Privacy Policy for ‘Microsoft Teams’

Last update: October 2023

We, Lomapharm GmbH, are committed to protecting not only your health but also your data and, therefore, your privacy. This privacy policy will explain

  • which personal data we collect, store, block, erase, or otherwise process (hereinafter referred to collectively as ‘processing’) as part of our telephone and video conferences and other online meetings that use the (video) conferencing solution ‘Microsoft Teams’,
  • the purposes we use them for,
  • how you can object to their use or withdraw your consent, as well as
  • what rights you have as a data subject: how, for example, you can withdraw a consent you have granted and how you can assert other rights to information, rectification, complaints, and erasure of your data.

1. Who is responsible for the data processing and who can I contact?

The data controller, as set out in the GDPR, is

Lomapharm GmbH
Langes Feld 5
31860 Emmerthal, Germany
Phone: +49 (0) 5155 2791-0
Fax: +49 (0) 5155 2791-219
Email: service@lomapharm.de

You can contact our company data protection officer by email at datenschutz@lomapharm.de or by post under the above address with the note ‘the data protection officer’.

2. Scope of applicability

This privacy policy applies to the use of the (video) conferencing solution ‘Microsoft Teams’ in its desktop, mobile, and browser versions. We use ‘Microsoft Teams’ to carry out our usual office communication, internal and external telephone and video conferences, job interviews, webinars, and/or other online meetings (the ‘Online Meetings’). ‘Microsoft Teams’ is a service of the Microsoft Corporation, whose registered office is in Ireland.

Note: Whenever you access the website of ‘Microsoft Teams’, the provider of ‘Microsoft Teams’ is the controller for the data processing. However, to use ‘Microsoft Teams’, you need to access the website only to download the necessary software. If you cannot or do not wish to use the ‘Microsoft Teams’ app, you can also use ‘Microsoft Teams’ in your browser. In that case, the service is also provided via the website of ‘Microsoft Teams’.

We reserve the right to amend this privacy policy at any time, with effect for the future. The current version is always available on our website. Please visit our website on a regular basis to learn about the applicable data privacy regulations.

3. What sources and data does Lomapharm GmbH use?

We process personal data that we receive for the purposes of our online meetings for which we use ‘Microsoft Teams’. The scope of the data also depends on what information you provide before or while participating in an online meeting.

The personal data we process particularly include:

  • User details (such as display name or user name; profile picture (optional); preferred language; and email address, if applicable)
  • Log files, log data
  • Text data, audio data, and video data: You may use the chat function at any time during an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting. To allow video to be shown and audio to be played, data from your end device’s microphone and video camera (if there is one) are processed during the online meeting. You can switch off or mute the camera or microphone at any time via the ‘Microsoft Teams’ applications.
  • Metadata (such as the IP address, date of participation, meeting ID, place, telephone number, and information on the device and hardware)
  • When dialling in by phone: connection data (such as information on the incoming and outgoing telephone number, country name, and start and end times). Additional connection data such as the device’s IP address can be stored if necessary.
  • Due to the legal opinion of the data protection authority responsible for us, we generally refrain from recording online meetings (see item 5). If such a recording is made in an individual case at your express request and with your express consent, data will be processed in the form of video, audio, and presentation recordings.

To participate in an online meeting or enter the meeting room, you must at least provide a username for the online meeting in question. Of course, you may also specify ‘guest’ or ‘anonymous’.

4. Purposes of the processing and legal basis

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) based on the following legal bases:

4.1 To fulfil contractual obligations (Art. 6(1)(b) GDPR)

Data are processed to perform the contracts entered into (such as employee contracts and customer contracts), implement pre-contractual measures taken at the request of third parties (such as applicants, or to establish a business contact), and carry out all the tasks necessary in running and/or managing a pharmaceutical company (such as marketing conversations and training sessions).

4.2 As part of the balancing of interests (Art. 6(1)(f) GDPR)

Where necessary, we process personal data in a way that goes beyond the fulfilment of the contract itself in order to protect our legitimate interests. Our legitimate interest in the data processing lies in implementing modern communication options via online meetings, providing information to participants, and cooperating with those participants effectively and efficiently (conversations on specialised topics and performing business activities, for example). In the interest of our employees, business partners, and additional third parties, we have implemented and executed ‘Microsoft Teams’ in a privacy-friendly way, and we dispense with collecting and storing unnecessary data.

4.3 On the basis of your consent (Art. 6(1)(a) GDPR)

To the extent that you have given consent to the processing of personal data for specific purposes (such as recording an online meeting), this processing of the data shall be lawful on the basis of your consent.

Consent that has been given can be withdrawn at any time. This also applies to the withdrawal of declarations of consent that were given before the GDPR came into effect. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

You can withdraw consent free of charge and informally using the contact details stated in item 1. If consent is withdrawn by phone, we ask that, if necessary, you provide additional proof of your identity using another means.

5. Is a recording being made during an online meeting?

Through the video conference function of ‘Microsoft Teams’, we can allow you to participate in our online meetings via video and/or audio. As a general principle, the event will not be recorded.

In exceptional cases, a recording can be made exclusively based on your previously granted voluntary consent. For such exceptional cases, detailed information on the planned processing of the data (including the storage period and group of recipients) will be provided in advance.

6. To what extent is there automated decision-making in individual cases?

We generally do not use any fully automated decision-making, as referred to in Article 22 GDPR, to hold online meetings via ‘Microsoft Teams’. If we implement this procedure in individual cases, you will be informed of this separately, insofar as this is legally required.

7. Who will receive my data?

Online meetings – as well as face-to-face meetings – are used to share information with third parties. This means that, when online meetings are used, personal data are transmitted primarily to the other participants.
Moreover, within Lomapharm GmbH, the bodies and departments that receive your data are those which require them to fulfil their obligations, such as the IT Department if there are any malfunctions.

The service providers we use, which are carefully chosen and monitored by us, can also receive data for these purposes but are, in this regard, bound by the requirements of data protection law that also apply to us, as part of ‘contracted processing’. These may include companies in the IT services or telecommunications sectors.

The aforementioned data must be disclosed to ‘Microsoft Teams’ if this is provided for in our contract on commissioned data processing with Microsoft. Disclosure to additional recipients outside Lomapharm GmbH shall only take place if there is a legal basis for this (e.g. a legal obligation, consent, legitimate interest, etc.).

8. Are data transferred to companies in third countries or an international organisation?

‘Microsoft Teams’ is part of Microsoft Office 365 and a service offered by a European subsidiary of the Microsoft Corporation with registered office in the USA. The data processing performed with Office 365 is based on the Microsoft EU Data Boundary on servers in data centres in the European Union, in Ireland, and the Netherlands.

However, we cannot completely rule out the possibility that the Microsoft Corporation or US security authorities might have access to the circumstances and content of the communication via Microsoft Teams. In addition, the Microsoft Corporation might have access to the data as part of remote maintenance. In such cases, the access will be requested and documented as part of the support process. We will examine on a case-by-case basis every access requested as part of remote maintenance. If we approve such access, it can also be made from outside the European Union by Microsoft’s affiliated companies. If data are processed exclusively outside the EU, however, we take appropriate and reasonable measures to ensure an adequate level of data protection (by entering into EU Standard Contractual Clauses, for example).

Microsoft reserves the right to process usage data for its own legitimate business purposes. We have no influence on this data processing by Microsoft. Insofar as ‘Microsoft Teams’ processes personal data in connection with the legitimate business purposes, Microsoft is independently responsible for those data processing activities and as such is responsible for compliance with all applicable data protection regulations. If you need information about the processing by Microsoft, please consult Microsoft’s privacy policy or contact Microsoft directly. You can find information in that regard here: https://privacy.microsoft.com/en-GB/privacystatement or
https://learn.microsoft.com/en-GB/microsoftteams/teams-privacy.

9. How long will my data be stored?

We process your personal data only as long as it is necessary to fulfil the purposes of the processing described above. If the data are no longer necessary for the fulfilment of the processing purposes described above, they will be erased, unless their processing (for a limited time) is necessary for the following purposes:

  • Fulfilling retention obligations under commercial and tax law: These include the German Commercial Code (Handelsgesetzbuch – HGB) and the German Anti-Money Laundering Act (Geldwäschegesetz – GwG). The periods for retention and documentation stated there last up to 10 years.
  • Preservation of evidence in the context of legal limitation periods. According to Section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may last up to 30 years, whereas the standard limitation period lasts for three years.

The following data will be stored for an explicitly defined period:

  • Login data and IP addresses will be erased after 30 days at the latest.
  • When ‘Microsoft Teams’ is used, the chat content during an online meeting will be recorded and will remain in the chat histories of all meeting participants.
  • Recordings of online meetings will be deleted automatically after 60 days.

10. What rights do I have as a data subject?

As the data subject, you have the right of access under Article 15 GDPR. If a query is not in writing, we ask that, if necessary, you provide additional proof of your identity using another means. Moreover, you have the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, as well as the right to data portability under Article 20 GDPR. The right of access and the right to erasure are subject to the limits according to Sections 34 and 35 of the German Federal Data Protection Act. In addition, there exists a right to lodge a complaint with a competent data supervisory authority (Article 77 GDPR in conjunction with Section 19 of the German Federal Data Protection Act).

Furthermore, you have the right to object under Article 21 GDPR and you can object to processing of personal data on the basis of Article 6(1)(e) or (f) GDPR at any time without giving reasons.

Gender-neutral phrasing: We use the generic masculine in our texts for better readability. However, this refers to people of all genders.