piwik-script

Deutsch Intern
    Information Technology Centre

    Zoom - Privacy Policy and information on data processing

    Controller

    Julius-Maximilians-University Würzburg
    (Corporation of Public Law)

     Its president represents the university.

    Sanderring 2, 97070 Würzburg

    Telephone: + 49 931 31-0
    Fax:  + 49 931 31-82600

    Data Protection Officer of the Julius-Maximilians-University Würzburg

    Sanderring 2, 97070 Würzburg

    Telephone: + 49 931 31-0
    datenschutz@uni-wuerzburg.de

    Scope of application

    The scope of this information is limited to the use of Zoom with accounts of the University of Würzburg and to participation in meetings and webinars organized by the University of Würzburg.

    Data subject rights

    General

    With regard to the processing of your personal data, you, as a data subject, have the following rights under Art. 15 e.g. GDPR to:

    • You can request information  about whether we process personal data from you. If this is the case, you have the right to information about these personal data as well as to other information related to the processing (Art. 15 GDPR). Please note that in certain cases this right of access may be limited or excluded (see in particular Art. 10 BayDSG).
    • In the event that personal data about you is no longer (no longer) accurate or incomplete, you may request a correction  and, if necessary,  completion of such data (Art. 16 GDPR).
    • If the legal requirements are met, you can request the deletion of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR). However, the right to erasure under Art. 17 sec. 1 and 2 GDPR does not exist, among other things, if the processing of personal data is necessary for the performance of a task. This is in the public interest or is in the exercise of official authority (Art. 17 sec. 3(3) (b GDPR).
    • If you have consented to the processing or if there is a contract for data processing and the data processing is carried out by means of automated procedures, you may have the right to data portability  (Art. 20 GDPR).
    • You have the right to complain to a supervisory authority within the meaning of Article 51 GDPR about the processing of your personal data. The Bavarian State Commissioner for Data Protection, Wagmüllerstraße 18, 80538 Munich, is responsible for the supervisory authority for Bavarian public authorities.

    Withdrawal

    Insofar as the processing is carried out on the basis of consent, you have the right to withdraw your consent at any time. The revocation only works for the future; that is, the revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation.

    Right to object

    For reasons arising from your particular situation, you can also object to the processing of personal data concerning you by us at any time (Art. 21 GDPR). If the legal requirements are met, we will no longer process your personal data.

    Further information

    Automated decision-making or profiling in the legal sense does not take place. You will not be able to use the Application without providing your personal information.

    Purposes and legal bases of the processing

    Purposes

    Reference and use of the webinar solution as a tool for teaching, research and administration, including static evaluation.

    This includes the use of licensed products and services, provision of updates, security assurance, and technical and customer support.

    Legal bases

    For statistics

    • Art. 6.1e i.V.m. Art. 4 BayDSG

    For teaching

    • Art. 6.1e GDPR i.V.m Art. 4 BayDSG (Art. 55 sec. 2 BayHSchG)

    For employees and staff

    • Art. 6.1b GDPR in accordance with Art. 4 BayDSG (Section 106 Of the Commercial Code)
    • Art. 6.1c GDPR i.V.m. Art. 4 BayDSG (Art. 33.5 GG)
    • Art. 6.1c GDPR i.V.m. Section 3a.1 ArbStättV

    For recordings of events

    • Art. 6.1c GDPR (for statutory documentation obligations, e.g. examinations)
    • Art. 6.1b GDPR for contracts with recording obligations
    • Art. 6.1a GDPR in other cases

    Categories of personal data

    Number

    Name of data

    1

    User profile: first name, last name, phone (optional), email, password (if SSO is not used), profile picture (optional), department (optional)

    2

    Meeting metadata: topic, description (optional), participant IP addresses, device/hardware information

    3

    Meeting recordings: Mp4 of all video and audio recordings and presentations, mp4 of all audio recordings, text file of everyone in the meeting, chats, audio log file

    4

    IM chat logs

    5

    Telephony usage data (optional): caller's phone number, caller's phone number, country name, IP address, 911 address (registered service address), start and end time, host name, host email, MAC address of the device used

    6

    Invoice and procurement data (available only in the Administrator role)

    Categories of data subjects

    No. of data categories

    Name of data

    1-5

    Users

    3-4

    Persons, in communication mentioned

    6

    Buyer

    Categories of recipients

    No. of data categories

    Recipient

    Reason for disclosure

    Location

    1-6

    Zoom Video Communications, Inc.

    Processor

    United States, Canada, India, Australia, Brazil, Japan, Hong Kong

       

    Subprocessor

     
     

    People.ai

    Vertreib, CRM

    United States of America

      Sendgrid by Twilio Transactional email provider United States of America
      Task US Billing and technical support Philippines
      KMC Solutions Billing and technical support Philippines
      Forethought Automated customer support response tool United States of America
      ADA Inc Support chat bot United States of America, Canada
     

    Zendesk

    Support

    United States of America

     

    Wootric

    Kundenumfragen

    United States of America

     

    Totango

    Onboarding, Kundenerfahrung

    United States of America

     

    Answerforce

    Customer

    United States of America

     

    Rocket Science Group, LLC

    Mail Notifications

    United States of America

     

    Five9

    Call

    United States of America

     

    EPS Ventures

    Billing and technical support

    Malaysia

     

    WKJ Consultancy

    Billing and technical support

    Malaysia

     

    Salesforce

    Customer management

    United States of America

     

    CyberSource

    Payment and fraud prevention

    Europe

     

    Adyen

    Payment and fraud prevention

    United States of America

     

    Zuora

    Subscription management

    United States of America

      Oracle Inc. Infrastruktur (IT) United States of America
      Microsoft Corp. Infrastruktur (IT) United States of America
     

    Amazon Web Services

    Infrastructure (IT)

    United States, EU, Canada, Australia

     

    Bandwidth

    Infrastructure (telephony)

    United States of America

    Transfers of personal data to a third country or to an international organisation

    No. of data categories

    Third country or international organisation

    Appropriate guarantees in the case of transmission in accordance with the second subparagraph of the second subparagraph of the second subparagraph

    1-6

    United States, Canada, India, Australia, Brazil, Japan, Hong Kong

    Standard data proctection clauses
    EU-US-Privacy Shield

    1-6

    United States, Malaysia, Canada, Australia, Philippines

    The same standard data protection clauses

    Time limits for the deletion of the different categories of data

    No. of data categories

    Retention period

    1

    30 days after deleting the account or ending the contract

    2

    30 days after the deletion or the end of the contract

    3

    7 days after revocation of consents required for the publication and storage of the drawing.
    Alternatively: After no need for publication and storage of the recording

    4

    Locally stored chat messages are deleted if they are older than 30 days. Storage in the cloud has been disabled.

    5

    30 days after the deletion or the end of the contract

    6

    Internally in accordance with bugdet and tax law

    The archive law remains unaffected by the retention periods.

    Regulations and rules of conduct for Zoom recordings

    The following supplementary regulations apply in accordance with § 7 section 10 User Regulations for Information Processing Systems of the University of Würzburg:

    1. A recording will only be made if the person to be recorded has given his or her consent via Zoom Client.
    2. He or she generally agrees to the video recording and thus undertakes to act in accordance with the current copyright law as well as to inform the auditorium by means of Zoom Client before each recording that this event is being recorded. After completion of the recording, the video must be sent to the University's Information Technology Center.
    3. The Information Technology Center and its contracted service providers (currently Microsoft Ireland Operations Ltd.) are permitted to add closed captions to the video for accessibility purposes, including translations of the closed captions into other languages.
    4. The video data and subtitles are streamed via a video streaming server. Depending on the wishes of teachers, the video material will be integrated as course material in one area of the respective WueCampus courses.
    5. Upon request, the recorded videos and subtitles can be made available for download.
    6. On the streaming server, the recorded videos are kept for a maximum of 2 years. Afterwards they will be deleted from the server. The persons will be informed about the deletion before this time.

    If you have any questions regarding the recording, please contact the multimedia services team: multimedia@uni-wuerzburg.de.