We use cookies to provide you with a better experience. Learn more in our Privacy Policy.


+44 (0)1227 470 901


Part of the PFA Group

Data Privacy Statement

Peter Fisk Associates - Privacy Policy


You have an invitation to use Microsoft 365 (M365) SharePoint Online by Peter Fisk Associates Ltd. as the responsible party within the meaning of the respective applicable data protection laws.

M365 SharePoint Online is a collaboration and exchange platform for individual users, teams and networks, which can be used both by users within the PFA Group and with clients external to the business group.

With the use of M365 SharePoint Online, personal data are processed. Please note that this data privacy statement only informs you about the processing of your personal data when using M365 SharePoint Online in cooperation with PFA. If you need information about Microsoft’s processing of your personal data, please read the appropriate declaration.

Microsoft privacy statement: https://privacy.microsoft.com/en-us/privacystatement

You can access PFA’s general data privacy statement at any time by visiting https://pfagroup.eu/privacy-policy/


1. Categories and context of personal data subject to processing when using M365 SharePoint Online

Certain information is already automatically processed when using M365 SharePoint Online. In this privacy policy, PFA specifies for you exactly which personal data are processed and on which legal basis this is done:

1.1 Your IP address used to access the M365 SharePoint Online

Legal bases for this are Article 6 para. 1 a), b) and f) General Data Protection Regulation (GDPR), as well as Article 88 GDPR in conjunction with the national laws on employee data protection.

1.2 Your user name (access data to M365 SharePoint Online), data within the scope of the so-called multi-factor authentication, which you have stored yourself in your Microsoft account (e.g. optionally the (private) mobile phone number).

The legal basis for this is Article 6 para. 1 b) and c).

1.3 Identification features: Information identifying you as the user, sender, recipient of data within M365 SharePoint Online. This includes, in particular, the following master data: name, first name, official contact data such as telephone number, e-mail address, official fax number, insofar as provided by you or if your organization transmitted it. This information is always visible in your profile, particularly in Outlook for you and other M365 users, and can be customized by you.

The legal basis for this is Article 6 para. 1 a), b), c) and f) GDPR.

1.4 Data required for authentication, license use, logging and misuse detection. M365 processes all user activities, such as time of access, date, type of access, details regarding data/files/documents accessed and all activities related to use, such as creating, modifying, deleting a document, setting up a team (and channels in teams), taking notes in the notebook, starting a chat, replying in the chat.

The legal basis for this is Article 6 para. 1 b) and c) GDPR.

1.5 User data: User data collected by you or from you. This includes, in particular communication content, files created by you or to be created by you.

The legal basis for this is Article 6 para. 1 b) and f) GDPR.

1.6 Data backups and archiving: The data collected from or about you is stored in PFA’s data backup. This serves to restore the system and the data itself. In addition, your data will be (partially) archived if this is required by law.

The legal basis for this is Article 6 para. 1 b) and c) GDPR.


2. Transfer and transmission of data

Apart from the cases explicitly mentioned in this data privacy statement, your personal data will only be disclosed without your express prior consent if it is legally permissible or necessary. This may be the case, for example, if such processing is necessary to protect the user’s vital interests of another natural person.

2.1 Data provided by you during M365 SharePoint Online registration will be shared within the PFA Group businesses for internal administrative purposes, including supplier support, to the extent necessary.

The legal basis for this is Article 6 para. 1 f) GDPR.

Any possible transfer of personal data is justified because PFA has a legitimate interest in disclosing such data for administrative purposes within the PFA Group businesses and that your rights and interests in the protection of your personal data are in accordance with Article 6 para. 1 lit. f) GDPR do not prevail.

2.2 Should it be necessary to clarify an illegal or abusive use of M365 SharePoint Online or for legal prosecution, personal data will be disclosed to law enforcement or other authorities and, if applicable, to injured third parties or legal advisors. However, this only occurs if there are indications of illegal or abusive behaviour. A transfer can also occur if this serves the enforcement of terms of use or other legal claims. PFA is also legally obliged to provide information to certain public bodies on request. These are criminal prosecution authorities, authorities that pursue administrative offences for which fines have been imposed, and financial authorities.

Any transfer of personal data is justified by the fact that

  • (1) processing is necessary to fulfil a legal obligation to which PFA is subject pursuant to Article 6 para. 1 lit. c) GDPR in conjunction with national legal requirements for the disclosure of data to criminal prosecution authorities, or
  • (2) PFA has a legitimate interest in transferring such data to the aforementioned third parties if there are indications of abusive behaviour or to enforce PFA’s legal claims and your rights and interests in the protection of your personal data within the meaning of Article 6 para. 1 lit. f) GDPR do not prevail
  • or (3) PFA processes data based on Article 88 GDPR  in connection with nationally applicable data protection law on the employment relationship to uncover criminal offences.

2.3 PFA depends on Microsoft for the use of M365 SharePoint Online. Microsoft is a so-called processor of orders and is subject to PFA’s instructions as the responsible party in the sense of the GDPR when processing personal data within the framework of Microsoft Office 365 applications used by PFA. In accordance with PFA’s legal obligations, PFA has entered into contractual agreements with Microsoft and other contract processors for the transfer of data. Microsoft’s processing of personal data takes place on servers located in the UK.

2.4 In the course of further expansion of PFA’s business, it may happen that the structure of the company changes by changing its legal form, by forming, acquiring or selling subsidiaries, parts of companies or components of companies. In such transactions, if necessary, such information may be transferred to another legal entity along with the part of the business to be transferred. Whenever personal information is transferred to third parties to the extent described above, PFA will ensure that this is done in accordance with this data privacy statement and applicable data protection laws.

Any disclosure of personal data is justified because PFA has a legitimate interest in adapting PFA’s corporate form to the economic and legal circumstances as required and that your rights and interests in the protection of your personal data do not prevail in the sense of Article 6 para. 1 lit. f) GDPR.


3. Transfer of data to third countries

A transfer to third countries, both within the Group and by commissioning contract processors and third parties, cannot be ruled out when using M365 SharePoint Online. PFA has taken appropriate guarantees to protect your data in such a case.

Microsoft may temporarily give technical staff access to outside EU/EEA for technical maintenance. To guarantee compliance with Regulation (EU) 2018/1725, this should happen in line with instructions provided by the Directorate-General for Informatics (DIGIT) regarding the common agreement and terms of use between the European Institutions and Microsoft.

In addition, Microsoft does not control or limit the regions from which the customer or its end users may access or move customer data. Therefore, if an end-user travels outside the EU/EEA and uses the services, personal data may be processed outside the EU/EEA to enable access to the online services from their location.


4. Change of purpose

Processing of your personal data for purposes other than those described above will only be carried out to the extent permitted by law or if you have consented to the changed purpose of data processing. In the event of further processing for purposes other than those for which the data were originally collected, PFA will inform you of these other purposes prior to further processing. PFA will also provide you with any other relevant information.


5. Period of data storage

PFA will delete, block or make anonymous your personal data as soon as they are no longer required for the purposes for which PFA has collected or used them in accordance with the above paragraphs. Subject to statutory deletion and retention periods, PFA stores your personal data for the duration of the contractual relationship with you. Login data and IP addresses are deleted after 90 days at the latest. Your data will also be stored in data backups, which are regularly and operationally reasonably overwritten.


6. Your rights as the data subject

6.1 Right of access to data and information

You have the right to obtain from PFA, at any time and upon request, information on personal data processed by PFA and relating to you within the scope of Article 15 GDPR. To do this, you can submit an application by post or by e-mail to the data protection officer at the address below.

6.2 Right to correction of inaccurate data

You have the right to ask PFA to correct without undue delay any personal data concerning you if it is inaccurate. To do so, please contact the data protection officer at the addresses indicated below.

6.3 Right of deletion of data

Under the conditions described in Article 17 GDPR, you have the right to request PFA for the deletion of personal data referring to you. To exercise your right of deletion, please contact the data protection officer at the addresses indicated below.

6.4 Right to restriction of processing

You are entitled to demand that PFA restrict processing in accordance with Article 18 GDPR. To exercise your right to limit processing, please contact PFA via the contact address indicated in Section 9 below.

6.5 Right to data transferability

You have the right to access any personal data concerning you provided to PFA in a structured, common, machine-readable format in accordance with Article 20 GDPR.
To exercise your right to data transferability, please contact PFA via the contact address indicated in Section 9 below.


7. Right to object

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is carried out based on Article 6, paragraph 1, a), e) or f) GDPR, in accordance with Article 21 GDPR. PFA will stop processing your personal data unless PFA can prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.


8. Right to lodge a complaint

You also have the right to lodge complaints with the competent supervisory authority.

Information Commissioner’s Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113

Fax: 01625 524510

Internet: https://ico.org.uk


European Data Protection Supervisor

Rue Wiertz 60, B-1047 Brussels (postal address)

Rue Montoyer 30, B-1000 Brussels (office address)

Telephone: +32 2 283 19 00

Email: edps@edps.europa.eu

Internet: www.edps.europa.eu


9. Contact

If you have any questions or comments regarding PFA’s handling of your personal data or if you would like to exercise any of the rights mentioned in points 6 and 7 as a data subject, please contact:

Ros Wildey (Director), Peter Fisk Associates Limited: ros.wildey@pfagroup.eu

If you have any questions or comments on the practical handling and operation of M365 SharePoint Online, please raise it with the PFA contact who invited you to use it, or your main point of contact at Peter Fisk Associates Limited or PFA-Brussels SRL.


10. Changes to this data privacy statement

PFA reserves the right to vary this statement from time to time in the course of maintenance of its data policies, and update the statement if changes occur in the collection, processing or use of your data.

The current version of the data privacy statement is always available at https://www.pfagroup.eu/365-privacy