Data Protection for Zoom Meetings

Information pursuant to Art. 13 GDPR about the processing of personal data when participating in online meetings, telephone and video conferences with "Zoom"

In the following, we inform you about the scope of data collection, storage and use (hereinafter: "processing", used in the sense of Art. 4 No. 2 GDPR) in the context of participation in online meetings, telephone and video conferences
(hereinafter: "online meetings") of the Helmholtz Zentrums München (HMGU) with the software Zoom of the company Zoom Video Communications Inc. based in the USA.

To participate in an online meeting, you can either use the desktop app, the browser or a mobile app.

Note:

Insofar as you call up the website of "Zoom", the provider of "Zoom" is responsible for processing. However, calling up the website is only necessary for using "Zoom" in order to download the software for using "Zoom".

You can also use "Zoom" if you enter the respective meeting ID and, if applicable, further access data for the meeting directly in the "Zoom" app.

If you do not want to or cannot use the "Zoom" app, the basic functions can also be used via a browser version, which you can also find on the "Zoom" website.


1. Purpose of processing
 
We use the software Zoom to be able to conduct online meetings among employees, but also with third parties, such as business and cooperation partners. Processing takes place exclusively to enable participation in online
meetings.

2. Categories of processing in the context of conducting online meetings

When participating in online meetings of Zoom, different types of data are processed. In this context, the scope of the data also depends on the information on data you provide before or during participation in an online meeting.  

The following personal data are subject to processing:

User details: first name, last name, phone (optional), e-mail address, password (if "single sign-on" is not used), profile picture (optional), department (optional)

Meeting metadata: Topic, description (optional), participant IP addresses, device/hardware information. For technical reasons, this data must necessarily be processed with regard to the respective online meeting.

For recordings: MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat. Online meetings are generally not recorded. Should a recording take place in exceptional cases – for example for later use for downloading by third parties or similar – we will inform you transparently in advance and obtain your consent.

When dialing in with the telephone: information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device may be stored. For technical reasons, this data must also necessarily be processed with regard to the respective online meeting.

Text, audio, and video data: You may have the option of using the chat, question or survey functions in an online meeting. To this extent, the text entries you make are processed in order to display them in the online meeting and,
if necessary, to log them. If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will not usually be the case.

If you participate with verbal contributions and/or also use the video function to enable visual transmission of your image, this personal content data will be processed for the purposes of communication within the webinar. It is up
to you to use these functions. Only if you activate the microphone or the camera of your end device yourself, the aforementioned processing can take place. You can switch off or mute the camera or microphone yourself at any time via the Zoom applications.

To participate in an online meeting or to enter the "meeting room", you must at least provide information about your name. If you do not wish to provide true information, you may provide untrue information and to that extent maintain
your identity.


3. Legal basis of processing

Insofar as the use of Zoom involves the processing of personal data of HMGU employees, the legal basis for data processing is Section 26 (1) BDSG. If the processing of personal data of HMGU employees is not necessary in
connection with the employment relationship when using Zoom, but is nevertheless an elementary component of the use of Zoom, the legal basis for the data processing is Art. 6(1) point (f) GDPR. The legitimate interest of HMGU
in these cases is the effective and secure conduct of online meetings.

Besides that, the legal basis for processing when conducting online meetings is Art. 6(1) point (b) GDPR, insofar as the webinars are conducted in the context of contractual relationships. Should no contractual relationship exist, the
legal basis is Art. 6(1) point (f) GDPR. Here, too, there is the legitimate interest of the HMGU in the effective and secure conduct of online meetings.

4. Recipients of the data and third country transfer (Non-EU/EEA countries)

Personal data processed in connection with participation in online meetings is generally not disclosed to third parties unless it is specifically intended for disclosure. Please note that the content of online meetings, as well as personal
meetings, is often used to communicate information with customers, interested parties or third parties and is therefore intended to be passed on.

The recipient of your data in the aforementioned context is the software provider Zoom Video Communications Inc. which provides the Zoom software. This company processes the data on our behalf. Accordingly, a processing agreement has been concluded with Zoom Video Communications Inc. in accordance with Art. 28 GDPR. The provider is based (USA) in a so-called unsafe third country. As a result, the provider had to guarantee us compliance with an adequate level of protection within the meaning of Art. 44 et seq. GDPRS. An adequate level of data protection is guaranteed on the one hand by the conclusion of the so-called EU standard contractual clauses.

As additional protective measures, we have also configured Zoom in such a way that only data centers in the EU, the EEA or secure third countries such as Canada or Japan are used to conduct "online meetings".

Furthermore, other participants in the online meeting will see and hear you and your contributions, and to that extent they are recipients of your data. Furthermore, please keep in mind that content from online meetings, as well as face-to-face meeting content, is often used precisely to communicate information with customers, interested parties, or third parties, and thus there is a possibility that other participants may communicate your contributions
to third parties.

Personal data will not be passed on to third parties outside the scope described here without express consent.  

Also, the transmission to state institutions and authorities entitled to receive information will only take place within the framework of the legal obligations to provide information or if we are obliged to provide information by a court
decision.

5. Duration of processing, deletion of data

We generally delete personal data when there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfill contractual services or to be able to check, grant or defend against warranty and, if applicable, guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.

6. Rights of Data Subjects under the GDPR

You are entitled to the rights set out below in connection with the processing of your personal data:

  • Under Art. 7 GDPR, you have the right to withdraw your consent to data processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

  • Under Art. 15 GDPR, you have the right to access any personal data relating to you that is processed by Helmholtz Zentrum München.

  • Under Art. 16 GDPR, you have the right to the immediate rectification or completion of any inaccurate or incomplete data we hold about you.

  • Under Art. 17 GDPR, you have the right to demand the erasure of all the personal data we hold about you, provided that processing is not required in order to exercise the right to freedom of expression and information; in order to comply with a legal obligation to which Helmholtz Zentrum München is subject; in order to complete a task that is in the public interest; or in order to establish, exercise or defend legal claims.

  • Under Art. 18 GDPR, you may demand that processing of your personal data be restricted, if you contest the accuracy of the data, or the data is processed unlawfully.

  • Under Art. 20 GDPR, you have the right to obtain the data we hold about you in a structured, commonly-used and machine-readable format, and to transmit that data to another controller without hindrance, or to arrange for us to transmit the data.

  • Under Art. 21 GDPR, you have the right to object to the processing of your personal data, provided there are grounds for doing so relating to your particular situation. If you object, your data will no longer be processed unless Helmholtz Zentrum München can demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the Data Subject, or where processing is required to establish, assert or defend legal claims.

  • Under Art. 77 GDPR, you have the right to lodge a complaint against Helmholtz Zentrum München with the relevant supervisory authority, specifically:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Husarenstr. 30, 53117 Bonn
Tel.: +49 (0)228-997799-0
e-mail: poststelle@bfdi.bund.de


7. Controller's contact details

The Controller in relation to the processing of the personal data described above, and to any requests or queries
associated with it, is:

Helmholtz Zentrum München  
Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH)
Ingolstädter Landstraße 1
D-85764 Neuherberg

If you have any questions regarding data protection, please contact our Data Protection Officer:

Data Protection Officer
Helmholtz Zentrum München  
Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH)
Ingolstädter Landstraße 1
D-85764 Neuherberg
e-mail: