Privacy Information

The EU General Data Protection Regulation [GDPR] stipulates that individuals whose data is collected must be informed about the specific context of data processing to ensure fair and transparent handling. The following information provides an overview of the processing of your personal data in connection with the use of “online meetings” (such as conference calls, video meetings, chats, or trainings/webinars) organized by us (see “Who is responsible for data processing?”) using products from Microsoft Ireland Operations Ltd. or Microsoft Corporation (especially “Teams”, hereinafter referred to as “Tools”).

Please note that this information only informs you about the processing of your personal data by us when you use Microsoft applications upon our request.

Who is Responsible for Data Processing?

The entity responsible under the law is typically the company that invited you to participate in the “online meeting.” The following are the responsible companies:

Scheer GmbH Scheer Tower
Uni-Campus Nord
D-66123 Saarbrücken
Phone: +49 681 96777-0
Email: info@scheer-group.com

Our Data Protection Officer can be reached by mail at the above address with the addition “Attn: Data Protection Officer” or electronically at: datenschutz<at>scheer-group.com

Scheer Austria GmbH Ernst Melchior Gasse 22
AT-1020 Wien
Phone: +43 1 36 136 00
Fax: +43 1 36 136 00 99

Scheer Schweiz AG Industriestrasse 50b
CH-8304 Wallisellen
Phone: +49 681 96 777-0

Within the European Union, Scheer GmbH (above) acts as the representative under Article 27 GDPR for Scheer Schweiz AG.

Scheer PAS Deutschland GmbH Scheer Tower
Uni-Campus Nord
D-66123 Saarbrücken
Phone: +49 681 96777-0

Scheer PAS Schweiz AG Lautengartenstrasse 12
CH-4052 Basel
Phone: +41 61 27097-10
Fax: +41 61 27097-11
Email: info@scheer-pas.com

Within the European Union, Scheer PAS Deutschland GmbH (above) acts as the representative under Article 27 GDPR for Scheer E2E Schweiz AG.

Notes

Regardless of which company of the Scheer Group invites you to an online meeting, the contract partner of Microsoft Ireland Operations Ltd. is Scheer GmbH. Scheer GmbH also provides a large portion of the infrastructural services necessary for conducting online meetings.

If you access the Microsoft website, the provider of “Microsoft Teams” is responsible for data processing. Accessing the website is only necessary to download the software for using “Microsoft Teams.” If you do not want or cannot use the “Microsoft Teams” app, you can also use “Microsoft Teams” through your browser. The service will then be provided via the “Microsoft Teams” website.

For What Purpose and on What Legal Basis Do We Process Your Data?

We use the Tools to facilitate communication and collaboration through conference calls, video conferences, online meetings, chats, and/or trainings/webinars. The Tools are services provided by Microsoft Ireland Operations Ltd. (Ireland) or Microsoft Corporation (USA). The legal basis depends on the participants.

If personal data of employees of Scheer GmbH or a company of the Scheer Group in Germany is processed (including applicants), Section 26 BDSG is the legal basis for data processing. For our companies outside the Federal Republic of Germany, the respective national data protection regulations apply, if available, or the provisions of the GDPR.

For other participants in “online meetings,” if these are conducted as part of contractual relationships, Article 6(1)(b) GDPR is the legal basis for data processing. If no contractual relationships exist between the controller and the data subject or third parties participate, the legal basis is Article 6(1)(f) GDPR. This is particularly the case if processing is an essential part of using the Tool or the processing is based on business or official cooperation (including initiation), with our interest being the effective conduct of “online meetings.”

What Data Is Processed and to What Extent?

Various types of data are processed when using the Tools. The scope of the data also depends on what data you provide before or during the participation in an “online meeting.”

The following personal data is subject to processing:

• User Information: e.g., display name, first name, last name, phone (optional), email address, profile picture (optional), department (optional), preferred language
• Meeting Metadata: e.g., date, time, topic, status, participant IP address, meeting ID, location, device/hardware information
• Recordings (optional): MP4 file of video, audio, and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
• Dial-in with Phone: Information about incoming and outgoing phone number, country name, start and end time. Additional connection data, such as the IP address of the device, may be stored.
• Text, Audio, and Video Data: You may have the option to use chat, question, or survey functions in an “online meeting.” The text inputs you make will be processed to display them in the “online meeting” and, if necessary, to log them. To enable video display and audio playback, the data from the microphone of your device and any video camera of the device will be processed during the meeting. You can turn off or mute the camera or microphone at any time via the Tool applications.

To participate in an “online meeting” or enter the “meeting room,” you must at least provide your name or display name.

Scope of Processing

We use the Tools to conduct “online meetings.” If we want to record “online meetings,” we will inform you transparently in advance and, if necessary, ask for your consent. The fact of the recording will also be displayed in the Tool.

If it is necessary for the purposes of recording the results of an “online meeting,” we will log the chat contents. However, this will generally not be the case. In the case of webinars, we may also process the questions posed by webinar participants for the purpose of recording and follow-up.

If you are registered as a user for the Tools with Microsoft, reports on “online meetings” (meeting metadata, phone dial-in data, questions and answers in webinars, survey function in webinars) may be stored by Microsoft.

The software-based attention monitoring feature of the “online meeting” Tools is disabled by us. Automated decision-making within the meaning of Article 22 GDPR does not take place on our part.

Finally, we process your personal data to the extent necessary to prevent or prosecute criminal offenses, ensure smooth IT operations, within the framework of building security measures (e.g., access control), and to ensure the right to control access.

Who Has Access to Your Data?

Personal data processed in connection with participation in “online meetings” is generally known to the participants of the respective online meeting. For instance, video, image, sound, and/or photo recordings of the participants of a video conference, as well as any documents related to the content, shared screens, participant lists, and chats are disclosed to the participants of the web conference.

Furthermore, data within our corporate group is only made accessible to those departments that require it to fulfill the aforementioned purposes (e.g., marketing, sales, project staff, accounting for billing, IT for secure infrastructure operation). Please note that the content of online meetings is often intended to be shared with customers, prospects, or third parties.

Other recipients may also include those to whom we are legally obligated to disclose data (e.g., public authorities and institutions), for the enforcement of outstanding claims (e.g., lawyers), to whom you have given your consent (e.g., as a reference), or such service providers that necessarily support us in providing the service, such as the provider of the respective Tool for the “online meeting.” We have concluded a data processing agreement with providers who act as data processors on our behalf, meeting the requirements of Article 28 GDPR.

Data Processing Outside the European Union

A technical data processing outside the European Union [EU] generally does not occur as we have limited the storage location to data centers in the European Union to the extent possible. However, we cannot exclude the routing of data via Internet servers located outside the EU. This can especially be the case if participants in the “online meeting” are located in a third country. Additionally, we have no control over the system-side processing of technical information such as device/hardware information (e.g., IP address, operating system data of the device, and the date and time of access) by the service provider.

As our corporate group also includes companies in third countries (e.g., Switzerland) or we are occasionally supported by service providers (e.g., Microsoft) with headquarters, parent companies, or data centers in third countries, a data transfer cannot be ruled out. In such cases, we ensure, within our capabilities, that access is only granted to the necessary data for the specific task and that appropriate security measures (e.g., EU Commission adequacy decisions, EU standard contractual clauses) are in place.

The data protection level with Microsoft is ensured through the conclusion of enhanced EU standard contractual clauses and technical-organizational measures. This includes data being encrypted during transmission over the Internet and generally protected from disclosure to third parties. Regarding personal data stored by Microsoft in the USA and Europe that may be subject to requests for information by US authorities, Microsoft guarantees in a statement dated July 20, 2020, that such orders will be challenged in court. Moreover, Microsoft has acquired the right through a legal settlement to disclose transparent reports on the number of US orders for national security addressed to Microsoft, and new guidelines within the US government have been introduced to restrict the use of non-disclosure orders.

Microsoft’s data protection level is deemed sufficient based on the anticipated content of the online meetings.

Further information from Microsoft (as of September 2021) can be found here:

• Microsoft Privacy Statement
• GDPR Overview
• Privacy and Security in Microsoft Teams
• Statement on EDPB Decision
• New Measures for Data Protection
• Data Protection Series
• End-to-End Encryption in Microsoft Teams
• Microsoft’s Commitment to Privacy and Security in Teams

Your Rights

We generally delete personal data when there is no longer a need for its storage. A need may exist, for instance, if the data is still required to fulfill contractual services, examine and grant or defend warranty and, if applicable, guarantee claims. In the case of legal retention obligations, deletion is only considered after the respective retention obligation expires.

You have various rights regarding the processing of your personal data under the applicable regulations:

• Right to Access: You have the right to request information about your personal data. You can contact us at any time regarding this. For non-written requests, we ask for your understanding that we may require proof that you are the person you claim to be.
• Right to Rectification or Erasure: You have the right to request the correction or deletion of your data or the restriction of its processing, as far as you are legally entitled to do so.
• Right to Object: You have the right to object to the processing of your data.
• Right to Data Portability: You have the right to request the transfer of your data within the legal framework.
• Right to Complain: You have the right to lodge a complaint with a supervisory authority.

Data Protection Officer

Our Data Protection Officer or a contact person for data protection can be reached at: datenschutz<at>scheer-group.com and by mail at the address of the responsible entity mentioned at the beginning.

Other Notes

Please inform other affected persons in your organization who participate in our communication and collaboration services using our Tools. This information is current as of September 2021. We reserve the right to update this information as needed. You can also request an up-to-date version from us at any time.