Data protection
Data protection compliance
The review of the documents provided by Microsoft by the data protection officer of the University of Vienna has shown that Microsoft complies with the formal requirements of the GDPR.
Subsequently,
- data protection impact assessments (DPIA) were carried out,
- a data processing agreement (DPA) was signed, and
- the processing was recorded in the processing directory of the University of Vienna.
In the opinion of the University of Vienna's data protection officer, Microsoft 365 is an operating resource. The legal basis for data processing must therefore always be that for which the original data processing is intended (e.g. student data after completion of the degree programme in accordance with Section 53 of the University Act, if student data is stored via Microsoft 365).
Only data processing that must be carried out without exception due to the use of Microsoft 365 requires a separate legal basis. In the opinion of the data protection officer, this is extremely rare. This legal basis for the processing of personal data for Microsoft 365 is, in accordance with Art. 6(1)(f) GDPR, the overriding interest of the University of Vienna (see processing directory GDPR number DSG-2020-01261 or General Data Protection Declaration of the University of Vienna and Data Protection Declaration of the University of Vienna for Cloud Services and Other IT Applications, § 4 General information on data processing). Special categories of personal data (sensitive data) are not processed in this context.
Please also note the Microsoft Privacy Statement on the Microsoft web pages.
Processing of special categories of personal data
Microsoft 365 is a resource. Therefore, the legal basis must always be that for which the original data processing is intended (e.g. student data after completion of the degree programme in accordance with Section 53 of the University Act).
Since Microsoft 365 can be made available to employees and students in a manner that complies with data protection regulations from the perspective of the University of Vienna's data protection officer, it makes no difference whether the data is sensitive or non-sensitive personal data. The decisive factor is always the respective legal basis on which, for example, sensitive data can be processed. In this case, Art. 9 GDPR must be applied without exception. The respective legal basis for the processing of sensitive data can be found in Art. 9 GDPR in an exhaustive list.
Microsoft 365 is to be regarded purely as a storage medium, for example for text documents containing sensitive data. As already mentioned above, the legal basis is not to be found for Microsoft 365 itself, but for the actual data processing. If there is a legal basis for the processing of sensitive data within the meaning of Art. 9 GDPR, this sensitive data can also be processed (stored) by Microsoft 365.
Personal license
To use Microsoft 365, you need a Microsoft account to which a personalised license (named user license) is assigned. When you order a Microsoft 365 subscription as an employee via the self-service portal (via Uni data network/VPN) or as a student via AcadCloud, a Microsoft account and a personalised license are automatically created.
For employees, the license is valid as long as they are in active employment or until the license is returned via the self-service portal (via Uni data network/VPN). For students, the license can be renewed every 12 months via AcadCloud as long as they are admitted to the University of Vienna for a degree programme.
At least once every 30 days, a connection to the internet must be established to check the status of the subscription. If the device is offline for more than 30 days, Microsoft 365 will switch to restricted functionality mode until a connection to the internet is re-established. In restricted functionality mode, Microsoft 365 remains installed, but documents can only be viewed and printed. All functions for editing or creating new documents are disabled.
Technical and organisational measures
In the course of the data protection impact assessment for Microsoft 365, technical and organisational residual risks were identified, but these can be significantly reduced by two measures:
- Introduction of multi-factor authentication
- Introduction of logging of administrative activities (audit log).
The data protection officer is currently developing a concept for regular training of employees on data protection and data security.
The University of Vienna has configured the data protection requirements for Microsoft 365 as follows:
- Two-factor authentication for all users (in accordance with TOMs requirements)
- Audit log enabled
- Activation of end-to-end encryption in Teams for all users (currently only available for 1:1 calls and in the desktop app and mobile apps)
- Optional connected experience is disabled
- Third-party apps are blocked in the stores (Office applications, Teams)
- Transmission of diagnostic data is configured by policy to the minimum necessary data (‘neither nor’)
- Reports in the Teams Admin Centre and Microsoft 365 Admin Centre are displayed in pseudonymised form
- Microsoft 365 Adoption Score and Microsoft Viva Insights (formerly MyAnalytics) are disabled (features that enable performance and attendance monitoring)
- If recordings or transcriptions of video conferences are to be made in the Teams app, consent must be obtained from the participants.
- Direct communication between Microsoft and users (Microsoft can send e-mails directly to users by default) is not permitted for desktop apps and mobile apps, but is possible in web apps.
Login and passwords
When logging in to Microsoft 365 services (including Microsoft Teams), as with the web login service, you will be redirected to a service operated by the ZID on its own infrastructure to verify your u:account UserID and associated password. The passwords thus remain on the servers of the University of Vienna.
Access and identity management with Entra ID and SCIM
The University of Vienna uses Entra ID (formerly Azure Active Directory), the identity and access management system of Microsoft 365, for the login to Microsoft 365 and to the third-party applications Adobe Creative Cloud, Grammarly and DeepL Pro. Third-party applications can also connect to Entra ID via the SCIM standard (System for Cross-Domain Identity Management) to manage user accounts automatically. For more information, please visit the Microsoft website SCIM synchronisation with Microsoft Entra ID.
Automatic account creation when ordering software
When ordering the relevant software via the self-service portal (via Uni data network/VPN) or AcadCloud, the following happens:
- The u:account is marked in the Active Directory operated locally by the ZID.
- The Entra Connect synchronisation service sets up a University of Vienna Microsoft account for this u:account in Entra ID.
- In Entra ID, a group assignment is made to the ordered software.
- For Microsoft 365, only the assignment in Entra ID is necessary.
- For third-party applications, SCIM handles the synchronisation of user information.
Returning software and removal from Entra ID
- If corresponding software is returned via the self-service portal (via Uni data network/VPN) or AcadCloud, the associated group assignment in Entra ID is removed. For third-party applications, SCIM informs the respective systems.
- If all software products that use Entra ID are returned, the synchronisation flag for the u:account is removed from the local Active Directory and thus deactivated in Entra ID.
- If the software is not returned, all group assignments, permissions and user information in Entra ID will be cleared at the latest when the u:account is deactivated.
- After deactivation in Entra ID, the created Microsoft account remains active for 30 days and is then permanently deleted.
Authentication
Password-based authentication is performed via the Microsoft Active Directory Federation Services (ADFS) operated locally by the ZID. This means that third-party providers cannot gain access to the u:account password.
Applications that use the Microsoft account are secured with a second factor when logging in. Users can manage the methods for logging in via their Microsoft account in the security information.
Multi-factor authentication
The multi-factor authentication service is provided by Microsoft in a European data centre. Personal information at user level, such as blocked or bypassed users or change requests for Microsoft Authenticator device tokens, is stored for 90 days. Although no personal data such as user names, telephone numbers or IP addresses are logged, user authentication attempts are recognised using UserObjectId. Log data is stored for 30 days.
Further information on multi-factor authentication from Microsoft can be found on the Microsoft web page.
Data retention
Information on how long user data is retained in Microsoft 365 after clearance can be found on the Microsoft website Data residency and customer data for Microsoft Entra multifactor authentication.
Connected and optional connected experiences
Connected experiences are features of Microsoft 365 applications. During operation, connected experiences can communicate with Microsoft 365 online services and exchange user data. If you also use the optional connected experiences, user data may be processed in other Microsoft services and/or third-party services. Unlike telemetry (collection of diagnostic data), the purpose of connected and optional connected experiences is not diagnostics but to offer users specific additional features, such as dictation and translation functions or the integration of online videos, for example from YouTube.
The University of Vienna has configured the connected experiences for desktop and mobile apps in Microsoft 365 as follows:
Employees
- The connected experiences that do not involve any processing of user data are always enabled.
- Connected experiences that involve the processing of user data in Microsoft 365 services, other Microsoft services and/or third-party services can be activated if required.
Activation/deactivation of connected and optional connected experiences
- To activate these features in the Office desktop apps, the SRV02483 – Microsoft 365 (additional package) – Connected and optional connected experiences service must be purchased free of charge via the self-service portal (via the Uni data network/VPN).
- The deactivation of the optional connected experiences can be done in the privacy settings of the Office desktop apps (Word, Excel or PowerPoint).
- The connected experiences that analyse content are activated when you order the SRV02483 – Microsoft 365 (additional package) – Connected and optional connected experiences service via the self-service portal (via the Uni data network/VPN) and can only be deactivated by returning this package.
Please note the information provided by the Data Protection Officer of the University of Vienna and the data protection and terms of use of the respective third-party providers when using their services. You are responsible for complying with the guidelines of the university and the legal provisions such as the DSG, UrhG, TKG, StGB and other Austrian laws.
Students
- The connected experiences that do not involve any processing of user data are always activated.
- The connected experiences that involve processing of user data in Microsoft 365 services, other Microsoft services and/or third-party services are activated and can be partially deactivated if necessary.
Deactivation of connected and optional connected experiences:
- Connected experiences that can analyse content cannot be deactivated.
- The optional connected experiences can be deactivated in the Office desktop apps (Word, Excel, PowerPoint).
Please note the information provided by the Data Protection Officer of the University of Vienna and the data protection and terms of use of the respective third-party providers when using their services. You are responsible for complying with the guidelines of the university and the legal provisions such as the DSG, UrhG, TKG, StGB and other Austrian laws.
Note from the Data Protection Officer of the University of Vienna on the use of optional connected experiences
In connection with the use of Microsoft 365 at the University of Vienna, we would like to inform you about the use of optional connected experiences and the associated possible use of third-party products. These third-party products may process data from employees and students under certain circumstances.
- Data protection and legal basis
It must be ensured that no personal data of employees or students is transferred to third-party providers unless there is a sufficient legal basis for doing so. In particular, the requirements of the General Data Protection Regulation (GDPR) and the individual relevant substantive laws (e.g. DSG, UrhG, TKG, StGB) must be complied with.
- Raising awareness among students and staff
Please inform students and colleagues that data may be transferred to third-party providers in the context of optional connected experiences in Office. Explain the possible risks and data protection measures.
- Responsibility when using third-party products
When selecting and using third-party services that have not been approved by the University of Vienna, you are responsible for checking and complying with data protection regulations. The University of Vienna has neither knowledge of nor control over possible processing by third-party providers. If you have any uncertainties or questions, please contact the responsible data protection office at the University of Vienna.
Only use the optional connected experiences if it is absolutely necessary for you; otherwise, this service can be deactivated or remain deactivated.
For further information or support, please contact the Data Protection Officer at the University of Vienna.
Connected experiences for employees
The University of Vienna has configured the connected experiences for employees for desktop apps and mobile apps in Microsoft 365 as follows:
The category Connected experience, download online content is enabled by default, as this involves pure downloading without processing data in the cloud.
The category Connected experience that can analyse your content can be used by activating it via a separate add-on through the self-service portal – e.g. for functions such as the dictation function Dictate. This separate activation was chosen in consultation with the AID, as user data is processed in the Microsoft cloud.
The category Further connected experience is deactivated, as third-party modules can be integrated.
For the web applications, only the additional connected experiences can be deactivated by the University of Vienna, and Connected experience that analyses your content is activated.
Record, live transcription and live captions in Teams
In Microsoft Teams, users have access to the record, live transcription and live captioning functions.
In order to comply with the Web Accessibility Act (WZG), the University of Vienna is obliged to take appropriate technical measures to ensure that all students and/or employees have, as far as possible, the same conditions for using the services offered by the University of Vienna. Live transcription and live captions for video conferences have therefore also been activated via the Microsoft Teams app. In this context, personal data is processed. Live captions are only displayed during video conferences and are not stored.
You will be asked separately whether you consent to the recording of the video conference. If the live transcription function is activated, the initiator is automatically prompted in Teams to inform the participants verbally about the activation of the function.
The legal basis for the processing is Art. 6 (1) lit. a GDPR. The data is stored until revoked or until the purpose of the processing has been fulfilled.
Microsoft allows participants to hide their own identity in the Live Captions and Live Transcription features. For more information, please visit the Microsoft web page at Hide your identity in meeting captions and transcripts in Microsoft Teams.
Expiry of chats and teams in Microsoft Teams
Messages in personal chats are automatically cleared after 365 days.
A team and its subordinate channels are automatically cleared if there is no activity within 365 days. Any new activity extends the team for another 365 days. All team owners will be automatically notified by Microsoft via e-mail in good time before the team expires.
Diagnostic data and required service data
Microsoft 365 diagnostic data is used in the same way as for the Windows 10 and Windows 11 operating systems, as follows:
- To keep applications secure and up to date
- To identify, diagnose and resolve problems
- To make product improvements
This data does not contain any user names or e-mail addresses, nor does it contain the contents of user files or information about applications that are not related to Office. However, it does contain identifiers. A pseudonymous PrimaryIdentityHash is collected from users, but this is removed before it is transmitted to Microsoft. In general, diagnostic data is anonymised and pseudonymised before being transmitted to Microsoft.
Diagnostic data is collected on the local device and transmitted to Microsoft every 5 to 30 minutes. This data can be viewed by users using the free Microsoft tool Diagnostic Data Viewer. Information about the Diagnostic Data Viewer can be found on the Microsoft web pages on Using the Diagnostic Data Viewer with Office.
Transmission of diagnostic data in Microsoft 365 at the University of Vienna
For the transmission of diagnostic data, the University of Vienna has configured the ‘neither’ policy globally in Microsoft 365 for desktop and mobile apps. The ‘neither’ option means that no diagnostic data is collected from the Office applications running on the user's device and sent to Microsoft. This setting cannot be changed by users.
Further information can be found on the Microsoft website Using policy settings to manage privacy controls for Microsoft 365 Apps for Enterprise – section Policy settings for diagnostic data.
A complete list of all diagnostic data used in Microsoft 365 can be found at the following link: https://learn.microsoft.com/en-us/microsoft-365-apps/privacy/required-diagnostic-data
Required service data
In addition to diagnostic data, so-called required service data is also collected and sent to Microsoft. There are a number of services that are essential to the functioning of Office applications and therefore cannot be disabled. One example is the licensing service, which confirms that you have a valid license to use Office. Required service data about these services is collected and sent to Microsoft, regardless of other privacy-related policy settings that have been configured. Similarly, required service data is sent to Microsoft in the context of the connected experiences that analyse your content, which can be activated by separate subscription via the SAM self-service portal.
Further information on essential services and the events and data fields used there can be found on the web page: Essential Services for Office
Further information on essential services in the context of connected experiences can be found on the web page: Required service data for Microsoft 365 products
The University of Vienna has deactivated the transmission of diagnostic data for desktop and mobile applications, but the necessary service data is sent from the user's device to Microsoft.
On centrally managed PCs (managed devices), the privacy settings for the Windows 10 and 11 operating systems and Microsoft Office are configured and managed by the ZID via Group Policy in such a way that the privacy of our users is protected as much as possible.
For self-managed PCs (unmanaged devices), it is the responsibility of the users to configure the Windows and Office privacy settings.
Storing data in OneDrive and SharePoint
Microsoft stores the data used by users in Microsoft 365 redundantly in four data centres within the European Union (located in Ireland, the Netherlands, Finland and Austria). This includes content from Office applications stored in OneDrive or SharePoint online.
Microsoft encrypts both the transport of data and the data at rest. The comprehensive implementation of encryption mechanisms – as well as Microsoft's data storage concept – prevents third parties from accessing the processed personal data, both during storage and during transmission.
OneDrive corresponds to a personal home directory that has been set up on a share, in this case SharePoint online.
OneDrive is provided at the University of Vienna with a quota of 50 GB for employees and 5 GB for students and can be integrated via the file manager or accessed via a web browser.
Microsoft does not proactively scan data stored in OneDrive, either preventively or on the basis of suspicion.
Microsoft 365 apps can also access OneDrive or SharePoint online directly. For example, private chats and files in Teams are stored in your personal OneDrive. Microsoft Stream SharePoint is used for image and video recording (meetings). Chats and files created in a team in Teams are stored in SharePoint online to enable shared access.
Note
Although data cannot be intercepted, read or modified by third parties due to encrypted transmission, it is possible for attackers to gain access to your cloud storage if they gain access to your Microsoft account. In some application scenarios, for example when handling sensitive information or data, you should therefore consider whether it should be stored in OneDrive in encrypted form.
IT security tips for using cloud storage can be found on the ZID web page, particularly regarding data encryption.
Declarations of consent
When ordering Microsoft 365, the following documents must be agreed to:
- Microsoft 365 Terms of Use
- Microsoft Privacy Policy
- Terms of Use in connection with artificial intelligence at the University of Vienna
- General privacy policy of the University of Vienna
- Terms of Use for the ZID software portfolio
Supplement to the Terms of Use: Other Microsoft services and third-party services within the scope of optional connected experiences
Depending on which service you use, additional terms and conditions may apply:
Overview of optional connected experiences in Office
These Bing-based experiences are provided to you under the terms of the Microsoft Service Agreement and the Microsoft Privacy Statement. All search queries you make to Microsoft 365 Apps for Enterprise while using these services are sent to Microsoft Bing. They are not associated with you by the Bing organisation.
Inserting online videos
Additional Terms of Use may apply when you access third-party content. For example, when you connect to YouTube, YouTube's Terms of Use and Google's privacy policy apply.
Required service data for Microsoft 365 products
When you use optional cloud-assisted services, Microsoft may collect required service data, such as usage, error and performance data.