Data protection information on the use of Microsoft 365 (M365) in the Würth Group

 

Version: January 2026

 

1. General information

The aim of data protection in the Würth Group is to handle personal data responsibly, safeguarding the personal rights of each individual. This data protection notice describes how personal data is processed within the companies of the Würth Group when using Microsoft 365 ("M365").

The controller responsible for the processing of personal data in connection with the use of Microsoft 365 is either

  • the Würth Group company you are employed by, or
  • the Würth Group company with which you have a business relationship and which uses Microsoft 365.

An overview of all companies (including addresses and contact details) can be found in the Würth Group company directory.

The contact details of the responsible data protection officers or data protection departments are easily accessible at any time in the privacy policy on the homepage of the company responsible for you. If you are unsure which contact to use, you can request the contact details of the data protection officer responsible for you at any time at dataprotection@wuerth-it.com.

This information refers to the processing of personal data when using M365 in the context of the standard processing activities carried out here. It does not take into account any downstream processing that may be carried out in the future with the help of M365. Information about other processing will be provided separately.

A detailed overview of typical processing activities - including the categories of data processed in each case, the purposes of processing, the relevant legal bases, and the storage period - can be found in Section 2 of this privacy policy.

Please note that not all processing activities described there are relevant to every data subject. The specific processing depends on your role (e.g., employee, external business partner) and the M365 features used.

We use external service providers who provide services on our behalf. Your personal data is transferred to these service providers for this purpose. Any transfer of and access to your personal data is restricted to those persons who absolutely need this data to fulfill their professional duties and to provide M365.

These are the following service providers:

We also disclose your personal data to government agencies, courts, external consultants, and similar third parties that are public institutions, to the extent required or permitted by applicable law.

Some of the recipients of your personal data are located outside the EEA (namely in the USA). Through an adequacy decision pursuant to Art. 45 GDPR and (to the extent that this does not or no longer applies) the conclusion of appropriate safeguards based on the standard contractual clauses (2021/914/EU) or by other appropriate means, we have ensured that all recipients located outside the EEA provide an adequate level of protection for personal data.

Your personal data will be stored by us and/or our service providers only to the extent and for the period necessary to fulfill our obligations to you or to fulfill the obligations of the service provider to us. When the purpose for data processing no longer applies, the personal data will be deleted from the systems and/or records and/or steps will be taken to properly anonymize your personal data so that you can no longer be identified based on this data. This does not apply if we and/or our service providers are required to retain your information beyond this period:

  • to comply with legal or regulatory obligations to which we and/or our service provider are subject; and/or
  • with regard to statutory limitation periods.

Specific retention rules for each type of processing are set out in Section 2 of this Privacy Policy.

You have the following rights: (i) the right to information; (ii) the right to a copy of your personal data that is subject to processing; (iii) the right to rectification; (iv) the right to erasure ("right to be forgotten"); (v) the right to restriction of processing; (vi) the right to data portability; and (vii) the right to lodge a complaint with the competent data protection supervisory authority.

You also have the right to object: you can object to the processing of your data if the data processing is based on Art. 6 (1) (f) GDPR or for direct marketing purposes. In the event of an objection to the processing of your personal data, we will examine your objection on a case-by-case basis. If we are obliged under data protection law to delete your personal data due to your objection, we will delete your data in accordance with statutory retention obligations. The objection does not affect the lawfulness of the processing carried out prior to the objection.

If you have given your consent to the processing of personal data, you can revoke this consent at any time. Such revocation does not affect the lawfulness of the processing that took place before the revocation of consent.

Certain data is technically and organizationally necessary for the use of M365 (e.g., user IDs, business contact details). If data is provided voluntarily or consent is required (e.g., for meeting recordings), separate information will be provided in the respective process.

Automated decision-making within the meaning of Art. 22 (1) GDPR and profiling within the meaning of Art. 4 No. 4 GDPR do not take place within the scope of the use of M365.

This privacy policy may be subject to change, e.g., due to the implementation of new technologies or the introduction of new services or functions. We reserve the right to change or supplement this privacy policy at any time.

2. Processing when using Microsoft 365

If you participate in an online event via Microsoft Teams, we process your participation details and the content of the event (e.g., audio/video transmission, chat messages, and voice transcriptions) to enable the event to take place and to facilitate communication.

Categories of personal data

  • Name
  • Business contact details
  • Participation information
  • Content (audio/video, chat, recordings, transcripts).

Legal basis

Processing is based on Art. 6 (1) lit. f GDPR. Our legitimate interest is to enable efficient communication and the execution of events. Processing may also be based on Art. 6 (1) (b) GDPR or §26 (1) BDSG (Federal Data Protection Act) if this is necessary for the performance of the employment relationship. Your consent is required for processing in the context of recordings in accordance with Art. 6 (1) (a) GDPR.

Storage period

Meeting recordings are stored for 90 days by default, unless the person who sent the invitation changes the settings. Calendar data is subject to the Outlook retention policy.

We use Microsoft Teams to provide audio, video conferencing, and collaboration functionalities for internal meetings.

Categories of personal data

  • Contact details (name, email)
  • Work profile (job title, supervisor, direct reports)
  • Content data (audio, video, chat, files, recordings, transcripts).

Legal basis

Processing is based on Art. 6 (1) (f) GDPR. Our legitimate interest lies in conducting efficient and location-independent internal meetings and providing a secure, integrated platform for real-time communication and collaboration. Processing may also be based on Art. 6 (1) lit. b GDPR or §26 (1) BDSG, provided that this is necessary for the performance of the employment relationship. Your consent is required for processing in the context of recordings in accordance with Art. 6 (1) lit. a GDPR.

Storage period

Meeting recordings are deleted after 120 days by default, unless the recording user has chosen a different setting.

For text-based collaboration, we process chat messages and shared files to enable quick coordination and team communication.

Categories of personal data

  • Employee contact details (name, email address)
  • Work profile (job title, supervisor, direct reports)
  • Content data (chat, files).

Legal basis

Processing is carried out on the basis of Art. 6 (1) (f) GDPR. Our legitimate interest lies in providing a fast, location-independent, and secure means of communication for internal coordination and collaboration within a central platform. Processing may also be based on Art. 6 (1) (b) GDPR or §26 (1) BDSG (German Federal Data Protection Act) if this is necessary for the performance of the employment relationship.

Storage period

Storage is based on the Outlook retention policy set by the administrator. The retention period policies can be defined by the administrator as part of a group policy and set up by individual users. Microsoft allows users to select the following policies: 7 days, 30 days, 90 days, 1 year, 5 years, or "never."

For collaboration in Teams channels, we process chat and file content as well as information about roles and team membership. Regular channel refreshes ensure that only active content is retained.

Categories of personal data

  • Employee contact details (name, email address)
  • Work profile (job title, supervisor, direct reports)
  • Content data (chat, files).

Legal basis

Processing is carried out on the basis of Art. 6 (1) (f) GDPR. Our legitimate interest lies in providing a fast, location-independent, and secure means of communication for internal coordination and collaboration within a central platform. Processing may also be based on Art. 6 (1) lit. b GDPR or §26 (1) BDSG (Federal Data Protection Act) if this is necessary for the performance of the employment relationship.

Storage period

Channels must be renewed by the channel administrators every 180 days. If they are not renewed, the associated content will be deleted.

Users who have an email account can participate in Microsoft Teams as guests. Guest access allows individuals who do not belong to the company to access Teams, documents in channels, resources, chats, and applications while the company retains control over company data.

Categories of personal data

  • Guest contact details (display name, email address)
  • Credentials (Entra ID object ID, guest account data)
  • Content data (chat, files, recordings, transcripts).

Legal basis

Processing is carried out on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interest lies in providing a fast, location-independent, and secure means of communication for external coordination and collaboration within a central platform. Your consent is required for processing in the context of recordings in accordance with Art. 6 (1) lit. a GDPR.

Storage period

Guest contact details are deleted after three months as standard, unless they need to be stored for longer due to legal requirements or organizational necessities.

To enable voice communication via Microsoft Teams, we process the data required for telephone calls, including optional recordings and transcripts.

Categories of personal data

  • Employee contact details (name, email address)
  • Work profile (job title, supervisor, direct reports)
  • Content data (recordings, voice transcriptions).

Legal basis

Processing is carried out on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interest lies in providing an integrated, secure, and location-independent telephony solution that enables efficient communication and collaboration within a central platform. Processing may also be based on Art. 6 (1) (b) GDPR or §26 (1) BDSG (German Federal Data Protection Act) if this is necessary for the performance of the employment relationship. Your consent is required for processing in the context of recordings and transcriptions in accordance with Art. 6 (1) (a) GDPR.

Storage period

Audio signals are streamed and not stored unless recording is activated. Audio recordings are deleted after 120 days by default, unless the recording user has changed this setting.

We use Exchange/Outlook for internal and external communication by email and process email content, attachments, and system-related delivery information.

Categories of personal data

  • Content data (email text, attachments)
  • Contact data (name, email address)
  • Metadata (e.g., timestamp, delivery information).

Legal basis

Processing is carried out on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interests consist of enabling internal and external communication by email and efficient email management. Processing may also be based on Art. 6 (1) lit. b GDPR or §26 (1) BDSG (German Federal Data Protection Act) if this is necessary for the performance of the employment relationship.

Storage period

Storage is based on the Outlook retention policy specified by the user. The retention period policies can be defined by the administrator as part of a group policy and set up by individual users. Microsoft allows users to select the following policies: 7 days, 30 days, 90 days, 1 year, 5 years, or "never." Mailboxes are deleted as part of the offboarding process 30 days after the employee leaves the company, unless the user has already deleted the data in advance.

We process calendar content and participant information for the purpose of organizing appointments and meetings.

Categories of personal data

  • Content data (meeting content, file attachments)
  • Contact data (name, email address).

Legal basis

Processing is carried out on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interests consist of ensuring the efficient organization of appointments and meetings and providing an integrated calendar function. Processing may also be based on Art. 6 (1) lit. b GDPR or §26 (1) BDSG (Federal Data Protection Act) if this is necessary for the performance of the employment relationship.

Storage period

Storage is based on the Outlook retention policy set by the user. The retention period policies can be defined by the administrator as part of a group policy and set up by individual users. Microsoft allows the user to select the following policies: 7 days, 30 days, 90 days, 1 year, 5 years, or "never." The entire calendar is deleted 30 days after the employee leaves the company, unless the user has already deleted data in advance.

We process documents and associated metadata for shared file storage and permission management. This enables us to support collaborative work processes and controlled access.

Categories of personal data

  • Content data (documents, spreadsheets, presentations, etc.)
  • Contact data (name, email address).

Legal basis

Processing is based on Art. 6 (1) (f) GDPR. Our legitimate interests consist of enabling centralized and controlled file storage and improving collaboration within the company. Processing may also be based on Art. 6 (1) (b) GDPR or §26 (1) BDSG (Federal Data Protection Act), provided that this is necessary for the performance of the employment relationship.

Storage period

The retention period for each file depends on the business function of the content. SharePoint site owners must renew a SharePoint page every 180 days by default; SharePoint files are deleted if the web page is not renewed. OneDrive files are deleted by the user in accordance with the company's document retention policy. This occurs 30 days after the employee leaves the company, unless the user has already deleted the data in advance.

We process planner data for task distribution and scheduling to support collaboration in teams.

Categories of personal data

  • Contact details (name, email address)
  • Content data (form responses).

Legal basis

Processing is based on Art. 6 (1) lit. f GDPR. Our legitimate interests consist of providing an efficient solution for task allocation, planning, and project management. Processing may also be based on Art. 6 (1) lit. b GDPR or §26 (1) BDSG (Federal Data Protection Act), insofar as this is necessary for the performance of the employment relationship.

Storage period

Plans in Planner must be renewed every 180 days by one of the plan owners. If they are not renewed, the associated content will be deleted.

Copilot processes content data and credentials from the organizational environment for AI-powered assistance with everyday tasks. Processing takes place within the configured services and permissions.

Categories of personal data

  • Content data (files, conversations, metadata)
  • Credentials (Org ID (Azure Active Directory object ID / Entra ID object ID)).

Legal basis

Processing is based on Art. 6 (1) (f) GDPR. Our legitimate interests consist of providing a solution that helps to complete everyday tasks more efficiently and quickly.

Storage

Chat histories are retained for up to 30 days. Content created by users remains until it is deleted by the users.

We provide Office applications for the performance of work-related tasks. In doing so, we process content and usage data to enable the creation, editing, and sharing of documents.

Categories of personal data

  • Employee contact details (name, email address)
  • Content data (files, comments, profiles, signatures)
  • Software setup/inventory data (user-defined settings).

Legal basis

Processing is carried out on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interests consist of providing applications for text and data processing and productivity and ensuring their integration. Processing may also be based on Art. 6 (1) lit. b GDPR or §26 (1) BDSG (Federal Data Protection Act) if this is necessary for the performance of the employment relationship.

Storage period

Storage is based on the business purpose of the respective content. The software settings for OneDrive for Business are 30 days after the end of the employment relationship for the employee, unless the user has already deleted data in advance or if no retention period of more than 90 days has been set for OneDrive for Business. Documents that may not be deleted for legal reasons are retained for as long as these reasons exist.

To diagnose support cases and security incidents, M365 processes diagnostic data generated during the use of the services. This stabilizes product performance, fixes bugs, and analyzes security incidents.

Categories of personal data

  • Product and service usage data (error/crash reports and data)
  • Product and service performance data (application performance data).

Legal basis

Processing is based on Art. 6 (1) (f) GDPR. Our legitimate interest is to ensure the stability, security, and quality of IT services.

Storage period

Diagnostic data is generated in connection with other processing activities and is not stored in isolation. The specific storage period depends on the relevant activities in each case.

When the Secure Print function is activated, print jobs are temporarily stored and only released for printing after successful authentication, for example via a personal access card (badge). This ensures that confidential documents can only be collected by authorized persons.

Categories of personal data

  • Employee contact details (name, email address)
  • Content data (print files)
  • Workplace interactions (use of access card, if relevant).

Legal basis

Processing is carried out on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interests consist of ensuring a secure and efficient printing function.

Storage

Print jobs are usually deleted automatically after 10 days.

To secure data and IT systems, we process device and configuration data to detect and ward off threats and ensure the integrity of the systems.

Categories of personal data

  • Device connectivity and configuration data (e.g., IP address, device manufacturer, device model, BIOS, processor, device name, operating system platform)
  • Software setup and inventory data (e.g., software inventory, software versions)
  • Contact data (name, email address)
  • Content data (email, file attachments).

Legal basis

Processing is carried out on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interests consist of warding off threats to IT systems and ensuring the security of the systems.

Storage

Security-related data is retained for up to 12 months, insofar as this is necessary to detect and analyze threats.

During the operation of M365, system-generated logs, diagnostic data, and metadata are created, which can be used by Microsoft for billing and reporting, among other things.

Categories of personal data

  • System-generated log data
  • Diagnostic data
  • Metadata.

Legal basis

Processing is based on Art. 6(1)(f) GDPR. Our legitimate interests are derived from Microsoft's interests in processing personal data for business activities and consist of enabling Microsoft to perform its contractual services.

Storage period

For system-generated log data and diagnostic data, the description in the other processing activities applies. The business activities database is not stored separately.