8. Use of video conferencing tools
8.1. Purposes and legal bases
We use platforms, for example, to offer certain services (e.g., conducting webinars or training courses, etc.) or simply to enable communication (both internal and external). The use of the platforms and other related purposes is therefore necessary for the provision of our services and, in principle, for the provision of our products and services. necessary for the performance of contracts (cf. Art. 6 para. 1 lit. b DS-GVO, § 26 para. 1 BDSG).
In addition, the use of the platforms is regularly in our legitimate interest (cf. Art. 6 para. 1 lit. f DS-GVO), as it simplifies the implementation or provision of our services and accelerates communication (both internal and external) or even makes it possible in the first place, especially if face-to-face events should not be possible. In the context of the provision of use, it may also be in our legitimate interest to carry out troubleshooting and generate evaluations.
Furthermore, the platforms may also be used on the basis of consent (cf. Art. 6 para. 1 lit. a DS-GVO), in particular in connection with any recording within the scope of use. We will inform you of this separately in advance in each case, in particular with regard to the personal data processed in connection with the recording (e.g. recording of image and spoken contributions or transcription of these).
8.2. The processed (personal) data
When using the platforms, we process (personal) data. Which (personal) data is processed and to what extent depends in particular on the service offered, the platform used, the technical functions used and the information you provide before, during or after participating in a meeting, e.g. a webinar. During a meeting, content can therefore also be exchanged, uploaded or otherwise made available. Typically, we process the following (personal) data in particular:
Meeting participant details: In order to participate in a meeting or enter the meeting room, at least the first and last name must usually be entered (depending on the platform used). Under certain circumstances, it is also possible to enter only a pseudonym. In addition to first and last name, we process the e-mail address and the access password to the meeting, optionally the profile picture and the telephone number.
If necessary, the information will be processed after the meeting for further purposes (e.g. issuance of participation confirmations). As a rule (depending on the platform and configuration used), the information is deleted 30 days after the end of the meeting. More information about the duration of personal data storage and deletion can be found below under No. 5.
Metadata: The following metadata may be generated as part of a meeting: Time and date of meeting, duration of meeting, interruptions of meeting, log-in and log-out time(s), measurement of behavior in the meeting, e.g. share of speech (optional), participant IP addresses, information on hardware and software used.
If necessary, metadata is used after the meeting for troubleshooting or evaluation, among other things. Metadata is usually deleted 30 days after the meeting ends (depending on the platform and configuration used). More information about the duration of personal data storage and deletion can be found below under No. 5.
Text, audio and video data: It is possible (if the function is enabled) to use the chat, question or poll function in a meeting. Text entries made are processed in order to display them in the meeting and log them if necessary. In addition, to enable the display of video and the playback of audio, (personal) data from the video camera and the microphone of the terminal device are processed during the duration of the meeting. The video camera and/or microphone can be switched off or muted by the user at any time.
Text, audio and video data will only be processed for specific purposes after the meeting (e.g. providing a link to view the webinar afterwards). After the purpose ceases to apply (e.g. expiry of the validity of the link), the data is deleted as a matter of principle, insofar as no further purpose justifies the processing. More information about the duration of personal data storage and deletion can be found below under No. 5.
Recording, storage: Optionally, video, audio and presentation recordings are made or, if necessary, a transcription of the spoken word. Recordings require that the camera and microphone are switched on, the screen is shared if necessary and the resulting functions are also used. If necessary, the transcription can also be used anonymously (depending on the platform and configuration used) by setting.
If the chat function is also used, the information you provide will be stored in the meeting chat text file. This also applies to sent files.
Recordings or other stored data are generally only processed after the meeting to the extent that this is necessary to achieve the purpose (e.g. subsequent provision of a link to view the webinar). If the purpose ceases to apply (e.g. expiry of the validity of the link), the records or other stored data are deleted as a matter of principle, insofar as no further purpose justifies the processing. More information about the duration of personal data storage and deletion can be found below under No. 5.
Dialing in with the telephone: As a rule, the phone number and country are processed, optionally location and connection data.
Where necessary, dial-in data is used after the meeting, e.g. for troubleshooting or evaluation. They are usually deleted 30 days after the end of the meeting (depending on the platform and configuration used). More information on the subject of the duration of storage of personal data and deletion can be found below under No. 5.
8.3. Platforms used, recipients of the (personal) data
To fulfill the aforementioned purposes, we currently use the following platforms in particular: Teams and Skype from Microsoft, GoToMeeting from LogMeIn, WebEx from Cisco and Zoom from Zoom Video Communications.
The data protection declarations of the platform providers (hereinafter “Providers”), with each of which we have concluded a commissioned processing agreement pursuant to Art. 28 DS-GVO, can be found here:
Teams and Skype from Microsoft:
GoToMeeting from LogMein:
WebEx from Cisco:
Cisco Online Privacy Statement – Cisco
Zoom from Zoom Video Communications:
Privacy | Zoom
Within our company, (only) those internal departments or employees receive personal data insofar as they need it to fulfill the aforementioned purposes in particular (enabling communication via a platform by creating a meeting). However, the data recipients are each required to use personal data only to the extent necessary.
If we transfer personal data to other (external) persons, companies or other third parties (e.g. downstream transfer of the recording of the meeting to participants) or grant them other access to personal data, this will only be done on the basis of legal permission or appropriate consent. If we commission third parties with the processing of personal data on the basis of a so-called “order processing agreement” and thereby secure the necessary powers of influence or control with regard to the processing and use of personal data, among other things, this is done on the basis of Art. 28 DS-GVO. However, we remain responsible to you for the lawfulness of the data processing. In this context, we also ensure that the providers maintain appropriate technical and organizational measures to protect personal data.
In addition, providers may also process personal data for their own purposes. Please note that in this case, the providers themselves are responsible and must fulfill the obligations arising from the GDPR (e.g. obligation to inform, obligation to delete after the purpose has been achieved, etc.). You can find more information in the privacy statements of the providers (see above).
8.4. Processing of personal data in a third country
As far as possible, we will carry out the processing of personal data on the territory of the Federal Republic of Germany, in another member state of the European Union or in another state party to the Agreement on the European Economic Area (e.g., we will store (have stored) the data generated in the course of use in an “EU cluster”).
However, if processing of personal data in third countries (e.g. USA) is necessary, in particular in connection with the commissioning of providers, we will ensure that the specific legal requirements for such processing operations are met and thus that an adequate level of data protection prevails in the respective third country. This includes, in particular, checking whether the European Commission has decided that an adequate level of protection exists in a third country (cf. Art. 45 GDPR) or whether suitable or adequate safeguards (e.g. standard contractual clauses) are in place and the enforcement of your rights is guaranteed, as well as whether sufficient technical and organizational measures are in place to protect the personal data.
For information on the appropriate or adequate safeguards and how and where to obtain a copy of them, please contact [email protected].
8.5. Duration of storage of personal data, deletion
In principle, we process or store personal data for the duration of a meeting or webinar and any subsequent services/processes (e.g. issuing certificates of attendance, providing the link to a webinar or transcription, etc.). In addition, we may also process or store personal data for other purposes, such as troubleshooting and evaluation purposes.
If the processing or storage is no longer necessary, we delete the personal data. This does not apply if, among other things, legally prescribed retention periods prevent deletion (cf. Art. 17 (3) DS-GVO) and/or another case of Art. 17 (3) DS-GVO applies. 3 GDPR exists and/or a new purpose justifies further processing.
Incorrect and/or incomplete data will be deleted according to. Art. 5 par. 1 lit. d) DS-GVO deleted or – as far as possible – corrected without delay.
8.6. Technical and organizational measures
To ensure that personal data is protected, the following technical and organizational measures are taken in particular:
- User authentication;
- Possibility for two-factor authentication (e.g. with Zoom and MS Teams);
- Transport / end-to-end encryption;
- Possibility to pixelate backgrounds after activating camera;
- Possibility participation with video/sound by default;
- Participation without creating account (guest account);
- Participation without installing application (web client);
- Recording and storage turned off by default, only after consent recording is started.
8.7. Further data protection information
When contacting us (via contact form, telephone, fax, mail or e-mail), your personal data will be used to process your request and handle it in accordance with the German Data Protection Act. Art. 6 par. 1 lit. b and lit. f DS-GVO processed. The information marked as mandatory in the contact form is required for the processing of your request.
As a rule, we delete requests 3 months after their receipt, at the latest, however, if they have been answered. In the case of legal storage obligations that must be observed, the deletion takes place after their expiration.
10. Deletion, anonymization and retention
The personal data processed by us will be deleted in accordance with Art. 17 DS-GVO. Unless expressly stated within the scope of this data protection declaration, the personal data stored by us will be deleted as soon as it is no longer required for its intended purpose and, in particular, the deletion is not precluded by any statutory retention obligations. Unless the personal data is deleted because its processing is required for other and legally permissible purposes, the processing will be restricted. This means that the personal data is blocked and not processed for other purposes.
Instead of deleting your personal data, we will, if necessary, anonymize it in a way that irreversibly excludes the possibility of recovering the personal data in the future.
According to the legal requirements, a storage takes place in particular for 6 years according to. § 257 para. 1 HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) as well as for 10 years in accordance with the German Commercial Code (HGB). § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).
11. Your rights
You have the right to withdraw a granted consent to the processing of your personal data pursuant to. Art. 7 par. 3 DS-GVO at any time with effect for the future. Processing that took place before the revocation therefore remains lawful.
Gem. Art. 15 DS-GVO you can request information about your personal data processed by us.
Gem. Art. 16 DS-GVO, you can request the immediate correction of incorrect or completion of your personal data stored by us.
Gem. Art. 17 DS-GVO, you can demand the deletion of your personal data stored by us in accordance with the conditions stated there, unless legally prescribed retention periods prevent immediate deletion (cf. Art. 17 para. 3 DS-GVO) and/or another case of Art. 17 para. 3 GDPR exists and/or a new purpose justifies further processing.
Gem. Art. 18 par. 1 DS-GVO, you may request the restriction of data processing if one or more conditions pursuant to. Art. 18 par.1 DS-GVO lit. a to d are present.
Gem. Art. 20 par. 1 DS-GVO, you can receive the personal data we process in a structured, common and machine-readable format, as well as transfer this data to another controller without hindrance from us.
Furthermore, according to Art. 21 para. 1 DS-GVO against the processing of your personal data. In the event of an objection, we will terminate the processing of your personal data. However, the right to object only applies in the event of special circumstances arising from your personal situation. In addition, compelling legitimate grounds which justify the processing may prevail. In addition, certain processing purposes may conflict with your right to object.
Gem. Art. 21 par. 2 DS-GVO, you have the right to object to the processing of personal data concerning you for the purpose of direct marketing at any time without further requirements. This also applies to profiling, insofar as it is associated with such direct advertising. If you object, your personal data will no longer be processed for these purposes (cf. Art. 21 (3) DS-GVO).
Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with the competent supervisory authority (cf. Art. 77 DS-GVO) if you believe that the processing of your data violates data protection provisions. In this context, however, we ask you to address a possible complaint to us first. We will then try to remedy the situation as quickly and as best as possible.