Data protection According to Art. 13 DS-GVO for Usage of the videoconferencing technology Zoom
DAHW, 27.11.2020
1. person responsible
Responsible for the data processing described below is the
DAHW German Leprosy and Tuberculosis Relief Association Raiffeisenstrasse 3 97080 Würzburg E-mail: info@dahw.de Telephone: 0931 7948-0
2. scope and legal basis of data processing
2.1 Conducting online meetings using Zoom
To conduct conference calls, online meetings, video conferences and webinars (hereinafter: online meetings), we use the video conferencing solution Zoom.
- Personal data (e.g. first and last name, e-mail address, profile picture),
- Meeting metadata (e.g. date, time and duration of communication, name of the meeting, participant IP address),
- Device/hardware data (e.g., IP addresses, MAC addresses, client version).
- Text, audio, and video data (e.g., chat histories, video, audio, and presentation recordings), and personal data from uploaded files,
- Connection data (e.g. phone numbers, country names, start and end times, IP addresses),
- Other data that you voluntarily provide, disclose or communicate yourself in the course of using Zoom.
Insofar as your data is required for the purpose and in the interest of conducting online meetings, we process your data on the basis of Art. 6 (1) lit. f DS-GVO.
Insofar as participation in the online meeting is necessary for the performance of a contract concluded between you and us, we process your data on the basis of Art. 6 (2) p. 1 lit. b DS-GVO. The same applies if the implementation of the online meeting is necessary for the implementation of pre-contractual measures, which are carried out at your request.
If, in the context of using Zoom, you also voluntarily provide information about yourself or voluntarily use functions that are not required, the associated data processing will be based on your revocable consent pursuant to Art. 6 (1) sentence 1 lit. a DS-GVO.
You can revoke your consent at any time with effect for the future. Please note that processing that took place before the revocation is not affected by this.
The contents of the communication are only accessible to the persons involved in the communication process. There is also a central storage of user master data as well as an intermediate storage of communication data on servers of our order processor, Zoom Video Communications, Inc, 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113.
Depending on the country in which a communication partner is located, data transfers to third countries are possible. Encrypted storage of communication and user data also takes place on servers of Zoom Video Communications, Inc. in the USA.
If data is transferred to the USA, there is a risk that authorities in third countries may access data for security and monitoring purposes without you being informed or being able to appeal. We take measures to eliminate this risk. For example, transfers to Zoom are secured by entering into the European Commission's standard contractual clauses with the service provider. As a measure supplementing the standard contractual clauses, data transfer is also secured by end-to-end encryption.
2.2 Documentation of data protection compliance
If you give us your consent, we also process your personal data (e.g., first name, last name, e-mail address and signature) in order to be able to prove your consent as part of the accountability obligation incumbent upon us pursuant to Article 5 (2) DS-GVO. If you exercise your data subject rights under the GDPR, we process your personal data in order to be able to prove that we have complied with the legal requirements of the GDPR when processing your request. In addition, we may forward your personal data to our company data protection officer at datenschutz süd GmbH, who will assist us in complying with the requirements of the DS-GVO.
In each case, the processing is carried out on the basis of Art. 6 para. 1 p. 1. lit. c and f DS-GVO.
3. storage period
As a matter of principle, we store your data for as long as it is required to achieve the aforementioned purposes, you have not objected to its use or revoked your consent, and provided that there are no statutory retention obligations to the contrary.
3.1 Storage period when conducting online meetings using Zoom
As a matter of principle, we only process your data during an ongoing video conference. Your data will not be stored beyond this time.
3.2 Storage period for documentation of data protection compliance
If you give us your consent, we will process your data in connection with the granting as long as you have not revoked your consent. In the event of revocation, we will store your data until the expiry of three years, beginning with the end of the year in which you revoked your consent.
If you assert your rights as a data subject under the GDPR, we will store your data related to the exercise of your rights until the expiry of three years, starting with the end of the year in which you exercised your right.
4 Necessity of data processing and voluntariness of providing your data
You are not obliged to provide your data. However, insofar as you wish to use Zoom to conduct online meetings with us, the processing of the above-mentioned data is necessary for the implementation.
To the extent that you voluntarily provide, disclose or communicate other personal data in addition, the provision is neither required by law nor by contract. To the extent that you do not provide this data, you may not be able to fully use certain features of Zoom beyond conducting the online meeting.
5. your rights
When processing your personal data, the GDPR grants you certain rights:
5.1 Right of access (Art. 15 DS-GVO)
You have the right to request confirmation as to whether personal data concerning you is being processed; if this is the case, you have a right to information about this personal data and to the information listed in detail in Art. 15 DS-GVO.
5.2 Right to rectification and erasure (Art. 16 and 17 DS-GVO)
You have the right to request without undue delay the rectification of any inaccurate personal data concerning you and, where applicable, the completion of any incomplete personal data.
You also have the right to request that personal data concerning you be deleted without delay, provided that one of the reasons listed in detail in Art. 17 DS-GVO applies, e.g. if the data is no longer required for the purposes pursued.
5.3 Right to restriction of processing (Art. 18 DS-GVO)
You have the right to request the restriction of processing if one of the conditions listed in Art. 18 DS-GVO applies, e.g. if you have objected to the processing pursuant to Art. 21 DS-GVO or for the duration of any examination as to whether our legitimate interests outweigh your interests as a data subject.
5.4 Right to data portability (Art. 20 DS-GVO)
In certain cases, which are listed in detail in Art. 20 DS-GVO, you have the right to receive the personal data concerning you in a structured, common and machine-readable format or to request the transfer of this data to a third party.
5.5 Right of objection (Art. 21 DS-GVO)
If data is collected on the basis of Art. 6 (1) p. 1 lit. f DS-GVO (data processing for the protection of legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
5.6 Right of withdrawal (Art. 7 para. 3 p. 1 DS-GVO)
If your personal data is processed on the basis of consent pursuant to Art. 6 (1) p. 1 lit. a DS-GVO, you have the right to revoke your consent pursuant to Art. 7 (3) p. 1 DS-GVO. You can revoke your consent at any time with effect for the future.
5.7 Right of appeal to a supervisory authority (Art. 77 DS-GVO)
Pursuant to Art. 77 DS-GVO, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of data concerning you violates data protection provisions. The right of complaint may be asserted in particular before a supervisory authority in the Member State of your residence, your place of work or the place of the alleged infringement.
The supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision, Postfach 1349, 91504 Ansbach.
6. contact details of the data protection officer
Our company data protection officer will be happy to provide you with information or suggestions on the subject of data protection:
datenschutz süd GmbH
Password: "DAHW"
Wörthstrasse 15
97082 Würzburg
E-mail: office(at)datenschutz-sued.de
Phone: 0931 304 976 0
