Skip to main content
DA / EN
DA / EN

Search

Menu

Information notice for students on the use of Microsoft (M365)

The university sector is the most targeted globally by cyberattacks. To protect SDU’s data from unauthorized access, extensive security measures are necessary. Modern security tools also process personal data. This page explains how SDU handles your personal data within Microsoft services.

SDU uses several Microsoft products under the Microsoft E5 license, including Microsoft 365, Microsoft Azure, and Dynamics 365.

  • Microsoft 365 includes programs such as Outlook, OneDrive, Teams, and SharePoint. These services are maintained by Microsoft, and data is stored in SDU’s dedicated tenant on Microsoft servers located in Europe.

  • Microsoft Azure supports various cloud service models. Some software is maintained and hosted by Microsoft, while other applications—such as SDU’s integrations with HCM and ERP—are hosted on Azure but maintained by SDU.

  • Dynamics 365 is primarily a CRM (Customer Relationship Management) system built on Azure infrastructure.

SDU also uses Microsoft’s security products, including the Defender suite and Sentinel, Microsoft’s centralized log collection solution. The Defender suite protects SDU against malicious activity such as cyberattacks. It secures mobile devices (laptops, phones, tablets), Microsoft software (e.g., Word, Excel), network traffic, and third-party applications like ItsLearning and SurveyXact. These tools allow SDU to monitor user activity across systems, which is essential for detecting compromised accounts.

Security logs from the various Defender tools are sent to Sentinel, where alerts can be configured for actions that pose a risk of data compromise. Each user is assigned a risk score that changes based on their behaviour. Defender and Sentinel use machine learning to understand normal user behaviour and detect anomalies that may indicate account compromise, such as:

  • Malware execution
  • Behavioural changes
  • Unusual working hours
  • Transfers to external drives (e.g., USB sticks) or cloud services (e.g., Dropbox)
  • High-volume file activity (e.g., mass printing or deletion)
  • Downloading copyrighted material
  • Logins from geographically distant locations within a short time frame (so called "impossible travel")

These indicators help identify potential misuse or compromised accounts.

SDU monitors security logs daily, both for safety concerns and to meet regulatory requirements. SDU is regularly audited by the National Audit Office and Danish Agency for Higher Education and Science.

To prevent misuse of logs and protect confidential data, SDU has strict access controls. Only a few trusted employees in SDU IT’s SecOps (Security Operations) team can access log data in Sentinel. Their access is reviewed and approved annually by the Director. With over 60,000 active user accounts, SecOps does not monitor individual users in real time. Instead, they respond to alerts and investigate suspicious activity.

This means that SecOps has access to see which systems and websites are being used by individual users and in some cases, SecOps may view email/document content if it is quarantined due to suspected malware. However, access to user identity is restricted and requires privileged access, which is logged and monitored. Functional separation ensures that SecOps staff cannot alter or delete logs.

SDU processes these logs to protect the university from attacks and misuse. Students are also encouraged to read the Guidelines for the use of IT by students at the University of Southern Denmark.

Personal equipment

Be aware that when you access SDU resources from personal equipment – for example, by click-ing a link to a digital exam sent via email – the system may, in some cases, collect logs from subsequent browser sessions (such as web searches) if you do not close the browser after accessing an SDU resource. This applies even when you are on a private network using your own computer, as it depends on the browser’s security settings. This is similar to how Facebook can track your activity if you open a link within its app and continue browsing in the same session.

Equipment provided by SDU

In special cases, students may be given equipment purchased and managed by SDU. This could include borrowing an exam computer or being required to use SDU-provided equipment for your thesis work. If you use equipment purchased and managed by SDU and configured according to the university’s security standards, you will generally encounter fewer security measures compared to when using personal equipment.

SDU’s network

If you use a personal device on SDU’s network, please note that SDU logs network traffic as required by authorities. However, SecOps staff do not have direct access to see which websites individual users visit from a personal device. Identifying specific user activity would require log correlation, which may be performed if requested by authorities, such as the police. SecOps can view URL logs if a user attempts to access a blocked website. SDU blocks websites based on recommendations from Microsoft, other security firms, and Danish authorities.

Microsoft processes two types of personal data:

Content data

This data about you or somebody else is typed in, created, or stored by yourself. Content data would often appear in a Word document with your own notes, in a header/footer in a PowerPoint presentation, an email signature, etc. Content data also includes your personal data, which a SDU staff member processes in a case about you.

Metadata

This is data generated by using Microsoft programs, such as language settings or error logs. Microsoft needs to process this data to deliver its services. Metadata is usually aggregated and not directly linked to individuals, but in some cases—especially related to security—it can be tied to a specific user. As SDU uses the Defender suite and Sentinel, these tools may also contain personal data about user behaviour in non-Microsoft systems, e.g. third-party platforms such as ItsLearning or SDU’s network traffic.

SDU uses Microsoft services across the organization for research, teaching, communication, and administration. Personal data is processed as part of SDU’s role as a university, including non-sensitive personal data, confidential personal data, and sensitive personal data.

Student data is primarily stored in SDU’s case management system, but many documents are created in Word. This means that personal data may be processed in Microsoft programs even if not stored there. Examples include communication with students or cases handled by the Study Board, such as exemption requests, complaints, or suspected exam misconduct. These documents are typically not stored in Microsoft 365 but are entered into SDU’s electronic case and records management system. Thus, the specific content depends on the nature of the student’s case.

To access SDU’s IT systems, users are registered in the central user management system, Microsoft Azure AD (Active Directory), which includes basic information such as name, age, gender, contact details, date of birth, and CPR number (Danish central registration number). Users also receive a username, email address, system permissions, and when relevant an end date.

Your own data

Students may use Microsoft services for personal purposes, such as saving notes in OneDrive. You are responsible for ensuring lawful use of this data, including when you collect data for your bachelor or master’s theses.

Data about you

SDU processes your personal data based on:

  • GDPR Article 6(1)(a): Consent
  • GDPR Article 6(1)(c): Legal obligation (e.g., required by the Danish Act on Universities)
  • GDPR Article 6(1)(e): Public interest or in the exercise of official authority vested in SDU
  • Danish Data Protection Act §11: Processing of CPR numbers
  • GDPR Article 9(2)(f) or (g) and the Danish Data Protection Act §7(4): Processing of sensitive data to establish legal claims (e.g., health information in Study Board decisions)
  • GDPR Article 10: Processing of personal data relating to criminal convictions and offences.

Processing includes data collection and storage during admission, study administration, ongoing administration, exam management, and archiving under the Danish Archives Act.

Microsoft processes data on behalf of SDU. As a processor Microsoft may only process content data and certain service-generated data (including Defender logs) according to SDU’s instructions. Content data is stored in SDU’s dedicated space on Microsoft servers in Europe. Microsoft employees do not have access to SDU’s data unless SDU grants access via Customer Lockbox, which SDU has purchased.

SDU has enabled Optional Connected Experiences, which are cloud-based features like inserting online images in Word or PowerPoint. These services are offered directly to users by Microsoft and are not covered by SDU’s license. Be aware that when using these features, you accept Microsoft Services Agreement and Privacy Statement.

You can disable these features by unchecking “Enable optional connected experiences” under: "File" > "Account" > "Account Privacy" > "Manage Settings"

SDU has not disabled this feature by default to allow users access to these tools.

Learn more about Optional Connected Experiences here.

Microsoft is working toward offering a fully European operational setup, meaning that all services and support will eventually be handled within Europe. As a European customer, SDU is gradually transitioning to this setup. However, some services—such as the processing of security signals from Defender products—still involve data processing primarily in the United States.

Microsoft is certified under the EU-U.S. Data Privacy Framework. Therefore, transfers are made in accordance with GDPR Article 45, based on the adequacy decision by the European Commission stating that transitions based on the Data Privacy Framework are sufficiently secure. In cases where Microsoft uses sub-processors located in third countries without an adequacy decision, the transfer is made from Microsoft Ireland to the sub-processor under GDPR Article 46(2)(c) (standard contractual clauses).

Important: Content data is never transferred or disclosed to third countries.

You can view Microsoft’s updated list of sub-processors here.

Some metadata is shared with Microsoft. In this context, “sharing” means that Microsoft may use the data for its own independent purposes, including:

  • Billing and account management
  • Employee and partner compensation (e.g., calculating commissions and incentives)
  • Internal reporting and business modelling (e.g., forecasting, revenue, capacity planning, product strategy)
  • Financial reporting

SDU has implemented and is continuing to implement measures to reduce the risk that metadata contains confidential or sensitive personal data. Metadata is shared with Microsoft under GDPR Article 6(1)(e), as part of SDU’s exercise of official authority.

Be aware: The subject line of emails and title of calendar invitations are included in metadata shared with Microsoft. Therefore, these subject lines must not contain confidential personal data, sensitive personal data or confidential business information (e.g., health information, CPR numbers). This applies even if the calendar event is marked as “private,” as some email clients may not support this setting. You should therefore avoid including truly private information in the subject line.

When you leave SDU, your Microsoft account will be deactivated. All associated data, including the account itself, mailbox, and OneDrive content, is deleted after 3 months.

Metadata generated from your use of the systems is deleted after 6 months.

Right of access

You can request to see the personal data which SDU processes about you, including information about how your personal data is processed and the purpose of the processing.

Right to rectification

You can request correction of inaccurate or incorrect personal data.

Right to erasure (‘right to be forgotten’)

You have the right to request erasure of your personal data. Beware that SDU is subject to archiving and recordkeeping law and that this limits SDU’s authority to erase personal data under Danish law.

Right to object

You can object to otherwise lawful processing of your personal data. The right to object applies to the processing of data based on Article 6(1)(e). You always have the right to withdraw your consent when your data is processed based on Article 6(1)(a).

Right to restriction of processing

You can request that processing of your personal data be restricted, for example, while a correction request is being handled.

Right to data portability

In certain cases, you can request to receive your personal data or have it transferred to another data controller.

Right not to be subject to automated decision-making

You have the right not to be subject to decisions made solely by automated processing, including profiling.

To exercise your rights, please contact the Rector’s Office.

If you have questions about data protection in SDU or your rights, you can contact SDU’s Data Protection Officer, Simon Kamber, dpo@sdu.dk.

If you wish to file a complaint about SDU’s processing of your personal data, you can contact the Danish Data Protection Agency via www.datatilsynet.dk. Before contacting the agency, you must first reach out to SDU.

You can also refer to SDU’s general privacy information letter provided at the start of your studies


The Danish version of this document was reviewed by student representatives in the University Council on February 23, 2024. Based on their feedback, clarifying adjustments were made.

Revised in January 2026.

Last Updated 29.01.2026