Zoom - Privacy statement and information on data processing
The University of Bayreuth is not liable for inaccuracies or mistakes in this English translation. In case of doubt, the German originals are to be used in a court of law.
I. Name and address of the party responsible
The party responsible within the meaning of the Basic Data Protection Regulation and other national data protection laws of Member States as well as other provisions of data protection law is the:
Universität Bayreuth
Universitätsstraße 30
95440 Bayreuth
Deutschland
Represented by your President
Prof. Dr. Stefan Leible
Universitätsstraße 30
95440 Bayreuth
Tel.: +49 (0)921 / 55-5201
E-Mail: praesident@uni-bayreuth.de
II. Name and address of data protection officer
The data protection officer of the party responsible is:
Thomas Frahnert
ZUV, Raum 1.17
Universitätsstraße 30
95440 Bayreuth
Deutschland
Tel.: +49 (0)921 / 55-5335
E-Mail: datenschutz@uni-bayreuth.de
III. Data subject rights
1. General
With regard to the processing of your personal data, you, as a data subject, have the following rights under Art. 15 e.g. GDPR to:
- You can request information about whether we process personal data from you. If this is the case, you have the right to information about these personal data as well as to other information related to the processing (Art. 15 GDPR). Please note that in certain cases this right of access may be limited or excluded (see in particular Art. 10 BayDSG).
- In the event that personal data about you is no longer (no longer) accurate or incomplete, you may request a correction and, if necessary, completion of such data (Art. 16 GDPR).
- If the legal requirements are met, you can request the deletion of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR). However, the right to erasure under Art. 17 sec. 1 and 2 GDPR does not exist, among other things, if the processing of personal data is necessary for the performance of a task. This is in the public interest or is in the exercise of official authority (Art. 17 sec. 3(3) (b GDPR).
- If you have consented to the processing or if there is a contract for data processing and the data processing is carried out by means of automated procedures, you may have the right to data portability (Art. 20 GDPR).
- You have the right to complain to a supervisory authority within the meaning of Article 51 GDPR about the processing of your personal data. The Bavarian State Commissioner for Data Protection, Wagmüllerstraße 18, 80538 Munich, is responsible for the supervisory authority for Bavarian public authorities.
2. Withdrawal
Insofar as the processing is carried out on the basis of consent, you have the right to withdraw your consent at any time. The revocation only works for the future; that is, the revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation.
3. Right to object
For reasons arising from your particular situation, you can also object to the processing of personal data concerning you by us at any time (Art. 21 GDPR). If the legal requirements are met, we will no longer process your personal data.
4. Further information
Automated decision-making or profiling in the legal sense does not take place. You will not be able to use the Application without providing your personal information.
IV. Purposes and legal bases of the processing
1. Purposes
Reference and use of the webinar solution as a tool for teaching, research and administration, including static evaluation.
This includes the use of licensed products and services, provision of updates, security assurance, and technical and customer support.
2. Legal bases
For statistics
- Art. 6 Abs. 1 lit. e i.V.m. Art. 4 BayDSG
For teaching
- Art. 6 Abs. 1 lit. e DSGVI i.V.m Art. 4 BayDSG (Art. 55 Abs. 2 BayHSchG)
For employees and staff
- Art. 6 Abs. 1 lit. b DSGVO i.V.m. Art. 4 BayDSG (§ 106 Gewerbeordnung)
- Art. 6 Abs. 1 lit. c DSGVO i.V.m. Art. 4 BayDSG (Art. 33 Abs. 5 GG)
- Art. 6 Abs. 1 lit. c DSGVO i.V.m. § 3a Abs. 1 ArbStättV
For recordings of events
- Art. 6.1c GDPR (for statutory documentation obligations, e.g. examinations)
- Art. 6.1b GDPR for contracts with recording obligations
- Art. 6.1a GDPR in other cases
V. Categories of personal data
|
Number |
Name of data |
|
1 |
User profile: first name, last name, phone (optional), email, password (if SSO is not used), profile picture (optional), department (optional) |
|
2 |
Meeting metadata: topic, description (optional), participant IP addresses, device/hardware information |
|
3 |
Meeting recordings: Mp4 of all video and audio recordings and presentations, mp4 of all audio recordings, text file of everyone in the meeting, chats, audio log file |
|
4 |
IM chat logs |
|
5 |
Telephony usage data (optional): caller's phone number, caller's phone number, country name, IP address, 911 address (registered service address), start and end time, host name, host email, MAC address of the device used |
|
6 |
Invoice and procurement data (available only in the Administrator role) |
VI. Categories of data subjects
|
No. of data categories |
Name of data |
|
1-5 |
Users |
|
3-4 |
Persons, in communication mentioned |
|
6 |
Buyer |
VII. Categories of recipients
|
No. of data categories |
Recipient |
Reason for disclosure |
Location |
|
1-6 |
Zoom Video Communications, Inc. |
Processor |
United States, Canada, India, Australia, Brazil, Japan, Hong Kong |
|
Subprocessor |
|||
|
6 |
People.ai |
Vertreib, CRM |
United States of America |
|
1-6 |
Zendesk |
Support |
United States of America |
|
6 |
Wootric |
Kundenumfragen |
United States of America |
|
1-6 |
Totango |
Onboarding, Kundenerfahrung |
United States of America |
|
1,6 |
Answerforce |
Customer |
United States of America |
|
1 |
Rocket Science Group, LLC |
Mail Notifications |
United States of America |
|
1, 6 |
Five9 |
Call |
United States of America |
|
1-6 |
EPS Ventures |
Support |
Malaysia |
|
1-6 |
WKJ Consultancy |
Support |
Malaysia |
|
6 |
Salesforce |
Customer management |
United States of America |
|
1, 6 |
CyberSource |
Payment and fraud prevention |
Europe |
|
1, 6 |
Adyen |
Payment and fraud prevention |
United States of America |
|
6 |
Zuora |
Subscription management |
United States of America |
| 1-5 | Oracle Inc. | Infrastruktur (IT) | United States of America |
| 1-5 | Microsoft Corp. | Infrastruktur (IT) | United States of America |
|
1-5 |
Amazon Web Services |
Infrastructure (IT) |
United States, EU, Canada, Australia |
|
1-5 |
Bandwidth |
Infrastructure (telephony) |
United States of America |
VIII. Transfers of personal data to a third country or to an international organisation
|
No. of data categories |
Third country or international organisation |
Appropriate guarantees in the case of transmission in accordance with the second subparagraph of the second subparagraph of the second subparagraph |
|
1-6 |
United States, Canada, India, Australia, Brazil, Japan, Hong Kong |
|
|
1-6 |
United States, Malaysia, Canada, Australia |
IX. Time limits for the deletion of the different categories of data
|
No. of data categories |
Retention period |
|
1 |
30 days after deleting the account or ending the contract |
|
2 |
30 days after the deletion or the end of the contract |
|
3 |
7 days after revocation of consents required for the publication and storage of the drawing. |
|
4 |
Locally stored chat messages are deleted if they are older than 30 days. Storage in the cloud has been disabled. |
|
5 |
30 days after the deletion or the end of the contract |
|
6 |
Internally in accordance with bugdet and tax law |
The archive law remains unaffected by the retention periods.