
Data Protection Notice in accordance with Art. 13 of the EU General Data Protection Regulation (GDPR)

for the use of Zoom at CISPA

The "Zoom X" tool is used by CISPA to conduct teleconferences, online meetings, videoconferences, online lectures and studies as part of research projects (hereinafter: "Online Meetings").

In the following, we would like to inform you about the processing of personal data when using the tool "Zoom X", a cooperation between Zoom Video Communications Inc. (hereinafter referred to as "Zoom") and Telekom Deutschland GmbH (hereinafter referred to as "Telekom"), in accordance with Art. 13 GDPR. This data protection notice will be sent to all Zoom participants via web link as part of the invitation and made available for inspection. In addition, an English version of the privacy notice is in progress and will be made available to participants as soon as it is finalized.

The following notice has been incorporated into the standard Zoom text modules for the respective language.

This privacy notice informs you about the processing of your personal data when using the tool "Zoom" of Zoom Video Communications, Inc. (55 Almaden Boulevard, 6th Floor, San Jose, CA 95113).


I.    Controller

The controller for data processing within the meaning of the GDPR and other data protection regulations is:
 
CISPA - Helmholtz Centre for Information Security gGmbH 
Stuhlsatzenhaus 5 
66123 Saarbruecken 
Germany 
Tel.: +49 681 87083 1001
Fax: +49 681 87083 8801
E-mail: front-office@cispa.de 

Managing Director: 
CISPA is represented by the managing directors Prof. Dr. Dr. h. c. Michael Backes and Dr. Kevin Streit. 

Data Protection Officer: 
You can reach our data protection officer at: dsb@cispa.de  
If you have any questions about data protection, you can also contact our corporate data protection & information security department at datenschutz@cispa.de.

II.    Processing of personal data 

Various types of data are processed when using "Zoom X". The scope of the data also depends on the information you provide before or during participation in an "Online Meeting".

The following personal data are subject to processing:
User data

  • First name, last name
  • Telephone (optional)
  • E-mail address
  • Password (if "Single-Sign-On" is not used)
  • Profile picture (optional)
  • Department (optional)

To participate in an "online meeting" or to enter the "meeting room", you must at least provide information about your name.

When dialing in with the telephone:

  • information on the incoming and outgoing call number,
  • country name,
  • start and end time.

If necessary, further connection data such as the IP address of the device may be stored.

Video, audio and text data

  • Video data, if you have enabled the camera of your end device
  • Audio data, if you have enabled the microphone of your end device
  • Text data, if the chat, question or survey function is used

For recordings (optional)

  • MP4 file with all video, audio and presentation recordings,
  • M4A file of all audio recordings,
  • text file of the online meeting chat.

If we want to record the "online meeting", we will inform you transparently in advance. You will also receive a technical signal indicating that the meeting will be recorded from now on. In this case, the wording "Recording" will appear at the top left of the screen with a red glowing circle in front of it. If we are recording the meeting, we will use a banner to ask for your prior consent to record. If you do not agree to the recording, you will have to leave the meeting.

Meeting metadata

  •  Meeting duration
  •  Start and end (time) of participation of persons
  •  Name and optionally description of the meeting (this data can be seen in particular by the system administrators of CISPA - if the topic of the meeting is confidential, the name and description of the meeting should be chosen in such a way that confidential contents are not revealed)
  •  Planned date / time of the meeting
  •  Chat status
  •  IP addresses of the end devices used for participation as well as other device/hardware information (MAC address, other device IDs (UDID), device type, operating system type and version, client version, camera type, microphone or speaker, type of connection, etc.)

Video and audio data contain your image and voice as personal data within the meaning of Art. 4 No. 1 of the GDPR, as the data relate to you as an identified or identifiable natural person. In addition, the content of your posts may allow conclusions to be drawn about your person. IP address and device/hardware information also allow inferences to be drawn about your person in principle and are therefore to be treated as personal data. The "attention monitoring" available on Zoom is deactivated. The text within the chat function is saved in a separate file and is not part of the video in case of recording.

III.    Purpose of data processing

The processing of your personal data listed under II. serves to provide you with Zoom X as a tool for conducting telephone conferences, online meetings, video conferences, online lectures and studies as part of research projects and to be able to process the formats mentioned via Zoom X.

IV.    Legal basis

Insofar as personal data of CISPA employees is processed in the employment relationship, Art. 88 (1) GDPR in conjunction with Section 26 of the German Federal Data Protection Act (BDSG) is the legal basis for the data processing if the data processing is necessary for the establishment, performance or termination of the employment relationship.

If other participants take part in online lectures via "Zoom X", their data will be processed on the basis of Art. 6 (1) lit. e) GDPR in order to enable the teaching operation which CISPA provides in the pursuit of public interests.

The legal basis for data processing when conducting "online meetings" is Art. 6 (1) lit. b) GDPR, insofar as the meetings are conducted in the context of contractual relationships. Should no contractual relationship exist, the legal basis is Art. 6 (1) lit. f) GDPR. The legitimate interest for the data processing lies within the effective implementation of "online meetings".

The legal basis for the processing of personal data that you can optionally disclose about yourself is your consent pursuant to Art. 6 (1) lit. a) GDPR.


V.    Data sharing

Personal data processed in connection with participation in "online meetings" will not be disclosed to third parties as a matter of principle, unless they are specifically intended to be disclosed.

Telekom acts as a processor within the meaning of Art. 28 GDPR for CISPA. An order processing contract within the meaning of Art. 28 para. 3 GDPR has been concluded. Telekom necessarily obtains knowledge of the above-mentioned data insofar as this is provided for in the order processing contract.


VI.    Data processing outside the European Union

Telekom and Zoom provide their services within Germany, the EU and the EEA in accordance with the data protection standard of the General Data Protection Regulation (GDPR). The meeting data of participants from Germany is processed on servers in Germany. Only the pseudonymized email address used to register for the meeting is sent to the USA so that the Zoom meeting can be started. An adequacy decision by the European Commission has been in place for the USA since July 10, 2023, which certifies that the USA has an adequate level of data protection. In addition to the network, Deutsche Telekom is responsible for the contract, order processing, nationwide service and billing. The advanced chat encryption enables secure communication in which only the intended recipient can read the secure message. When end-to-end encryption is activated, communication between all participants in a meeting is encrypted using cryptographic keys that are only known to the devices of these participants. This ensures that no third party - not even Zoom or Telekom - has access to the private keys of the meeting.

VII.    Retention period of personal data

The data provided above will be stored for as long as it is required for the performance of the "Online Meetings" and related services. Your data will thus be deleted as soon as they are no longer required for the processing of the above-mentioned purposes. 

If you are logged in as a user with a Zoom account, reports of "online meetings" (meeting metadata, phone dial-in data, questions and answers in online lectures, survey function in online lectures) can be stored at Zoom for up to one month.

Recorded online meetings are only stored for as long as the storage is necessary. As a rule, the purpose-related storage period for personal data collected as part of recordings is one year.

There is no automated decision-making including profiling within the meaning of Art. 22 GDPR.


VIII.    Data subject rights

You have the following rights with respect to the processing of your data by CISPA:

  • You have the right to request confirmation as to whether data concerning you is being processed and the right to be informed about this data and to receive further information and a copy of the data in accordance with Art. 15 GDPR.
  • In accordance with Art. 16 GDPR, you have the right to request the completion of the data concerning you or the rectification of incorrect data concerning you.
  • In accordance with Art. 17 GDPR, you have the right to demand that data concerning you be deleted without delay, or alternatively, in accordance with Art. 18 GDPR, to demand restriction of the processing of the data.
  • You have the right to request to receive the data concerning you that you have provided to us, in accordance with Art. 20 of the GDPR, and to request its transfer to other data controllers.
  • You have the right to withdraw given consents according to Art. 7 (3) GDPR with effect for the future.
  • Right to object: You may object to the future processing of data concerning you in accordance with Art. 21 GDPR at any time (see below).
  • In accordance with Art. 77 GDPR, you can complain to the supervisory authority responsible for data protection. As a rule, you can contact the supervisory authority of your place of residence or the Independent Data Protection Center Saarland for this purpose: 

 

Independent Data Protection Center Saarland
State Commissioner for Data Protection and Freedom of Information
Fritz-Dobisch-Strasse 12
66111 Saarbrücken
Phone: (0681) 94781-0
Fax: (0681) 94781-29
E-mail: poststelle@datenschutz.saarland.de

 

Right to object
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation.


If you wish to exercise your data subject rights, you may also contact us by e-mail at datenschutz@cispa.de.

 

Status: December 2023