We use the videoconference system Zoom X (hereinafter referred to as “Zoom X“), to hold conference calls, online meetings, video conferences and/or webinars (hereinafter “online meetings“). Zoom is provided by Telekom Deutschland GmbH (hereinafter “provider”) in collaboration with Zoom Video Communications, Inc. based in the USA. The service is hosted on servers in Germany.
FIZ Karlsruhe is responsible for data processing that is directly related to performing online meetings.
Please note: If you access the Zoom website, the provider of ZoomX and its partners are responsible for processing the data.
Type and scope of the data processing
If Zoom X is used, different types of data are processed. The scope of the data used depends on which data you have disclosed during or prior to participating in an online meeting. To participate in an online meeting (or to enter the “meeting room”) you must at least indicate your name. We recommend to correctly indicate your name, in particular, if there are many participants. Otherwise we recommend to disclose as few personal data as possible.
The following personal data may be subject to processing:
User information: first name, last name, phone number (optional), e-mail address, password (if “single sign-on“ is not used), profile picture (optional), department (optional).
Meeting metadata: subject, description (optional), participant IP addresses, device/hardware information, start and end time of the videoconference.
In addition for dial-in by phone: incoming and outgoing phone number, country. Other data such as the device’s IP address may also be stored.
Video and audio files: To enable the display of video and the playback of audio, the data from the microphone and the video camera of your terminal device are processed during the meeting. You can switch off or mute the camera or the microphone at any time via the Zoom applications or the web browser.
Recordings (optional): Files with all video, audio, and presentation information of the online meeting. If we would like to record an online meeting, we will inform you beforehand in a transparent way and ask for your consent, if necessary. The Zoom App will also show you that the meeting is recorded. In addition, you can decide yourself if and to what extent you will be present in the recording by switching off the camera and/or the microphone.
We strongly recommend to use recordings only in cases when this is absolutely necessary. In these cases we recommend to store the data on the local systems of FIZ Karlsruhe.
Text data: You may have the option to use chat, question, and survey functions in an online meeting. The texts you have entered will be processed in order to display them during the online meeting and, in exceptional cases, also to log them for further processing of the online meeting. If we would like to store text data for further processing, we will inform you beforehand with all transparency required and ask for your consent, if necessary.
This applies to webinars respectively.
If you participate in online meetings, the provider of Zoom will store the related data (meeting metadata; data for phone dial-in; questions and answers in webinars, if any; survey function in webinars).
Automated decision-making according to Art. 22 GDPR is not used.
Content data are stored and processed in Germany. Diagnostic data: meeting and telemetric data are also stored in Germany. Other data generated by the service, account data and data required for support, if any, may also be stored outside Europe.
Legal basis and data processing
To the extent that personal data of FIZ Karlsruhe staff are processed, Art. 26 BDSG and Art. 6 para. 1 lit. f) GDPR are the legal basis for the data processing. In these cases, our interest is to efficiently perform online meetings.
Otherwise, the legal basis for data processing when performing online meetings is Art. 6 (1) lit. b) GDPR, if the meetings are conducted in the context of contractual relationships.
If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f) GDPR. Here, too, our interest lies in the effective performance of online meetings.
A data protection agreement in accordance with EU standard contractual clauses was concluded between the provider and Zoom Video Communications Inc.
Receiver/forwarding of data
Personal data processed within the scope of online meetings are not forwarded to any third parties, unless there is a legal basis for this.
Other receivers: The provider of Zoom will necessarily receive knowledge of the a.m. data, as far as this is required within the scope of our contractual relationship with the provider.
Duration of the data storage
Zoom will store your data only as long as this is required for the purposes mentioned above.
This does not apply if a longer storage or retention period is required by law or is necessary for legal enforcement within the statutory limitation periods. If data is only retained for the aforementioned purposes, data access is limited to the extent necessary for this purpose.
The data mentioned above will be processed for as long as it is necessary to perform the online meetings and related services.
Communication-related metadata will be deleted as soon as storage is no longer required in order to provide or maintain the service.
In case of a recording, the data of the audio and video transmission as well as optionally the messages in the chat, question or survey function, are stored and remain stored beyond the duration of the meeting. The recordings stored on the provider's cloud servers are automatically deleted after thirty (30) days at the latest. Data stored on local systems of FIZ Karlsruhe will only be stored in order to and as long as it is necessary to fulfil the respective purpose. Data in reports and on the dashboard of the provider will be deleted after twelve (12) months.
Data processing outside the European Union
Zoom X is a service provided in collaboration with Zoom Video Communications, Inc., which is based in the USA. The service is hosted on servers in Germany.
This means that personal data are also processed outside the EU. The service is configured in such a way that the data traffic during online meetings (e.g., image, sound, content) is stored and processed within the EU. The metadata of the meeting are also processed outside the EU, in particular on US servers. We have concluded an order processing agreement with the provider that complies with the regulations of Art. 28 GDPR. To ensure an appropriate level of data protection, i.e., a level comparable to the European standard, we have agreed on the EU standard contractual clauses and implemented technical security measures. These are in particular password-protected meeting rooms with controlled access, the selection of the provider’s European data processing centers for storing the data generated in meetings, and end-to-end transport encryption of all data traffic.