System Requirements
LEXolution.DMS Pro from version 7.6
OneDrive for Business (including Azure Active Directory, for example included in Microsoft 365)
Compare OneDrive cloud storage plans | OneDrive pricing (microsoft.com)
See privacy notice
LEXolution.DMS application registration in Azure Active Directory (AAD) in the law firm's tenant
- See installation instructions
Privacy Notice
Using the Co-Authoring Feature via Microsoft OneDrive for Business
LEXolution.DMS allows you to upload documents to your personal Microsoft OneDrive for Business cloud and assign both internal and external co-authors for documents.
Data transfer from your network to the Microsoft OneDrive for Business cloud is encrypted via TLS according to the current technical guideline “BSI TR-02102-2”.
Before using this feature, you transmit data to Microsoft, making Microsoft your data processor according to Article 28 of the EU General Data Protection Regulation (GDPR). As the data controller, it is your responsibility to check all legal requirements in advance and ensure compliance.
To support you, we have submitted a general inquiry to the State Data Protection Authority of Baden-Württemberg regarding the use of this feature. In addition to the data protection agreement and the current EU standard contractual clauses, you must also consider the national laws from the parent company's country of origin (USA -> Cloud Act, Patriot Act, FISA, etc.).
The State Data Protection Authority also believes that when Microsoft Office 365 is used by professionals bound by confidentiality, a Data Protection Impact Assessment (DPIA), such as maintaining a processing register, is required.
Inquiry to the State Data Protection Authority of Baden-Württemberg
Inquiry
Dear Sir or Madam,
Our company is, among other things, a software provider for legal
professions, and in this context, we are currently evaluating the
implementation of customer requests related to our document management
software LEXolution.DMS.
Customer request:
Through our document management system LEXolution.DMS, attorneys should
be able to upload a document to their personal “OneDrive for Business”
area (part of Office 365) and use features to grant additional editors
access to this document. Once the document is finalized, it should be
re-imported and updated in LEXolution.DMS.
Possible technical implementation:
The selected document is transferred to the user's account via encrypted
transmission (TLS). As the software provider, we always ensure the
encrypted transmission is up to date with the latest technology. Once
the user finishes editing via their personal OneDrive for Business, the
document is updated, checked in, and deleted online in our program.
Impact on data protection:
Our company informs our licensee (usually the law firm) about the data
protection relevance of this specific feature. When using this feature,
the law firm must ensure that Office 365 is used in compliance with the
GDPR and—in our opinion—in addition to including it in the processing
register and risk assessment, a Data Protection Impact Assessment (DPIA)
must also be conducted.
Furthermore, when using this feature, a notice about its data protection
relevance should be displayed to the user, with the option to not show
this message again in the future.
Possible example in practice:
A lawyer reviews a contract stored as a document in our LEXolution.DMS
software. The lawyer uses our program function to place this contract in
their OneDrive for Business and grants other lawyers (from other firm
locations or other law firms) access via a link to the document. After
the contract review is completed and the document is revised, the lawyer
retrieves the changes back into the LEXolution.DMS program (software
operated only within the internal law firm network), and the document is
then deleted from OneDrive for Business.
Our questions:
- Have we, in the above implementation and described activity,
sufficiently ensured data protection compliance for our customer?
- Do you agree that the law firm (licensee and user of the
software) must conduct a DPIA?
Response
TLS (Transport Layer Security), as the name suggests, only protects
the transmission path. The involved service providers generally have
access to the data in plain text; TLS does not protect against access by
these providers.
The current standard for TLS is the technical guideline BSI TR-02102-2
"Cryptographic Procedures: Use of Transport Layer Security (TLS)" from
the Federal Office for Information Security. In our last review,
Microsoft did not comply with these requirements for MS 365. But as
already mentioned, TLS only protects the transmission, not storage or
further processing.
Not only for data protection reasons but also in the interest of your
clients, we recommend checking what technical and especially legal means
foreign authorities have to access both stored data and communication
data. This is important not only for data protection but also for
protecting clients from industrial espionage and similar threats. For
the USA, the following legal bases may apply for access by US
authorities: US CLOUD Act, FISA Section 702, Presidential Policy
Directive 28 (PPD-28), PATRIOT Act Section 215, or Executive Order
12333.
The Ministry of Education of Baden-Württemberg, in a pilot project with
significant personnel effort, together with the LfDI and senior
Microsoft representatives, examined whether Microsoft 365 can be used in
schools. The results of our consultations and recommendations have since
been published by the Ministry following a request under the Freedom of
Information Act:
https://www.baden-wuerttemberg.datenschutz.de/empfehlung-lfdi-online/
https://fragdenstaat.de/anfrage/neubewertung-des-lfdi-bezuglich-der-dsfa-von-microsoft-office-365-1/#nachricht-626585
https://fragdenstaat.de/anfrage/bewertungen-und-empfehlungen-des-lfdi-zu-office-365-an-schulen/#nachricht-639491
From these, you can see that the risks, when considered as a whole, go
well beyond what has already been described.
We generally agree with your view that a DPIA must be conducted when MS
365 is used by professionals bound by confidentiality. However, this
must also meet the requirements of Article 35 GDPR. The templates I am
aware of have significant shortcomings and mainly focus on justifying
the current situation. It is also necessary, among other things, to
examine all processing activities—especially those Microsoft carries out
for its own purposes—to consider all data flows, and to analyze access
possibilities (see above). For this, it is necessary to know exactly
what processing Microsoft performs. Contract evaluation is also needed,
especially to determine whether the specific data processing agreement
meets legal requirements.
Installation Instructions
Registering in Azure AD
Configure Integration in Azure AD
Configure Permissions in Azure AD
Note Client ID & Tenant ID
Enter IDs in LEXolution.DMS
Usage Instructions
Start & End Co-authoring
Start
When starting collaborative editing, the document is downloaded from LEXolution.DMS and uploaded to the initiating user's OneDrive for Business.
It is then stored in its own directory (\LEXolution.DMS Collaboration Storage). A sharing link to this document in OneDrive for Business is then automatically generated and saved to the document in LEXolution.DMS. The document is also locked in LEXolution.DMS.
Other editors can now join the editing session by double-clicking the locked document in LEXolution.DMS. This opens the saved sharing link for the additional editor.
End
Only the user who started the collaborative editing and whose OneDrive for Business contains the document can retrieve the document from the collaborative session and end co-authoring. The document is then downloaded from OneDrive for Business and uploaded as a new version in LEXolution.DMS.
If you only want to retrieve an interim version, the document remains in OneDrive for Business and stays locked in LEXolution.DMS. Interim versions can be retrieved as often as needed.
If the document is to be retrieved permanently, LEXolution.DMS tries to detect if it is still being edited by other users. If not, it can be retrieved directly, unlocked in LEXolution.DMS, and deleted from OneDrive for Business. If it is still being edited, it can be deleted from OneDrive for Business, but it will be recreated if other editors continue working on it. Any changes made after the final retrieval cannot be automatically imported back into LEXolution.DMS.
Invite Additional Editors
Invite External Users
Documents can also be collaboratively edited with external users. Microsoft describes the necessary requirements here: Collaborate with guests on a document | Microsoft Learn.
Collaborative editing with external users must be explicitly allowed in the Microsoft 365 SharePoint Admin Center.
Additionally, inviting externals to the tenant must be explicitly allowed in the Azure AD tenant.
Grant Access to Specific People via Code
When selecting recipients via “specific people,” the recipient receives the following email:
The link does not go directly to the document, but to a separate code entry prompt:
The code is sent in a separate email:
If the user enters this code (within 15 minutes), they will be taken to the document:
This article has been automatically translated by an AI and may therefore contain errors.
Related to