Data Protection Information on the Use of M365 Applications at K+S

I. Data Protection Information on the Use of M365 Applications at K+S

With this data protection information, we would like to inform you about the processing of your personal data when using Microsoft 365 applications (hereinafter: MS365 applications) that are provided to you by K+S Aktiengesellschaft. 

Personal data within the meaning of Art. 4(1) GDPR is any information that enables the identification of a natural person. Such information includes, among other things, name, date of birth, address, telephone number, email address and/or IP address.

The M365 applications are provided by Microsoft Ireland Operations Limited, Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (hereinafter “Microsoft”). Microsoft acts as a processor for us and, when processing personal data within the scope of the M365 applications we use, is bound by our instructions (see Data Protection Addendum). In order to guarantee a minimum level of data protection, we have agreed with Microsoft that our tenant is located in the European Union and that personal data is processed there. This is additionally ensured by Microsoft’s EU Data Boundary (see here). In individual cases, however, access from third countries cannot be completely ruled out. 

Below, we provide information about the processing of your data in connection with the use of the MS365 applications provided to you by K+S AG and/or K+S Minerals and Agriculture GmbH. 

1. Controller(s) and (external) data protection officer 

When using MS365 applications, your personal data is processed. Please note that this data protection information only informs you about the processing of your personal data by the K+S Group. 

The controller is: 

K+S Aktiengesellschaft
Bertha-von-Suttner Str. 7, 34131 Kassel
Contact information: info@k-plus-s.com; +49 561 9301-0

The external data protection officer appointed for K+S AG and K+S Minerals and Agriculture GmbH is: 

Boris Reibach
Scheja & Partners GmbH & Co. KG
Adenauerallee 136
53113 Bonn
E-Mail: boris.reibach@scheja-partners.de
Tel.: +49 228 227 226-0

2. Purposes, legal bases for processing, and types of personal data

When using Microsoft 365 (MS365) applications, personal data is processed to provide and administer the services. The purposes of processing include, among other things, communication (e.g., via Outlook and Teams), real-time collaboration (e.g., via SharePoint and OneDrive), and the organization and optimization of work processes. The legal bases for this processing are generally Art. 6(1)(b) GDPR (performance of a contract, e.g., an employment contract) and Art. 6(1)(f) GDPR (our legitimate interest in efficient work organization). In individual cases, consent pursuant to Art. 6(1)(a) GDPR may also be used, for example for optional features. The personal data processed includes, among other things, contact data (e.g., name, email address), communication content (e.g., emails, chats), and usage and metadata (e.g., login times, IP addresses). 

You can find the specific purposes and legal bases for processing, as well as the types of personal data processed in the context of using the MS365 applications provided, in Chapter II of this data protection information. 

Recipients of personal data 

To provide the contractual service, the data required for provisioning the respective MS365 application is transferred to Microsoft. In particular, user identification and IP address are disclosed to Microsoft. When using MS365 applications, content data is transmitted to Microsoft. According to Microsoft, the transmission of content data is encrypted. 

Transfer to a third country 

As a general rule, data is not processed in a third country outside the European Union, because we have restricted the storage location to data centers in the European Union. 

However, it cannot be ruled out that, in individual cases, companies affiliated with Microsoft outside the European Union may gain access to the data. Such third-country transfers are legally permissible only if an adequacy decision of the EU Commission exists, the controller or processor has provided appropriate safeguards to protect the personal data, or one of the exceptions under Art. 49 GDPR applies. 

On 10 July 2023, the European Commission adopted an adequacy decision (EU-U.S. Data Privacy Framework – DPF) for transfers of personal data from the EU to companies in the United States. This means that from that point in time, data can be transferred from companies in the EU to companies in the U.S. covered by the adequacy decision without additional safeguards. This adequacy decision applies only if the relevant data recipient in the U.S. has submitted to the DPF and the associated data protection obligations by means of self-certification. In such cases, a transfer of data to that recipient is considered safe. 

Microsoft Corporation (USA) holds a certification, which can be found here. Although no further measures are required, we have additionally concluded the so-called Standard Contractual Clauses with Microsoft Corporation as part of the data processing agreement. These constitute an additional safeguard for third-country transfers. 

Microsoft as an independent controller 

In addition to the processing of your personal data by K+S AG and/or K+S Minerals and Agriculture GmbH in connection with the use of MS365 applications, Microsoft reserves the right to process your user data for its own business purposes. For such processing, Microsoft is the controller within the meaning of Art. 4(7) GDPR. We have only limited ability to influence Microsoft’s use of your usage data. We take all possible measures to minimize the forwarding of your usage data to Microsoft, but we cannot fully prevent it. Details and contact options, in particular regarding your rights vis-à-vis Microsoft, can be found at the following link:
Microsoft privacy statement 

 

Storage period 

We store your personal data only for as long as is necessary to achieve the purposes. Once the purpose of processing has been fulfilled, your data will be deleted without undue delay. Storage beyond the fulfillment of the processing purpose takes place only if we are legally obliged to retain your data. 

Your rights as a data subject 

The General Data Protection Regulation (GDPR) guarantees every data subject certain rights with regard to their personal data. These include:

Right of access  

You have the right to obtain information about the data stored by us, in particular for what purpose the processing takes place and how long the data is stored (Art. 15 GDPR). This right is restricted by the exceptions of § 34 BDSG, according to which the right of access does not apply in particular if the data is stored solely due to statutory retention requirements or for backup and data protection control, if providing the information would require disproportionate effort, and if misuse of the processing purpose is prevented by appropriate technical and organizational measures. 

Right to rectification 

You have the right to request that we rectify without undue delay any data concerning you if it is inaccurate (Art. 16 GDPR).

Right to erasure 

You have the right to request that we erase data concerning you (Art. 17 GDPR). This right applies in particular if (a) the respective processing purpose has been achieved or otherwise ceases to apply, (b) we have processed your data unlawfully, (c) you have withdrawn consent and processing cannot be continued on another legal basis, (d) you have successfully objected to processing, or (e) an obligation to erase exists under EU law or the law of an EU Member State to which we are subject.
This right is subject to the restrictions under § 35 BDSG, according to which the right to erasure may not apply in particular if, in the case of non-automated data processing, erasure would involve a disproportionately high effort and your interest in erasure is to be regarded as low. 

Right to restriction of processing

You have the right to request restriction of the processing of your data (Art. 18 GDPR). This right exists in particular if (a) the accuracy of the data is contested, (b) you request restricted processing instead of erasure under the conditions of a justified request for erasure, (c) we no longer need the data for our purposes, but you require it for the establishment, exercise or defense of legal claims, or (d) the outcome of an objection is still contested.

Right to data portability 

You have the right to receive the data concerning you that you have provided to us in a structured, commonly used and machine-readable format (Art. 20 GDPR), insofar as it has not already been deleted.

Right to object 

You have the right to object at any time, on grounds relating to your particular situation, to the processing of data concerning you (Art. 21 GDPR). We will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defense of legal claims. 

Right to lodge a complaint with a supervisory authority

You also have the right to lodge a complaint with the competent data protection supervisory authority if you believe that the processing of your personal data violates data protection regulations.

The authority responsible for you is: 
The Hessian Commissioner for Data Protection and Information Security 

II. Specific data protection information for individual MS365 applications

Microsoft Entra ID P1

Purpose of processing:

Microsoft Entra ID P1 is used to manage identities and access rights. Personal data is processed to provide and manage user accounts, for authentication and authorization, and to protect the IT infrastructure. 

Legal basis for processing:

Art. 6(1)(b) GDPR (performance of a contract) for employees’ use of the services; Art. 6(1)(f) GDPR (legitimate interest) to ensure IT security and to manage access rights; where consent is required: Art. 6(1)(a) GDPR.

Categories of personal data processed:

  • Basic data: name, email address, username, password. 
  • Usage data: sign-in times, IP addresses, access logs.
  • Organizational affiliation: department, role, permissions.

 

Microsoft Entra ID P2

Purpose of processing:

Advanced management of identities and access rights, as well as security monitoring and risk assessment.

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in IT security). 

Categories of personal data processed:

  • Basic data: name, email address, username, password.
  • Usage data: sign-in times, IP addresses, activity logs. 
  • Behavioral data: anomalies in user behavior. 

 

Microsoft Entra ID Multi-Factor Authentication

Purpose of processing: 

Securing sign-in processes through an additional authentication layer. 

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in IT security). 

Categories of personal data processed: 

  • Identification data: username, email address, telephone number.
  • Verification data: one-time passwords, authentication codes. 
  • Technical data: IP addresses, device information, sign-in times.

 

Exchange Online (Plan 2)

Purpose of processing: 

Provision of email and calendar services as well as management of emails, contacts and appointments. 

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in managing IT infrastructures). 

Categories of personal data processed: 

  • Communication data: email addresses, content, attachments.
  • Calendar data: appointments, meeting requests.
  • Usage data: sign-in times, IP addresses.

 

SharePoint Online (Plan 2)

Purpose of processing:

Provision of a collaborative platform for storing, managing and jointly editing documents and data within the company. 

Legal basis for processing:

Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in efficient collaboration and document management). 

Categories of personal data processed:

User information (e.g., name, email address, user ID), uploaded and edited documents, log data (e.g., access and editing history). 

 

ODfB (Plan 2)

Purpose of processing:

Storage and synchronization of files for individual users for location-independent use and collaboration. 

Legal basis for processing:

Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in flexible and secure data storage). 

Categories of personal data processed:

User information (e.g., name, email address, user ID), stored and synchronized files, log data (e.g., access logs, file changes).

 

Microsoft 365 Apps for Enterprise

Purpose of processing:

Provision and use of Office applications (e.g., Word, Excel, Outlook) for internal and external communication and collaboration. 

Legal basis for processing:

Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in efficient document editing and communication). 

Categories of personal data processed:

User information (e.g., name, email address, user ID), processed documents and emails, telemetry data (e.g., usage statistics).

 

Microsoft Teams

Purpose of processing:

Communication and collaboration within the company through chats, video conferences and shared file repositories. 

Legal basis for processing:

Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in effective internal and external communication). 

Categories of personal data processed:

User information (e.g., name, email address, user ID), chat history, meeting recordings, shared files, connection data. 

 

Microsoft Teams – People Recognition (Voice Recognition in meeting rooms)

Purpose of processing: 

In addition, for meetings held in meeting rooms in Microsoft Teams, the “People Recognition” function with “Voice Recognition” can be used. This function makes it possible to assign contributions from people who are together in a meeting room to a person within the transcription of a Teams meeting. This can improve traceability of meetings, especially for transcripts, meeting notes and analyses based on them. 

Legal basis for processing: 

To the extent that employees voluntarily create a personal voice profile for this function, the processing of the biometric data required for this purpose is carried out on the basis of voluntary consent pursuant to Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR. Creating a voice profile and using this function are voluntary. Microsoft Teams can also be used without creating a voice profile. Without a voice profile, there is no named attribution of spoken contributions within the scope of this function. 

Categories of personal data processed:

User information (e.g., name, email address, user ID), meeting and transcription data, mapping data for speaker recognition, and biometric data in the form of a voluntarily created voice profile. 

Storage period: 

The voluntarily created voice profile is deleted without undue delay if the data subject withdraws their consent or removes the voice profile in Microsoft Teams. If the associated Teams account is deleted, the voice profile is removed within 90 days. Voice profiles that are not used for one year are automatically deleted. 

Recordings and transcripts of Teams meetings are generally stored within Microsoft Teams for 30 days. Participants can download recordings and transcripts. From the time of download, the respective participant is responsible for defining and complying with an appropriate retention period. The organizer of an appointment can extend or shorten the retention period, provided this is appropriate for the respective processing purpose.

 

Windows 11 Enterprise (Original) 

Purpose of processing:

Provision of a secure and high-performance operating system for the use of business applications. 

Legal basis for processing:

Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in IT security and system stability). 

Categories of personal data processed:

User information (e.g., name, email address, user ID), telemetry data (e.g., error reports, diagnostic data), sign-in and usage data. 

 

Microsoft Forms (Plan E5)

Purpose of processing: 

Creation and collection of surveys, quizzes and feedback. 

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in data analysis).

Categories of personal data processed: 

  • Form data: input data from forms.
  • User data: username, email address.

 

Microsoft Planner

Purpose of processing: 

Management of tasks and projects to optimize team collaboration.

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in project organization).

Categories of personal data processed: 

  • Task data: titles, descriptions, due dates. 
  • User data: username, email address. 
  • Communication data: comments, attachments. 

 

Microsoft Stream

Purpose of processing: 

Management and provision of videos for internal communication and training. 

Legal basis for processing:

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in providing media). 

Categories of personal data processed: 

  • Video data: uploaded content, metadata. 
  • User data: username, email address. 
  • Usage data: viewing duration, interactions. 

 

Microsoft Power Apps

Purpose of processing: 

Creation of custom applications for process automation and data management. 

Legal basis for processing:

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in process optimization).

Categories of personal data processed: 

  • Application data: user input, process data. 
  • User data: username, email address. 
  • Technical data: IP addresses, device information. 

 

Power Automate (for M365)

Purpose of processing:

Automation of workflows to increase the efficiency of business processes. 

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in process automation). 

Categories of personal data processed: 

  • Process data: automated tasks and actions. 
  • User data: username, email address. 
  • Technical data: IP addresses, log data. 

 

Microsoft Power BI

Purpose of processing: 

Data analysis and visualization to support decision-making. 

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in data analysis).

Categories of personal data processed: 

  • Analytics data: uploaded data, visualizations.
  • User data: username, email address. 
  • Usage data: interactions, access history. 

 

Project Online Service

Purpose of processing: 

Cloud-based management of projects and resources to increase project transparency. 

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in project management). 

Categories of personal data processed: 

  • Project data: project plans, progress reports. 
  • User data: username, email address. 
  • Usage data: access history, change logs. 

 

To-Do

Purpose of processing: 

Management of personal and team-related tasks to increase productivity.

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in project management).

Categories of personal data processed: 

  • Task data: titles, due dates, notes. 
  • User data: username, email address. 
  • Synchronization data: device information, access times. 

 

Whiteboard

Purpose of processing: 

Enabling collaborative work through digital whiteboard solutions for teams. 

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(f) GDPR (legitimate interest in collaboration).

Categories of personal data processed:

  • Content data: sketches, notes, diagrams.
  • User data: username, email address. 
  • Usage data: sign-in times, interactions.

 

Microsoft 365 Information eDiscovery & Audit

Purpose of processing:

Enabling the search, archiving and analysis of company data for compliance and security purposes. 

Legal basis for processing:

Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest in compliance and security).

Categories of personal data processed:

Communication and document data, user information, log data (e.g., access and change histories).

 

Microsoft Teams Phone

Purpose of processing:

Enabling calls and VoIP communication for business purposes. 

Legal basis for processing: 

Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in efficient business communication). 

Categories of personal data processed:

User information (e.g., name, phone number, user ID), call logs, voicemail messages, connection data.

 

Microsoft Viva Insights

Purpose of processing:

Providing analytics on individual and organization-wide productivity and ways of working to improve efficiency. 

Legal basis for processing:

Art. 6(1)(f) GDPR (legitimate interest in optimizing work processes and productivity analytics). 

Categories of personal data processed:

User information (e.g., name, email address, user ID), usage statistics (e.g., document editing times, meeting duration), communication patterns (e.g., number of emails, meetings).

 

Microsoft 365 Copilot Chat

Purpose of processing:

Personal data is processed to provide and administer the services, in particular for communication and real-time collaboration via chats and video conferences. 

Legal bases for processing:

Art. 6(1)(b) GDPR (performance of a contract, e.g., an employment contract) and Art. 6(1)(f) GDPR (legitimate interest in efficient work organization).

Categories of personal data processed:

Inputs and outputs (prompts and responses, insofar as they contain personal data), contact and master user data (e.g., name, email address, user ID, organizational affiliation), communication content (e.g., emails, chats) as well as usage and metadata (e.g., login times, IP addresses), and uploads (uploaded content and any personal data contained therein). 

 

Microsoft 365 Copilot (Microsoft 365 Copilot Chat)

Purpose of processing:

Personal data is processed to support the creation and editing of documents and to provide intelligent features and recommendations within Microsoft 365 applications. 

Legal bases for processing:

Art. 6(1)(b) GDPR (performance of a contract, e.g., an employment contract) and Art. 6(1)(f) GDPR (legitimate interest in efficient work organization). 

Categories of personal data processed:

Inputs and outputs (prompts and responses, insofar as they contain personal data), contact and master user data (e.g., name, email address, user ID, organizational affiliation), communication content (e.g., emails, chats) as well as usage and metadata (e.g., login times, IP addresses), and uploads (uploaded files and any personal data contained therein). 

 

Microsoft Clipchamp

Purpose of processing:

Provision of a web-based video editor for creating, editing, and publishing video content, including the storage of projects, media content, and exported files. 

Legal basis for processing:

Art. 6(1)(f) GDPR (legitimate interest in using modern tools to create and edit video content and to support internal and external communication).

Categories of personal data processed:

User information (e.g., name, email address, user ID), content data (e.g., uploaded videos, images, audio files, project files), usage data (e.g., editing activities, timestamps, interactions within the tool), and technical metadata (e.g., device information, IP address, log data). 

Version: 1.2
Date: 04.05.2026
Editor: T. Bile
Change/Revision: Update (information on Clipchamp added)