We’d like to take this opportunity to inform you how we process personal data in the context of “Zoom” use.
Purpose of processing
We use the “Zoom” tool to hold telephone conferences, online presentations, online meetings, video conferences and/or webinars (subsequently referred to as “online meetings”). “Zoom” is a service provided by Zoom Video Communications, Inc., a company based in the USA.
Responsibility for data processing directly associated with the holding of “online meetings” is held by the Goethe-Institut e.V., Oskar-von-Miller-Ring, 18, 80333 Munich (subsequently referred to as “we”)
Note: If you access the “Zoom” website, the provider of “Zoom” is responsible for data processing. However the only time you need to access the “Zoom” website is to download the software for using “Zoom”. You can also use “Zoom” by entering the ID and any other access data for the meeting you wish to attend directly via the “Zoom” app. If you don’t want to or can’t use the “Zoom” app, you can also use the basic functions via a browser version, which you can also find on the “Zoom” website.
What data is processed?
A variety of data is processed when you use the “Zoom” website. But the scope of that data also depends on the information you provide before or during an “online meeting”. The following personal details constitute the data that is processed:
User details: This includes the user name as well as an email address. This information is not verified and we do not store it.
Meeting metadata: Theme, description (optional),
Chat messages: The messages you enter in chat are visible to all users.
Audio and video recordings: MP4 files for all video, audio and presentation recordings, M4A files for all audio recordings
Text, audio and video files: You might have the option of using the chat, question or survey functions in an “online meeting”. In that case the text entries you submit are processed so that they can be displayed within the “online meeting” and recorded if applicable. Data from your device’s microphone and any video camera on your device is processed to enable video display and audio output for the duration of the meeting. As long as the host permits, you can turn off or mute the camera or microphone yourself at any time through the “Zoom” application. In the event that your video or audio is activated, your contributions become visible to all, and can be commented on in chat.
To join an “online meeting” or enter the “meeting room”, you need to provide details of your user name as a minimum.
Scope of processing
We use “Zoom” to hold “online meetings”. If we intend to record “online meetings”, we will inform you clearly of this in advance and – if required – ask for your consent. The fact that you are being recorded is also displayed in the “Zoom” app.
If it is necessary for purposes of recording the outcome of an online meeting, we will keep a record of chat content. However this is not generally the case.
With webinars we can also process the questions asked by webinar participants for the purpose of recording webinars and conducting follow-up work.
If you are registered as a user on “Zoom”, reports from “online meetings” (meeting metadata, telephone dial-in details, questions and answers in webinars) can be stored for up to a month on “Zoom”.
Automated decision-making in terms of Art. 22 GDPR does not apply.
Streaming: We may make use of the opportunity to stream the online meetings on external platforms such as Facebook or YouTube. In the event of this we will obtain your consent in advance.
Publication of recordings: The recorded videos may be published on the Goethe.de website. We will also inform you of this before publication and obtain your consent.
Legal basis for data processing
Insofar as personal data of employees of the Goethe-Institut e.V. is processed, the legal basis for data processing is § 26 BDSG (German Federal Data Protection Act). If personal data associated with “Zoom” use is not required to establish, perform or terminate employment, but is nevertheless an elementary component of “Zoom” use, then Art. 6 Para. 1 letter f) GDPR is the legal basis for data processing. In these situations our interest lies in conducting “online meetings” effectively.
Otherwise the legal basis for data processing for holding “online meetings” is Art. 6 Para. 1 letter b) GDPR, insofar as the meetings are held within the terms of contractual relations. If no contractual relationship exists, the legal basis is Art. 6 Para. 1 letter f) GDPR. In these situations our interest lies in conducting “online meetings” effectively as well.
Recipients / disclosure of data
Personal data that is processed in the context of attending “online meetings” is categorically not disclosed to third parties insofar as it is not specifically intended for disclosure. Please note that content from “online meetings”, as with face-to-face meetings, is frequently specifically for the purpose of communicating information with interested or third parties, and therefore intended for disclosure.
Further recipients: The provider of “Zoom” is informed of the above data if necessary, insofar as this is planned within the terms of our order processing contract with “Zoom”.
Data processing outside the European Union
“Zoom” is a service performed by a provider in the USA. This means that processing of personal data is also being carried out in a third country. We have entered into an order processing contract with the provider of “Zoom”, which fulfils the requirements of Art. 28 GDPR.
An appropriate level of data privacy is guaranteed, firstly through the “Privacy Shield” ertification provided by Zoom Video Communications, Inc., but also through the adoption of something known as the “EU standard contractual clauses”.
Data privacy officer
We have nominated a data privacy officer. You can contact this person as follows: Data Privacy Officer, Goethe-Institut e.V. Oskar-von-Miller-Ring 18 80333 Munich email@example.com
Your rights as data subject
You have the right to information about the personal data relating to you. You can contact us at any time for this information.
If the information request is not in writing, please appreciate that we may request proof of identity as evidence that you are the person you claim to be.
Furthermore you have a right to correction or deletion or restriction of processing, insofar as you are legally entitled to do so.
Finally you have a right to object to processing within the terms of the statutory requirements.
A right to data portability also exists within the terms of the statutory data privacy requirements.
Deletion of data
We always delete personal data if there is no longer a requirement for its continued storage. A requirement can exist especially if the data is still needed in order to perform contractual obligations, investigate and honour, or reject, warranty and possibly guarantee claims. In the event of statutory retention obligations, deletion is only considered after expiry of the applicable retention obligation.
Right of complaint to a regulatory body
You have the right to complain to a regulatory body for data privacy about the processing of personal data by us.
Further information on data privacy can be found here. Last updated: 10.04.2020