Kuehne+Nagel

Privacy Notice Microsoft 365

Information on data protection relating to collaboration and communication using Microsoft 365

The purpose of this notice is to inform the user about the processing of personal data by Microsoft 365. Microsoft 365 comprises – from an abstract point of view – a collection and combination of various tools and applications for purposes of collaboration, security, data protection, and processing of various data. The core tools include: Azure Active Directory, Exchange Online (email, calendar, address book, tasks), SharePoint Online (data storage, processing, application platform), and Microsoft Teams (collaboration, chat, meeting, and calls). These core tools are supplemented by security tools such as the Defender product line or Intune, which enhance the management of tools and apps, and Whiteboard, which is a digital whiteboard.

This data privacy notice does not cover third party applications and interfaces connected to the Microsoft 365 platform. Please refer to the separate data privacy notices applicable for each of the respective third party applications not part of Microsoft 365.

The following information concerns the processing of personal data for the usage of Microsoft 365.

Purpose of the processing

Microsoft Teams is part of the cloud application Microsoft 365. The platform is a cloud-based service, which processes various types of personal data in delivering the service for business operations such as telephone conferences, online meetings, video conferences and/or webinars (also known as ‘Online meetings’). Hence, the creation of a user account is necessary.

For the purpose of processing personal data, Microsoft 365 provides a secure and functioning modern workplace, facilitating optimal collaboration and communication for Kuehne+Nagel Group employees, both internally and externally.

Collaboration refers to joint work vis-à-vis files, emails, calls, live transmissions, and innovative tools.

Moreover, personal data is processed for purposes of providing and ensuring smooth functioning of Microsoft 365. Processing, in this context, includes system generated protocols and administrative events (i.e., log files relating to user registration and user activities) as well as meta data relating to calls and meetings processed for purposes of error, technical, and verification support.

Controller

The controller directly related to the performance of online meetings using the video conference solution Microsoft Teams is the respective affiliated company and department of Kuehne + Nagel Management AG that uses Microsoft 365 and processes the data.

The data controller in the definition of the EU General Data Protection Regulation and other, national data protection laws of the Member States as well as further data protection regulations is:

Kuehne+Nagel Haus

P.O. Box 67

8834 Schindellegi

Switzerland

Phone: +41 (0) 44 786 95 11

Email: headoffice@kuehne-nagel.com

Kuehne+Nagel Management AG is responsible under the relevant privacy laws for all affiliated companies and controlled holdings affiliated with the Kuehne+Nagel Group.

Kuehne+Nagel Group comprises all affiliated companies listed in the current Annual Report.

What personal data is processed and for what purposes?

Data processing is based on agreed-upon services indicated in the Microsoft 365 Service Terms and is solely determined by the data controller when using the cloud-based service.

The following personal data is processed by Microsoft 365, as well as by the products (Exchange Online, SharePoint Online, and Microsoft Teams), in delivering the service:

Personal data is processed both in connection with user ID-based and non-user-ID-based processing.

User’s personal data: any communication data such as first name, last name, telephone (optional), e-mail address, password (if "Single-Sign-On" is not used), profile picture (optional), Department (optional).

Meeting metadata: Meeting and conversation chats, voicemails, shared files, and transcriptions.

Recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of online meeting chat.

When dialing in by phone: information on incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device may be saved.

Call History: Detailed history of the phone calls that you have made using Teams, which allows the user to check past call records.

Additionally, non-user-ID-based processing of user activities is conducted for the provision and smooth operation of Microsoft 365. The non-user-ID-based processing involves the processing of the following personal data:

· First name, last name

· Photo, video and audio transmission

· Email address

· Email content

Legal Basis of Processing

The regulatory basis for the operation of Microsoft 365 is found in: 1) Art. 6 section 1 b of the GDPR (for German users, in connection with Article 26 section 1 of the Bundesdatenschutzgesetz (BDSG) regarding processing involving data by internal employees based in Germany); 2) Article 6 section 1 b of the GDPR regarding processing of data of external contractors; 3) Art. 6 section 1 a GDPR regarding the processing of video and audio data; and 4) Art. 6 f GDPR for the processing of log data and metadata. Processing of biometric data is based on Art. 6 section 1 f and c of the GDPR.

The right of users as controllers for the data provided to Microsoft the legal bases of processing as set forth in the Microsoft Online Service Terms. Microsoft will process the data on the customer’s instructions, as a processor. The legal basis for processing your Personal Data is Article 6, para. 1, lit. b of the General Data Protection Regulation (Regulation (EU) 2016/679), in conjunction with the data protection agreement with Microsoft in accordance with Art. 28 GDPR.

Any processing of the user's personal data for specific purposes (e.g. use of your e-mail address for marketing purposes) can also take place on the basis of user consent. In general, a user can revoke this consent at any time. Processing for purposes within the scope of user consent is based on Article 6, para. 1, lit. a of the General Data Protection Regulation (Regulation (EU) 2016/679).

The data protection information for ‘Microsoft Teams’ can be found at: https://learn.microsoft.com/en-us/microsoftteams/teams-privacy

The usage of Microsoft Teams as part of Microsoft 365 as processor is in accordance with Article 28 GDPR.

Third-party access to personal data

Kuehne + Nagel Group

We transfer your data within the affiliated companies of the Kuehne+Nagel Group for further processing based on appropriate purposes whenever needed. We only deploy one centralized Microsoft 365 tenant, managed by Kuehne+Nagel Management AG.

Processor

We also transfer your personal data for further processing to processors engaged by us (e.g., Microsoft Ireland Operations Ltd.). This also includes processing for administrative purposes by IT service providers engaged by the controller.

External third parties

In particular cases data is transferred to external third parties to the extent permitted and necessary for meeting the purposes mentioned above. This includes inter alia processing conducted as part of administrative services (e.g. technical support and maintenance) provided by IT service providers that are engaged by the controller.

Furthermore, personal data may be transferred to public authorities to the extent legally necessary.

Retention period: Deletion of Data

We store your data for as long as the usage of Microsoft 365 requires or for as long as we maintain a legitimate interest and legal grounds to do so. The retention period is based on the processing activities of the personal data that take place using Microsoft 365.

Log data is stored for a period of 90 days.

Emails and attachments are retained for the appropriate legal retention period and deleted once no further processing purpose exists.

In the case of service termination by the company, the personal information will be deleted 180 days after the service is terminated.

Moreover, your data may be retained for a longer period under certain circumstances, including for example as result of an administrative or court order (for example a litigation hold order).

Right to withdraw consent on personal data

Any personal data should be processed by Microsoft based on consent; hence, the user may have the right to withdraw the consent at any time. The request for withdrawal should be directed to the administrator (the company’s administrator) that acts as controller of personal data.

Data processing outside the European Union

We transfer data based on a combination of standard contractual clauses and data processing agreements. In addition, we transfer pseudonymous telemetry and diagnostic data from Microsoft Ireland to Microsoft Corp. based on EU contractual clauses.

We only transfer personal data to third countries which have accepted a contractual agreement following the EU contractual clauses and additional security measures in order to establish a sufficient level of data protection. However, by using our Microsoft 365 services, you also consent to your data being processed by providers in other (third) countries. In such countries, authorities may have easier access to such data and you may have fewer rights to oppose such access, as compared to the European Union.

For more information, please refer to the provided link: https://learn.microsoft.com/en-us/microsoftteams/teams-privacy

Scope of processing

Before the event, participants shall be explicitly notified about the planned recording.

When using ‘Microsoft Teams’ to perform ‘online meetings’, the admin or presenter should, for transparency, inform users or participants in advance and, if necessary, ask for the user's consent. Information about the recording will also be displayed in the "Microsoft Teams" app.

In order to participate in an "online meeting" or to enter the "meeting room", you must at least provide information about your name and your email address. Recording is permissible while using Microsoft Teams for online events via audio/video, although by default the setting is in ‘disabled mode’. On request, changes to the recording settings can be made by the support team of Kuehne + Nagel.

Should it be necessary for the purposes of logging the results of an online meeting, the chat content will be recorded. However, this will usually not be the case.

For other events such as online training, the questions asked by webinar participants may be processed for the purposes of recording and follow-up of the event.

Automated decision making within the meaning of Art. 22 GDPR is not used.

Data protection officer

To ensure the safety and protection of user’s personal information when using Microsoft 365, we have appointed a data protection officer.

You can contact our team as follows: privacy@kuehne-nagel.com

Your rights as data subject

If your personal data is processed, you are a data subject in the definition of the GDPR and have the rights listed below in relation to the data controller. You can exercise your rights at any time via the following link https://privacy.kuehne-nagel.com/en/dsar-form.

Right to information

You can request confirmation from the data controller as to whether personal data relating to you is being processed by us. If such processing applies, you can request information from the data controller regarding the following aspects:

(1) The purposes for which the personal data is processed;

(2) The categories of personal data that is processed;

(3) The recipients or categories of recipients to whom personal data relating to you has been disclosed or will be disclosed in the future;

(4) The planned duration of storage of the personal data relating to you or, if this cannot be specified in detail, the criteria for determining the storage duration;

(5) Applicability of a right to rectification or erasure of the personal data relating to you, a right to restrict the processing by the data controller or a right to object to this processing;

(6) Applicability of a right to lodge a complaint with a supervisory authority;

(7) All available information on the origin of the data if the personal data has not been collected from the data subject;

(8) Applicability of an automated decision-making process including profiling according to Art. 22 (1) and (4) GDPR and – at least in these cases – explanatory information about the involved logic and scope, as well as the intended effects for the data subject from such processing.

You have the right to demand information as to whether the personal data relating to you is being transmitted to a third country or an international organization. In this regard, you can ask to be informed about the suitable guarantees according to Art. 46 GDPR relating to the transmission.

Right to rectification

You have a right, in relation to the data controller, to rectification and/or completion of data, insofar as the processed personal data relating to you is incorrect or incomplete. The data controller has to make the correction without delay.

Right to restrict processing

On the following conditions, you can request the restriction of the processing of personal data relating to you:

(1) If you object to the correctness of the personal data relating to you for a period that enables the data controller to check the correctness of the personal data;

(2) The processing is illegitimate, and you reject the erasure of the personal data, and instead request the restriction of the use of the personal data;

(3) The data controller no longer needs the personal data for the purposes of processing, but you require it for the assertion, exercise or defense of legal claims; or

(4) If you have objected to processing according to Art. 1 GDPR and if it is not certain yet if the legitimate interests of the data controller outweigh your reasons.

If the processing of the personal data relating to you has been restricted, this data may be processed – other than for storage – only with your consent or only to assert, exercise or defend legal claims or to protect the rights of another natural person or legal entity, or for reasons of a compelling public interest of the European Union or of a Member State.

If the limitation of the processing has been applied according to the aforementioned conditions, you will be informed by the data controller before the limitation is lifted.

Right to erasure

a) Obligation to erase

You can demand from the data controller that the personal data relating to you is to be erased immediately and the data controller is to be obligated to erase this data immediately if one of the following reasons applies:

(1) The personal data relating to you is no longer required for the purposes for which it has been collected or otherwise processed.

(2) You withdraw your consent that served as the basis for processing according to Art. 6 (1) point a) or Art. 9 (2) point a) GDPR and there is no other legal basis for processing.

(3) You object according to Art. 21 (1) GDPR to processing and there are no overriding legitimate reasons for the processing, or you object to the processing according to Art. 21 (2) GDPR.

(4) The personal data relating to you is processed illegitimately.

(5) The erasure of personal data relating to you is required to fulfill a legal obligation according to EU law or the laws of the Member States that apply to the data controller.

(6) The personal data relating to you has been collected with regard to offered services of information society according to Art. 8 (1) GDPR.

b) Information to third parties

If the data controller has made the personal data relating to you publicly accessible and if it is obligated to erase it according to Art. 17 (1) GDPR, it will take appropriate measures, also of a technical nature, in consideration of the available technology and implementation costs, in order to inform the parties, who are responsible for the data processing and who process the personal data, of the fact that you, as the data subject, have requested that they erase all links to this personal data or copies or replications of this personal data.

c) Exceptions

The right to erasure does not apply if processing is required:

(1) To exercise the right to free speech and information;

(2) To fulfill a legal obligation that applies to the processing pursuant to EU law or the laws of the Member States that apply to the data controller, or to fulfill a task in the public interest or in the exercise of public power that has been delegated to the data controller;

(3) For reasons of public interest in matters of public health according to Art. 9 (2) point h) and i) as well as Art. 9 (3) GDPR;

(4) For archiving purposes that are in the public interest, for scientific or historic research purposes or for statistical purposes according to Art. 89 (1) GDPR, insofar as the right referred to under Section a) is expected to render the realization of the processing objectives impossible or obstructs it to a significant extent; or

(5) For the assertion, exercise or defense of legal claims.

Right to information

If you have asserted the right to rectification or restriction of processing against the data controller, it will be necessary to inform all recipients to whom personal data relating to you has been disclosed of such rectification or erasure of this data or the restriction of the processing, unless this proves to be impossible or if such is tied to disproportionate effort or expense. You have the right, in relation to the data controller, to be informed of these recipients.

Right to data portability

You have the right to receive the personal data relating to you that you have made available to the data controller in a structured, commonly used and machine-readable format. You have furthermore the right to transmit this data to another data controller without obstruction by the data controller to whom the personal data has been made available, insofar as:

(1) The processing is based on a consent according to Art. 6 (1) point a) GDPR or Art. 9 (2) point a) GDPR or a contract according to Art. 6 (1) point b) GDPR, and

(2) The processing takes place by means of automated processes.

In exercising this right, you moreover have the right to effect the transmission of the personal data relating to you directly from one data controller to another data controller insofar as this is technically feasible. Freedoms and rights of other persons must not be impaired in the process. The right to data portability does not apply to the processing of personal data that is required to fulfill a task in the public interest or to exercise a public power that has been delegated to the data controller.

Right to object

You have the right to object at any time, for reasons connected to your particular situation, to the processing of the personal data relating to you that takes place on the basis of Art. 6 (1) point e) or point f) GDPR; this also applies to profiling based on these provisions. The data controller will cease processing the personal data relating to you unless it can demonstrate the presence of compelling reasons for processing that qualify for protection and which override your interests, rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending against legal claims.

If the personal data relating to you is processed for the purpose of direct marketing, you have the right to object at any time to processing of the personal data relating to you for the purpose of such advertising; this also applies to profiling if it is connected to such direct marketing.

If you object to the processing for the purposes of direct marketing, the personal data relating to you will no longer be processed for these purposes.

You have the option to exercise your right to object in connection with the use of the services of the information society – notwithstanding Directive 2002/58/EC – by means of automated procedures, in which technical specifications are used.

Right to withdraw consent according to data protection laws

You have the right to withdraw your consent according to data protection laws at any time. The legitimacy of the processing that has taken place up until your objection will not be affected by the revocation of the consent.

Automated decision-making in individual cases including profiling

You have the right not to be subjected to a decision that is exclusively based on automated processing – including profiling – which has a legal effect in relation to you or which causes similar significant disadvantages for you. This does not apply if the decision:

(1) Is required for the conclusion or the fulfilment of a contract concluded between you and the data controller;

(2) Is permissible based on the legal regulations of the EU or the Member States that apply to the data controller and if these legal regulations contain appropriate measures to protect your rights and freedoms as well as your legitimate interests; or

(3) Is made with your explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) point a) or point g) applies and appropriate measures for the protection of rights and freedoms as well as your legitimate interests have been taken. Regarding the cases referred to in (1) and (3), the data controller will take appropriate measures to protect rights and freedoms as well as your legitimate interests, which includes at least the right of a person of [sic] the data controller to exert its influence, to present own standpoints and to challenge the decision.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or in-court appeal, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your domicile, your workplace or the place of the suspected violation if you believe that the processing of personal data relating to you violates the GDPR. The supervisory authority with which the complaint has been lodged will inform the complainant of the status and the results of the complaint including the possibility of appeal in court pursuant to Art. 78 GDPR.

Report of data breaches

Data breaches can be reported at any time to privacy@kuehne-nagel.com.

A data breach means a breach of security that leads to the accidental or illegal destruction, loss or modification, unauthorized disclosure or unauthorized access of personal data, which is transmitted, stored or otherwise processed by us or a third party contracted by us.

Minors

Persons younger than 18 years of age should not transmit any personal data without the agreement of their parents or legal guardians. According to Art. 8 GDPR, children aged 16 years or younger may give such consent only with the agreement of their parents or legal guardians. Personal data of minors is not knowingly collected and processed.

Changes to this Privacy Policy

Kuehne+Nagel reserves the right to amend this Privacy Policy at any time and with effect for the future. It is therefore recommended to read this Privacy Policy at regular intervals.

Status November 2022