Security log against attacks and misuse
The university sector is the sector most exposed to hacker attacks worldwide. It is therefore necessary to have many security measures in place to ensure that unauthorised persons do not gain access to SDU's data.
Modern security products use logs and information about user behaviour in the systems (e.g. information about where users are when they log in) to detect if the systems are being hacked or misused. It is important to emphasise that SDU will never use logs from the systems to check employee productivity. Logs are only used to secure the university against attacks and misuse.
How and why?
We have gathered a number of questions and answers on how we process your personal data. Below you can read more about:
- How SDU processes your personal data in Microsoft and what information we share with Microsoft
- Why you should not use "private marking" in calendar invitations for actual private information
- What actions SDU gets alerts on. For example, changed usage patterns including moving or deleting many files
- How we have taken measures to ensure that only a few employees have access to this log information
SDU uses several Microsoft products under Microsoft's A5 licence, including Microsoft 365, Microsoft Azure and Dynamics 365. Microsoft 365 includes tools such as Outlook, OneDrive, Teams and SharePoint. The software is maintained by Microsoft and data is stored in SDU's dedicated storage space (tenant) on Microsoft servers in Europe.
The Microsoft Azure platform supports different cloud service models. Some software is maintained and hosted by Microsoft, but it is also possible to install software hosted on the Azure platform, where SDU itself takes care of the maintenance, e.g. SDU's integrations to HCM and ERP.
Dynamics 365 is primarily a CRM (Customer Relationship Management) system and is based on the Azure infrastructure.
SDU also uses Microsoft security products, including the Defender suite and Microsoft's log collection solution, Sentinel. The Defender suite consists of various software that protects SDU from unwanted behaviour, such as hacker attacks. The services protect SDU's mobile devices (laptops, phones and tablets), Microsoft software such as Word and Excel, network traffic and third-party software such as ItsLearning and Survey Xact. This makes it possible to track a user's activities across systems, which is necessary to detect hackers who have taken over a user account.
Security logs from the various Defender products are sent to SDU's central log collection solution, Sentinel. Here, alerts can be set up for specific actions that increase the risk of data compromise. Each user has a risk score that changes based on their behaviour in the system. Defender products and Sentinel use machine learning to understand the user's normal behaviour and can respond to anomalies that may indicate account compromise, such as malware execution, changes in behaviour, abnormal working hours, transfers of files to external drives (e.g. USB sticks) or third-party storage solutions like Dropbox, massive file activity (e.g. printing and deleting many files), downloading copyrighted material, or logins from two different locations within a short time interval, known as "impossible travel". These are all signs that the account may be compromised or abused.
SDU follows up daily on the registrations made in the systems' security logs. This is both important for security and a requirement that we are monitored on. SDU regularly receives inspections from Rigsrevisionen (Danish National Audit Office) and the Danish Agency for Higher Education and Science.
SDU has a number of security measures to ensure that logs are not misused and that unauthorised persons do not have access to confidential information. SDU has a policy that employees with access to central personally identifiable log information must have that access approved annually by the Director. Only a few (currently 3) trusted employees in SDU IT's SecOps (Security Operations) have access to view log information in Sentinel. In addition, there are 5 so-called "Global admins" who have technical access but do not look at logs in Sentinel; SecOps receives alerts if they do.
SDU has more than 50,000 active user accounts, so SecOps employees do not sit "live" and monitor individual employees' use of systems, but they react to alarms as described earlier, after which they investigate whether there may be suspicious behaviour. This means that, in principle, these employees have access to see which systems and websites a user is accessing. In some situations, they will also have access to see extracts of content from emails or documents, for example if an email or document is quarantined due to a suspected virus.
SecOps employees will only have a reason to look at certain users if an alarm is triggered or the user's risk score is high. User accounts are pseudonymised where possible, and the employee must activate their privileged access if they need access to see the identity of the user. The system also logs the actions of these trusted employees, and segregation of duties has been established so that SecOps employees do not have access to change or delete these logs. The digital organisation's compliance unit conducts spot checks on trusted employees' access to log information in Sentinel.
SDU's purpose for processing these security logs is to secure the university against attacks and misuse. Security logs will never be used to monitor employee productivity. Guidelines for the use of IT for employees provide examples of acceptable private use of SDU's systems, but it is generally recommended, e.g. in the publication "Is your research in danger?" published by the Ministry of Higher Education and Science, not to mix private and work-related use of IT systems and equipment.
If you use equipment purchased and managed by SDU, and thus configured according to the university's security standard, you will not experience as many security measures as users who need to use private equipment, such as external lecturers.
As a starting point, SDU's resources should only be accessed from approved equipment, cf. guidelines for the use of IT. However, there may be some cases where it will be necessary for some users to use private equipment, for example if you are a student or external lecturer. You should be particularly aware that if you access SDU resources from private equipment, e.g. an external lecturer accessing a link to an exam list sent by email, the system will in some cases collect logs on subsequent browser sessions (e.g. web searches) if you do not close the browser after accessing an SDU resource. This applies even if you are on a private network on your private PC, as it is the security setting of the browser used that allows it. This is the same problem as if you open a link from Facebook, where in some cases you also allow Facebook to follow what you subsequently access in the same browser session.
SDU has rolled out security measures which mean that, if you want to read SDU mail on your private phone, the phone must be reasonably up to date and SDU data must be kept in apps that can be secured with policies, such as the Outlook and Word apps and the Edge browser. This means that it is no longer possible to copy SDU data out of these apps on a private phone. SDU does not have access to private documents you may also read in your Word app, or to content from a private email account you may also have linked to the Outlook app. SDU cannot see which websites you access from the Edge browser on your private phone unless you access a blocked website, in which case there will be a log of the website address (URL).
If you use a private device on SDU's network, you should be aware that SDU, according to requirements from the authorities, logs network traffic, but SecOps employees do not have direct access to see which websites specific users access from a private device. This would require a closer comparison of logs, which can be performed if we are asked to do so, for example by the police. SecOps can see logs of the website address (URL) if a user tries to access a blocked website. SDU blocks websites based on recommendations from Microsoft and other security companies and at the request of Danish authorities.
a) The data that you as an employee generate and store yourself is called content data. Data that you enter yourself can contain your own personal data or that of others. It could be a Word document with a summary of your performance review, an email with your signature or a calendar invitation with your name in the title.
b) When you use a Microsoft program, data is generated that says something about how you use the program, such as language settings and whether the program fails when using special functions or loading a file. This is called service-generated data or metadata. Microsoft needs to be able to process this metadata in order to deliver its service to us. Normally, metadata will be aggregated data and thus not directly personally identifiable, but in some cases metadata can be attributed to a specific user. This will typically be metadata related to security. Given that SDU uses the Defender suite and Sentinel, these solutions will also contain personally identifiable information about user behavior in systems other than Microsoft software, such as third-party solutions like ItsLearning and traffic on SDU's network.
SDU uses Microsoft services throughout the organization and uses different parts of Microsoft's software suite for research, teaching, communication and administration. SDU processes personal data as part of our performance of tasks as a university. As this involves all the information that you and others may write in, for example, a Word document or in an email, it involves the processing of ordinary, confidential and sensitive personal data.
Information about employees is primarily stored in SDU's journaling system and SDU's personnel system HCM, but many HR documents are created in Word, which is why there will be processing of employee personal data in content data even though the documents are not generally stored in Microsoft. To gain access to all of SDU's IT systems, you must be created in the central user management system with master data from HCM and CRM, such as name, age, gender, contact information, date of birth, job title, workplace, social security number and cost center. You are also given a username and e-mail address, and system rights and any resignation date are specified.
In addition, pseudonymized information about your use of the system is processed (see the section on profiling in Microsoft security products). This means information about when systems are logged on and off, from where (city) systems are logged on, from which device (e.g. PC) systems are accessed, which programs are accessed, including a log of websites (only if you are on SDU's network), and traffic to and from the device, e.g. upload and download of files (metadata). It is important to emphasize that the information is not used to control work tasks or working hours. SDU does not subscribe to Microsoft Viva Engage premium, which can create management reports on productivity and collaboration. The information is processed solely for the purpose of protecting university data.
Social security numbers are processed on the basis of Section 11 of the Data Protection Act.
Personal data that is processed as part of the employment relationship is processed on the basis of Section 12 of the Data Protection Act and GDPR Article 6(1)(b) when it follows from a contract.
Should the content information contain sensitive personal data such as trade union membership or health information, e.g. from the minutes of a sickness interview, the processing will also take place on the basis of Section 7(2) of the Data Protection Act in relation to GDPR Article 9(2)(b) and Section 7(4) of the Data Protection Act in relation to GDPR Article 9(2)(g).
SDU uses Microsoft as data processor and in this connection, SDU transfers content data and some service-generated data including log data from the Defender products to Microsoft. As a data processor, Microsoft may only process this information by agreement with SDU. Content data is stored on SDU's own storage space at Microsoft on servers in Europe. Microsoft employees generally do not have access to SDU's data unless SDU grants access via Customer Lockbox, which SDU has purchased.
SDU has activated "optional connected experiences", which are a number of cloud-based services such as "insert images in Word and PowerPoint from online resources", which Microsoft offers through direct access via your SDU user profile, but where SDU's license does not cover the use, as Microsoft considers these services as an agreement directly between the end user and Microsoft. Therefore, you should be aware that you accept Microsoft's general terms and conditions and privacy policy when using the products. However, it is SDU's understanding that Danish law limits the liability of employees when the system is used as part of the work for SDU, even if Microsoft's license structure is composed in this way.
It is possible to disable the feature on Windows machines by unchecking "Enable optional connected experiences" under "Files", "Account" and "Manage settings". On Mac, you do this under the "Word" menu, "Settings..." and "Anonymity". SDU has not disabled the feature by default, as this would prevent all users from using the features.
You can read more about optional connected experiences here: https://learn.microsoft.com/en-us/deployoffice/privacy/optional-connected-experiences
You can access Microsoft's updated list of sub-data-processors here: https://servicetrust.microsoft.com/DocumentPage/aead9e68-1190-4d90-ad93-36418de5c594
We disclose some metadata to Microsoft. Disclosure in this context means that Microsoft gets data that they can use for their own independent purposes. These purposes are:
- Microsoft's own billing and account management
- Remuneration of Microsoft employees and partners (e.g. calculation of employee commissions and partner incentives)
- Microsoft internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, and product strategy); and
- Microsoft financial reporting
SDU has implemented and is in the process of implementing a number of measures to reduce the risk of metadata containing confidential and sensitive personal data. SDU discloses this service-generated metadata to Microsoft on the basis of Article 6(1)(e) GDPR as part of the university's activities as a university (exercise of public authority).
Please note that "subject" in emails and "title" on calendar invitations are included in the metadata that we pass on to Microsoft. Therefore, in the future, these must not contain sensitive personal data such as health information, or confidential information such as social security numbers or the names of people who are going to an official interview. This applies even if you "privately mark" your calendar invitation, as there may be situations where others use email programs that do not support private marking. Therefore, you should avoid writing actual "private" information in the title field.
Metadata generated about your use of the systems will be deleted after 6 months.
In general, you have the following rights:
- Right of access: You generally have the right to see the personal data SDU processes about you. You also have the right to receive information about how your personal data is processed, including the purpose of the processing.
- Right to rectification: In certain situations, you have the right to have inaccurate/incorrect personal data about you rectified.
- Right to erasure: You have a limited right to have your personal data deleted, as SDU is covered by the rules on record keeping, among other things.
- Right to object: You have the right to object to an otherwise lawful processing of your personal data.
- Right to restriction of processing: You have the right to have the processing of your personal data restricted, for example if you have requested rectification and it has not yet been carried out.
- Right to data portability: In certain cases, you have the right to receive your personal data and to request that the personal data is transferred from one controller to another.
- Right not to be subject to an automated decision: You have the right not to be subject to a decision based solely on automated processing, including profiling.
If you want to exercise your rights, please contact the Rector's Office.
If you have questions about data protection and your rights, you can contact SDU's Data Protection Officer, Simon Kamber.
If you wish to complain about SDU's processing of your personal data, you can contact the Danish Data Protection Agency via www.datatilsynet.dk. Before you complain to the Danish Data Protection Agency, you must first contact SDU.
If you have any questions about this specific information letter, please contact SDU IT, Governance, Risk & Compliance.
In addition, please refer to SDU's general information letter, which you have received at the start of employment.