Privacy Policy of ]init[ AG and its Subsidiaries for Microsoft 365 Applications

Microsoft 365 is a productivity, collaboration, and communication platform for individual users, teams, communities, and networks that can be used across organizational units. 

Microsoft 365 is a productivity, collaboration and exchange platform for individual users, teams, communities and networks that can be used across organizational units.

]init[ AG für digitale Kommunikation and its subsidiaries (hereinafter referred to as "we" or "us") use the Microsoft 365 applications Teams, Stream, Forms, Lists and Teams-Teams (hereinafter referred to as M365) as described below.

This Privacy Notice applies if we have invited you to one of these applications and you use one of these applications together with us. This information also applies to all employees of ]init[ AG für digitale Kommunikation and its subsidiaries as well as to freelancers commissioned by us. 

Person responsible

When an M365 application is used by ]init[ AG for digital communication, the responsible party is

]init[ AG für digitale Kommunikation
Köpenicker Str. 9
10997 Berlin

Tel: +49 30 97006 200
Fax: +49 30 97006 135

E-Mail: init@init.de
Web: www.init.de

When an ]init[ subsidiary uses an M365 application, that subsidiary is the data controller under data protection law.

Purpose of data processing

Microsoft Teams

We use the Microsoft Teams tool to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter: "online meetings").

Microsoft Forms

We use Microsoft Forms to conduct surveys, polls and quizzes (hereinafter: "surveys").

Microsoft Stream

Microsoft Stream is used by us for training, education, learning, screencasts, recording of recurring processes and videos in the area of onboarding (hereinafter "knowledge transfer").

Microsoft Lists

Microsoft Lists allows all ]init[ employees to create individual lists to organize themselves and their own tasks and share them with colleagues (hereinafter "organization").

Microsoft Teams-Teams

Microsoft Teams can be used by all employees and freelancers, in particular for exchanging information (chats), storing information (documents, images, graphics), editing files together, planning tasks and for joint meetings (hereinafter "information exchange").

Type of processing

The following information is processed as soon as you use any of the M365 applications listed here:

Log files, protocol data and metadata (e.g. IP address, time of participation, device/hardware information).

We have listed below which other personal data is processed in the individual applications:

Microsoft Teams

We process the following data as part of our online meetings via Microsoft Teams:

  • Communication data (e.g. your e-mail address, telephone number) 
  • Personal master data (e.g. first name, surname, profile picture)
  • Content of the online meeting (image and sound and, if you are appearing in person, your verbal and/or written contributions, chat function). 
  • Authentication data 

To enable the display of video and playback of audio, the data from the microphone of your end device and any video camera on the end device will be processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the "Microsoft Teams" applications.

Microsoft Forms

We process the following data as part of our surveys via Microsoft Forms:

  • Communication data (e.g. your e-mail address, telephone number)
  • Your answers to questions

Depending on the settings, responses can be collected anonymously or in a way that identifies the respondent.

Microsoft Stream

We process the following data as part of our knowledge transfer via Microsoft Stream:

  • Communication data (e.g. your e-mail address, telephone number)
  • Video content (image and sound and, if you appear in person, your comments and "Like" information). If the camera has been deactivated, only your audio track will be recorded.

Microsoft Lists

As part of our employee management system, we process the following data when using Microsoft Lists:

  • Communication data such as business e-mail address, telephone number
  • Personal master data such as first name, surname, profile picture
  • Content data that is entered in the list

Microsoft Teams-Teams

When using Teams teams, we process the following data:

  • Communication data such as business e-mail address, telephone number
  • Personal master data such as first name, surname, profile picture
  • Content of the information exchange, image and sound and if you appear in person your contributions in word and / or writing, chat function

Scope of processing

Microsoft Teams

We use Microsoft Teams to conduct online meetings. If we want to record online meetings, we will inform you transparently in advance and - if necessary - ask for your consent.

If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will not usually be the case.

Where appropriate, the Town Hall feature in Microsoft Teams is used. The Town Hall feature in Microsoft Teams allows only the presenter to activate their microphone and camera. Participants cannot use their microphones or cameras. Communication can take place via Q&A and, if enabled, through the chat.

Microsoft Forms

We use Microsoft Forms to conduct surveys. The information you enter in the survey forms is stored under password protection to ensure that third parties cannot access it and that only we can evaluate the survey responses for the purpose stated in the form.

Microsoft Stream

We use Microsoft Stream for knowledge transfer. Corresponding recordings of e.g. training courses can be stored in Microsoft Stream for internal use.

Microsoft Lists

We use Microsoft Lists for the self-organization of employees. In particular, they can create task lists for structured work at their own request and also share these with colleagues.

Microsoft Teams-Teams

We use Microsoft Teams to facilitate the exchange of information among employees and with project stakeholders, with the aim of streamlining collaborative project work - in particular, to enable joint editing of documents and files and to facilitate communication among team members.

Automated decision-making within the meaning of Art. 22 GDPR does not take place.

Legal basis for data processing

Participants in web conferences, meetings, etc.: With regard to personal data of employees of ]init[ AG and its subsidiaries, data processing is based on Section 26(1), sentence 1 of the German Federal Data Protection Act (BDSG) (data processing in the context of an employment relationship) in conjunction with Article 6(1)(b) of the GDPR or Article 6(1)(f) of the GDPR.

If an M365 application is used for the initiation of a contract or for the fulfillment of our contractual obligations, data processing is based on Article 6(1)(b) of the GDPR. 

If there is no contractual relationship, the data processing is based on Art. 6 para. 1 lit. f) GDPR. In this case, we are interested in the effective implementation of "online meetings", "surveys" and "knowledge transfer".

Deletion of data

We generally delete or anonymize personal data when there is no longer a need for further storage or identification. Such a need may arise, in particular, for documentation purposes, or when the data is still required to fulfill contractual obligations or to assess, grant, or defend against warranty or guarantee claims. In the case of statutory retention obligations, deletion is only considered after the respective retention obligation has expired.

Recipients / forwarding of data

Personal data that is processed in connection with participation in an M365 application will not be passed on to third parties unless it is intended to be passed on.

The applications Microsoft Teams, Forms and Stream are part of Microsoft Office 365. Microsoft Office 365 is software from Microsoft Corporation, One Microsoft Way Redmond, WA 98052-6399 USA. You can find Microsoft's own version on data protection when using M365 applications here: Microsoft Privacy Statement – Microsoft Privacy.

Data processing outside the European Union

The provider of the aforementioned Microsoft services is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; the parent company is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Data is generally not processed outside the European Union (EU), as we have limited our data storage to data centers located within the European Union. However, we cannot rule out the possibility that data may be routed through Internet servers located outside the EU. This may be the case, in particular, if users of an M365 application are located in a third country. This does not apply to employees of ]init[ AG, as working outside the EU is prohibited at ]init[ AG.

An adequacy decision by the EU Commission, the Trans-Atlantic Data Privacy Framework (TADPF), is in place for the USA. Microsoft Corporation has certified itself in accordance with the TADPF and has therefore undertaken to comply with European data protection principles. In addition, we have concluded an order processing agreement with Microsoft as the provider of the M365 applications in accordance with Art. 28 GDPR, including the standard contractual clauses of the European Commission, and have agreed additional measures, even if data flows from Europe to the USA are not contractually provided for.

With regard to the use of Microsoft Teams for communication, Microsoft itself acts as the telecommunications provider. Accordingly, Microsoft has already added the following paragraph (the second-to-last paragraph on page 11) to its DPA dated January 1, 2023, regarding telecommunications data:

"Telecommunications Data | To the extent Microsoft processes Traffic Data, Content Data and other Personal Data in the provision of products and services that are considered telecommunications services under applicable law, specific legal obligations may apply. Microsoft will comply with all telecommunications-specific laws and regulations applicable to its provision of the Products and Services, including breach notification laws, data protection laws, and telecommunications secrecy laws."

We have sent Microsoft a side letter to clarify the above passage and to clarify Microsoft's responsibility.

The data is TLS-encrypted during transport over the Internet and thus protected against unauthorized access by third parties. Transmission takes place via Hypertext Transfer Protocol Secure (HTTPS). HTTPS is a communication protocol on the World Wide Web that is used to transmit data in a tap-proof manner. The synchronization of diagnostic and telemetry data has been deactivated.

Your rights as a data subject

  • Right to information (Art. 15 GDPR)
    You have the right to request confirmation as to whether personal data concerning you is being processed. If this is the case, you have a right to information about this personal data and to the information listed in detail in Art. 15 GDPR.
  • Right to rectification (Art. 16 GDPR)
    You have the right to demand the immediate correction of incorrect personal data concerning you and, if necessary, the completion of incomplete data.
  • Right to erasure (Art. 17 GDPR)
    You have the right to demand that personal data concerning you be deleted immediately if one of the reasons listed in Art. 17 GDPR applies.
  • Right to restriction of processing (Art. 18 GDPR)
    You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have lodged an objection to the processing, for the duration of the examination by the controller.
  • Right to data portability (Art. 20 GDPR)
    In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transmission of this data to a third party.
  • Right of withdrawal (Art. 7 GDPR)
    If the processing of data is based on your consent, you are entitled to withdraw your consent to the processing of your personal data at any time in accordance with Art. 7 (3) GDPR. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)

If data processing is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this privacy policy. If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims (objection pursuant to Art. 21 (1) GDPR).

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object, your personal data will subsequently no longer be used for the purpose of direct marketing (objection pursuant to Art. 21 (2) GDPR).

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of data concerning you violates data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.

Assertion of your rights

Unless otherwise described above, please contact the data protection officer in writing (by post or e-mail) to assert your rights as a data subject.

Copyright and confidentiality

Contents are protected by copyright and may not be reproduced or passed on to third parties - not even in part - without the prior written consent of ]init[. Recording or screenshots of online meetings, surveys, knowledge transfer, organization and the exchange of information, e.g. on audio or video tapes, is not permitted unless permitted above.

Please ensure that you do not share, discuss or communicate any confidential or sensitive information in the M365 applications described above. This applies equally to personal data that is not required for the fulfillment of tasks or purposes.

Data Protection Officer of ]init[ AG

]init[ AG für digitale Kommunikation
z. Hd. Datenschutzbeauftragter
Köpenicker Str. 9
10997 Berlin
datenschutz@init.de

As of March 2026