Data protection with Zoom
The switch to digital teaching, which was decreed by the state government, has posed serious challenges for the DFNconf service, through which the University of Hohenheim and other German universities have so far offered conference services. The platform, which is currently being further expanded, was not able to cope with the sharp increase in demand. The same applies to our own video conference system webconf (Adobe Connect). In the face of the Covid crisis, it was therefore necessary to create a short-term alternative to maintain communication within the digital teaching, research, and work environment.
After experiences with other systems such as WebEx, Skype for Business, Microsoft Teams, or Jitsi, Zoom has proven to be a very reliable and user-friendly solution with high conference quality. Considerations such as functionality, stability, security, and data protection were taken into account when deciding on Zoom.
Due to the lockdowns in the context of the Covid crisis, Zoom is enjoying great popularity worldwide as a platform for audio/video conferences. As a result, Zoom has, within a short period of time, become the focus of close scrutiny by security experts worldwide. Zoom was also surprised by the developments and is now responding quickly to the diverse requirements, both technically and organizationally.
In the course of this scrutiny, new questions and criticisms about Zoom arise almost daily, which we take up here in the Zoom FAQs. So far, we have been able to ascertain that Zoom reacts very quickly to enquiries and has also provided appropriate technical solutions. As things stand at present, we are confident that all the security issues discussed so far can be resolved by Zoom.
We are able to adapt the configurations to a large extent and, from our point of view, switch off problematic functions directly or configure them to meet our requirements. This means that the meetings conducted with our Edu licenses have better security than when using the free version of Zoom.
Purpose of processing
Zoom is used in administration, teaching, and research to conduct virtual meetings, interactive online courses, and Online-Seminars (online meetings). The purpose of data processing is to use Zoom as a tool for cooperation within the framework of the official activities at the University of Hohenheim for the fulfillment of university tasks (teaching, research, and administration).
It is not permissible to use Zoom for private purposes within the scope of the EDU licenses.
There is no performance or behavioral monitoring based on your use of Zoom. The use of Zoom to generate personal statistics is not permitted.
Conditions for permitted use
- Content with high protection requirements (university exams, appointment procedures, job interviews ...)
If you use Zoom for sensitive conversations, please enable tap-proof end-to-end encryption. Note that this will make the following features unavailable: Breakout Rooms, Polls, Participation in Browser, Phone Dial-in. If end-to-end encryption is not an option, it is preferable to use webconf or DFNconf. Neither service has end-to-end encryption, but both are at least hosted in Germany.
- Recording only without students and only with the explicit consent of all participants
The default settings in Zoom must be selected so that no automatic recording is made. A recording may only be made with the express consent of the participants concerned and only to the extent that this is necessary within the framework of applicable law and for official purposes or for the specific performance of tasks. In the case of recordings, copyrights and the personal rights of the persons concerned must be respected in particular. The fact that the meeting is being recorded is shown to the participants in the Zoom app. The recording of events with students as well as the use of the chat recording is not permitted.
If you would like to record online courses, please note the university's regulations regarding technology and data privacy:
handreichung_aufzeichnung_online-lehre.pdf
- No exchange of files with high data protection requirements
For the exchange of particularly sensitive files between participants, existing secure channels should generally be used (shared drives, FEX, possibly BwSync&Share).
- Storage of recording
The storage of recordings is only permitted on Hohenheim internal servers or local data carriers. Recorded events may only be stored as long as this is necessary for the fulfillment of the respective task and as long as there is no obligation to delete them.
- No private use of the EDU licenses
It is not permissible to use Zoom for private purposes within the scope of the EDU licenses.
Further information on data protection
- Avoid unauthorized data processing
In the context of the use of Zoom it must be ensured that no unauthorized data processing takes place. It must also be ensured that the confidentiality of official matters is maintained.
Make sure that smart devices, such as Alexa, Siri, Google Home, are not near where you are working or are not active to prevent unauthorized data processing or recording.
- Adjust privacy settings before meeting
Before using Zoom, the possible data protection settings must be made in such a way that personal data is processed by Zoom only for the purposes mentioned and within the scope of the applicable laws. The data protection principles privacy by default, data minimization, data economy, and purpose limitation must be observed.
- Tracking
You can exclude advertising cookies and tracking (Google Analytics, Google Ads, ...) by making the appropriate settings in Zoom and in the software used (e.g. browser).
- Hide background
To protect your privacy, you can replace your background with an overlay. Your head can still be seen, but your surroundings cannot.
Privacy configurations in Zoom
To ensure that your personal data is protected in the best possible way, we have configured Zoom in all functional areas so that only a minimum of data is transmitted and stored.
Participation in meetings
- All meetings start with participant videos turned off. The video image must be actively switched on by the participants.
- Participants are muted when they enter the meeting.
- Email addresses are not displayed via watermark.
- A password is set by default for all meetings, even for participation by telephone.
- Feedback to Zoom at the end of a meeting is disabled.
- Remote control via screen sharing is disabled.
- Remote support is deactivated.
- Camera remote control is deactivated.
- Notification of the host when participants enter before the host is disabled.
- Automatic notification of participants when a meeting is cancelled is disabled.
Technical settings
- Restriction of the data centers used to USA and Europe
- Encryption of all data between the Zoom Cloud and the Zoom Client.
- If there are only two people in a meeting, a peer-to-peer connection is established.
- Sending emails via the Zoom website is deactivated.
- Snapshot in the iOS task switching function is blurred to hide any confidential information from the snapshot of the Zoom main window. This snapshot is displayed as a preview screen in the iOS task switching feature when multiple apps are open.
- By default, screen sharing always requires a specific application to be shared; sharing the entire desktop is disabled. This default setting can be overridden in the personal settings.
Data exchange with other services
- Data exchange with Office 365 is deactivated.
- CDN use is disabled.
Meeting content storage
- Participants are not allowed to save the chat communication.
- The automatic saving of chat communication for the host is disabled.
- The automatic saving of whiteboard contents is disabled.
- Recording meetings in the Zoom cloud is deactivated.
- Local recording of meetings is disabled, but this can be overridden by the host.
- Automatic recording at meeting start is generally disabled.
- Participants must give their consent to the recording of a meeting.
- Audio notifications when starting or restarting the meeting recording.
User profile and scope of processing of personal data
For your user profile you only need to enter your name and your Hohenheim email address (@uni-hohenheim.de) in the initial form. On a voluntary basis, you can store further information and edit it yourself at any time. Only the data that is necessary for the respective purpose should be used. Moreover, the principles of data minimization, purpose limitation, storage limitation, and confidentiality should be taken into account.
Processing personal data
We only process the personal data that you have made available to us. In order to be able to use Zoom, the following personal data is required from you:
- Last name
- First name
- Hohenheim email address (@uni-hohenheim.de).
Within the scope of use, further personal data can be processed by Zoom. This depends on the settings you have chosen and the content you use.
User information
First name, surname, phone (optional), email address, password (if Single-Sign-On is not used), profile picture (optional), department (optional)
Information for unregistered users
In order to participate in an online meeting or to enter the meeting room, you must at least provide information about your name even if you are not registered. But this can also be a pseudonym.
Meeting meta-data
Topic, description (optional), participant IP addresses, device/hardware information, e.g. browser
For recordings (optional)
MP4 file of all video, audio, and presentation recordings, M4A file of all audio recordings, text file of online meeting chat
When dialing in by phone:
Information on incoming and outgoing phone number, country name, start and real time. If necessary, further connection data such as the IP address of the device can be saved.
Text, audio, and video data
You may have the option of using the chat, question, or survey functions in an online meeting. To this extent, the text entries you make are processed in order to display and, if necessary, log them in the online meeting.
To enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera on the end device are processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the Zoom applications.
Cookies
Information on the processing of cookies can be found in the Zoom cookie policy.
Scope of processing, recordings
- Recording only with the explicit consent of all participants
The default settings in Zoom must be selected so that no automatic recording is made. A recording may only be made with the express consent of the participants concerned and only to the extent that this is necessary within the framework of applicable law and for official purposes or for the specific performance of tasks. In the case of recordings, copyrights and the personal rights of the persons concerned must be respected in particular. The fact that the meeting is being recorded is shown to the participants in the Zoom app.
- Storage of recording
The storage of recordings is only permitted on Hohenheim internal servers or local data carriers. Recorded events may only be stored as long as this is necessary for the fulfillment of the respective task and as long as there is no obligation to delete them.
- Online-Seminars
In the case of Online-Seminars, questions asked by Online-Seminar participants can also be processed for the purposes of recording and follow-up of Online-Seminars.
- Reports
If you are registered as a user with Zoom, reports on online meetings (meeting metadata, phone dial-in data, questions and answers in Online-Seminars, survey functions in Online-Seminars) can be stored for up to one month by Zoom.
- Profiling
The use of Zoom in the context of automatic decision-making within the meaning of Art. 22 GDPR or for profiling does not take place and is not permitted.
Lawfulness of data processing, legal basis
Data processing is carried out in accordance with and on the basis of the General Data Protection Regulation (GDPR) and other applicable data protection regulations:
- for the (voluntary) use of Zoom in accordance with Art. 6(1) a GDPR (consent)
- for the performance of official duties pursuant to Art. 6(1) e, para. 2, 3 GDPR
- for teaching in accordance with Art. 6(1) e GDPR
- for employees and staff pursuant to Art. 6(1) b GDPR
- for data processing within the framework of contractual relationships in accordance with Art. 6(1) b GDPR
Zoom is a remote conferencing service with headquarters in San Jose, California/USA. In this respect, the data processing takes place in a non-EU country. Zoom fulfills the data protection guarantees according to Art. 44 ff. GDPR, as it has joined the EU-US Privacy Shield. In addition, the appropriate level of data protection is guaranteed by the conclusion of EU standard data protection clauses, which Zoom has concluded with the subcontractors (cf. Art. 46 GDPR).
Transmission and recipients of personal data
Personal data that is processed in connection with the use of Zoom will not be passed on to third parties, unless it is intended to be passed on.
The provider Zoom and any subcontractors will necessarily be informed of the processed data to the extent that this is necessary or intended within the framework of the contract processing agreement or any contractual relationships with subcontractors.
Erasing data and the user account
Data will be erased as soon as the purpose of the data processing has been achieved and if there is no obligation to retain the data.
You can delete your user account in Zoom itself; you can find the necessary information on Zoom’s website:
The account is to be deleted as soon as the service is no longer required for the fulfilment of tasks, at the latest when leaving the University of Hohenheim.
Declaration of consent
Zoom is operated by Zoom Video Communications, Inc.
In order to use it, you must agree to the Zoom Terms of Use, Zoom's Privacy Policy and the Terms of Use, Data Use Notices, and Privacy Information on this site and the KIM's Terms of Use. The terms of use applicable at the time of use are decisive.
The decision to activate the user account for Zoom is voluntary. Without your consent and, if applicable, registration, the use of Zoom is not possible.
Categories of data and processing
Categories of personal data
No. | Designation of the data |
---|---|
1 | User profile |
2 | Meeting meta-data: Topic, description (optional), participant IP addresses, device/hardware information |
3 | Meeting recordings: MP4 of all video and audio recordings and presentations, M4A of all audio recordings, text file of all in-meeting chats, audio log file |
4 | Chat logs (deactivated at the University of Hohenheim) |
5 | Telephone usage data (optional): If applicable, phone number of the caller, name of the country, IP address, start and end time, host name, host email |
6 | Invoicing and procurement data (only visible to administrators) |
Categories of data subjects
No. according to data categories | Designation of the data |
---|---|
1 - 5 | Users |
3 - 4 | Other persons mentioned in the communication |
6 | Procurer, requester |
Recipients of personal data
Categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations
(https://zoom.us/de-de/subprocessors.html)
No. | Recipient | Reason for disclosure | Storage location |
---|---|---|---|
1 - 5 | Zoom Video Communications, Inc. | Data processing | United States of America and subcontracted processors |
Subcontracted processors | | | |
6 | People.ai | Sales, CRM | United States of America |
1 - 6 | Zendesk | Support | United States of America |
1, 6 | Wootric | Customer surveys | United States of America |
6 | Totango | Onboarding, customer experience | United States of America |
1 - 6 | Answerforce | Customer support | United States of America |
1 | Rocket Science Group, LLC | Email notifications | United States of America |
1 - 6 | Five9 | Call center | United States of America |
1 - 6 | EPS Ventures | Support | Malaysia |
1 - 6 | WKJ Consultancy | Support | Malaysia |
6 | Salesforce | Client management | United States of America |
1 - 6 | CyberSource | Payment and fraud prevention | United States of America |
1 - 6 | Adyen | Payment and fraud prevention | Europe |
6 | Zuora | Subscription management | United States of America |
1 - 6 | Amazon Web Services | Infrastructure (IT) | United States of America, EU, Canada, Australia |
1 - 6 | Bandwidth | Infrastructure (telephony) | United States of America |
International Organization
No. according to data categories | Non-EU country or international organization | Appropriate guarantees in the case of a transfer under Art. 49(1), second subsection, GDPR |
---|---|---|
1 - 6 | United States of America | |
1 - 6 | United States of America, Malaysia, Canada, Australia | Subcontractors guarantee through standard data protection clauses |