Privacy statement for guest users on EEAs Microsoft365 Services
Introduction
Any personal data you submit to the European Environment Agency (EEA) in the context of the Microsoft 365 suite of applications will be processed in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the European Union institutions, bodies, offices and agencies and on the free movement of such data.
To use EEA’s Microsoft 365 Services, you first need a Microsoft account, for which their privacy statement applies.
For the collection and processing of personal data stored in EEA’s Microsoft 365 applications, the EEA is acting as data controller and Microsoft is acting and data processor.
What is the nature and the purpose(s) of the processing operation?
We offer the services of Microsoft 365 applications for our partners to improve collaboration between external stakeholders such as the European Environment Information and Observation network (Eionet) and EEA.
The core capabilities in Microsoft 365 applications include business messaging, calling, video meetings and document management.
The personal data is collected and stored in Microsoft’s Cloud servers with the purpose of providing the abovementioned services. Personal data is stored in the EU according to the application configuration implemented by EEA and ensured by the contractual terms between the European Commission and Microsoft.
What personal data do we collect and for what purpose
We collect personal information when we create an account in our Microsoft 365 Azure Active Directory. This is needed in order to grant the user access to various services on our Microsoft 365 applications that require authentication.
Accounts are created for EEA's own staff, the staff of organisations that EEA cooperates with, including the member organisations of the European Environment Information and Observation Network (Eionet), European Union institutions, and consultants working for EEA.
Self-registration is not possible. Registration is only by invitation through EEA staff, including EEA Helpdesk, or by invitation through the National Focal Points (NFPs), who administer the list of members of Eionet in their countries.
The personal data saved and processed in our O365 tenant is:
- First name
- Last name
- Phone number (only in cases where the user decides to use SMS as multifactor authentication method)
The processing of your personal data is necessary for the performance of the tasks carried out by the EEA as mandated by Regulation (EC) No 401/2009 of 23 April 2009 on the EEA and Eionet.
Specific conditions for Eionet users
For the networking character of the Eionet, we collect some additional information from Eionet users to support networking between Eionet members. This includes
* Telephone number (optional)
* The organisation represented
* The country represented in Eionet
* Membership(s) in Eionet groups
* Whether or not the person is a National Focal Point (NFP)
Who can see your personal data
Your personal data is only accessible to users of EEAs Microsoft 365 applications. The following personal data is available for other authenticated users, which includes EEA staff and staff from EEA’s partners, including Eionet members:
- Full name
- Email address
Only staff in EEA Helpdesk can see additional transactional data connected to the account such as log-in information, which is only used for technical support.
Personal data is not shared with third parties for direct marketing purposes.
There are no third country transfers. The data is stored within the European Union.
Specific conditions for Eionet users
For the networking character of the Eionet, we store some additional information from Eionet users which is available to EEA staff and all other Eionet members. Other Eionet members and EEA will be able to see the following information:
* Telephone number (optional)
* The organisation represented
* The country represented in Eionet
* The memberships in Eionet groups
* Whether the person is a National Focal Point (NFP)
* Posts or written statements made by a specific individual in the Team environment
How can you access or rectify your information and delete your account
The EEA only processes the information from your already existing Microsoft account. If you want to update your information, you will need to do this directly through your organisation if you are using a work account, or by updating your personal Microsoft account under https://myaccount.microsoft.com/
You are also able to delete all account information stored at EEAs tenant if you wish to do so, by leaving the organisation EEA. This will trigger an initial removal of the information stored by EEA, and your user account will be completely deleted from EEA after 30 days. Please see here for more information about how to leave an organisation: https://docs.microsoft.com/en-us/azure/active-directory/external-identities/leave-the-organization
If you need further assistance with the rectification or removal of your data, you should address your request in writing by email to EEA helpdesk. You would need to use the same email address that is used in the account in order to prove your identity. You may be asked to provide more information to prove your identity before your account can be deleted.
If you wish at any time to withdraw your consent to the process, you should address your request in writing by email to dpo@eea.europa.eu. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.
Specific conditions for Eionet Users
Eionet users can update personal information related to their Eionet membership directly from the Eionet dashboard app, which is be available in EEA’s Microsoft Teams.
Site usage statistics and personalised experience settings
EEA does not store your personal data in cookies in any of its M365 based applications. We may store your own page settings in non-personalized ways (e.g. your language settings).
This information is used to gather aggregated and anonymous statistics with a view to improving our services and to enhance your user experience. The analytical reports generated by Microsoft 365 applications are only available to relevant EEA staff, other relevant EU institutions’ staff or by duly authorised external sub-contractors, who may be required to analyse, develop and/or regularly maintain certain sites.
How long do we store your personal data
When you are no longer involved in collaboration activities with EEA, your guest account in EEA’s Microsoft 365 applications is deleted. Accounts are also systematically removed when a user has not logged in to EEA’s Microsoft 365 applications nor accessed any of those services for more than 1 year.
If you do not accept an invitation sent by EEA to access services on EEA’s Microsoft 365 applications, all data related to the invitation are systematically removed after 3 months to ensure that EEA does not store the information of users who do not wish to take part in EEA’s collaboration activities.
Once your account is removed, you can no longer access the services that require login with an Microsoft 365 account at EEA, but some of your personal data (Name, Email) linked to your previous activities (e.g. conversations, or contributions in documents) may still be visible for the purpose of keeping track of past activities.
Specific conditions for Eionet Users
The systematic removal of accounts does not apply for users managed by the National Focal Points (NFPs), who maintain an active status as long as the National Focal Point of their country keeps them as members of an Eionet group.
However, users who are members of an Eionet group and who have been invited but have not accepted the invitation to log in to EEA’s Microsoft 365 applications will also be removed 3 months later.
Processing of transactional data
We also process such as IP-address, browser version and other device information for ensuring the security and functioning of our applications.
This data is also processed by [g]personnel at EEA, at Microsoft and at CERT-EU (https://cert.europa.eu/) which provides security services for EEA. These data is also available to EEA’s Internet Service Provider (tdc.dk), and EEA’s cloud service provider Microsoft, and their privacy statement applies.
Transactional data in Microsoft 365 applications is stored for a maximum of 90 days for security audit purposes, unless there is an individual reason to keep information for a longer period of time (e.g. when individual IP addresses are blocked if part of a Denial of Service attack).
How do we secure your personal data
Access to your personal data is subject to strict security controls like encryption and access control. We do not share your personal data with third parties without your prior consent. Accounts for EEA’s Microsoft 365 applications are required to have multifactor authentication enabled, providing an extra layer of security.
Microsoft 365 has been configured to preserve the confidentiality of the information exchanged by implementing encryption during all communications and encryption in storage, and anonymous access is not authorized. Any information you add to a group in Microsoft Teams, be it via chat, video conference or file sharing, will be available only to the specific users and groups indicated in “Who can see your personal data?”.
Microsoft data centres are certified in several security standards, most notably ISO 27001, SOC 1 and SOC 2, NIST Cybersecurity Framework (CSF), ISO 27017 and ISO 27018 Code of Practice for Protecting Personal Data in the Cloud.
Microsoft has implemented several safeguards to ensure the availability of the information. As a minimum, data is replicated between two data centres within the same region, has redundancy controls and implements backups that are encrypted before being transmitted and stored.
The functioning of the servers and databases containing the personal data is compliant with the EEA's Information Security Policy and the provisions established by the EEA's Information Security Officer.
How to contact us and right to appeal
You may contact the EEA’s Data Protection Officer (DPO) in case of any difficulties relating to the processing of your data at the following email address: dpo@eea.europa.eu.
You are entitled to have recourse at any time to the European Data Protection Supervisor (https://edps.europa.eu, edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data by the EEA.
Related specific privacy statements
As a prerequisite to using EEAs Office365 services, you need a Microsoft account, and you will have to agree to Microsoft's privacy statement before using any of the Microsoft Services. https://privacy.microsoft.com/en-gb/privacystatement