Data Protection Notice for Online Meetings, Teleconferences and Online Seminars with Zoom
Purpose of processing
We use Zoom software to hold teleconferences, online meetings, video conferences and/or online seminars (hereinafter "online meetings"). Zoom is a service provided by Zoom Video Communications, Inc., which is based in the US.
Responsible person
The person responsible for data processing directly related to the organisation of online meetings is the Max Delbrück Center for Molecular Medicine at the Helmholtz Association, Robert-Rössle-Str. 10, 13125 Berlin.
Note: When you access the Zoom website, the provider of Zoom is responsible for data processing. However, it is only necessary to access the website to download the software required to use Zoom.
You can also use Zoom by entering the meeting ID and any other required login information directly in the Zoom app.
If you do not wish to use or are unable to use the Zoom app, the basic features can also be used in a browser version, which is also available on the Zoom website.
What data is processed?
When you use Zoom, various kinds of data are processed. The scope of the data also depends on what data you provide prior to or during an online meeting.
The following personal data is processed:
Information about the user: First name, surname, telephone number (optional), e-mail address, password (unless using single sign-on), profile picture (optional),
department (optional)
Meeting metadata: Topic, description (optional), attendees' IP addresses, device/hardware information
In the case of recordings (optional): MP4 file of all recorded video, audio and presentations, M4A file of all recorded audio, text file of online meeting chat.
If dialling in by phone: Information about the incoming and outgoing number, country name, start and end time. Additional connection data such as the IP address of the device may also be stored.
Text, audio and video data: During an online meeting you may have the option of using the chat, question or survey features. Any text you enter will be processed in order to display it during the meeting and, if applicable, to record it. To allow video to be viewed and audio to be played back, data from your device's microphone and any video camera on the device will be processed for the duration of the meeting. You can disable or mute the camera or microphone at any time using the Zoom applications.
To join an online meeting or enter the meeting room, you must at least provide your name.
Scope of processing
We use Zoom to hold online meetings. If we intend to record an online meeting, we will notify you of this transparently in advance and – where necessary – seek your consent. You will also be notified in the Zoom app that the meeting is being recorded.
We will record the content of the chat if this is necessary for the purposes of recording the outcomes of an online meeting. However, this will not normally be the case.
In the case of online seminars, we may process the questions asked by attendees for the purposes of recording and following up on the online seminar.
If you are registered as a Zoom user, reports on online meetings (meeting metadata, data on phone dial-in, questions and answers in online seminars, survey feature in online seminars) may be stored by Zoom for up to one month.
The option of 'attention tracking' by the software available in online meeting tools like Zoom is disabled.
Automated decision-making as set out in Article 22 of the GDPR is not used.
Legal basis for data processing
Where personal data is processed by employees of MDC, the legal basis for data processing is Section 26 of the German Federal Data Protection Act (BDSG). If personal data relating to the use of Zoom is not necessary for establishing, carrying out or terminating the employment relationship, but is nonetheless an elementary component of the use of Zoom, Article 6(1) point f) of the GDPR is the legal basis for data processing. In these cases, our interest is the effective organisation of online meetings.
In all other respects, the legal basis for data processing in relation to the organisation of online meetings is Article 6(1) point b) of the GDPR, assuming that the meetings take place in the context of contractual relationships.
If no contractual relationship exists, the legal basis is Article 6(1) point f) of the GDPR. Here too, our interest is the effective organisation of online meetings.
Recipients / Forwarding of data
Personal data processed in connection with participation in online meetings is not normally forwarded to third parties unless it is specifically intended for dissemination. Please note that, as with face-to-face meetings, the content of online meetings often serves the purpose of communicating information to customers, interested parties or third parties and is therefore intended for dissemination.
Other recipients: The provider of Zoom necessarily has access to the above data where this is stipulated in our data processing agreement with Zoom.
Data processing outside the European Union
Zoom is a service offered by a provider in the US. Personal data is therefore also processed in a third country. We have concluded a data processing agreement with the provider of Zoom which complies with the requirements of Article 28 of the GDPR.
An adequate level of data protection is guaranteed by the Privacy Shield certification of Zoom Video Communications, Inc. and also by the conclusion of EU Standard Contractual Clauses.
Data protection officer
We have designated a data protection officer.
This person can be contacted using the details below: Max-Delbrück-Centrum für Molekulare Medizin, Datenschutzbeauftragte [Data Protection Officer], Robert-Rössle-Str. 10, 13125 Berlin, e-mail: Datenschutz@mdc-berlin.de
Your rights as a data subject
You have the right to be informed about personal data relating to you. You may contact us at any time to request this information.
Where requests for information are not made in writing, please be aware that we may require evidence to show that you are the person you claim to be.
You also have the right to have your personal data corrected or deleted and to restrict processing of your personal data where permitted by law.
Finally, you have the right to object to the processing of your personal data within the scope permitted by law.
The right to data portability also applies within the scope permitted by data protection law.
Deletion of data
As a general principle, we delete personal data when there is no requirement to continue storing it. Such a requirement may exist if the data is still needed to perform contractual services or to verify and grant or refute guarantee or, if applicable, warranty claims. Where there is a legal obligation to retain the data, deletion is only possible once the obligatory retention period has expired.
Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint about the processing of your personal data by us with a supervisory authority for data protection.
Changes to this Data Protection Notice
We will revise this Data Protection Notice in the event of changes to the data processing or in response to other events which make this necessary. The current version will always be available on this website.
Date: 2 April 2020