Data Protection Policy for Using Microsoft 365

The University of Mannheim uses the cloud service “Microsoft 365” for which Microsoft acts as processor in accordance with Art. 28 GDPR. In this context, the University IT processes personal data while complying with applicable data protection regulations (GDPR). The applicable terms and conditions of Microsoft (Microsoft Online Service Terms) contain the contract on commissioned data processing based on standard contractual clauses (SCC). The University of Mannheim is part of the Baden-Württemberg agreement. The licenses under the Baden-Württemberg agreement allow the staff members and students of the University of Mannheim to use the cloud services free of charge. 


Datenschutzbeauftragte Universität Mannheim
L 1, 1 
68131 Mannheim 

Purpose of Data Processing

The purpose of data processing is to enable collaborative work and communication between staff members and between students, when conversations in person or direct physical attendance are not possible. It is expressly not the purpose of data processing to use the data collected to evaluate the users’ performance or to create profiles of the users. 

Basis and duration of data processing

Students of the University of Mannheim, if there are not also staff members of the University, have digitally consented to the data processing and have the right to revoke their consent. In order to guarantee the voluntary nature of the consent to the data processing, it must neither lead to benefits nor to disadvantages when it comes to the learning progress (including grades).  

Data storage ends when your membership or your employment contract ends or, for students, upon revocation of their consent or upon disenrollment or after the expiration of statutory deletion periods, if the person was a party to external contracts or has legally represented a university institution. 

Scope and nature of the processing

The University IT is the administrator of the Microsoft service mandate for all user groups at the University of Mannheim. In this regard, only the name, the institution, the office phone number (if applicable) and the e-mail address are transmitted to Microsoft in order to comply with the data minimization principle. Due to maintenance work and data back-ups, specific employees (administrators) may access meta data and dormant data and may see detailed user statistics and standardized evaluations. Administrators are bound to an extraordinary level of secrecy, also and in particular towards supervisors and professors. 

Recipient / Disclosure of data

The dormant data (general user data) as well as the data traffic are processed by Microsoft Ireland Operations Limited. In addition, these data are transmitted to and processed by the Microsoft Corporation, as well as their support service providers and sub processors