The following provides you with information about the processing of personal data in relation to the use of the Zoom solution.
Purpose of processing
We use the Zoom tool to host conference calls, online meetings, videoconferences and/or webinars (hereinafter collectively ‘online meetings’). Zoom is a service provided by the US-based Zoom Video Communications, Inc.
The data controller, who is responsible for data processing in the immediate context of the hosting of online meetings, is Zukunft – Umwelt – Gesellschaft (ZUG) gGmbH.
Please note: Insofar as you access the Zoom website itself, then the Zoom provider is responsible for data processing. However, accessing this website is necessary to use Zoom only in the sense that you need to do so to download the software to actually use Zoom.
You can also use Zoom simply by entering the respective meeting ID and any other meeting login credentials directly into the Zoom app.
If you do not want to (or cannot) use the Zoom app, then the basic features are also available from the browser version of Zoom, which you will also find on the Zoom website.
What kinds of data are processed?
Various types of data are processed while using Zoom. The scope of this data also depends on the kinds of data and information that you share before or during an online meeting.
The following items of personal data form part of processing:
- User information: first name, last name, phone (optional), email address, password (if you are not using ‘single sign-on’), profile picture (optional), department (optional)
- Meeting metadata: topic, description (optional), participant IP addresses, device/hardware information
- For recordings (optional): MP4 file with all video, audio and presentation recordings, M4A file with all audio recordings, text file with the online meeting chat.
- If accessing Zoom over a phone line: details of the incoming/outgoing phone number, country name, start/finish time. Other connection data such as the device IP address may also be stored.
Text, audio and video data: in an online meeting, you may be given the opportunity to chat, ask questions or conduct surveys/polls. In this case, the text input you enter will be processed to display this in the online meeting and it may also be logged. To be able to display video and play audio in the meeting, data from your device’s microphone and from a camera provided by your device will also be correspondingly processed for the duration of the meeting. You can of course use the Zoom apps to turn off your camera or mute your microphone at any time during the meeting.
To participate in an online meeting – i.e. to ‘enter’ the virtual meeting room – you must at least state your name.
Scope of processing
We use Zoom in order to conduct online meetings. If we want to record online meetings, then we will make sure you are fully informed of this beforehand and ask for your consent if required to do so. The Zoom app also lets you know when meetings are being recorded.
We will also log the chat history if this is necessary in order to keep a record of the events that occurred during an online meeting. Typically, however, this will not be necessary.
In the case of webinars, we may also process the questions asked by webinar participants for the purposes of record-keeping and webinar follow-up work.
If you have a registered Zoom user account, then you can store reports about online meetings (meeting metadata, data about your phone access number, webinar Q&A sessions and webinar surveys/polls) for up to a month as part of the Zoom user service.
Automated decision-making in the sense defined by article 22 of the GDPR is not utilised.
Legal basis of data processing
Where personal data from employees of Zukunft – Umwelt – Gesellschaft (ZUG) gGmbH is processed, the legal basis of data processing is section 26 of the German Federal Data Protection Act (BDSG). If personal data, when considered in conjunction with Zoom usage, is not necessary for justifying, conducting or terminating the employment relationship but nonetheless forms an elementary part of using Zoom, then point (f) of Art. 6(1) of the GDPR forms the legal basis of data processing. Our interest in these cases consists of the effective hosting of online meetings.
In cases where online meetings are conducted in the context of contractual relationships, the legal basis for data processing when hosting these meetings is formed by point (b) of Art. 6(1) of the GDPR.
If no contractual relationship exists, then the legal basis is formed by point (f) of Art. 6(1) of the GDPR. Our interest in this case also consists of the effective hosting of online meetings.
Personal data processed in conjunction with participation in online meetings is not shared with third parties as a general rule unless this data is explicitly intended to be shared in this way. Please note that, as with face-to-face conference-style meetings, online meeting content is often deliberately designed to communicate information to (potential) customers or third parties and is therefore explicitly intended to be shared.
Other recipients: the items of data mentioned above are necessarily shared with the Zoom service provider where this sharing is envisaged by our commissioned data processing contract.
Data processing outside the European Union
Zoom is a service that is offered by a provider based in the USA. Accordingly, this involves the processing of personal data in a third country. We have signed a commissioned data processing contract with the Zoom provider that fulfils the requirements of Art. 28 of the GDPR.
An appropriate level of data protection is firstly ensured by the use of the EU Standard Contractual Clauses (SCCs). To provide an additional level of protection, we have also configured Zoom in such a way to ensure that our online meetings are hosted only using data centres based within the EU, the EEA or secure third countries such as Canada or Japan.
Data Protection Officer
We have appointed a company Data Protection Officer (DPO).
Our DPO can be reached by phone on +49 30 700 181 142 or emailed at datenschutz(at)z-u-g.org.
The postal address is: Ms Mandy Knoblauch, DPO, Zukunft – Umwelt – Gesellschaft (ZUG) gGmbH, Köthener Straße 4, 10963 Berlin, Germany.
Your rights as a data subject
You have the right of access to the personal data that is stored about you. You can exercise this right of access by contacting us at any time.
If you do not contact us in writing to exercise this right, we may need to request some form of identification from you that confirms you are indeed the person who is requesting access to your data.
You also have rights of rectification and erasure (‘right to be forgotten’) and also to restrict processing to the extent granted to you by the law.
Furthermore, you also have a right to object to processing as set out in the relevant legislation.
In addition, you have a right to data portability, as granted by data protection law.
Erasure of data
As a rule, we erase personal data when there is no longer any requirement to keep storing this data. Such a requirement may exist if the data is still required in order to render contractual performance, to verify claims made under a warranty or a guarantee, or to honour or to defend ourselves against such claims. In the case of legal data retention obligations, erasure is possible only after the expiry of the applicable retention period.
Right to lodge a complaint with a supervisory authority
Lastly, you also have the right to lodge a complaint about the processing of your personal data with a supervisory authority for data protection.
Last updated: 26 April 2021