10.2 Privacy policy for online meetings, conference calls, and webinars using “Zoom”
In the following, we would like to provide you with information about the processing of personal data in connection with the use of Zoom.
Purpose of the data processing
We use the tool Zoom to conduct conference calls, online meetings, video conferences and/or webinars (subsequently referred to hereinafter as “online meetings”). Zoom is a service provided by Zoom Video Communications, Inc., which is based in the USA.
Responsible organization
The Cologne Tourist Board is responsible for the data processing that is done in direct connection with the performance of online meetings.
Note: Insofar as you call up the website of Zoom, the provider of Zoom is responsible for the data processing. However, you do not need to call up the website in order to use Zoom. You only need to do so to download the software for the use of Zoom. You can also use Zoom if you directly enter the respective meeting ID and any additional access data for the meeting into the Zoom app. If you cannot use the Zoom app or do not wish to do so, you can use the basic functions via a browser version, which you can also find on the Zoom website.
Which data are processed?
A variety of types of data are processed whenever you use Zoom. The scope of the data processed also depends on the data you produce before or during your participation in an online meeting.
The following personal data are processed:
Information about the user: First name, surname, telephone number (optional), e-mail address, password (if the single sign-on option is not used), a profile picture (optional), department (optional)
Meeting metadata:
Topic, description (optional), IP addresses of the participants, device/hardware information
When recording meetings (optional):
MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
When dialling in by phone:
The telephone numbers of the outgoing and incoming calls, the name of the country, the starting and finishing time. Where appropriate, additional connection data such as the IP address of the device in question may also be stored.
Text, audio and video data:
During an online meeting, if appropriate you can use the chat, question and survey functions. The texts you enter will be processed insofar as they are to be displayed in the online meeting and, if necessary to log them. To enable the display of video and the replay of audio, the data from microphone and video camera (if applicable) of your terminal will be processed accordingly for the duration of the meeting. You can turn off/mute the camera and the microphone at any time via the Zoom applications.
In order to take part in an online meeting or enter the “meeting room”, you will have to give your name at the very least.
Scope of data processing
We use Zoom in order to conduct online meetings. Whenever we want to record online meetings, we will transparently notify you of this fact in advance and, if necessary, ask for your approval. The Zoom app also shows you if a meeting is being recorded.
We will also record chat content if this is necessary in order to document the results of an online meeting. However, this is generally not done.
In order to record and follow-up webinars, we can also process the questions posed by webinar participants.
If you are registered as a user of Zoom, reports about online meetings (meeting metadata, dial-in data, the questions and answers during webinars, surveys during webinars) can be stored at Zoom for up to one month.
We do not use automated decision-making in the sense of Art. 22 of the GDPR.
The legal basis for the data processing
If personal data of the employees of the Cologne Tourist Board are processed, the legal basis of the data processing is Section 26 BDSG (German Data Protection Act). If personal data associated with the use of Zoom are not needed for the performance of the employment relationship or its termination but be essential for the use of Zoom, the legal basis for the data processing is Art. 6 (1) (f) of GDPR. In such cases, our interest is that online meetings are effectively carried out.
Apart from that, the legal basis for data processing in connection with the performance of online meetings is Art. 6 (1) (b) GDPR if the meetings are conducted within the context of contractual relationships.
If no contractual relationship exists, the legal basis is Article 6 (1) (f) GDPR. In such cases, our interest is also that online meetings are effectively carried out.
Recipient/transfer of data
Personal data that is processed in connection with a person’s participation in online meetings are in principle not forwarded to third parties insofar as they are not specifically intended for such a transfer. Please note: As is the case with face-to-face meetings, the content from online meetings is often specifically intended to be forwarded in order to communicate information to customers, interested individuals, or third parties.
Other recipients: The provider of Zoom necessarily learns of the aforementioned data insofar as this is specified in our data processing contract with Zoom.
Data processing outside of the European Union
Zoom is a service offered by a provider based in the USA. As a result, personal data is also processed in a non-EU country. However, we have concluded a data processing contract with the provider of Zoom that fulfils the requirements of Art. 28 GDPR.
An appropriate level of data protection is guaranteed by signing of the standard contractual clauses of the EU.