Data Protection Information for Digital Collaboration, Online Meetings and AI Functions for Employees and Service Providers
1. Introduction and Scope
This data protection notice describes how we process personal data in the context of digital collaboration:
- Online meetings (e.g., with Microsoft Teams or similar platforms)
- Collaboration in Microsoft 365 (Outlook, Teams, OneDrive, SharePoint, Calendar, etc.)
- AI-supported functions (e.g., Microsoft 365 Copilot, Microsoft Facilitator, Kamium)
- Joint editing and sharing of files – internally and with service providers
This information applies to:
- all employees of the companies in the Medicos Group,
- service providers, external cooperation partners and other third parties who communicate with us or exchange files within the scope of projects, online meetings or digital collaboration.
It is not a consent document, but serves to provide transparency in accordance with Art. 13 and 14 GDPR. The external privacy policy for website visitors remains unaffected by this.
2. Controller and Data Protection Contact
Medicos Kosmetik GmbH & Co. KG
Hafengrenzweg 3
48155 Münster Germany
datenschutz@dermasence.de
Data Protection Officer:
Said-Elham Sadat | DSB Münster GmbH
Martin-Luther-King-Weg 42 – 44
48155 Münster Germany
datenschutz@dermasence.de
Data subjects may contact this address with any questions regarding the processing of their personal data and the exercise of their rights.
3. Purposes of Processing
Personal data is processed in the context of digital collaboration particularly for the following purposes:
- Documentation of meetings – Traceability of discussed content and outcomes.
- Creation of minutes and traceability – Preparation and follow-up of meeting minutes, decision bases and action lists.
- Training and knowledge management – Use of online meetings and digital content for internal training, knowledge retention and further education.
- Transparency and traceability of decisions – Transparent documentation of votes, responsibilities and resolutions.
- Project support and documentation of coordination – Support for project work, coordination and collaboration with internal and external stakeholders.
- Quality assurance and internal improvement processes – Optimisation of workflows, processes and collaboration.
- Accessibility and aids for understanding – Support for people with hearing impairments or language barriers (e.g., through transcripts and subtitles).
- Creation of meeting summaries and AI-supported minutes – Use of AI functions (e.g., Microsoft 365 Copilot, Microsoft Facilitator, Kamium) to analyse and prepare content in an understandable way.
- Onboarding and knowledge retention – Use of documentation and summaries for onboarding new employees and for long-term knowledge retention.
4. Categories of Processed Data
4.1 Meeting Data
In the context of online meetings, the following data may be processed:
- Audio data (spoken content by participants)
- Video data (camera image of participants, if activated)
- Spoken contributions in text form (transcript, live transcription)
- Content from screen sharing and presentations
- Chat messages in the meeting (e.g., questions, links, comments)
- Reactions, emojis, raising hands and similar meeting interactions
4.2 Identity and Metadata
- Name and, where applicable, function/role designation
- Email address / account ID in the respective system
- Affiliation to an organisation (company, department)
- Role in the meeting (e.g., organiser, speaker, participant)
- Technical metadata (e.g., time of joining and leaving, device type, IP address, log entries)
4.3 AI-related Data
The use of AI functions (e.g., Microsoft 365 Copilot, Microsoft Facilitator, Kamium) may generate the following content from the aforementioned meeting and collaboration data:
- Automatically generated meeting summaries
- Lists of topics, decisions and open items
- Automatically suggested to-dos / actions
- Assignment of contributions to speakers (speaker identification)
- AI-based content classification (e.g., assignment to subject areas)
- Prepared minutes, chapters, marking of relevant sections
4.4 Data of Digital Collaboration (M365 & External Cloud Storage)
In the context of digital collaboration, the following may also be processed:
- Emails and calendar information (invitations, appointment data, subject, participant lists)
- Documents and files in Microsoft OneDrive, SharePoint and Microsoft Teams
- Documents shared via external cloud storage (e.g., Google Drive, iCloud Drive or similar services)
- Comments, notes, whiteboards and shared editing statuses
- Chat history in Microsoft Teams outside of meetings
5. Legal Bases
The processing of personal data in the context of digital collaboration is carried out – depending on the situation – on the following legal bases:
- Art. 6 para. 1 (b) GDPR where processing is necessary for the initiation, execution or termination of contractual or cooperative relationships (e.g., communication with service providers, project partners, customers).
- Art. 6 para. 1 (f) GDPR on the basis of our legitimate interests in efficient, secure and transparent collaboration, documentation, knowledge management, quality assurance and accessibility.
- § 26 BDSG for the processing of personal data of employees of the Medicos Group, insofar as processing is necessary for the performance of the employment relationship.
Note regarding recordings and transcriptions:
When using functions such as recording or transcription in Microsoft Teams or similar platforms, the system displays a notice or dialogue. For recordings, it may be necessary for participants to explicitly consent within the tool before microphone/camera are re-enabled. This technical consent in the system supplements the legal bases mentioned above, but does not replace them as the legal basis for processing.
6. Recipients and Access Groups
Access to the data processed as part of digital collaboration is granted – only to the extent necessary and based on an authorisation concept – to:
- Employees of the companies in the Medicos Group – insofar as this is necessary for the performance of their respective tasks and roles.
- Service providers and external cooperation partners – e.g., in the context of joint projects, online meetings or shared documents/releases.
- Microsoft Ireland Operations Ltd. – as the provider of Microsoft 365, Microsoft Teams and Azure services, including the sub-processors named in the Microsoft Data Protection Addendum (DPA).
- Internal IT administration – Administration and support staff of the IT departments of the Medicos Group, insofar as this is necessary for system management, troubleshooting, security monitoring or ensuring operation.
- External IT service providers – e.g., for the operation or configuration of AI services:
- Zweitag GmbH, Alter Fischmarkt 12, 48143 Münster (e.g., Kamium AI, hosted within the Microsoft Azure environment of the Medicos Group)
These service providers process personal data solely on the basis of a data processing agreement (Art. 28 GDPR) on behalf of the Medicos Group.
7. AI Processing and AI‑supported Further Processing
AI functions may be used in meetings and digital collaboration, for example, to:
- Automatically summarise meeting content
- Identify decision points and tasks
- Structure topics
- Create minutes or documentation
For this, the AI accesses meeting data (audio, transcript, chat, shared content) as well as collaboration data (e.g., documents in OneDrive/SharePoint) as needed for the purposes described above.
Kamium / Zweitag (Azure On-Premise) – Kamium AI functions (provided by Zweitag GmbH) are operated within the Microsoft Azure environment of the Medicos Group. The data remains within this environment; Zweitag acts as a processor.
No fully automated individual decisions – There are no decisions based solely on automated processing with legal effect or similarly significant impairment within the meaning of Art. 22 GDPR.
8. Retention Period
The retention period depends on the type of data and the respective purpose:
- Transcripts of online meetings – Transcripts are usually deleted automatically after 30 days. – Content transferred from transcripts into minutes, action lists or other documents may have different (project-related or legal) retention periods.
- Recordings (audio/video) of online meetings – Meeting recordings are usually deleted automatically after 30 days. – Content derived from recordings (e.g., exported excerpts, manually created training content) may be retained for longer periods if required for training, documentation or evidence purposes.
- AI evaluations (summaries, action items, etc.) – AI-generated content (e.g., summaries, task lists, structured minutes) is treated like ordinary Microsoft 365 documents and is not deleted automatically. – It is subject to the respective project-related or organisational deletion and retention rules.
- Documents in OneDrive/SharePoint and Teams – Files and documents are stored in the respective project folders, team rooms and storage structures. – There is no central uniform deletion period; retention depends on project durations, internal guidelines and statutory retention requirements.
- External cloud storage and sharing – For documents shared via external cloud storage (e.g., Google Drive, iCloud Drive), the deletion and retention rules of the respective external providers or partners apply. – The Medicos Group has only limited direct influence on these storage environments.
9. Transfer to Third Countries
The systems for digital collaboration are primarily operated within the European Union (e.g., Microsoft EU Tenant, Azure regions within the EU).
If, in individual cases, service providers or sub-processors based outside the EU/EEA are involved, this is only done using guarantees permitted under the GDPR (e.g., standard contractual clauses, EU Data Boundary, additional technical and organisational measures).
10. Rights of Data Subjects
Data subjects have – within the legal requirements – the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing based on legitimate interests (Art. 21 GDPR)
For employees, the provisions of § 26 BDSG apply additionally.
To exercise these rights, data subjects may contact the controller or the data protection contact mentioned above.
There is also the right to lodge a complaint with the competent data protection supervisory authority.
11. Objection and Conduct in Online Meetings
If a data subject does not wish their contributions or camera image to be transcribed or recorded in a meeting, the following options exist:
- They can inform the organiser before or during the meeting and request appropriate consideration (e.g., refrain from transcription/recording, targeted breaks, alternative communication channels).
- They can participate in the meeting with microphone and camera deactivated and only listen passively or communicate via alternative channels (e.g., chat).
- They can leave the meeting if they do not agree to transcription or recording.
Note regarding recordings: When using recording functions, the system (e.g., Microsoft Teams) displays a clear notification. Participants who do not consent to recording can use the options mentioned above.
12. Security of Processing
The Medicos Group and its service providers implement appropriate technical and organisational measures to protect personal data from loss, misuse and unauthorised access. These include, among others:
- Access controls and authorisation concepts
- Encryption during transmission and storage (where available, e.g., in Microsoft 365/Azure)
- Use of secure data centres
- Multi-factor authentication (MFA) for particularly sensitive access
- Regular updates and security checks
- Logging and monitoring of security-relevant events
There is no covert monitoring of employees or service providers; the processing described serves exclusively the purposes stated in section 3.
13. Changes to this Data Protection Information
This data protection information may be adjusted if legal requirements, technical systems or purposes of processing change.
The current version is available at the relevant URL, e.g. :