These Terms of Use inform the employees and doctoral students of the University of Mannheim of the license terms and conditions, the use and the period of use as well as the relevant information on data protection and specify the data that may be used and exchanged in M 365 to create the basis for using M 365 as a collaboration tool while working from home. All employees and doctoral students eligible to use the services and software must comply with these Terms of Use.
License terms and conditions
Using the Microsoft services is subject to the license terms and conditions of the service provider. The license terms and conditions may be retrieved from the official Microsoft website.
Use for university purposes and end devices
The software and services may only be used for university purposes and only by employees or doctoral students of the University of Mannheim. However, when employees or doctoral students collaborate with persons not employed by the University of Mannheim, they can invite them as guests or external participants. Office from the cloud may be installed on up to five computers or notebooks, five additional tablets and five additional mobile end devices (smartphones). This permission also applies to private end devices, however, the Microsoft services may only be used for university purposes. Please note that confidentiality of the data has to be ensured, even when using private end devices.
Period of use
Only employees or doctoral students at the University of Mannheim are eligible to use the services and software. If the user is no longer an employee or doctoral student at the University of Mannheim, all data in the user’s personal cloud storage will be deleted. Software products and university data that are used on private devices for the purpose of fulfilling work duties must be uninstalled or deleted when the employment relationship ends. Department-specific back-up and storage structures have to ensure that university data required for work purposes are available at all times.
Information on data protection
When providing the Microsoft cloud services, the University of Mannheim follows the data minimization principle that means only the data required for operating the service will be transferred to the service provider. The University of Mannheim’s information on data protection regarding the use of Microsoft 365 products are specified in the relevant Data Protection Policy for Using Microsoft 365.
Data classification
When processing data in the Microsoft cloud (for example in Teams, OneDrive or OneNote), it is mandatory to handle the information carefully in order to comply with the relevant data protection and information security regulations. Users are obliged to check if and under which conditions they are allowed to store data in the cloud. Users must observe the data classification described in the following section.
Special regulations apply to the storage of administrative data. Thus, all documents have to be stored on the university drives. Processing administrative data in the Microsoft cloud is limited to documents of the TLP:Clear category, e.g. public documents. If, in individual cases, it seems useful or necessary to store documents of other categories, the head of the relevant division has to be consulted.
Based on the Traffic Light Protocol (TLP), a system to classify non-public and confidential information, we differentiate between the following classifications:
Depending on the classification of the data, the data may be or must be stored internally or externally in the cloud, either encrypted or unencrypted.
TLP classification | Rules for disclosure | Examples | Internal storage | External storage (cloud) |
TLP clear public | Unlimited disclosure. The document does not contain any confidential information and may be disclosed and made available to the public without any restrictions, except for copyright-related issues. | Course catalog, press releases, flyer. | Unencrypted storage on the central NAS drive of the university possible. | Data may be stored unencrypted in the cloud. |
TLP green internal | Internal disclosure. This document contains information required for work purposes. It may be forwarded to partners of the university but it must not be published. | Rules and regulations, work instructions, internal communication including e-mail. | Unencrypted storage on the central NAS drive of the university possible. | Data may be stored unencrypted in the cloud. |
TLP amber confidential | Disclosure restricted. This document may contain confidential information and may only be disclosed to a limited number of pre-defined persons (e.g. UNIT, University Library, Chair X). Disclosure to third parties is only possible if the third persons require the document for fulfilling their work duties and are aware of the TLP classification. Upon classification of the data, the pre-defined group of persons must be added in brackets. | Personal data, payslip, business travel expense report, research data, technical data, writing assignments that are protected, examination-related data, applications. | Unencrypted storage on the central NAS drive of the university possible. | Encrypted data storage in the cloud. |
TLP red strictly confidential | Personal, only for intended recipients. This documents contains strictly confidential information which may only be disclosed to a limited number of persons defined in advance, mostly these are also participants in a meeting, conference or written correspondence (e.g. President's Office). Disclosure is forbidden. Upon classification of the data, the pre-defined group of persons must be added in brackets. | Arising from official or contractual obligations in cooperation with third parties. | Encrypted storage on the central NAS drive of the university. | Encrypted storage in the cloud. |
Data security
Microsoft as provider fulfills the requirements (C5) of the Federal Office for Information Security for secure cloud computing. The data are processed in accordance with the state-of-the-art (Art. 32 GDPR) and there are back-ups by the University of Mannheim to secure the central data storage. The data are deleted in accordance with the statutory regulations and after the relevant release by the internal archive of the University IT.