Data Protection Information – Microsoft Bookings Appointment Booking

As the controller for the processing of your personal data within the meaning of Article 4 No. 7 of the General Data Protection Regulation (GDPR), we hereby provide you with information regarding the collection of your personal data in the context of appointment booking through Microsoft Bookings.

Name and Contact Information of the Controller

(Article 13(1)(a) GDPR)

The company responsible for the processing of your personal data is as follows:

BPMnet Deutschland GmbH

Otto-Heilmann-Str. 18 A

82031 Grünwald

E-Mail: datenschutzbeauftragter@bpmnet-it.com

Contact details of the Data Protection Officer

(Article 13(1)(b) GDPR)

You can reach our Data Protection Officer at the following address:

BPMnet Deutschland GmbH


Otto-Heilmann-Str. 18 A

82031 Grünwald

E-Mail: datenschutzbeauftragter@bpmnet-it.com

Purposes for which personal data is to be processed, as well as the legal basis for processing

(Article 13(1)(c) GDPR)

The data processing is carried out for the purpose of scheduling appointments with employees of the controller. The legal basis for the processing is Article 6(1)(a) GDPR – “Consent.” The consent also includes the transfer of data to Microsoft Ireland Operations Ltd. for its own purposes (“legitimate business operations”). In addition, the consent authorizes the transfer of data to a third country within the meaning of Article 49(1)(a) GDPR (see the specific information regarding third-country transfers).

Information regarding data processing at Microsoft Ireland Operations Ltd. (hereinafter “Microsoft”):

A contract for the performance of data processing (DPA) has been concluded between the controller and Microsoft. However, Microsoft reserves the right to process the data for its own purposes in connection with “legitimate business operations of Microsoft.” Please note that the controller has no influence on the data processing carried out by Microsoft under its responsibility. To the extent that Microsoft processes personal data for its own purposes, Microsoft is an independent controller for this processing within the meaning of Article 4 No. 7 GDPR and is responsible for compliance with applicable data protection laws and obligations. Further information on data processing for Microsoft’s purposes can be obtained at https://privacy.microsoft.com/de-de/privacystatement.

Recipients or categories of recipients of personal data

(Article 13(1)(e) GDPR)

Internally (within the controller’s organization), the individuals involved in the booked appointment have access to the personal data.

Microsoft receives personal data both as a data processor and as an independent controller (“own legitimate business operations”).

Information regarding third-country transfers:

Microsoft as a data processor: Your personal data may be transferred to a third country as part of data processing. This transfer is legitimized by standard data protection clauses within the meaning of Article 46(2)(c) GDPR, which provide additional guarantees for the processing of your personal data in third countries.

Microsoft as an independent controller: Data processing by Microsoft for “legitimate business operations” may also take place in third countries (e.g., the USA).

The level of data protection in the USA is currently not considered equivalent to that of the EU. This is particularly due to extensive government access rights to personal data processed by companies and insufficient legal remedies for affected individuals.

Therefore, it is possible that the rights granted to you under the GDPR as a data subject may not be effectively exercised against a data processor in the USA, despite appropriate safeguards within the meaning of Article 46 GDPR.

Duration for which the personal data will be stored, or – if not possible – criteria for determining the storage period

(Article 13(2)(a) GDPR)

Personal data will be deleted as soon as it is no longer necessary for the purpose of its collection, and to the extent that deletion is not opposed by retention obligations to which we are legally bound.

The personal data will be deleted within three years as part of this processing.

Rights of the data subject

(Article 13(2)(b) GDPR)

You can request information about whether we process personal data about you. If so, you have the right to obtain information about this personal data, as well as additional information related to the processing (Article 15 GDPR).

In the event that personal data about you is not (or is no longer) accurate or complete, you can request correction and, if necessary, completion of this data (Article 16 GDPR).

If the legal conditions are met, you can request the deletion or restriction of processing, exercise the right to data portability, and object to the processing (Articles 16, 17, 18, 20, 21 GDPR).

Please note that data subject rights may be restricted or excluded in certain cases (Article 23 GDPR).

Please contact us if you wish to exercise a data subject right.

Right to lodge a complaint

(Article 13(2)(d) GDPR)

Any data subject has the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement if the data subject considers that the processing of personal data relating to them infringes upon their rights under Article 77(1) of the GDPR.

You can find the supervisory authority responsible for you at https://www.bfdi.bund.de/EN/Service/Addresses/Laender/Laender-node.html.

Necessity of providing personal data and possible consequences of not providing it

(Article 13(2)(e) GDPR)

The provision of personal data is voluntary. However, if you choose not to provide us with the personal data, it may result in the inability to book an appointment.

© BPMnet