Zoom Privacy Policy
Information according to Art. 13/14 EU General Data Protection Regulation (GDPR) on the use of the video conferencing system ZOOM at the University of Freiburg
As of: February 10, 2021
In view of the current SARS-CoV-2 crisis situation and the associated restrictions, all universities are facing the major challenge of offering face-to-face events almost entirely digitally. In this respect, the need to use video conferencing systems has increased massively. Due to the current impossibility of scaling the in-house systems used by the university, cloud-based online settings from external providers must be used to cope with the current pandemic-related restrictions in teaching, research and administration.
In this respect, a contingent of licenses for the video conferencing solution of ZOOM Video Communications, Inc. was procured for the implementation of online lectures as well as larger online meetings. The decision in favor of ZOOM was made because the faculties, in particular the deans of studies, have expressly spoken out in favor of the use of ZOOM. In contrast to other systems available on the market, ZOOM delivers very high quality and functionality, can be used reliably, especially with large groups, is user-friendly and transparent in its operation, and offers a large number of privacy-friendly setting options. For this reason, ZOOM is also used by other state universities as well as universities and colleges throughout Germany. The service is used at the University of Freiburg in situations where face-to-face lectures are not possible and the university's own systems cannot be used.
Due to the current restrictions on study operations, examinations in presence are currently only possible in exceptional cases. In this respect, there is an urgent need to be able to conduct online examinations under video supervision, especially because many first-semester events take place in the winter semester, which leads to examinations with high numbers of participants. For this reason, the University has approved the use of ZOOM for examinations that are conducted using electronic information and communication systems (online examinations) for the 2020/2021 winter semester and the 2021 summer semester due to the ongoing restrictions on study activities caused by the Corona pandemic. The use of ZOOM is subject to the provision that the reliable and trouble-free performance of the online examination cannot be guaranteed with another information and communication system, in particular one operated by the University itself.
The protection of your personal data is a major concern of the University of Freiburg. For this reason, the University has done everything in its power to ensure that data processing when using ZOOM is secure, transparent and data-saving in accordance with legal requirements. This data protection declaration enables you to inform yourself in detail about the processing of your personal data when using ZOOM.
Privacy Policy
I. Responsible party
The responsible party for data processing under the terms of the GDPR as well as other data protection regulations is:
University of Freiburg
Friedrichstraße 39, 79098 Freiburg
datenschutz@uni-freiburg.de
The University of Freiburg is a public corporation. It is legally represented by the Rector Prof. Dr. Kerstin Krieglstein.
You can reach our data protection officer at:
University of Freiburg
Data protection officer
Fahnenbergplatz, 79085 Freiburg
datenschutzbeauftragter@uni-freiburg.de
II. External processor
ZOOM Video Communications, Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, is acting as a processor under the terms of Article 28 GDPR for the University of Freiburg.
Processing of personal data
The mode of data processing depends on how the service is used. ZOOM provides flexible online meetings. As a host or moderator, the personal data entered in your ZOOM account is processed for the administration of the ZOOM rooms. As a participant, you can decide whether you want to take part in the chat or whether you want to share your microphone or camera. As a rule, the following personal data is processed when us-ing ZOOM:
- User data
- For official ZOOM accounts, the following data is transferred to ZOOM after login and confirmation by the user (registration process):
- Pseudonym, otherwise optionally the full name (display name) as well as first name(s) and last name as separate fields;
- language setting;
- department (optional);
- the official e-mail address of the person
- the name of the institution "University of Freiburg
- job title (optional);
- telephone number (optional);
- city (optional);
- company or institution (optional);
- password for registration
- b. If you log in with another ZOOM account, the personal data stored there will be processed.
- c. If you connect to a ZOOM room (in the browser or via client) as a guest without logging in using a ZOOM account, you will be asked to choose an alias for yourself so that you do not have to disclose your name to ZOOM.
- d. If you connect via telephone dial-in, your telephone number will be processed
- For official ZOOM accounts, the following data is transferred to ZOOM after login and confirmation by the user (registration process):
- Video, audio and written data
- Videodata if you enable the camera on your device
- Audiodata, if you enable the micrphone on your device
- Written data, if you use the chat, question or survey function
- Meeting metadata
- Meeting length
- The person’s beginning and ending time of participation
- Name and description of the meeting
- Planned date and time of the meeting
- Chat status
- IP addresses of the end devices used for participation as well as other device/hardware information (MAC address, other device IDs (UDID), device type, operating system type and version, client ver-sion, camera type, microphone or speaker, type of connection, etc.), approximate position for establishing a connection to the nearest ZOOM data center.
- mp4 of all video and audio recordings and presentation
- m4a of all audio recordings
- Text file of all annotations, chats and audio protocol files
- Audio protocol file and other information that are shared during the use of the service
- Employees in administration/procurement:
- Full name,
- Business e-mail address,
- Invoice and procurement data.
Video and audio data contain your image and your voice as personal data under the terms of Article 4 No. 1 of the GDPR, as the data relate to you as an identified or identifiable natural person. In addition, the content of your contributions may allow conclusions to be drawn about your person.
IP address and device/hardware information may also allow conclusions to be drawn about your person and are therefore to be treated as personal data. If you use ZOOM with private devices, you will not be identifiable outside the University by means of the data transmitted in accordance with section 3f if you use a VPN connection.
The "attention monitoring" available with ZOOM is deactivated. The text within the chat function is stored in a separate file and is not part of the video in case of recording.
Further information on data processing when using ZOOM can be found at https://zoom.us/de-de/privacy.html and https://zoom.us/docs/de-de/privacy-and-security.html. Please note that this is an external website operated by ZOOM Video Communications, Inc. under its own responsibility and that personal data is processed when the website is visited
III. Legal basis
The University of Freiburg uses ZOOM in the areas of study and teaching, science and research, as well as in the context of administration and press and public relations work. The relevant legal basis for data pro-cessing depends on the respective area of application. The University processes personal data of students, employees, other members and affiliates as well as, if applicable, external persons for participation in courses, online examinations, discussions and other online meetings.
The processing of this data is necessary for the fulfillment of the University's tasks in the public interest and for the fulfillment of a legal obligation of the University. The legal basis is Article 6(1) subparagraph 1 lit. c), e), paragraph 3 GDPR in conjunction with the tasks assigned to the University by the Landeshochschulgesetz (state law on higher education) (LHG), in particular by §§ 2, 12, 32 a, 32 b LHG, as well as by other legal pro-visions.
In the context of press and public relations work, the University may also exceptionally invoke its legitimate interest in data processing pursuant to Article 6(1) sentence 1 lit. f) GDPR, unless the interests or fundamen-tal rights and freedoms of the data subject, which require the protection of personal data, prevail.
The University processes personal data of applicants and employees (members and staff) insofar as this is necessary for the establishment, implementation, termination or settlement of the respective service or em-ployment relationship or for the implementation of internal planning, organizational, personnel, social or budgetary and cost accounting measures, in particular for the purposes of personnel planning and personnel deployment, or as provided for in a legal provision, a collective agreement or a service or works agreement (collective agreement). The legal basis results from Article 6 (1) subparagraph 1 lit. b), e), paragraph 3, Article 88 GDPR in conjunction with. §§ 12 LHG, § 15 Landesdatenschutzgesetz (state data protection law) (LDSG) and §§ 83 ff. Landesbeamtengesetz (State Civil Servants Law) BW (LBG).
The legal basis for the processing of personal data that you can optionally disclose is your consent pursuant to Article 6 (1) subparagraph 1 lit. a), 7 GDPR.
IV. Storage
The data specified above will be processed for as long as is necessary for the performance of the online meetings and related services. This does not apply if, in deviation from this, a longer storage or retention period is required by law or is necessary for legal enforcement within the statutory limitation periods.
If an online meeting is being recorded, you will be informed of this via an advance notice from the organ-izer and/or via technical signaling. You can deactivate your camera and microphone yourself and leave the meeting at any time. With the recording, the data of the audio and video stream and optionally the messages in the chat, question or survey function are saved and remain stored beyond the duration of the meeting. The data stored on the cloud server of the ZOOM provider is automatically deleted after 30 days at the latest. Insofar as online meetings are not recorded, the provider states that it does not save the meeting content after the meeting has ended.
A recording of online examinations or other storage of image or sound data does not take place unless it is necessary for the transmission of the online examination under video supervision (intermediate stor-age).
If you are logged in with a ZOOM account, reports of "online meetings" (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) can be stored at ZOOM for up to one month.
V. Data processign outside the EU/EEA region
The University's ZOOM account has been elevated to an EU cluster and configured to process meeting and webinar data exclusively in data centers in Germany or, exceptionally, in data centers within the EU / EEA (Netherlands and Sweden).
Currently, it is not yet possible to configure ZOOM in such a way that all data specified under III. above is processed exclusively in data centers within the EU / EEA. The meeting metadata listed under III. 1. 3 will continue to be processed in data centers in the USA. The transfer of the meeting metadata to the USA takes place on the basis of the standard contractual clauses (SCC) of the EU Commission concluded between ZOOM and the University (Article 46(2)(c) GDPR). To this end, ZOOM and the University are in the process of concluding a further agreement on the SCC with additional guarantees in accordance with the requirements of the State Commissioner for Data Protection and Freedom of Information.
According to ZOOM, the transmission of the data is necessary to control the utilization of the ZOOM servers. Without this control, the service cannot be provided reliably. In Europe, the necessary infrastructure has not yet been established, but this is planned for the future. If you would like to limit the transmission of meeting metadata, we recommend that you log in to ZOOM meetings with a pseudonym that does not allow any conclusions to be drawn about your name or person and that you participate via a VPN connection.
VI. Recipients
Internal recipients are those employees of the University who require the data for their activities within the scope of fulfilling their tasks. Additional recipients exist in the event that we are legally obligated to disclose the data.
External recipients of the data you disclose during the online meeting are also the other participants of the online meeting.
As a processor, ZOOM Video Communications, Inc. processes your data to the extent described above within the scope of the processing relationship.
VII. Encryption
In addition to transport encryption, ZOOM now also offers the option of end-to-end encryption (E2EE) of the connection. Please make use of this option, especially for meetings with sensitive content, or ask the host/organizer to set up the meeting accordingly. Further information on E2EE can be found here: https://blog.zoom.us/de/zoom-rolling-out-end-to-end-encryption-offering/
VIII. Data processing in the cloud
ZOOM has made a commitment to the University to process personal data in accordance with data protection regulations. To this end, the University has done everything possible to ensure that data processing is secure, transparent and economical in accordance with legal requirements. Nevertheless, it should be noted that the University cannot directly influence the security of data processing when using external cloud services and is therefore dependent on the compliance of the contractual partner. You should therefore avoid disclosing unnecessary or confidential data and, if possible, use the University's own services such as Big-BlueButton or AdobeConnect.
IX. Your rights
With respect to personal data concerning you, you have the following rights:
- Right to withdraw your consent with effect for the future (Article 7(3) GDPR).
- The right to obtain confirmation as to whether data concerning you is being processed and to obtain information about the data being processed, further information about the data processing and co-pies of the data being processed (Article 15 GDPR).
- Right to have inaccurate or incomplete data corrected or completed (Article 16 GDPR).
- Right to have data concerning you deleted without delay (Article 17 GDPR).
- Right to restriction of processing (Article 18 GDPR).
- Right to data portability or to receive the data in a structured, common and machine-readable format, provided certain conditions are met (Article 20 GDPR).
- You also have the right to lodge a complaint with a supervisory authority about the processing of personal data concerning you by the University of Freiburg (Article 77 GDPR). The supervisory authority within the meaning of Article 51(1) GDPR regarding the University of Freiburg is, pursuant to Section 25(1) LDSG: The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, poststelle@lfdi.bwl.de.
Corresponding information from ZOOM can be found here: https://zoom.us/de-de/privacy.html#_Toc44414845
X. Right of Appeal according to Article 21 GDPR
You have the right to object to the future processing of data concerning you, if the data are processed in accordance with Article 6(1), first subparagraph, lit. e) or f) GDPR.