Data Protection Statement in the context of Microsoft 365 services, including MS Teams
1. Description of the processing operation
This privacy statement provides information regarding the processing of personal data carried out by the European Investment Bank (the EIB or we / our - responsible controller inside the EIB-) in the course of Microsoft 365 services, including MS Teams.
It describes how the EIB, in the course of those activities, processes personal data relating to individuals (you) who are using the EIB instance of Microsoft 365 services and MS Teams as guest user.
2. Legal basis and the controller
Personal data are processed by the EIB (“EIB” or “responsible Controller inside the EIB”) in accordance with Regulation (EC) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
In accordance with Article 309 of the Treaty on the Functioning of the European Union, the task of the European Investment Bank shall be to contribute, by having recourse to the capital market and utilising its own resources, to the balanced and steady development of the internal market in the interest of the Union.
All of this processing is necessary so that the EIB can carry out its tasks in the public interest in the course of Microsoft 365 services, including MS Teams by non-EIB users (identified as “guest accounts”). In some cases, processing is also necessary so that the EIB can comply with its legal obligations. Consent is in general not the legal basis justifying our processing of your personal data. If we do propose to rely on your consent, we will make this clear at the time.
3. Why we process your personal data
The EIB processes your personal data as reasonably necessary so that it can conduct and manage Microsoft 365 services, including MS Teams, in a reasonable and proper matter, in accordance with applicable law and regulation. Specifically, we process your personal data for the following purposes:
Enable sharing and collaboration activities
Prevent unauthorised access
Enable information protection
Create statistics necessary to improve the efficiency and security of the service
All chats and documents voluntarily uploaded by users through EIB MS Teams or directly in ODB/SPO (e.g. message, images, voicemail, contacts, files, etc.) including metadata such as title, author, last modified and classification.
Identity data (IP address, account name, email address, etc.)
Audit logs, such as the ones related to meetings and chats. Audit logs are triggered for all the activities of the users in Office 365.
5. Where do we obtain your personal data?
Documents and chats are stored on Microsoft 365 as part of the collaboration and sharing activities.
6. To whom is your data disclosed?
The personal data is disclosed, under the need to know basis, to the following recipients:
EIB users (e.g. staff, interim, contractors, trainees) and non-EIB users (identified as “guest accounts”) included in the MS Team channel that is used for the exchange of information.
Microsoft as a processor on behalf of EIB necessary to provide the service.
7. How long do we keep your personal data?
The data will be stored for the time needed by the application and deleted in max. 90 days after termination of the EIB subscription to Microsoft cloud services. For more specific information as to the period for which we will keep your personal data, please contact us (see the section headed "Contact us", below).
8. What are your rights and how can you exercise them?
Your rights are set out in the Regulation (EU) No 2018/1725.
You have the right to ask us to (i) provide you with a copy of your personal data; (ii) correct your personal data; (iii) erase your personal data; or (iv) restrict our processing of your personal data. You can also object to our processing of your personal data.
You can also lodge a complaint about our processing of your personal data with the European Data Protection Supervisor (firstname.lastname@example.org) at any time if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the EIB.
9. Contact us
If you have any questions about our processing of your personal data, or wish to exercise any of the rights described above, please contact the EIB's Data Protection Officer, Mr. Pelopidas Donos, by email at email@example.com or at the following address:
Mr. Pelopidas Donos European Investment Bank 98-100 Boulevard Konrad Adenauer L-2950 Luxembourg (Grand Duchy of Luxembourg)