1. Information on the Processing of Personal Data
With this data protection declaration, we (arboo GmbH, hereinafter referred to as “arboo”) inform you about the processing of your personal data in the context of the use of our software using Microsoft Outlook.
2. Data Controller
The person responsible pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is:
3. What Personal Data we Process
In the course of providing our software using Microsoft Outlook, we process the following personal data:
- Display Name (usually first and last name), email address, profile picture (if set), booking time slots.
Purpose: Provision of software features, user administration, functions in the software such as display of users who have booked a certain resource, quality assurance, user support.
4. Microsoft 365, Microsoft Outlook
We use Microsoft Outlook in connection with our software. In Microsoft Outlook, we use arbooMEET Add-In.
We carry out the data processing on the basis of a legitimate interest pursuant to Art. 6 (1) f) GDPR. Our legitimate interest for the data processing is:
Reserving bookable resources for users and displaying these users on floor plans in the software.
Microsoft Outlook is part of Microsoft 365. Microsoft Outlook is a productivity, collaboration and exchange platform for individual users, teams, communities and networks. This includes, among other things function like reading and writing emails and planning meetings.
Microsoft 365 is software from the company:
Microsoft Ireland Operations Limited
South County Business Park Leopardstown
Microsoft Outlook is part of the Microsoft 365 cloud application, for which a user account must be created.
Data processing with Microsoft 365 takes place on servers in data centers in the European Union in Ireland and the Netherlands. For this purpose, we have concluded a commissioned processing agreement with Microsoft in accordance with Art. 28 DS-GVO. Accordingly, we have agreed extensive technical and organisational measures with Microsoft for Microsoft 365 that comply with the current state of the art in IT security, e.g. with regard to access authorisation and end-to-end encryption concepts for data lines, databases and servers.
Furthermore, we have implemented the “Customer Log Box” functionality in Microsoft 365. This means that Microsoft has no access whatsoever to our data in Microsoft 365.
Microsoft may request access for the purpose of remote maintenance. This access will then be reviewed by us on a case-by-case basis and granted if approved. In this case, such access may also be granted by Microsoft affiliates from outside the European Union. We have concluded EU standard contracts (standard data protection clauses) with Microsoft exclusively for this case of access from outside the European Union in individual cases approved by us. In order to guarantee an appropriate level of data protection when transferring personal data to a third country such as the USA in this specific case, we have implemented supplementary measures in the form of state-of-the-art technical and organisational measures such as access authorisation and encryption concepts for data lines, databases and servers, as described above.
Microsoft reserves the right to process customer data for its own legitimate business purposes. We have no control over these data processing activities by Microsoft. To the extent that Microsoft Outlook processes personal data in connection with its legitimate business purposes, Microsoft is the independent data controller for those data processing activities and as such is responsible for compliance with all applicable data protection laws. If you require information about Microsoft’s processing, please refer to the relevant Microsoft statement.
5. Disclosure to Third-Parties
As described above, we use Microsoft as a processor within the meaning of Article 28 of the GDPR.
6. Data Storage
Login data and IP addresses are deleted after 180 days at the latest.
7. Your Rights
You can ask for information about which personal data we store. If you have provided personal data on the basis of a contract or consent, you are entitled to receive this data in a common and machine-readable format.
You can also request the erasure, rectification or restriction of the processing of your data. If your personal data is transferred to a country outside the EU that does not provide adequate protection, you may request a copy of the contract that provides for adequate protection of personal data. If you have given your consent for the use of your personal data, you can withdraw your consent at any time with effect for the future.
If we use your personal data on the basis of a balance of interests, you can object to the use of your data. In this case, we will no longer use your data unless our interests prevail.
8. Contact Person