Office 365 privacy notification

Office 365 privacy notification


Lundbeck uses Microsoft Office 365 in order to provide a number of collaboration services to its users, namely partners and business relations (the “Services”), and H. Lundbeck A/S (“Lundbeck”) is a data controller of the personal data we receive and collect as part of your sign-up to receive this service.


In processing personal data, Lundbeck will always comply with applicable legislation, including the General Data Protection Regulation (“GDPR”) and the Danish Act on Processing of Personal Data. 

Information collected and used by Lundbeck

In the context of being able to provide the Service, we collect and process the following types of personal data about you when you sign up to receive the Services:


  • e-mail address; and
  • name or workplace, if your e-mail address reveals this.

We process your personal data for the following purpose:


  • to facilitate collaboration and sharing of documents and data through Office 365 as part of your collaboration or business relation with Lundbeck;

  • to authenticate you; and
  • to ensure the security and integrity of IT systems or data.

How did we obtain your personal data?

Contact information such as your email is provided by your Lundbeck contact person or the person who invited you to join the service.

The legal basis of processing of personal data

Your personal data is processed on the basis of the following legal basis:


  • in order to comply with an agreement with you (GDPR Art. 6 (1) (b)); or
  • to fulfill a legitimate interest, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (GDPR Art. 6 (1) (f)). A legitimate interest for Lundbeck can be that the personal data collected in order to provide users with the Office 365 service or to ensure the security and integrity of IT systems or data.

Our third party Data Processors

Office 365 is hosted and operated by Microsoft (a data processor of Lundbeck), and its subprocessors.


In addition, Lundbeck may use other data processors, to manage and support our Office 365 Services, who may also process your data on Lundbeck's behalf.


All third-party data processors will be obligated by Lundbeck to safeguard the confidentiality of your data and to take adequate technical and organizational measures to protect your data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or abuse, or other unlawful processing.

Transfer of data to countries outside the EU/EEA

Your personal data is stored in Microsoft data centers, within the European Economic Area.


However, depending on the context, we and Microsoft may transfer personal data to other countries, some of which have not yet been determined by the European Commission to have an adequate level of data protection. Lundbeck will ensure that such transfer(s) will be carried out in accordance with the applicable data protection legislation, including the GDPR.


Transfers to countries outside the EU/EEA may take place if the recipient adheres to the EU-US Privacy Shield[1] (if the transfer is to the United States of America) or when ensuring that the recipient enters into the EU Standard Contractual Clauses[2]. The transfer can also be made if the recipient is located in a country providing an adequate level of data protection (see the full list of these ‘secure countries’ on the EU Commissions’ website[3]).


If your personal data is transferred to other Lundbeck affiliates, the transfer will be based on the Lundbeck Intra Group Agreements (or the Binding Corporate Rules, one approved). A copy hereof can be obtained by contacting Lundbeck using the below contact information.

Storage of Data (Data Retention)

Lundbeck will keep your personal data only for as long as reasonably necessary for the purposes for which it was collected or received.


Once a file or workspace you have interacted with through the Services is deleted, personal data connected to the file or workspace will be erased after 90 days. However, we will retain personal data for a longer period if we are required to do so by law or if we need to establish, exercise or defend our legal rights.

Your right

Lundbeck has taken necessary and adequate steps in order to protect your personal data and ensure your rights as a data subject. Please note that certain limitations may apply to your ability to exercise these rights. Subject to these limitations, you have the following rights:


Right of access


You have the right to request access to the personal data Lundbeck processes about you.


Right to rectification


You have the right to rectification of inaccurate personal data concerning you, including completion of incomplete personal data.


Right to erasure (right to be forgotten)


You have the right to the erasure of the personal data concerning you.


Right to restriction


You have the right to restrict Lundbeck's processing of personal data concerning you.


Right to data portability


Where processing is based on a consent or a contract and the processing is carried out by automated means, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format. You have the right to transmit this personal data to a third party without hindrance from Lundbeck, If technically possible.


Automated individual decision-making, including profiling


As a general rule you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or affects you significantly. This does not apply if, among other things, automated decision-making and profiling is necessary for entering into, or performing, a contract between you and Lundbeck.

Right to object

  • You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on legitimate interests as legal basis for the processing (as set out in article 6(1)(f) of the GDPR and section 6 of the Danish Data Protection Act), including profiling based on this provision.
  • Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, Lundbeck must no longer process the personal data for such purposes.

If processing of your personal data is based on your consent, you may withdraw your consent at any time. Please note that this does not affect Lundbeck's processing of your personal data prior to the withdrawal of your consent.


You also have the right to lodge a complaint with the competent supervisory authority, such as the the Danish Data Protection Agency.


If you wish to exercise any of your rights as described above or have any questions, please contact the Lundbeck Group Data Protection Officer by using the contact information provided below.

Contact details of Lundbeck and Lundbeck’s Group Data Protection Officer

Should you have any questions in regards to the protection of your personal data or if you wish to exercise your legal rights, please contact Lundbeck or Lundbeck’s Group Data Protection Officer by using the below contact details:



H. Lundbeck A/S

Ottiliavej 9

2500 Valby

Phone no.: +45 3630 1311


Lundbeck’s Group Data Protection Officer



Letter: Use above address, att.: Data Protection Officer

Phone: Use above phone number and ask to speak to the Data Protection Officer


If you contact our DPO via the above email address, H. Lundbeck A/S, and other Lundbeck group entities, will process the personal data you provide to us with in order to handle and respond to your inquiry. Please read our privacy notice regarding this processing activity here.