Privacy Notice
for participants in online meetings via Microsoft services
Information on data protection
The EU General Data Protection Regulation [GDPR] stipulates that persons whose data is collected must be informed about the respective processing context in order to ensure fair and transparent processing. The following information provides you with an overview of the processing of your personal data in connection with the use of "online meetings" arranged by us (see "Who is responsible for data processing?") such as telephone conferences, video meetings, chats or training courses/webinars using products from Microsoft Ireland Operations Ltd. or Microsoft Corporation (in particular "Teams", hereinafter: "Tools").
Please note that this information only informs you about the processing of your personal data by us if you use Microsoft applications together with us at our instigation.
Who is responsible for data processing?
The controller within the meaning of the law is generally the company through which you have been invited in direct connection with the organisation of "online meetings". Please refer to the following information to find out which company this is:
Scheer GmbH
Scheer Tower
Uni-Campus North
D-66123 Saarbrücken
Phone: +49 681 96777-0
E-Mail: info@scheer-group.com
You can contact our data protection officer by post at the address shown opposite with the addition "Attn. data protection officer" or electronically at: datenschutz@scheer-group.com
Scheer Austria GmbH
Ernst-Melchior-Gasse 22
AT-1020 Vienna
Phone: +43 1 36 136 00
Fax: +43 1 36 136 00 99
Scheer Switzerland AG
Industriestrasse 50b
CH-8304 Wallisellen
Phone: +49 681 96 777-0
Within the European Union, Scheer GmbH (see above) acts as a representative within the meaning of Art. 27 GDPR of Scheer Schweiz AG.
Scheer PAS Germany GmbH
Scheer Tower
Uni-Campus North
D-66123 Saarbrücken
Phone: +49 681 96777-0
Scheer PAS Switzerland AG
Lautengartenstraße 12
CH-4052 Basel
Phone: +41 61 27097-10
Fax: +41 61 27097-11
E-Mail: info@scheer-pas.com
Within the European Union, Scheer PAS Deutschland GmbH (see above) acts as a representative within the meaning of Article 27 GDPR of Scheer PAS Schweiz AG.
Notes
The contractual partner of Microsoft Ireland Operations Ltd. is Scheer GmbH, regardless of which Scheer Group company invites you to an online meeting. Scheer GmbH also provides a large part of the infrastructural services that we require to organise online meetings.
If you access the Microsoft website, the provider of "Microsoft Teams" is responsible for data processing. However, to use "Microsoft Teams", accessing the website is only necessary in order to download the software. If you do not want to or cannot use the "Microsoft Teams" app, you can also use "Microsoft Teams" via your browser. The service is then also provided via the "Microsoft Teams" website.
What do we process your data for and on what legal basis?
We use the tools to enable people to communicate and collaborate via telephone conferences, video conferences, online meetings, chats and/or training courses/webinars. The tools are services provided by Microsoft Ireland Operations Ltd (Ireland) or Microsoft Corporation (USA). The legal basis differs depending on who participates.
Insofar as personal data of employees of Scheer GmbH or a Scheer Group company in Germany is processed (including applicants), Section 26 BDSG is the legal basis for data processing. For our companies outside the Federal Republic of Germany, the country-specific data protection regulations on employee data protection apply, if available, or alternatively the provisions of the GDPR.
For other participants in "online meetings", insofar as these are carried out within the framework of contractual relationships with the data subjects, Art. 6 para. 1 lit. b) GDPR is the legal basis for data processing. If there is no contractual relationship between the controller and the data subject or if third parties participate, the legal basis is Art. 6 para. 1 lit. f) GDPR. This is particularly the case if processing is an elementary component of tool use or the processing is based on a business or official cooperation (including initiation) between the parties involved, whereby our interest here is in the effective organisation of "online meetings".
What data is processed and to what extent?
Various types of data are processed when using the tools. The scope of the data also depends on the data you provide before or during participation in an "online meeting".
The following personal data is subject to processing:
- User details: e.g. display name, first name, surname, telephone (optional), e-mail address, profile picture (optional), department (optional), preferred language
- Meeting metadata: e.g. date, time, topic, status, participant IP address, meeting ID, location, device/hardware information
- For recordings (optional): MP4 file of the video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
- When dialling in with the telephone: information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be saved.
- Text, audio and video data: You may have the opportunity to use the chat, question or survey functions in an "online meeting". In this respect, the text entries you make are processed in order to display them in the "online meeting" and, if necessary, to log them. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device will be processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the tool applications.
To take part in an "online meeting" or to enter the "meeting room", you must at least provide details of your name or display name.
Scope of processing
We use the tools to conduct "online meetings". If we want to record "online meetings", we will inform you transparently in advance and - if necessary - ask for your consent. The fact of the recording will also be displayed to you in the tool.
If it is necessary for the purposes of logging the results of an "online meeting", we will log the chat content. However, this will not usually be the case. In the case of webinars, we may also process the questions asked by webinar participants for the purposes of recording and following up on webinars.
If you are registered with Microsoft as a user for the tools, then reports on "online meetings" (meeting metadata, telephone dialling data, questions and answers in webinars, survey function in webinars) may be saved at Microsoft.
The possibility of software-based attention monitoring in "online meeting" tools has been deactivated by us. Automated decision-making within the meaning of Art. 22 GDPR does not take place on our part.
Finally, we process your personal data insofar as this is necessary to prevent or prosecute criminal offences, to ensure smooth IT operations, as part of building security measures (e.g. access control) and to ensure domiciliary rights.
Who has access to your data?
Personal data that is processed in connection with participation in "online meetings" is generally known to the participants in the respective online meeting. Video, image, audio and/or photo recordings of the participants in a video conference and, if applicable, documents relating to the content, shared screens, participant lists and chats are disclosed to the participants in the web conference.
Furthermore, data within our group of companies is only made accessible to those departments that need it to fulfil the above-mentioned purposes (e.g. marketing, sales, project staff, accounting for billing, IT for the secure operation of the infrastructure). Please note, however, that the content of online meetings is often intended to be passed on to customers, interested parties or third parties.
Other recipients could also be those to whom we are legally obliged to disclose data in some way (e.g. public authorities and institutions), those we engage to enforce outstanding claims (e.g. lawyers), those for whom you have given us your consent (e.g. as a reference), or service providers who necessarily support us in providing our services, such as the provider of the respective "online meeting" tool. We have concluded an order processing contract with providers who work for us within the framework of order processing, which complies with the requirements of Art. 28 GDPR.
Data processing outside the European Union
Technical data processing outside the European Union [EU] does not take place insofar as we have limited the storage location to data centres in the European Union as far as possible. However, we cannot rule out the possibility that data may be routed via internet servers located outside the EU. This may be the case in particular if participants in the "online meeting" are located in a third country. We also have no influence on the system-side processing of technical information such as device/hardware information (e.g. IP address, operating system data of the end device and time and date of access) by the service provider.
As our group of companies also includes companies in third countries (e.g. Switzerland), or because service providers (e.g. Microsoft) with headquarters, a parent company or a data centre in third countries support us on a case-by-case basis, it is unfortunately not possible to rule out the possibility of data being passed on. In such cases, we ensure as far as possible that only data that is necessary for the fulfilment of the specific task is accessed and that appropriate security measures (e.g. adequacy decision of the EU Commission, EU standard contractual clauses) are taken.
The level of data protection is guaranteed vis-à-vis Microsoft through the conclusion of supplemented EU standard data protection clauses and technical and organisational measures. This includes the fact that data is encrypted in transit over the Internet and is generally protected against disclosure to third parties. With regard to personal data that is stored by Microsoft in the USA and Europe and may be subject to official requests for information from authorities in the USA, Microsoft guarantees in a statement dated 20 July 2020 that orders which would allow access to personal data will be challenged in court. In addition, as part of a legal settlement, Microsoft has acquired the right to disclose transparent reports on the number of US national security orders issued to Microsoft, and new guidelines have been introduced within the US government that have restricted the use of non-disclosure orders (see https://news.microsoft.com/de-de/stellungnahme-zum-urteil-des-eugh-was-wir-unseren-kunden-zum-grenzueberschreitenden-datentransfer-bestaetigen-koennen/).
The level of data protection is considered sufficient in relation to the expected content of the online meetings.
Further information from Microsoft (as of September 2021) can be found here:
- Microsoft Privacy Statement
- GDPR Overview
- Privacy and Security in Microsoft Teams
- Statement on EDPB Decision
- New Measures for Data Protection
- Data Protection Series
- End-to-end encryption in Microsoft Teams
- Microsoft's Commitment to Privacy and Security in Teams
Your rights
We generally delete personal data when there is no longer a need for further storage. Such a need may exist in particular if the data is still required to fulfil contractual services or to check and grant or defend against warranty and guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.
Under the applicable regulations, you have various rights in relation to the processing of your personal data:
- Right of access: You have the right to request information about your personal data. You can contact us at any time in this regard. In the case of non-written requests, we ask for your understanding that we may require proof that you are the person you claim to be.
- Right to rectification or erasure: You have the right to request the rectification or erasure of your data or the restriction of its processing, insofar as you are legally entitled to do so.
- Right to object: You have the right to object to the processing of your data.
- Right to data portability: You have the right to request the transfer of your data within the legal framework.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority.
Data Protection Officer
You can reach our data protection officer or a contact person for data protection at: datenschutz@scheer-group.com and by post at the address of the controller stated at the beginning.
Other notes
As the recipient of this information, please inform any other persons in your organisation affected by this if they participate in our services for communication and collaboration via our tools. This information is current as of September 2021. We reserve the right to update this information if necessary. You can also request a current version from us at any time.