Microsoft 365 Products Privacy Statementnet
Home

Microsoft 365 Products in Aptiv Privacy Notice

Scope of this Privacy Statement

Aptiv Global Operations Limited and its affiliates and related entities (“Aptiv”), as a Data Controller, is committed to protecting the privacy and security of your Personal Data. “Affiliates” includes all entities controlled by, under common control with, or controlling Aptiv Global Operations Limited, provided that control will mean direct or indirect control or ownership of more than 50% of the voting stock or equity of such entity.

This Privacy Notice describes how we collect and process Personal Data about you when you use Aptiv’s Microsoft 365 products (such as Teams, Outlook, SharePoint and PowerPoint). It describes the categories of Personal Data that might be collected, how the Personal Data is used, how it is secured, when it may be transferred, and the rights you have over your Personal Data. We take steps to ensure that the Personal Data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.

Personal Data We Collect

Personal Data means any information about an individual from which that person can be identified.

Depending on the Microsoft 365 product in use, and context of your interaction(s), the Personal Data we collect and process might include among others, the following:

  • Name and contact details, such as email address, phone number, job title, site location, organization, etc.,
  • Login credentials and identifiers, account activities, IT network and system metadata
  • Photograph/profile picture, video/audio, chats, recordings and transcriptions,
  • Calendar items, meeting attendance, calls history,
  • Documents and files (e.g. Excel, Word, PowerPoint), stored (e.g. on SharePoint and OneDrive files), printed, and/or shared, as appropriate.                                         


Purposes for Collecting Your Personal Data

The purposes for which we may collect and process your Personal Data may include the following:

To create, provision, and/or enable access to, your Microsoft 365 user account(s) and enable you to access and use any of the Microsoft 365 products and services, for which you have appropriate license and permissions,

  • To identify you, your job title, job function, organization, and/or organizational hierarchy,
  • To allow you to create work product linked to your user account (the ownership of which remains with Aptiv),
  • To communicate with you and facilitate communication with colleagues and (as appropriate) third parties,
  • To collaborate with you and facilitate (as appropriate) collaboration, teamwork, and file sharing,
  • To video/audio stream during meetings, calls, and chats,
  • To video/audio record during meetings, calls and chats (with your consent),
  • To collect your survey feedback,
  • To facilitate room booking, calendar availability and booking, etc.,
  • To operate and manage the IT and communications systems and processes, including Cybersecurity,
  • To comply with regulatory, legislative or statutory obligations, which vary in regions (for example, compliance investigations, data subject requests, law enforcement directives, court orders, subpoenas, etc.), and
  • To fulfil other purposes associated with or related to the above purposes.

How We Obtain Your Personal Data

Depending on the context of the interactions with the Microsoft 365 products, we obtain your Personal Data either directly or indirectly from you.

  • Directly, when you engage and interact with the Microsoft 365 products and input your Personal Data (e.g., when you upload your profile picture in Microsoft Teams, or upload personal data into files, meetings, etc.).
  • Indirectly, when during the normal course of business your personal data is collected or input into Microsoft 365 products (e.g., when your Microsoft user profile is provisioned, or when you join a meeting, call etc.).


Our Lawful Bases for Processing your Personal Data

Our lawful bases for processing your Personal Data will be appropriate for the purpose of processing, the type of data involved, and applicable law. We process your Personal Data when it is necessary for:

  • Carrying out our legitimate interests or that of a Third Party, and
  • The performance of tasks for which you have given your consent.

Where we rely on your consent as our lawful basis of processing (e.g., for audio/video recording), users must remember that consent must be informed, freely given, an unambiguous indication of their wishes, and is withdrawable at any time.

Disclosure of Personal Data

All Personal Data processed by Microsoft 365 products is stored on Aptiv servers; however, in limited circumstance, Microsoft might have access to some of your data. Where the latter is applicable, Microsoft will only process your Personal data on Aptiv’s documented instructions. In such instances, Microsoft is required to take appropriate Technical and Organizational measures to protect your Personal Data, based on the associate risks, and is subject to a duty of confidentiality.

Cross Border Data Transfers of Personal Data

We may be required to transfer your Personal Data across International borders, in line with applicable law. To ensure that International Transfers of Personal Data are adequately protected, we have put in place appropriate safeguards as required to ensure both your Personal Data and your Rights are protected.

For International Data Transfers, we comply with the requirements of applicable law, including safeguards such as Standard Contractual Clauses (SCCs) where required (e.g., for transfers of EU Personal Data outside of EU (and areas deemed to provide Adequate Protection), SCCs in accordance with Article 46(2) of the GDPR). For more information on the appropriate safeguards in place to protect your Personal Data, please contact us using the details at the end of this statement.

Retention of Information

We will retain your Personal Data only as long as necessary to fulfil the purpose(s) for which it was collected, or as required by law. We retain your Personal Data in accordance with applicable laws and our Records Management Policy and Retention Schedule. Otherwise, we aim to keep our files current and will make reasonable efforts to remove Personal Data that is no longer relevant for the purposes for which it was collected.

Security and protection of Personal Data

Aptiv is committed to safeguarding the security of your Personal Data, via a system of governance, policies, and processes, and have dedicated Privacy and Security teams to manage risk and implement controls. We have implemented appropriate security measures in order to protect your Personal Data from unauthorized access, use, copying, modification, disclosure, destruction, and alteration. We abide by the key principles of Data Protection and Privacy in our Personal Data collection and handling, namely: accountability; lawfulness, fairness, and transparency; data minimisation; purpose limitation; storage limitation; managing the confidentiality, integrity, and accuracy of Personal Data.

Data Subjects’ Rights in Relation to the Processing of Their Personal Data

In accordance with applicable law, in certain circumstances, you may have the following rights regarding the processing of your Personal Data.

  • The right to be informed about the processing of your data.
  • The right to access your data.
  • The right to correct your data if it is incorrect.
  • The right to have your data erased/deleted.
  • The right to restrict processing of your data.
  • The right to object to processing, including the right to object to direct marketing.
  • The right to have a copy of your data transferred to different Third Party

In the US, these rights are limited to California residents. The right to object (including direct marketing) is not applicable in California because we do not sell or share your Personal Data, or use your sensitive Personal Data, for any purposes that are incompatible with the purposes listed in the Notice, unless we provide you with notice of those additional purposes.

Making Data Subject Rights Requests You may exercise Your Rights via our online form here. In some jurisdictions, you may also designate an authorized agent to make a request on your behalf.

To protect your data from unauthorized access, all requests regarding your Personal Data will be subject to verification of the identity of the requesting individual.

The response time for Data Subject Rights Requests varies depending on your jurisdiction and applicable law. If we require more time to respond to your Request, we will inform you.

Automated decision-making

Automated decision-making takes place when an electronic system uses Personal Data to make a decision without human intervention.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you in advance.

Complaint Procedure

If you are an Aptiv employee and concerned about the collection, use or sharing of your Microsoft 365 related Personal Data, you can at any time discuss the matter with your manager, your HR department, or via privacy@aptiv.com.

Otherwise, depending on your jurisdiction, you also have a right to make a complaint at any time to your local Data Protection Supervisory Authority (find a list of EEA Authorities here). Aptiv Global Operations Limited is an Irish Company, and it’s lead EU Regulator is the Irish Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD 28, Ireland or by e-mailing info@dataprotection.ie.

Updated: 10 April 2024