Data protection – Technische Hochschule Nürnberg Georg Simon Ohm

Data protection notice

Why Zoom?

The current and continuing pandemic and the accompanying transition to online instruction led to an increased demand for video conferencing services. The management and CIOs at institutions of higher education in Bavaria selected Zoom as a robust solution. Zoom has come under increasing scrutiny over the past year as a result of the lockdown, and a number of privacy and security issues have been identified that the company has been and is still working on aggressively. Security and data protection are a main focus and the use of Zoom is observed closely. Within the framework of the campus license, multiple settings are available that considerably increase the security and data protection. Besides the standard license, a contract with Zoom related to data processing has been closed that remediates many of the critical points related to data protection and security according to the assessment of the Bavarian “Stabsstelle für IT-Recht”. Further improvements to the legal conditions are provided by the additionally agreed Master Subscription Agreement with Zoom and a new Data Processing Addendum. A good overview of the current status of Zoom as related to data protection and security aspects and its use at Bavarian institutions of higher education is available on the website of the Bavarian “Stabstelle für IT-Recht”, which is also the source of some of the texts on this page:

https://www.rz.uni-wuerzburg.de/de/dienste/it-recht/it-vertraege/zoom/

In order to mitigate the expected strains on the services provided, the Ohm offers various services to enable online teaching. Besides Zoom, MS Teams and the DFN services pexip and Adobe Connect are also offered. These different offers are available to provide variable solutions to best meet your needs.

Settings for Zoom at the Technische Hochschule Nürnberg

The Zoom instance of the Technische Hochschule Nürnberg has all data protection and securtiy-relevant options activated, provided they do not conflict with the intended purpose of its use. More information and recommendations that can increase security can be found under the ‘Tips for using Zoom’. Furthermore, the Technische Hochschule Nürnberg Georg Simon Ohm has adopted regulations on recording at the university.

Data protection information on the processing of personal data (Bavaria)

Responsible party and their data protection officer (besides the license party)

Zoom Video Communications, Inc., 55 Almaden Boulevard, San Jose, CA 95113, United States privacy statement:

https://zoom.us/privacy?zcid=1231

Affected individual’s rights

General

Related to the processing of your personal information, you have the following rights pursuant to Art 15 ff GDPR as an affected individual:

You may request the information, if we process personal information related to you. If this is the case, you have the right to information about the personal information and about further information related to the processing (Art. 15 GDPR). Please note that this right to information may be restricted in some instances or may be excepted (see in particular, Art. 10 BayDSG).
In instances where personal information related to you is not (or no longer) correct or is incomplete, you may request a correction or, if applicable, completion of this information.
If the legally required conditions are fulfilled, you may request the deletion of your personal information (Art. 17 DSGVO) or restriction of the processing of this information (Art. 18 DSGVO). The right to have information deleted pursuant to Art. 17 (1) and (2) DSGVO does not exist, inter alia, if the processing of personal information is necessary to perform a task. In the public interest or in the exercise of public authority (Art. 18 (3) letter b DSGVO).
If you have agreed to data processing or a data processing agreement exists and data processing is being carried out using an automated process, you are entitled to data portability if required (Art. 20 GDPR)
You have the right to complain to a supervisory authority in accord with Art. 51 GDPR about the processing of your personal information. The responsible supervisory authority for Bavarian public offices is the Bavarian State Data Protection Officer, Wagmüllerstraße 18, 80538 Munich.

We will inform you of your right of revocation and your right to object, specifically.

Right of Revocation

You may object to the processing of your personal information by us at any time for reasons arising from your specific situation (Art. 21 GDPR). If the legal conditions are met, we will subsequently discontinue processing your personal information.

Purpose

Procurement and use of the video conferencing solution as a tool for teaching, research, and administration. This comprises the use of the licensed product and services, provision of updates, assurance of information security, and technical and customer support.

Legal basis for the processing

For statistical purposes

Art. 6 Para. 1 (e) in conjunction with Art. 4 BayDSG (Art. 10 Para. 1 BayHschG, Art. 7 BayHO)

For teaching purposes

Art. 6 Para. 1 (e) GDPR in conjunction with Art. 4 BayDSG (Art. 55 Para. 2 BayHschG)

For employees

Art. 6 Para. 1 (b) GDPR in conjunction with Art. 4 BayDSG (§ 106 Gewerbeordnung)
Art. 6 Para. 1 (c) GDPR in conjunction with Art. 4 BayDSG (Art. 33 Para. 5 GG)

For recording events

Art. 6 Para. 1 (c) GDPR (for regulated documentation requirements, e.g., examinations)
Art. 6 Para. 1 (b) GDPR for contracts with recording obligations
Art. 6 para. 1 (a) GDPR for all other cases

Data categories (only with registration with Zoom)

User profile: Given name, family name, telephone (optional), email, password (if SSO is not used), profile image (optional), department (optional)
Meeting metadata: Topic, description (optional), participant IP-addresses, device/hardware information (are always compiled)
Meeting recordings: mp4 of all video and audio recordings and presentations, M4A of all audio recordings, text files of all in the meeting, chats, audio protocol files. At the Technische Hochschule Nürnberg, it is currently not possible to record meetings. They are not recorded by default nor is there the possibility to record meetings as a user.
IM Chat Protocols
Telephone use information (optional): caller number, caller number, country name, IP address, 911 address (registered business address), start and end times, host name, host email, MAC address of the device used
Billing and procurement information

Categories of affected persons

For data categories 1-5: persons who use or administer Zoom.
For data categories 3-4: persons who are identifiable in communications and documents.
For data category 6, procurer and requesting party

Receiver

Can be read at:

https://zoom.us/de-de/subprocessors.html

1-6	Zoom Video Communications, Inc.	Data processing	United States of America and subcontracted processing agents
		Subcontracted processing agents
1-6	Zendesk	Support	United States of America
1	Rocket Science Group, LLC	Email notifications	United States of America
1-6	Amazon Web Services	Infrastructure (IT)	United States of America, EU, Canada, Australia
1-6	Oracle	Cloud Service Provider/IT infrastructure	United States of America

Storage period

Data category 1: 90 days after deletion of the account or end of contract
Data category 2: 90 days after request for deletion or end of contract
Data category 3: 7 days after deletion of the recording
Data category 4: 7 days after deletion of the chat
Data category 5: 90 days after request for deletion or end of contract
Data category 6: Internal according to budget and tax law

Advance deletion is always possible with an order for deletion from Zoom.