This page has been translated using AI for informational purposes. In case of discrepancies, the German version shall prevail.

On this page, users of Microsoft 365 services can find information on data protection-related aspects that were taken into account during implementation at TU Wien. This information is intended for students and staff at TU Wien who use Microsoft 365 services (including Teams).

Data Protection Compliance

TU Wien is the data controller under the GDPR for the use of Microsoft 365 and has engaged Microsoft Ireland Operations Limited as a data processor. Microsoft has been contractually and legally vetted for data protection compliance; compliance is continuously monitored. In particular, TU Wien has:

  • entered into a Data Processing Agreement (DPA) with Microsoft and reviewed the relevant contractual documents,
  • conducted a Data Protection Impact Assessment (DPIA) with a risk assessment,
  • conducted a Transfer Impact Assessment (TIA) to evaluate potential risks associated with transfers to third countries,
  • defined and implemented concrete technical and organizational measures (TOM) to minimize specific risks associated with the use of Microsoft 365.

Microsoft 365 is used as a resource at TU Wien. It facilitates university-wide communication and collaboration in academic studies, teaching, research, and administration.

Processing of Personal Data

Depending on the context of use, Microsoft 365 applications can generally process all types of personal data, including special categories of data as defined in Article 9 of the GDPR and data under Article 10 of the GDPR. The legal basis always depends on the primary purpose of the respective processing. For example, in the case of processing for research purposes, the relevant provisions of the Research Organization Act (FOG) are particularly applicable; for study-related processing, the relevant provisions of the Universities Act (UG) 2002 apply. Therefore, when processing content on Microsoft 365, users must ensure that data protection requirements are complied with. The systems themselves have been reviewed by TU Wien; as the controller within the meaning of the GDPR, it has decided to use Microsoft 365 as a tool.

Certain service-related metadata remain under Microsoft’s control as an independent data controller, in particular for billing and cost calculation purposes, to provide and securely operate the services (support, troubleshooting), and for product improvement and optimization purposes. Some of this processing is technically necessary for the provision of services; certain features are built into the product and can only be configured or disabled to a limited extent. TU Wien takes its social responsibility as a university and its protective role toward students and staff seriously: It has thoroughly examined the associated risks, consulted relevant research reports, and assessed necessity and proportionality as part of a data protection impact assessment; on this basis, risk-minimizing default configurations have been established and are regularly reviewed.

Personalized License

To use Microsoft 365 at TU Wien, you need a TU Wien Microsoft account (Azure Active Directory) with a personal named-user license. Every student automatically receives a license as long as they are eligible for software access.

  • Employees: The license is valid for as long as the employment relationship remains active or until it is returned via the service portal.
  • Students: The license is valid for as long as the student is enrolled at TU Wien—license verification for installed apps is performed via the internet connection.

An internet connection must be available at least every 30 days for license verification. If a device is offline for longer than this, Microsoft 365 switches to a limited functionality mode: The apps remain installed, and documents can be viewed and printed, but cannot be created or edited. As soon as an internet connection is reestablished, full functionality is automatically reactivated.

Implemented Measures

The following measures have been implemented or are planned at TU Wien to reduce risks associated with the use of Microsoft 365:

  • Authentication. For student accounts, multi-factor authentication is mandatory for access outside the TU Wien network. The implementation of multi-factor authentication for staff is planned and currently underway.
  • Logging and risk-based detection. A general audit log of user actions is not used; only targeted audit logs with strictly restricted access are employed. These serve in particular to detect suspicious login attempts, unusual location changes, risky sign-ins, potentially compromised accounts, and to log specific administrative processes. In addition, there is an encrypted, tenant-specific background log for data security investigations, which can only be accessed on a case-by-case basis following active initiation by Global Admins; access by Global Admins is also logged.
  • Support access by Microsoft. Microsoft’s access to tenant content is technically restricted. Support access to tenant data is only possible in exceptional cases following explicit approval by TU Wien via Customer Lockbox and is fully logged.
  • Encryption. Connections between end devices and cloud services are secured by transport encryption (TLS). Media streams for one-on-one meetings are transmitted in encrypted form; no equivalent end-to-end encryption is currently available for group meetings. Centralized tenant-side encryption using BYOK/CustKey is currently being planned at the organizational level.
  • Connected Experiences. For the Microsoft applications at TU Wien, a differentiated configuration of the “Connected Experiences” is planned. Accessibility features and general quality-of-life features are to remain enabled, while Connected Experiences that involve Microsoft accessing data are to be disabled. Features that involve the processing of user-related data will first be tested with a test group as part of a pilot phase.
  • Partner Apps in Teams. By default, users cannot install partner apps themselves.
  • Telemetry and diagnostic data. Telemetry data will be centrally restricted to the minimum necessary level. Corresponding policies will be rolled out for centrally managed TUclient devices; for unmanaged endpoints (BYOD), privacy-friendly default settings are recommended.
  • Contractual and organizational safeguards. In addition, TU Wien relies on contractual and organizational safeguards, in particular the EU Data Boundary, the Microsoft DPA 2025 including additional safeguards, the conclusion of standard contractual clauses, integration into the Data Privacy Framework, and the conduct of a Transfer Impact Assessment.
  • Ongoing review. The measures and configurations are continuously reviewed as part of data protection and risk management and adjusted as needed.

Storing data in OneDrive and SharePoint

By default, Microsoft 365 stores content from OneDrive and SharePoint Online—including files created or uploaded via Office apps—within the EU/EFTA. As of February 2025, the EU Data Boundary has been fully implemented; this means that account data and content data for Microsoft 365 are stored and processed in EU/EFTA data centers. Even in support cases, the resulting Professional Services data (e.g., support logs, case notes) remain within the EU/EFTA region.

Microsoft encrypts data in transit and at rest. OneDrive/SharePoint use, among other things, AES-256 at the file/chunk level as well as additional server-side encryption and key management; connections are provided exclusively via TLS.

Malware Protection/Scans. Microsoft uses built-in virus protection for SharePoint, OneDrive, and Teams. Files are scanned asynchronously or upon download; files identified as malicious are blocked and cannot be opened or shared. (No comprehensive content profiling is performed for other purposes.)

Usage Notes. OneDrive is personal storage based on the SharePoint platform and can be accessed via a web browser or sync app/file manager. Specific sharing policies are defined internally by the TU.

Data Retention

For retention periods following deletion/termination, please refer to the Microsoft documentation on data retention/deletion.

Terms of Use

When using Microsoft 365, Microsoft’s privacy policies and TUW’s internal guidelines (privacy, IT security policies) apply. Additional terms and conditions regarding AI features and related experiences will be announced separately where necessary.