Data Protection Information
Teams-App TeamLinx42

This Teams app (hereinafter only the “App”) is provided by AppSphere AG, Ettlingen (hereinafter “we” or “us”) as the responsible party within the meaning of the applicable data protection law.
The app can only be used within the Microsoft Teams application.
Personal data is processed when using the app. Personal data means any information relating to an identified or identifiable natural person. With the following information, we would like to inform you about which personal data we process when you use the app and how we handle this data. In addition, we will inform you about the legal basis for the processing of your data and, insofar as the processing is necessary to protect our legitimate interests, also about our legitimate interests.
You can access this privacy policy at any time via the menu item “About” > “Privacy Policy” within the app; this takes you to the current version of the privacy policy, which is stored on the homepage.

Overview / Contents

You will find the following information in our Data Protection Information

A. Our contact data and general matters relating to our data processing

  • Name and contact data of the controller
  • Contact data of the controller’s Data Protection Officer
  • General information about legal basis for the processing of personal data
  • General information about Data deletion and duration of archiving
  • General information about the sources of personal data
  • General information about the categories, purposes and legal basis for processing personal data
  • General information about the recipients and categories of recipients of the personal data

B. The scope of the processing of personal data by and through the app

  • Information collected during download
  • Data processing via Microsoft services
  • Hosting, server and operation of the app
  • Information collected with the use
  • Information processed outside the app
  • Data processing when using the feedback function
  • Encryption of the data transmissions of the app
  • Transmission of personal data to a third country (countries outside Germany but in the EU/EEA)

C. Your rights as the data subject

  • The right to be informed
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to information
  • The right to data portability
  • The right to object to processing because of a legitimate interest
  • The right to revoke consent
  • Automatic decision-making including profiling
  • Voluntary provision of data
  • The right to complain to a supervisory authority
  • Changes to this privacy notice

A. Our contact data and general information relating to our data processing

Name and contact data of the controller

The controller for the collection and use of personal data within the meaning of data protection legislation is

AppSphere AG
represented by the Board of Management: Dipl. Ing. (FH) Frank Roth, Dipl. Ing. Frank Seibert, Daniel Vollmer
76275 Ettlingen
Phone: +49 7243 348870
Fax: +49 7243 3488799
Email: datenschutz@appsphere.com
Registration court: Mannheim District Court
Registration number: Co. Reg. No. 709034
Further details can be found in our imprint.

Contact data of the controller’s Data Protection Officer

You can reach and contact our data protection officer at the address below:

Dr. Jörg Kümmerlen
secopan gmbh
Am Schoenblick 14
71229 Leonberg
Phone: 07152-5695810
Fax: 03212-1144458
Email: datenschutz@secopan.de

General information about legal basis for the processing of personal data

In general, the following applies when we process personal data:

  • In so far as we obtain your consent for processing procedures of personal data, art. 6, para. 1, lit. a) of the EU General Data Protection Regulation (GDPR) acts as the legal basis for the processing of personal data.
  • In the case of the processing of personal data which is needed for the performance of a contract with you, art. 6, para. 1, lit. b) of the GDPR acts as the legal basis. This also applies if the processing is necessary for the performance of pre-contractual measures.
  • In so far as the processing of personal data is necessary for the performance of a legal obligation to which we are bound, art. 6, para. 1, lit. c) of the GDPR acts as the legal basis.
  • In the event that your vital interests or those of another natural person render the processing of personal data necessary, art. 6, para. 1, lit. d) of the GDPR acts as the legal basis.
  • If the processing is necessary for the protection of a legitimate interest of us or of a third party and your interests, fundamental rights and freedoms do not override this interest, art. 6, para. 1, lit. f) of the GDPR acts as the legal basis.

General information about Data deletion and duration of archiving

Generally we delete or block the personal data as soon as the purpose of the archiving no longer applies. Data can also be archived if this was stipulated by the European or national legislative body in EU regulations, laws or other provisions to which we, as the controller, are subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless it is necessary to continue storing the data for other legal reasons, e.g. for the conclusion or fulfilment of a contract.

In specific terms this means:

If we are processing the personal data on the basis of consent for data processing (art. 6, para. 1, lit. a) of the GDPR), the processing is ended when you revoke your consent unless a further legal basis for processing the data exists. This is the case if, at the time of the revocation, we are still entitled to process your data for the purpose of the performance of a contract, or if the data processing is necessary to protect our legitimate interests (on this point see also below).

If we are processing the data exceptionally by reason of our legitimate interests (art. 6, para. 1, lit. f) of the GDPR) as part of a previous assessment, we will save this data until the legitimate interest no longer exists, the assessment comes to a different conclusion, or you have lodged a valid objection pursuant to art. 21 of the GDPR (on this point see the “Note on a particular right to object” below under C.).

If we are processing the data for the purpose of the performance of a contract, we will save the data until the contract has been finally performed and brought to a conclusion and no further claims can be asserted under the contract, in other words until the matter becomes time-barred. The general period of prescription according to § 195 of the German Civil Code is three (3) years. However, certain claims, for example claims for compensation, only become time-barred after 30 years (cf. § 197 German Civil Code). If there is a legitimate reason for assuming that this is relevant in a particular case, we will save the personal data during this period of time. The above-mentioned periods of prescription commence at the end of the year (therefore on December 31) in which the claim arose and the obligee becomes aware, or without gross negligence should have become aware, of the circumstances giving rise to the claim and of the identity of the liable party.

We wish to point out that we are also subject to statutory retention obligations for reasons associated with taxation and book-keeping. These oblige us to archive certain data as evidence for our book-keeping which can include personal data for a period which can range from six (6) to ten (10) years. These retention periods take precedence over the above-mentioned deletion obligations. The retention periods also commence at the end of the year in question, and therefore December 31.
The legal basis for storage due to legal obligation is art. 6 para. 1 lit. c) of the GDPR.

General information about the sources of personal data

The personal data processed by us through the use of the app originate primarily from the data subjects themselves, in that they, as users of the app, transmit information such as device information (e.g. device type, operating system, time of access) to us via their terminal device.
Exceptionally, the personal data we process may also originate from third parties, for example where a person acts on behalf of a third party within the App.

General information about the categories, purposes and legal basis for processing personal data

We process the following categories of personal data:

  • Users (using company and using employees of the company),
  • All other data that users enter and store there in the course of using the app.

We process personal data for the following purposes and on the basis of the following legal foundations of the Data Protection Regulation (GDPR):

Users of the app are either in a free trial phase to try out the app or they have already subscribed to the app. In both cases, we process the personal data (master data, contract data) for the purpose of processing the contract in accordance with art. 6 para. 1 lit. b) of the GDPR.

The additional data of users collected through the use of the app will, as far as possible, be collected and processed by us on a non-personal basis. The IP address is not collected and processed by us. If, exceptionally, personal data are affected, we process them to fulfil the contract concluded between us and the customer (art. 6 para. 1 lit. b) of the GDPR) or to protect our legitimate interests on the basis of art. 6 para. 1 lit. f) of the GDPR. Our legitimate interests here are our interest in the security and integrity of the app and the data on our web server (in particular fault and error detection, as well as tracking of unauthorised access), as well as interests in the area of marketing and for statistical collection (usage patterns and usage volume of the app to improve the app and our services and offers). After giving the matter our due consideration, we came to the conclusion in these cases that the processing of data to protect the above legitimate interests is necessary and overrides your fundamental rights and freedoms requiring the protection of personal data.

General information about the recipients and categories of recipients of the personal data

Your personal data will only be disclosed or otherwise transferred to third parties if this is necessary for the purpose of contract processing (in particular to enable the use of the app) or for billing purposes, there is a legitimate interest in the disclosure/transfer and your interests or fundamental rights and freedoms are not overridden or you have given your prior effective consent.

Categories of recipients can be: Service providers or subcontractors who support us in the creation, maintenance, servicing and operation of the app or service providers who carry out payment or invoice processing.

B. The scope of the processing of personal data by and through the app

As a matter of principle, we only collect and use the personal data of users during the use of our app in so far as this is necessary for the provision of a functioning app, its content and our services. Normally the personal data of our users is collected and used only after the user has granted his/her consent. The exception is such cases in which it is not factually possible to obtain consent in advance and/or the processing is permitted by the provisions of law.

The app can only be installed and used within the TEAMS software of Microsoft Inc, USA.

Data processing via Microsoft services

Data processing when using the app is carried out via Microsoft services. The head office of Microsoft Inc. is located in the USA. The USA is assessed by the European Court of Justice as a country with an insufficient level of data protection according to EU standards. There is a particular risk with data processing in the USA that data may be processed by US authorities, for control and for monitoring purposes, possibly also without any legal remedy.

However, Microsoft promises that all personal data processed through Microsoft 365 products for EU-based enterprise customers will be processed and stored exclusively within the EU. This commitment applies to all of Microsoft’s core cloud services – Azure, Microsoft 365 and Dynamics 365 and therefore also to Microsoft Teams 365, which acts as the base application for the use of our app (see Microsoft’s statement: https://news.microsoft.com/de-de/unsere-antwort-an-europa-microsoft-ermoeglicht-speicherung-und-verarbeitung-von-daten-ausschliesslich-in-der-eu/).

In addition, the app is operated via a Microsoft Azure data centre as a cloud service. However, we have agreed with Microsoft in this respect to process data exclusively within the EU (in data centres in Amsterdam and Ireland).

This means that in principle there is no data transfer outside the EU or the EEA (“third country transfer”). Should a third country transfer nevertheless take place, we have concluded the EU standard contractual clauses with Microsoft. In them, Microsoft undertakes to take and comply with measures that enable a level of data protection that is almost equivalent to that in the EU. Microsoft has also added the Additional Safeguards Addendum to Standard Contractual Clauses (available here; Attachment 2, Appendix 3) to the Standard Contractual Clauses, thereby creating additional safeguards. The agreement of the EU standard contractual clauses together with these additional safeguards thus constitutes appropriate safeguards to carry out a third country transfer (art. 46 para. 1 in conjunction with para. 2 lit. c) of the GDPR).

Frequently asked questions about Microsoft and data protection are answered here, for example: https://www.microsoft.com/de-de/trust-center/privacy/gdpr-faqs?market=de

Information collected during download/installation

When downloading or installing the app, necessary information may be transmitted to Microsoft; in particular, the information of your Microsoft account or Teams account, the time of the download, and the individual tenant and user ID may be processed. The processing of this data is carried out exclusively by Microsoft and is beyond our control. In this respect, we refer to the above information on data processing via Microsoft services.

Hosting, server and operation of the app

The app is hosted by the cloud service Microsoft Azure. We only use the data centres in the West Europe region (Amsterdam) and North Europe (Ireland). The data therefore does not leave the EU or the EEA.
We have concluded a data processing contract with Microsoft, which includes the agreement of the EU standard contractual clauses.
The app is operated by AppSphere AG, which is already named above as the data controller.

Information collected with the use

As part of the use of the app, we collect certain data that is required for the use of the app.

These include:

  • The tenant ID, tenant domain and tenant name of the using company (the tenant ID is a globally unique identification number (GUID) assigned by Microsoft to the using company for the use of Microsoft 365 services),
  • The user IDs used to identify users (this usually consists of your email address),
  • First name and surname of the user
  • Company name of the user
  • Timestamp of the first access of the user
  • “Usage Location” of the user

Further information on users, such as location, user picture, etc., is read from your tenant at runtime, only if required, and displayed to the users in order to be able to use the app’s functionalities comprehensively.

The purposes of data processing: The collection and processing of the data is necessary in order to provide you with the app and the associated functions.

The legal basis for the data processing: The data processing is justified by the fact that the processing is necessary for the performance of the contract between you and us pursuant to art. 6 para. 1 lit. b) of the GDPR for the use of the App.

Duration of the archiving: The data will be stored at least for the duration of the use of the app and then at least for the duration of the usual limitation period (usually three years from the end of the year in which the usage contract was terminated). We expressly point out the possible longer storage period for data processing due to contract fulfilment above under “General information on data deletion and storage period”.

The right to object and the right to erasure: The collection and processing of data for the provision of the app is mandatory for the operation of the app. As a consequence the user has no right to object to this practice.

Information processed outside the app

Data that we process for the administration and billing of the concluded usage contract with the using company is processed outside the app. To do this, we use our CRM software Microsoft Dynamics 365 and the ERP software SAP ByDesign in particular.
This is data of the using company as our customer. This data is processed for the purpose of billing in the event of a paid subscription:

  • Company name and legal form,
  • Company address,
  • Payment details according to the agreed payment method(s).

Purposes and legal basis of data processing: We absolutely need this data in order to be able to fulfil the contract with the using customer. The data processing is thus carried out in accordance with art. 6 para. 1 lit. b) of the GDPR.

Duration of the archiving: The data will be stored at least for the duration of the use of the app and then at least for the duration of the usual limitation period (usually three years from the end of the year in which the usage contract was terminated). We expressly point out the possible longer storage period for data processing due to contract fulfilment above under “General information on data deletion and storage period”.

The right to object and the right to erasure: The collection and processing of data is mandatory for the operation of the app. As a consequence the user has no right to object to this practice.

The following software is used to process this data:

Data processing in our CRM system Microsoft Dynamics 365

We work with the customer relationship management (CRM) tool Dynamics 365 from Microsoft. The data of the customers of our app are stored and processed there. Microsoft makes every effort to comply with all European data protection requirements, in particular the General Data Protection Regulation (GDPR). The data processed by and with Microsoft when using Dynamics is adequately secured according to the state of the art.
With regard to the transfer of data to third countries, the information provided above on the use of Microsoft services applies in the same way.
Information around data protection in connection with Dynamics including a downloadable white paper, FAQ list etc. from Microsoft can be found here.

Data processing in our ERP system SAP ByDesign

The data is also processed in our ERP system SAP ByDesign. SAP SE is a German company. In principle, the data remains within the EU or the EEA. Accordingly, a third-country transfer does not take place as a rule. If one does take place, we have agreed the EU standard contractual clauses with SAP for such third-country transfers. We have also concluded an order processing agreement with SAP, which grants us corresponding rights in accordance with art. 28 of the GDPR.
The data protection notice and further information on the handling of personal data by SAP can be found here.

Data processing when using the feedback function

For the feedback function we use the service upvoty.com of the company Upvoty HQ, Hurksestraat 19, NL-5652 AH, Eindhoven, The Netherlands. The data remain within the EU or the EEA. We have concluded an order processing contract with the company Upvoty HQ, which assures us the rights according to art. 28 of the GDPR.

The purposes of data processing: The data processing takes place in order to be able to process your feedback.

The legal basis for the data processing: You give us feedback voluntarily and on your own initiative. The data processing is therefore based on your consent according to art. 6 para. 1 lit. a) of the GDPR, or alternatively on our legitimate interest according to art. 6 para. 1 lit. f) of the GDPR. The legitimate interest consists of the above-mentioned purposes.

Duration of the archiving: We store the personal data until we have fully processed the feedback from you and, if applicable, sent you a response and the conversation has recognisably come to an end. As soon as the processing of personal data is no longer necessary, we remove the personal reference by anonymisation, as we have no interest in processing personal data for further processing of your feedback.

The right to object and the right to erasure: You can easily avoid data processing by not using the feedback option. You can also prevent further data processing of personal data afterwards by revoking your consent.

Encryption of the data transmissions of the app

The app, and therefore the data transmissions using these forms, are encrypted to the SSL standard (HTTPS protocol).

Transmission of personal data to a third country (countries outside Germany but in the EU/EEA)

It is possible that personal data may be transferred to a country outside the European Union (EU) or the European Economic Area (EEA) (“third country transfer”). If this is done or if there is the possibility of this, then we point this out in the description of the respective data processing above. We do this, among other things, by showing the location of the provider’s registered office (e.g. “USA”), as well as, as a rule, by providing further information on the possible transfer of data to so-called third countries.

We would like to point out that we have checked in advance whether there is a suitable legal basis for each third country transfer. The legal bases result from art. 44 – 50 of the GDPR. If there is no EU decision on an adequate level of data protection in the recipient country, we have regularly agreed the EU standard contractual clauses with the data recipient. The data recipient undertakes to take extensive measures to protect the data so that the level of data protection is considered adequate.

It is also possible that a data recipient has its own company data protection rules approved by the competent data protection authority (so-called Binding Corporate Rules, BCR). If this is the case, we can also process the data transfer on the basis of these BCR.

In the case of data transfers to the USA, we have tried to ensure the protection of the data through further agreements and additional guarantees.

You can request all documents on the provision of sufficient guarantees for the transfer of data to a third country, which we have agreed with the respective data recipient, from us using the contact options provided.

C. Rights of data subjects

If your personal data is processed you are a “data subject” and you are entitled to the following rights in respect of us as the controller.

The right to be informed

You have the right to receive a confirmation from us free of charge whether we are processing personal data relating to you. In this case you have the right to information about this personal data and other information which you can see in art. 14 of the GDPR. You can contact us for this purpose by post or email.

The right to rectification

You have the right to require that we immediately correct inaccurate personal data relating to you. You also have the right, for the purposes set out above, to require additions to incomplete personal data, including by means of a supplementary declaration. You can contact us for this purpose by post or email.

The right to erasure

You have the right to require the immediate deletion of personal data relating to you if one of the conditions of art. 17 of the GDPR is met. You can contact us for this purpose by post or email.

The right to restrict processing

You have the right to require the restriction of processing if one of the conditions of art. 18 of the GDPR is met. You can contact us for this purpose by post or email.

The right to information

If you have asserted the right to the correction, deletion or restriction of the processing to the controller, the latter is obliged to inform all recipients to which the personal data relating to you was disclosed about the correction or deletion of the data or about the restriction of the processing unless this proves to be impossible or is associated with disproportionate effort.

You have the right to be informed by the Controller about these recipients.

The right to data portability

You have the right to receive the personal data you sent to us relating to you in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from us if the conditions of art. 20 of the GDPR are met. You can contact us for this purpose by post or email.

The right to object to processing because of a legitimate interest

In so far as we process personal data, by way of exception, on the basis of art. 6, para. 1, lit. f) of the GDPR (therefore for reason of a legitimate interest), you have the right, for reasons arising from your particular situation, to object at any time to our processing of the personal data relating to you. We will cease processing your data if we can demonstrate no compelling reasons worthy of protection for the further processing which override your interests, rights and freedoms or if we are processing your data for the purposes of direct advertising (cf. art. 21 of the GDPR). You can contact us for this purpose by post or email.

The right to revoke consent

You have the right at any time to revoke an agreement you have given for the collection and use of personal data with effect for the future. You can contact us for this purpose by post or email. The lawfulness of the processing undertaken by reason of the consent you gave up to the time of its revocation is not affected.

Automatic decision-making including profiling

You have the right not to be subject to a decision based exclusively on automated processing (including profiling) which has a legal effect on you or which is significantly to your detriment in a similar manner unless the decision is necessary for the conclusion of an agreement between you and us, is admissible by reasons of provisions of law of the European Union or member states to which we are subject and these provisions of law contain reasonable measures to protect your rights, freedoms and legitimate interests, or the decision is taken with your express consent.
We do not take automated decisions of this nature.

Voluntary provision of data

If the provision of the personal data is stipulated by law, we will always point this out when the data is collected. The data we collect is sometimes necessary for the conclusion of a contract, to be specific, if we are unable to meet our contractual obligation to you or cannot adequately meet them in any other way. You are under no obligation to provide personal data. However, the failure to provide such information can mean that we are unable to perform or offer the service, action, measure or similar you require, or that it is impossible to conclude a contract with you.

The right to complain to a supervisory authority

Notwithstanding other rights, if you are of the opinion that the processing of personal data relating to you infringes data protection law, you have the right at all times to complain to a supervisory authority for data protection, particularly in the member state where you reside, where you work or the place of the alleged infringement.

The supervisory body responsible for us is: The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information, Königstraße 10A, 70173 Stuttgart, website: www.baden-wuerttemberg.datenschutz.de

Changes to this privacy notice

We always keep this privacy notice up to date. The current version of the data protection notice is available at https://teamlinx42.app/privacy

Data Protection Information version: 04.04.2022