Data protection with Zoom

The switch to digital teaching, which was decreed by the state government, has posed serious challenges for the DFNconf service, through which the University of Hohenheim and other German universities have so far offered conference services. The platform, which is currently being further expanded, was not able to cope with the sharp increase in demand. The same applies to our own video conference system webconf (Adobe Connect). In the face of the Covid crisis, it was therefore necessary to create a short-term alternative to maintain communication within the digital teaching, research, and work environment.

After experiences with other systems such as WebEx, Skype for Business, Microsoft Teams, or Jitsi, Zoom has proven to be a very reliable and user-friendly solution with high conference quality. Considerations such as functionality, stability, security, and data  protection were taken into account when deciding on Zoom.

Due to the lockdowns in the context of the Covid crisis, Zoom is enjoying great popularity worldwide as a platform for audio/video conferences. As a result, Zoom is now, within a short period of time, the focus of close observation by security experts worldwide. Zoom was also surprised by the developments and is now reacting to the diverse requirements both technically and organizationally in a short time.

In the course of these exams, new questions and criticisms about Zoom arise almost daily, which we take up here in the Zoom FAQs. So far, we have been able to ascertain that Zoom reacts very quickly to enquiries and has also provided appropriate technical solutions. As things stand at present, we are confident that all the security issues discussed so far can be resolved by Zoom.

We are able to adapt the configurations to a large extent and, from our point of view, switch off problematic functions directly or configure them to meet our requirements. This means that the meetings conducted with our Edu licenses have better security than when using the free version of Zoom.

Purpose of processing

Zoom is used in administration, teaching, and research to conduct virtual meetings, interactive online courses, and Online-Seminars (online meetings). The purpose of data processing is to use Zoom as a tool for cooperation within the framework of the official activities at the University of Hohenheim for the fulfillment of university tasks (teaching, research, and administration).

It is not permissible to use Zoom for private purposes within the scope of the EDU licenses.

There is no performance or behavioral monitoring based on your use of Zoom. The use of Zoom to generate personal statistics is not permitted.

Conditions for permitted use

  • Content with high protection requirements (university exams, appointment procedures, job interviews ...)
    If you use Zoom for sensitive conversations, please enable tap-proof end-to-end encryption. Note that this will make the following features unavailable: Breakout Rooms, Polls, Participation in Browser, Phone Dial-in.

  • Recording only with the explicit consent of all participants
    The default settings in Zoom must be selected so that no automatic recording is made. A recording may only be made with the express consent of the participants concerned and only to the extent that this is necessary within the framework of applicable law and for official purposes or for the specific performance of tasks. In the case of recordings, copyrights and the personal rights of the persons concerned must be respected in particular. The fact that the meeting is being recorded is shown to the participants in the Zoom app.

  • No exchange of files with high data protection requirements
    For the exchange of particularly sensitive files between participants, existing secure channels should generally be used (shared drives, FEX, possibly BwSync&Share).

  • Storage of recording
    The storage of recordings is only permitted on Hohenheim internal servers or local data carriers. Recorded events may only be stored as long as this is necessary for the fulfillment of the respective task and as long as there is no obligation to delete them.

  • no private use of the EDU licenses
    It is not permissible to use Zoom for private purposes within the scope of the EDU licenses.

Further information on data protection

  • Avoid unauthorized data processing
    In the context of the use of Zoom it must be ensured that no unauthorized data processing takes place. It must also be ensured that the confidentiality of official matters is maintained.

    Make sure that smart devices, such as Alexa, Siri, Google Home, are not near where you are working or are not active to prevent unauthorized data processing or recording.

  • Adjust privacy settings before meeting
    Before using Zoom, the possible data protection settings must be made in such a way that personal data is processed by Zoom only for the purposes mentioned and within the scope of the applicable laws. The data protection principles privacy by default, data minimization, data economy, and purpose limitation must be observed.

  • Tracking
    You can exclude advertising cookies and tracking (Google Analytics, Google Ads,...) by making the appropriate settings in Zoom and in the software used (e.g. browser).

  • Hide background
    To protect your privacy, you can replace your background with an overlay. Your head can still be seen, but your surroundings cannot.

Privacy configurations in Zoom

To ensure that your personal data is protected in the best possible way, we have configured Zoom in all functional areas so that only a minimum of data is transmitted and stored.

Participation in meetings

  • All meetings start with participant videos turned off. The video image must be actively switched on by the participants.
  • Participants are muted when they enter the meeting.
  • Email addresses are not displayed via watermark.
  • A password is set by default for all meetings, even for participation by telephone.
  • Feedback to Zoom at the end of a meeting is disabled.
  • Remote control via screen sharing is disabled.
  • Remote support is deactivated.
  • Camera remote control is deactivated.
  • Notification of the host when participants enter before the host is disabled.
  • Automatic notification of participants when a meeting is cancelled is disabled.

Technical settings

  • Restriction of the data centers used to USA and Europe
  • Encryption of all data between the Zoom Cloud and the Zoom Client.
  • If there are only two people in a meeting, a peer-to-peer connection is established.
  • Sending emails via the Zoom website is deactivated.
  • Snapshot in the iOS task switching function is blurred to hide any confidential information from the snapshot of the Zoom main window. This snapshot is displayed as a preview screen in the iOS task switching feature when multiple apps are open.
  • By default, screen sharing always requires a specific application to be shared; sharing the entire desktop is disabled. This default setting can be overridden in the personal settings.

Data exchange with other services

  • Data exchange with Office 365 is deactivated.
  • CDN use is disabled.

Meeting content storage

  • Participants are not allowed to save the chat communication.
  • The automatic saving of chat communication for the host is disabled.
  • The automatic saving of whiteboard contents is disabled.
  • Recording meetings in the Zoom cloud is deactivated.
  • Local recording of meetings is disabled, but this can be overridden by the host.
  • Automatic recording at meeting start is generally disabled.
  • Participants must give their consent to the recording of a meeting.
  • Audio notifications when starting or restarting the meeting recording.

User profile and scope of processing of personal data

For your user profile you only need to enter your name and your Hohenheim email address (@uni-hohenheim.de) in the initial form. On a voluntary basis, you can store further information and edit it yourself at any time. Only the data that is necessary for the respective purpose should be used. Moreover, the principles of data minimization, purpose limitation, storage limitation, and confidentiality should be taken into account.

Processing personal data

We only process the personal data that you have made available to us. In order to be able to use Zoom, the following personal data is required from you

  • Last name
  • First name
  • Hohenheim email address (@uni-hohenheim.de).

Within the scope of use, further personal data can be processed by Zoom. This depends on the settings you have chosen and the content you use.

User information

First name, surname, phone (optional), email address, password (if Single-Sign-On is not used), profile picture (optional), department (optional)

Information for unregistered users

In order to participate in an online meeting or to enter the meeting room, you must at least provide information about your name even if you are not registered. But this can also be a pseudonym.

Meeting meta-data

Topic, description (optional), participant IP addresses, device/hardware information, e.g. browser

For recordings (optional)

MP4 file of all video, audio, and presentation recordings, M4A file of all audio recordings, text file of online meeting chat

When dialing in by phone:
information on incoming and outgoing phone number, country name, start and real time. If necessary, further connection data such as the IP address of the device can be saved.

Text, audio, and video data

You may have the option of using the chat, question, or survey functions in an online meeting. To this extent, the text entries you make are processed in order to display and, if necessary, log them in the online meeting.

To enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera on the end device are processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the zoom applications.

Cookies

Information on the processing of cookies can be found in the Zoom cookie policy.

Scope of processing, recordings

  • Recording only with the explicit consent of all participants
    The default settings in Zoom must be selected so that no automatic recording is made. A recording may only be made with the express consent of the participants concerned and only to the extent that this is necessary within the framework of applicable law and for official purposes or for the specific performance of tasks. In the case of recordings, copyrights and the personal rights of the persons concerned must be respected in particular. The fact that the meeting is being recorded is shown to the participants in the Zoom app.
  • Storage of recording
    The storage of recordings is only permitted on Hohenheim internal servers or local data carriers. Recorded events may only be stored as long as this is necessary for the fulfillment of the respective task and as long as there is no obligation to delete them.

  • Online-Seminars
    In the case of Online-Seminars, questions asked by Online-Seminars participants can also be processed for the purposes of recording and follow-up of Online-Seminars.

  • Reports
    If you are registered as a user at Zoom, reports on online meetings (meeting metadata, phone dial-in data, questions and answers in Online-Seminars, survey functions in Online-Seminars) can be stored for up to one month by Zoom.

  • Profiling
    The use of Zoom in the context of automatic decision-making within the meaning of Art. 22 GDPR or for profiling does not take place and is not permitted.

Lawfulness of data processing, legal basis

Data processing is carried out in accordance with and on the basis of the General Data Protection Regulation (GDPR) and other applicable data protection regulations:

  • for the (voluntary) use of Zoom in accordance with Art. 6(1) a GDPR (consent)
  • for the performance of official duties pursuant to Art. 6(1) e, para. 2, 3 GDPR
  • for teaching in accordance with Art. 6(1) e GDPR
  • for employees and staff pursuant to Art. 6(1) b GDPR
  • for data processing within the framework of contractual relationships in accordance with Art. 6(1) b GDPR

Zoom is a remote conferencing service with headquarters in San Jose, California/USA. In this respect, the data processing takes place in a non-EU country. Zoom also fulfills the data protection guarantees according to Art. 44ff. GDPR, as it has joined the EU-US Privacy Shield. On the other hand, the appropriate level of data protection is guaranteed by the conclusion of EU standard data protection clauses, which Zoom has concluded with the subcontractors (cf. Art. 46 GDPR).

Transmission and recipients of personal data

Personal data that is processed in connection with the use of Zoom will not be passed on to third parties, unless it is intended to be passed on.

The provider Zoom and any subcontractors will necessarily be informed of the processed data to the extent that this is necessary or intended within the framework of the contract processing agreement or any contractual relationships with subcontractors.

Erasing data and the user account

Data will be erased as soon as the purpose of the data processing has been achieved and if there is no obligation to retain the data.

You can delete your user account in Zoom itself, you can find the necessary information on Zoom’s website:

The account is to be deleted as soon as the service is no longer required for the fulfilment of tasks, at the latest when leaving the University of Hohenheim.

Declaration of consent

Zoom is operated by Zoom Video Communications, Inc.

In order to use it, you must agree to the Zoom Terms of Use, Zoom's Privacy Policy and the Terms of Use, Data Use Notices, and Privacy Information on this site and the KIM's Terms of Use. The terms of use applicable at the time of use are decisive.

The decision to activate the user account for Zoom is voluntary. Without your consent and, if applicable, registration, the use of Zoom is not possible.


Categories of data and processing

Categories of personal data

No.Designation of the data
1User profile
2Meeting meta-data: Topic, description (optional), participant IP addresses, device/hardware information
3Meeting recordings: Mp4 of all video and audio recordings and presentations, M4A of all audio recordings, text file of all in the meeting, chats, audio log file
4Chat logs (deactivated at the University of Hohenheim)
5Telephone usage data (optional): If applicable, phone number of the caller, name of the country, IP address, start and end time, host name, host email
6Invoicing and procurement data (only visible to administrators)

Categories of data subjects

No. according to data categoriesDesignation of the data
1 - 5Users
3 - 4Other persons mentioned in the communication
6Procurer, requester

Recipients of personal data

Categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations

(https://zoom.us/de-de/subprocessors.html)

No.RecipientReason for disclosureStorage location
1 - 5Zoom Video Communications, Inc.Data processingUnited States of America and subcontracted processors
Subcontracted processors
6People.aiSales, CRMUnited States of America
1 - 6ZendeskSupportUnited States of America
1 ,6WootricCustomer surveysUnited States of America
6TotangoOnboarding, customer experienceUnited States of America
1 - 6AnswerforceCustomer supportUnited States of America
1Rocket Science Group, LLCEmail notificationsUnited States of America
1 - 6Five9Call centerUnited States of America
1 - 6EPS VenturesSupportMalaysia
1 - 6WKJ ConsultancySupportMalaysia
6SalesforceClient managementUnited States of America
1 - 6CyberSourcePayment and fraud preventionUnited States of America
1 - 6AdyenPayment and fraud preventionEurope
6ZuoraSubscription managementUnited States of America
1 - 6Amazon Web ServicesInfrastructure (IT)United States of America, EU, Canada, Australia
1 - 6BandwidthInfrastructure (telephony)United States of America

International Organization

No. according to data categoriesNon-EU country or international organizationAppropriate guarantees in the case of a transfer under Art. 49(1), second subsection, GDPR
1 - 6United States of America
1 - 6United States of America, Malaysia, Canada, AustraliaSubcontractors guarantee through standard data protection clauses

Do you have questions or comments about this site? contact form