365 processes all user activities, such as time of access, date, type of access, details regarding data/files/documents accessed and all activities related to use, such as creating, modifying, deleting a document, setting up a team (and channels in teams), taking notes in the notebook, starting a chat, replying in the chat.
The legal basis for this is Article 6 para. 1 b) and c) GDPR.
1.5 User data: User data collected by you or from you. This includes, in particular, communication content and files created by you or to be created by you.
The legal basis for this is Article 6 para. 1 b) and f) GDPR.
1.6 Data backups and archiving: The data collected from or about you is stored in Vitis Regulatory data backup. This serves to restore the system and the data itself. In addition, your data will be (partially) archived if this is required by law.
The legal basis for this is Article 6 para. 1 b) and c) GDPR.
2. Transfer and transmission of data
Apart from the cases explicitly mentioned in this data privacy statement, your personal data will only be disclosed without your express prior consent if it is legally permissible or necessary. This may be the case, for example, if such processing is necessary to protect the vital interests of the user or of another natural person.
2.1 Data provided by you during M365 SharePoint Online registration will be shared within the Vitis Regulatory businesses for internal administrative purposes, including supplier support, to the extent necessary.
The legal basis for this is Article 6 para. 1 f) GDPR.
Any possible transfer of personal data is justified because Vitis Regulatory has a legitimate interest in disclosing such data for administrative purposes within the Vitis Regulatory businesses and your rights and interests in the protection of your personal data do not prevail within the meaning of Article 6 para. 1 lit. f) GDPR.
2.2 Should it be necessary to clarify an illegal or abusive use of M365 SharePoint Online or for legal prosecution, personal data will be disclosed to law enforcement or other authorities and, if applicable, to injured third parties or legal advisors. However, this only occurs if there are indications of illegal or abusive behaviour. A transfer can also occur if this serves the enforcement of terms of use or other legal claims. Vitis Regulatory is also legally obliged to provide information to certain public bodies on request. These are criminal prosecution authorities, authorities that pursue administrative offences for which fines have been imposed, and financial authorities.
Any transfer of personal data is justified by the fact that
(1) processing is necessary to fulfil a legal obligation to which Vitis Regulatory is subject pursuant to Article 6 para. 1 lit. c) GDPR in conjunction with national legal requirements for the disclosure of data to criminal prosecution authorities, or
(2) PFA has a legitimate interest in transferring such data to the aforementioned third parties if there are indications of abusive behaviour or to enforce Vitis Regulatory legal claims and your rights and interests in the protection of your personal data within the meaning of Article 6 para. 1 lit. f) GDPR do not prevail
or (3) Vitis Regulatory processes data based on Article 88 GDPR in connection with nationally applicable data protection law on the employment relationship to uncover criminal offences.
2.3 Vitis Regulatory depends on Microsoft for the use of M365 SharePoint Online. Microsoft is a so-called processor of orders and is subject to PFA’s instructions as the responsible party in the sense of the GDPR when processing personal data within the framework of Microsoft Office 365 applications used by Vitis Regulatory. In accordance with Vitis Regulatory’s legal obligations, Vitis Regulatory has entered into contractual agreements with Microsoft and other contract processors for the transfer of data. Microsoft’s processing of personal data takes place on servers located in the UK.
2.4 In the course of further expansion of Vitis Regulatory’s business, it may happen that the structure of the company changes by changing its legal form, by forming, acquiring or selling subsidiaries, parts of companies or components of companies. In such transactions, if necessary, such information may be transferred to another legal entity along with the part of the business to be transferred. Whenever personal information is transferred to third parties to the extent described above, Vitis Regulatory will ensure that this is done in accordance with this data privacy statement and applicable data protection laws.
Any disclosure of personal data is justified because Vitis Regulatory has a legitimate interest in adapting Vitis Regulatory’s corporate form to the economic and legal circumstances as required and your rights and interests in the protection of your personal data do not prevail in the sense of Article 6 para. 1 lit. f) GDPR.
3. Transfer of data to third countries
A transfer to third countries, both within the Group and by commissioning contract processors and third parties, cannot be ruled out when using M365 SharePoint Online. Vitis Regulatory has taken appropriate guarantees to protect your data in such a case.
Microsoft may temporarily give technical staff outside the EU/EEA access for technical maintenance. To guarantee compliance with Regulation (EU) 2018/1725, this should happen in line with instructions provided by the Directorate-General for Informatics (DIGIT) regarding the common agreement and terms of use between the European Institutions and Microsoft.
In addition, Microsoft does not control or limit the regions from which the customer or its end users may access or move customer data. Therefore, if an end-user travels outside the EU/EEA and uses the services, personal data may be processed outside the EU/EEA to enable access to the online services from their location.
4. Change of purpose
Processing of your personal data for purposes other than those described above will only be carried out to the extent permitted by law or if you have consented to the changed purpose of data processing. In the event of further processing for purposes other than those for which the data were originally collected, Vitis Regulatory will inform you of these other purposes prior to further processing. Vitis Regulatory will also provide you with any other relevant information.
5. Period of data storage
Vitis Regulatory will delete, block or make anonymous your personal data as soon as they are no longer required for the purposes for which Vitis Regulatory has collected or used them in accordance with the above paragraphs. Subject to statutory deletion and retention periods, Vitis Regulatory stores your personal data for the duration of the contractual relationship with you. Login data and IP addresses are deleted after 90 days at the latest. Your data will also be stored in data backups, which are overwritten regularly and as operationally reasonable.
6. Your rights as the data subject
6.1 Right of access to data and information
You have the right to obtain from Vitis Regulatory, at any time and upon request, information on personal data processed by Vitis Regulatory and relating to you within the scope of Article 15 GDPR. To do this, you can submit an application by post or by e-mail to the data protection officer at the address below.
6.2 Right to correction of inaccurate data
You have the right to ask Vitis Regulatory to correct without undue delay any personal data concerning you if it is inaccurate. To do so, please contact the data protection officer at the addresses indicated below.
6.3 Right of deletion of data
Under the conditions described in Article 17 GDPR, you have the right to request that Vitis Regulatory delete personal data relating to you. To exercise your right of deletion, please contact the data protection officer at the addresses indicated below.
6.4 Right to restriction of processing
You are entitled to demand that Vitis Regulatory restrict processing in accordance with Article 18 GDPR. To exercise your right to limit processing, please contact Vitis Regulatory via the contact address indicated in Section 9 below.
6.5 Right to data transferability
You have the right to access any personal data concerning you provided to Vitis Regulatory in a structured, common, machine-readable format in accordance with Article 20 GDPR.
To exercise your right to data transferability, please contact Vitis Regulatory via the contact address indicated in Section 9 below.
7. Right to object
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is carried out based on Article 6, paragraph 1, a), e) or f) GDPR, in accordance with Article 21 GDPR. Vitis Regulatory will stop processing your personal data unless Vitis Regulatory can prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.
8. Right to lodge a complaint
You also have the right to lodge complaints with the competent supervisory authority.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Fax: 01625 524510
Internet: https://ico.org.uk
or
European Data Protection Supervisor
Rue Wiertz 60, B-1047 Brussels (postal address)
Rue Montoyer 30, B-1000 Brussels (office address)
Telephone: +32 2 283 19 00
Email: edps@edps.europa.eu
Internet: www.edps.europa.eu
9. Contact
If you have any questions or comments regarding Vitis Regulatory’s handling of your personal data or if you would like to exercise any of the rights mentioned in points 6 and 7 as a data subject, please contact:
Ros Wildey (Director), Vitis Regulatory Limited: Ros.wildey@vitisregulatory.com
If you have any questions or comments on the practical handling and operation of M365 SharePoint Online, please raise them with the Vitis Regulatory contact who invited you to use it, or your main point of contact at Vitis Regulatory.
10. Changes to this data privacy statement
Vitis Regulatory reserves the right to vary this statement from time to time in the course of maintenance of its data policies, and update the statement if changes occur in the collection, processing or use of your data.
The current version of the data privacy statement is always available at www.vitisregulatory.com/privacy-statement