Collaborating on a Document

System Requirements

LEXolution.DMS Pro from version 7.6​

OneDrive for Business​ (including Azure Active Directory, for example included in Microsoft 365)

LEXolution.DMS application registration in Azure Active Directory (AAD) in the law firm's tenant​

  • See installation instructions

Privacy Notice

Using the Co-Authoring Feature via Microsoft OneDrive for Business

LEXolution.DMS allows you to upload documents to your personal Microsoft OneDrive for Business cloud and assign both internal and external co-authors for documents.

Data transfer from your network to the Microsoft OneDrive for Business cloud is encrypted via TLS according to the current technical guideline “BSI TR-02102-2”.

Before using this feature, you transmit data to Microsoft, making Microsoft your data processor according to Article 28 of the EU General Data Protection Regulation (GDPR). As the data controller, it is your responsibility to check all legal requirements in advance and ensure compliance.

To support you, we have submitted a general inquiry to the State Data Protection Authority of Baden-Württemberg regarding the use of this feature. In addition to the data protection agreement and the current EU standard contractual clauses, you must also consider the national laws from the parent company's country of origin (USA -> Cloud Act, Patriot Act, FISA, etc.).

The State Data Protection Authority also believes that when Microsoft Office 365 is used by professionals bound by confidentiality, a Data Protection Impact Assessment (DPIA), such as maintaining a processing register, is required.

Inquiry to the State Data Protection Authority of Baden-Württemberg

Inquiry

Dear Sir or Madam,

Our company is, among other things, a software provider for legal professions, and in this context, we are currently evaluating the implementation of customer requests related to our document management software LEXolution.DMS.

Customer request:
Through our document management system LEXolution.DMS, attorneys should be able to upload a document to their personal “OneDrive for Business” area (part of Office 365) and use features to grant additional editors access to this document. Once the document is finalized, it should be re-imported and updated in LEXolution.DMS.

Possible technical implementation:
The selected document is transferred to the user's account via encrypted transmission (TLS). As the software provider, we always ensure the encrypted transmission is up to date with the latest technology. Once the user finishes editing via their personal OneDrive for Business, the document is updated, checked in, and deleted online in our program.

Impact on data protection:
Our company informs our licensee (usually the law firm) about the data protection relevance of this specific feature. When using this feature, the law firm must ensure that Office 365 is used in compliance with the GDPR and—in our opinion—in addition to including it in the processing register and risk assessment, a Data Protection Impact Assessment (DPIA) must also be conducted.
Furthermore, when using this feature, a notice about its data protection relevance should be displayed to the user, with the option to not show this message again in the future.

Possible example in practice:
A lawyer reviews a contract stored as a document in our LEXolution.DMS software. The lawyer uses our program function to place this contract in their OneDrive for Business and grants other lawyers (from other firm locations or other law firms) access via a link to the document. After the contract review is completed and the document is revised, the lawyer retrieves the changes back into the LEXolution.DMS program (software operated only within the internal law firm network), and the document is then deleted from OneDrive for Business.

Our questions:
-       Have we, in the above implementation and described activity, sufficiently ensured data protection compliance for our customer?
-       Do you agree that the law firm (licensee and user of the software) must conduct a DPIA?

Response

TLS (Transport Layer Security), as the name suggests, only protects the transmission path. The involved service providers generally have access to the data in plain text; TLS does not protect against access by these providers.
The current standard for TLS is the technical guideline BSI TR-02102-2 "Cryptographic Procedures: Use of Transport Layer Security (TLS)" from the Federal Office for Information Security. In our last review, Microsoft did not comply with these requirements for MS 365. But as already mentioned, TLS only protects the transmission, not storage or further processing.

Not only for data protection reasons but also in the interest of your clients, we recommend checking what technical and especially legal means foreign authorities have to access both stored data and communication data. This is important not only for data protection but also for protecting clients from industrial espionage and similar threats. For the USA, the following legal bases may apply for access by US authorities: US CLOUD Act, FISA Section 702, Presidential Policy Directive 28 (PPD-28), PATRIOT Act Section 215, or Executive Order 12333.

The Ministry of Education of Baden-Württemberg, in a pilot project with significant personnel effort, together with the LfDI and senior Microsoft representatives, examined whether Microsoft 365 can be used in schools. The results of our consultations and recommendations have since been published by the Ministry following a request under the Freedom of Information Act:

https://www.baden-wuerttemberg.datenschutz.de/empfehlung-lfdi-online/
https://fragdenstaat.de/anfrage/neubewertung-des-lfdi-bezuglich-der-dsfa-von-microsoft-office-365-1/#nachricht-626585
https://fragdenstaat.de/anfrage/bewertungen-und-empfehlungen-des-lfdi-zu-office-365-an-schulen/#nachricht-639491

From these, you can see that the risks, when considered as a whole, go well beyond what has already been described.

We generally agree with your view that a DPIA must be conducted when MS 365 is used by professionals bound by confidentiality. However, this must also meet the requirements of Article 35 GDPR. The templates I am aware of have significant shortcomings and mainly focus on justifying the current situation. It is also necessary, among other things, to examine all processing activities—especially those Microsoft carries out for its own purposes—to consider all data flows, and to analyze access possibilities (see above). For this, it is necessary to know exactly what processing Microsoft performs. Contract evaluation is also needed, especially to determine whether the specific data processing agreement meets legal requirements.

Installation Instructions

Registering in Azure AD

Graphical user interface, text, application Description automatically generated

Configure Integration in Azure AD

Graphical user interface, text, application, email Description automatically generated

Configure Permissions in Azure AD

Graphical user interface, text, application, email Description automatically generated

Note Client ID & Tenant ID

 Graphical user interface, text, application Description automatically generated

Enter IDs in LEXolution.DMS

 Graphical user interface, text, application, email Description automatically generated

Usage Instructions

Start & End Co-authoring

Graphical user interface, text, application, email Description automatically generated
Start

When starting collaborative editing, the document is downloaded from LEXolution.DMS and uploaded to the initiating user's OneDrive for Business.

It is then stored in its own directory (\LEXolution.DMS Collaboration Storage). A sharing link to this document in OneDrive for Business is then automatically generated and saved to the document in LEXolution.DMS. The document is also locked in LEXolution.DMS.

Other editors can now join the editing session by double-clicking the locked document in LEXolution.DMS. This opens the saved sharing link for the additional editor.

End

Only the user who started the collaborative editing and whose OneDrive for Business contains the document can retrieve the document from the collaborative session and end co-authoring. The document is then downloaded from OneDrive for Business and uploaded as a new version in LEXolution.DMS.

If you only want to retrieve an interim version, the document remains in OneDrive for Business and stays locked in LEXolution.DMS. Interim versions can be retrieved as often as needed.

If the document is to be retrieved permanently, LEXolution.DMS tries to detect if it is still being edited by other users. If not, it can be retrieved directly, unlocked in LEXolution.DMS, and deleted from OneDrive for Business. If it is still being edited, it can be deleted from OneDrive for Business, but it will be recreated if other editors continue working on it. Any changes made after the final retrieval cannot be automatically imported back into LEXolution.DMS.

Invite Additional Editors

Graphical user interface, application, table, Excel Description automatically generated

Invite External Users

Documents can also be collaboratively edited with external users. Microsoft describes the necessary requirements here: Collaborate with guests on a document | Microsoft Learn.

Graphical user interface, text, application Description automatically generated

Collaborative editing with external users must be explicitly allowed in the Microsoft 365 SharePoint Admin Center.

Graphical user interface, text, application Description automatically generated

Additionally, inviting externals to the tenant must be explicitly allowed in the Azure AD tenant.

Graphical user interface, text, application, email Description automatically generated

Grant Access to Specific People via Code

When selecting recipients via “specific people,” the recipient receives the following email:

Graphical user interface, application Description automatically generated

The link does not go directly to the document, but to a separate code entry prompt:

Graphical user interface, application Description automatically generated
Graphical user interface, application Description automatically generated

The code is sent in a separate email:

Graphical user interface, application, Word Description automatically generated

If the user enters this code (within 15 minutes), they will be taken to the document:

Graphical user interface, application Description automatically generated
Graphical user interface, text, application, Word Description automatically generated
------------------------------------------------------------------------------------------------------------------
This article has been automatically translated by an AI and may therefore contain errors.

Related to