Microsoft 365 Products Privacy Notice 2026 Live
Home

Microsoft 365 Products in Aptiv Privacy Notice

 

Scope and Overview

Aptiv Global Operations Limited and its affiliates and related entities (“Aptiv”), as a Data Controller, is committed to protecting the privacy and security of your Personal Data. “Affiliates” includes all entities controlled by, under common control with, or controlling Aptiv Global Operations Limited, provided that control will mean direct or indirect control or ownership of more than 50% of the voting stock or equity of such entity. This Privacy Notice describes how we collect and process Personal Data about you when you use Aptiv’s Microsoft 365 products (such as Teams, Outlook, SharePoint and PowerPoint). It describes the categories of Personal Data that might be collected, how the Personal Data is used, how it is secured, when it may be transferred, and the rights you have over your Personal Data. We take steps to ensure that the Personal Data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.

Personal Data We Collect

Personal Data means any information about an individual from which that person can be identified either directly indirectly, such as name, email and IP address Depending on the Microsoft 365 product in use, and context of your interaction(s), the Personal Data we collect, and process might include among others, the following:

  • Name and contact details, such as email address, phone number, job title, site location, organization, etc.,
  • Login credentials and identifiers, account activities, IT network and system metadata
  • Photograph/profile picture, video/audio, chats, recordings and transcriptions,
  • Calendar items, meeting attendance, calls history,
  • Documents and files (e.g. Excel, Word, PowerPoint), stored (e.g. on SharePoint and OneDrive files), printed, and/or shared, as appropriate.

Purposes for Collecting Your Personal Data

The purposes for which we may collect and process your Personal Data may include the following:

  • To create, provision, and/or enable access to, your Microsoft 365 user account(s) and enable you to access and use any of the Microsoft 365 products and services, for which you have appropriate license and permissions,
  • To identify you, your job title, job function, organization, and/or organizational hierarchy,
  • To allow you to create work product linked to your user account (the ownership of which remains with Aptiv),
  • To communicate with you and facilitate communication with colleagues and (as appropriate) third parties,
  • To collaborate with you and facilitate (as appropriate) collaboration, teamwork, and file sharing,
  • To video/audio stream during meetings, calls, and chats,
  • To video/audio record during meetings, calls and chats (with your consent),
  • To transcribe or convert meeting spoken words into text in real time, displaying it in a side pane with speaker attribution and timestamps using AI (with your consent),
  • To collect your survey feedback,
  • To facilitate room booking, calendar availability and booking, etc.,
  • To operate and manage the IT and communications systems and processes, including Cybersecurity,
  • To comply with regulatory, legislative or statutory obligations, which vary in regions (for example, compliance investigations, data subject requests, law enforcement directives, court orders, subpoenas, etc.), and
  • To fulfil other purposes associated with or related to the above purposes.

How We Obtain Your Personal Data

Depending on the context of the interactions with the Microsoft 365 products, we obtain your Personal Data either directly or indirectly from you.

  • Directly, when you engage and interact with the Microsoft 365 products and input your Personal Data (e.g., when you upload your profile picture in Microsoft Teams, or upload personal data into files, meetings, etc.).
  • Indirectly, when during the normal course of business your personal data is collected or input into Microsoft 365 products (e.g., when your Microsoft user profile is provisioned, or when you join a meeting, call, etc.).

Our Lawful Bases for Processing your Personal Data

Our lawful bases for processing your Personal Data will be appropriate for the purpose of processing, the type of data involved, and applicable law. We process your Personal Data when it is necessary for:

  • Carrying out our legitimate interests or that of a Third Party, and
  • The performance of tasks for which you have given your consent.

Where we rely on your consent as our lawful basis of processing (e.g., for audio/video recording), users must remember that consent must be informed, freely given, an unambiguous indication of their wishes, and is withdrawable at any time.

Disclosure of Personal Data

All Personal Data processed by Microsoft 365 products is stored on Aptiv servers; however, in limited circumstances, Microsoft might have access to some of your Personal Data. Where the latter is applicable, Microsoft will only process your Personal Data on Aptiv’s documented instructions. In such instances, Microsoft is required to take appropriate Technical and Organizational measures to protect your Personal Data, based on the associated risks, and is subject to a duty of confidentiality.

Cross Border Data Transfers of Personal Data

We may be required to transfer your Personal Data across International borders, in line with applicable law. To ensure that International Transfers of Personal Data are adequately protected, we have put in place appropriate safeguards as required to ensure both your Personal Data and your Rights are protected.

For International Data Transfers, we comply with the requirements of applicable law, including safeguards such as Standard Contractual Clauses (SCCs) where required (e.g., for transfers of 3 EU Personal Data outside of EU (and areas deemed to provide Adequate Protection) and SCCs in accordance with Article 46(2) of the GDPR). For more information on the appropriate safeguards in place to protect your Personal Data, please contact us using the details at the end of this statement.

Retention of Information

We will retain your Personal Data only as long as necessary to fulfil the purpose(s) for which it was collected, or as required by law. We retain your Personal Data in accordance with applicable laws and our Records Management Policy and Retention Schedule. Otherwise, we aim to keep our files current and will make reasonable efforts to remove Personal Data that is no longer relevant for the purposes for which it was collected.

Security and protection of Personal Data

Aptiv is committed to safeguarding the security of your Personal Data, via a system of governance, policies, and processes, and has dedicated Privacy and Security teams to manage risk and implement controls. We have implemented appropriate security measures to protect your Personal Data from unauthorized access, use, copying, modification, disclosure, destruction, and alteration. We abide by the key principles of Data Protection and Privacy in our Personal Data collection and handling, namely: accountability; lawfulness, fairness, and transparency; data minimization; purpose limitation; storage limitation; and managing the confidentiality, integrity, and accuracy of Personal Data.

Data Subjects’ Rights in Relation to the Processing of Their Personal Data

In accordance with applicable law, in certain circumstances, you may have the following rights regarding the processing of your Personal Data:

  • The right to be informed about the processing of your data.
  • The right to access your data.
  • The right to correct your data if it is incorrect.
  • The right to have your data erased/deleted.
  • The right to restrict the processing of your data.
  • The right to object to processing, including the right to object to direct marketing.
  • The right to have a copy of your data transferred to different Third Party

In the US, these rights are limited to California residents. The right to object (including direct marketing) is not applicable in California because we do not sell or share your Personal Data, or use your sensitive Personal Data, for any purposes that are incompatible with the purposes listed in this Notice, unless we provide you with notice of those additional purposes.

Making Data Subject Rights Requests You may exercise Your Rights via our online form here. In some jurisdictions, you may also designate an authorized agent to make a request on your behalf.

To protect your data from unauthorized access, all requests regarding your Personal Data will be subject to verification of the identity of the requesting individual.

The response time for Data Subject Rights Requests varies depending on your jurisdiction and applicable law. If we require more time to respond to your Request, we will inform you.

Automated decision-making

Automated decision-making takes place when an electronic system uses Personal Data to make a decision without human intervention.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you in advance.

Complaint Procedure

If you are an Aptiv employee and concerned about the collection, use or sharing of your Microsoft 365 related Personal Data, at any time you can discuss the matter with your manager, your Human Resources department, or via privacy@aptiv.com.

Otherwise, depending on your jurisdiction, you also have a right to make a complaint at any time to your local Data Protection Supervisory Authority (find a list of EEA Authorities here). Aptiv Global Operations Limited is an Irish Company, and its lead EU Regulator is the Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD 28, Ireland or by e-mailing info@dataprotection.ie.