In the following, we would like to inform you about the processing of personal data in connection with the use of Zoom.
Purpose of data processing
We use the Zoom tool to hold telephone conferences, online meetings, video conferences and/or web seminars (hereafter referred to as online meetings). Zoom is a service provided by Zoom Video Communications, Inc., which is based in the United States.
Zoom is operated by Zoom Video Communications, Inc.
The decision to activate the user account for Zoom is voluntary. Without your consent and, if applicable, registration, the use of Zoom is not possible.
The entity responsible for data processing directly related to online meetings is Global Young Academy as part of the Leopoldina e.V.
Note: Zoom, as the service provider, is responsible for data processing once you access its website. Accessing the website is only required in order to download the software for using Zoom.
You can use Zoom by entering the respective meeting ID and, if necessary, additional access data for the meeting directly in the Zoom app. If you do not wish to use the Zoom app, you have the basic functionality available via the browser version accessible through the Zoom website.
Which data is processed?
When you use Zoom, the service processes different types of data. Exactly how much data is processed depends in part on how much (additional) information you enter before and during an online meeting.
Personal data that may be processed:
User information: first name, last name, telephone (optional), e-mail address, password (if single sign-on is not used), profile picture (optional), and department (optional)
Meeting metadata: subject, description (optional), participant IP addresses, device / hardware information
For recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
When dialling in with the phone: information on the incoming and outgoing phone number, country name, start and end time. Further data such as the IP address of the device may be stored.
Text, audio and video data: You may have the option of using the chat, question or survey functions. Text entries you make are processed in order to display them and, if necessary, to record them. The data from your microphone and any video camera on your device will be processed during the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the Zoom app.
To take part in an online meeting or to enter the meeting room, you must at least provide some information about your name.
Extent of data processing
We use Zoom to organise and run some of our online meetings. Some of these meetings will be recorded. In this case, you will be informed in advance and asked for your consent. If and when a recording is running, the Zoom app will display this information.
During web seminars, we might process the questions asked by participants for the purpose of recording and following up on webinars. The same applies to chats during normal online meetings, as Q&A sessions are then usually chat-based.
If you are registered as a user at Zoom, reports on “Online Meetings” (meeting metadata, data on telephone dial-in, questions and answers in webinars, survey function in webinars) can be saved for up to one month in Zoom.
Automated decision-making according to Article 22 of the EU GDPR is not used.
Legal basis for data processing
Data processing is carried out in accordance with and on the basis of the General Data Protection Regulation (GDPR) and other applicable data protection regulations:
- for the (voluntary) use of Zoom in accordance with Art. 6(1) a GDPR (consent)
- for the performance of official duties pursuant to Art. 6(1) e, para. 2, 3 GDPR
- for employees and staff pursuant to Art. 6(1) b GDPR
Insofar as personal data is processed by employees of Global Young Academy (Leopoldina), Section 26 of Germany’s Federal Data Protection Act (BDSG) is the legal basis for data processing. If, in connection with the use of Zoom, personal data is not required for the establishment, implementation or termination of the employment relationship, but is an elementary component in the use of Zoom, Article 6 (1) (f) of the GDPR is the legal basis for data processing. In these cases, we are solely interested in the effective implementation of online meetings.
In addition, the legal basis for data processing when conducting online meetings is Article 6 (1) (b) of the GDPR, insofar as the meetings are held in the context of contractual relationships.
If there is no contractual relationship, the legal basis is Article 6 (1) (f) of the GDPR. The legitimate interest in this case is the effective implementation of online meetings.
Recipient / transfer of data
In principle, personal data processed in connection with participation in online meetings is not passed on to third parties unless specifically intended to be shared. Please note that content from online meetings, as well as from personal meetings, is often used to communicate information to customers, interested parties or third parties and is therefore intended to be passed on.
The provider of Zoom is necessarily informed of the data mentioned above, where this is provided for under our data processing agreement with Zoom.
Please visit the Third-Party Subprocessors page provided by Zoom for further information on what data is shared with which subprocessors: https://zoom.us/subprocessors
Data processing outside the European Union
Zoom is a service provided by a US-based company; the processing of personal data in connection with participation in Zoom-based online meetings therefore also takes place in a non-EU country. For further details, please see the Zoom Global Data Processing Addendum at https://zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf
As an additional protective measure, we are striving to have our Zoom configuration set so that only data centers in the EU, the EEA or secure third countries such as Canada or Japan can be used. At this point, the US data centers are auto-enabled, but we are in talks with Zoom to disable them.
Data protection officer
The appointed data protection officer is Klaus Hoogestraat, Bürgerstraße 81, D-01127 Dresden, Germany.
Rights as a data subject & Erasure of data
You can delete your user account in Zoom itself; you can find the necessary information on Zoom’s website: Deleting or terminating your account (https://support.zoom.us/hc/en-us/articles/201363243-Deleting-or-terminating-your-account)
Right of appeal to a supervisory authority
You have the right to complain to a data protection supervisory authority about the processing of personal data by us.
Changes to this notice
We revise this data protection notice in the event of changes in data processing or other events that make this necessary. The current version can always be found on this website at https://globalyoungacademy.net/gdpr-zoom/
Timestamp: 12 November 2020