Information in Accordance with Article 13/14 EU General Data Protection Regulation (GDPR) on the Use of the “Videoconferencing System Zoom” by the German Council on Foreign Relations
In view of the current SARS-CoV-2 crisis, the German Council on Foreign Relations has decided to conduct its events in hybrid or digital form. As a result, there has been a significant increase in the need to use videoconferencing systems to carry out the (decentralized) communication of foreign policy, a task that is laid down in our statutes.
After a thorough market analysis and careful consideration, the German Council on Foreign Relations has decided to use the videoconferencing solution of the company Zoom Video Communications, Inc. for our event business. Zoom was selected because, in contrast to other systems on the market, it delivers very high quality, is particularly user-friendly and transparent in its operation, and offers a large number of privacy-friendly configuration options. The service is used by the German Council on Foreign Relations in situations where face-to-face events are not possible or where we want to make our events accessible to a larger audience that cannot be physically present (streaming).
The German Council on Foreign Relations has taken extensive measures to ensure an appropriate level of data protection when using Zoom. For example, numerous default settings have been configured so as to be privacy-compliant. These individual measures are explained in more detail below.
Privacy-Compliant Configuration of the Zoom Platform
In the interest of privacy-compliant use, the following settings cannot be changed by individual conference organizers:
- Calendar and contact integration [disabled]
- Require password when creating new meetings [enabled]
- Encryption required for third party endpoints (H323/SIP) [enabled]
- Prevent participants from saving the chat [enabled]
- Auto-save chats [disabled]
- Remote control [disabled]
- Camera remote control [disabled]
- Notification before a cloud recording is deleted from the recycle bin [enabled]
- Automatic recording [disabled]
- Only the host can download cloud recordings [enabled]
- Only authorized users can view cloud recordings [enabled]
- Require password to access approved cloud recordings [enabled]
- Automatically delete cloud recordings after 120 days [enabled]
- Recording disclaimer [enabled]
- Multiple audio notifications when recording the meeting/stopping the recording [enabled]
- Show external meetings [disabled]
- Enable end-to-end chat encryption [enabled]
- Cloud storage for chat content (30 days) [enabled]
- Delete chat data from device (30 days) [enabled]
- Store edited and deleted message revisions [disabled]
- Archiving third party chat data [disabled]
- Company contacts [disabled]
The controller as defined by the GDPR and other data protection regulations is:
German Council on Foreign Relations (Deutsche Gesellschaft für Auswärtige Politik e.V. – DGAP)
Rauchstraße 17/18, 10787 Berlin, Germany
+49 30 25 42 31-0; firstname.lastname@example.org
The German Council on Foreign Relations is a registered association. It is legally represented by the President, Dr. Thomas Enders.
You can reach our Data Protection Officer at:
German Council on Foreign Relations (Deutsche Gesellschaft für Auswärtige Politik e.V. – DGAP)
Data Protection Officer
Rauchstraße 17/18, 10787 Berlin, Germany
Zoom Video Communications, Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113, acts as the processor as defined by Article 28 GDPR for the German Council on Foreign Relations.
III. Processing of Personal Data
The form of data processing depends on how the service is used. Zoom enables the flexible structuring of online meetings. As a host, the personal data stored in your Zoom account is processed for the management of Zoom rooms. As a participant, you can decide whether to join the chat or enable your microphone or camera. Essentially, the following processing is carried out by Zoom:
1. User Data
In the case of business Zoom accounts, the following data is transferred to Zoom after login and confirmation by the user (registration process):
- Pseudonym, otherwise, optionally, the full name (display name) as well as first name(s) and last names as separate fields
- Language settings
- Optional: department; the person’s official email address
- The name of the institution “DGAP”
- Optional: job title
- Optional: telephone number
- Optional: place
- Optional: company or institution
- Registration password
- If you log in with another Zoom account, the personal data stored there will be processed
- If you connect to a Zoom room (in the browser or via client) as a guest without logging in using a Zoom account, you will be asked to choose an alias for yourself so that you do not have to disclose your name to Zoom
- If you connect via telephone dial-in, your telephone number will be processed
2. Video, Audio, and Text Data
- Video data, if you have enabled the camera of your end device
- Audio data, if you have enabled the microphone of your end device
- Text data, if the chat, question, or poll feature is used
3. Meeting Metadata
- Meeting duration
- Start and end (time) of persons’ participation
- Name and description of the meeting
- Scheduled date/time of the meeting
- Chat status
- IP addresses of the end devices used for participation as well as other device/hardware information (MAC address, other device IDs (UDID), device type, operating system type and version, client version, camera type, microphone or speaker, type of connection, etc.), approximate location for establishing a connection to the nearest Zoom data center
4. Meeting Recordings (Optional)
- mp4 of all video and audio recordings and presentations
- m4a of all audio recordings
- Text file of all annotations, chats, audio log file
- Audio log file and other information shared while using the service
5. German Council on Foreign Relations Employees
Full name, official email address, billing and procurement data
In any case, video and audio data contain your likeness as well as your voice as personal data as defined by Article 4(1) GDPR, as the data relates to you as an identified or identifiable natural person. In addition, the content of your contributions may allow conclusions about your person. The IP address and device/hardware information may also allow conclusions about your person and are therefore to be treated as personal data.
The text within the chat feature is saved in a separate file and is not part of the video in the event of recording.
For further information on data processing when using Zoom, please visit https://zoom.us/privacy and https://zoom.us/docs/en-us/privacy-and-security.html. Please note that this is an external website operated by Zoom Video Communications, Inc. under its own responsibility and that personal data is processed when you visit the website.
IV. Legal Basis
We use the Zoom service in both scholarly and administrative contexts. The relevant legal basis for data processing depends on the area of application in question.
We process data of employees (members and staff) insofar as this is necessary for the fulfillment of the tasks assigned to them and thus for the execution of the employment relationship. The legal basis derives from Article 6(1) subparagraph 1 a), b), and c), paragraph 3, Article 88 GDPR.
The legal basis for the processing of personal data that you may optionally disclose is your consent in accordance with Article 6(1) subparagraph 1 a), 7 GDPR.
The data mentioned above will be processed as long as it is required for the execution of the online meetings and related services. This does not apply if, by way of derogation, a longer storage or retention period is required by law or is necessary for law enforcement within the statutory limitation periods. If data is only retained for the aforementioned purposes, data access is limited to the extent necessary for this purpose.
If the online meeting is recorded, you will be informed of this via a prior notice from the German Council on Foreign Relations and/or via technical signaling. You can disable your camera and microphone independently and leave the meeting at any time. With recording, the data of the audio and video stream and optionally the messages in the chat, question, or poll feature are stored and remain stored beyond the duration of the meeting. The recordings stored on the cloud servers of the provider of “Zoom” are automatically deleted after 30 days at the latest. If online meetings are not recorded, the provider states that it does not store the meeting content after the meeting is over.
If you are logged in with a Zoom account, online meeting reports (meeting metadata, telephone dial-in data, questions and answers in webinars, poll feature in webinars) can be stored in Zoom for up to one month.
The internal recipients are those German Council on Foreign Relations employees who require the data for their activities in the performance of their duties. Additional recipients shall exist in the event that we are legally obligated to disclose the data.
As an external recipient, Zoom Video Communications, Inc. processes your data within the scope of the order processing relationship to the extent described above.
The external recipients of the data you disclose during the online meeting also include the other participants of the online meeting.
VII. Data Processing Outside the EU/EEA
When Zoom is used, personal data is processed outside the EU/EEA. The transfer of data takes place on the basis of standard data protection clauses of the EU Commission as an appropriate guarantee for an adequate level of data protection in accordance with Article 46(2) c) GDPR.
Zoom is configured in such a way that the data collected directly during online meetings (such as image, sound, meeting content) is generally processed at the nearest server location, and thus regularly within the EU, and otherwise exclusively on US servers. The remaining so-called metadata is processed on US servers.
Since Zoom meetings require the sound and image of the speaker to be transmitted to a large number of people in high quality, the connection does not use end-to-end encryption, but transport encryption.
On October 14, 2020, Zoom announced the technical preview of an end-to-end encryption (E2EE). The German Council on Foreign Relations will test this option internally in the coming weeks. Currently, the following features are not usable in conjunction with E2EE encryption: e.g. entering before the host, cloud recording, streaming, live transcription, breakout rooms, polling, 1:1 privacy chat, and meeting responses.
IX. Data Processing in the Cloud
Please note that we have no direct influence on the security of data when using cloud services. Although the German Council on Foreign Relations has configured the service to minimize data, we nevertheless ask that you do not disclose an unnecessarily large amount of data about yourself.
X. Your Rights
With regard to your personal data, you have the following rights:
- Right to withdraw your consent with effect for the future (Article 7(3) GDPR)
- Right to confirmation as to whether your personal data is being processed and right to information about the data processed, further information about the data processing and copies of the data (Article 15 GDPR)
- Right to rectification or completion of inaccurate or incomplete data (Article 16 GDPR)
- Right to immediate erasure of your personal data (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to receive the data in a structured, common, and machine-readable format, provided that the processing is based on consent in accordance with Article 6(1), subparagraph 1, a) or Article 9(2) a), or on a contract in accordance with Article 6(1), subparagraph 1, b), and no exception applies (Article 20 GDPR)
- You also have the right to complain to a supervisory authority about the processing of your personal data by the German Council on Foreign Relations (Article 77 GDPR). The supervisory authority as defined by Article 51(1) GDPR for the German Council on Foreign Relations is, in accordance with Section 8 of the Berlin Data Protection Act (BlnDSG): The Berlin Data Protection and Freedom of Information Officer, email@example.com.
XI. Right to Object in Accordance with Article 21 GDPR
You have the right to object to the future processing of your data, provided that the data is processed in accordance with Article 6(1), subparagraph 1, a) or c) GDPR.
Conditions of Use
Copyright and Personal Rights
The content of the events and all materials (documents, recordings provided, etc.) is – unless indicated otherwise – the intellectual property of the speaker in question and protected by copyright. It may only be used by you as a person registered for the event. In particular, publication, reproduction, passing on, or processing, in whole or in part, are not permitted, nor is the recording of an event in audio or video or by means of screenshots. The unauthorized publication of a recording violates the participants’ right to the spoken word (Section 201 German Criminal Code (StGB)) or the right to one’s own image (Sections 22, 23, and 33 German Law on the Protection of Copyright in Works of Art and Photographs (KUG)). Any misuse may result in legal action.
As a participant, you agree to respect the copyrights and to only use the (live) video conferences individually for your own use within the scope of the invitation by the German Council on Foreign Relations.