Information pursuant to Art. 13 GDPR

Notes on the usage of Zoom

Identity and contact details of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) of the European Union and other data protection regulations is:

talessio GmbH
Alexanderstr. 52
72072 Tübingen

Phone: +49.7071.53938.0
Fax: +49.7071.53938.90
Email: [email protected]

Note: If you access the Zoom website, the Zoom provider is responsible for data processing. However, accessing the website is only necessary to download the software for using Zoom. You can also use Zoom if you enter the respective meeting ID and, if applicable, further access data for the meeting directly in the Zoom app. If you do not want to or cannot use the Zoom app, the basic functions can also be used via a browser version, which you can also find on the Zoom website.

Contact details of the data protection officer

The designated data protection officer is:

DataCo GmbH
Dachauer Str. 65
80335 Munich

Phone: +49.89.7400.45840

Purpose and legal basis of the processing

We use the Zoom tool to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter: “Online Meetings”). Zoom is a service of Zoom Video Communications, Inc. which has its registered office in the USA.

When using Zoom, various types of data are processed. The scope of the data also depends on the data you provide before or during participation in an online meeting.

The following personal data are subject to processing:

  • User details: first name, last name, phone (optional), email address, password (if single sign-on is not used), profile picture (optional), department (optional).
  • Note: To join an online meeting or enter the meeting room, you must at least provide details of your name.
  • Meeting metadata: Topic, description (optional), participant IP addresses, device/hardware information.
  • When dialing in by telephone: details of the incoming and outgoing telephone number, country name, start and end time, if applicable further connection data such as the IP address of the device and the browser used.
  • Text, audio and video data: You may have the option of using the chat, question and poll function in an online meeting. In this respect, the text entries you make are processed in order to display them in the online meeting and, if necessary, to record them. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device are processed according to the duration of the meeting. You can switch off or mute the camera and microphone yourself at any time via the Zoom app.
  • For recordings (optional): MP4 files of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online chat.
  • Please note: As a rule, online meetings are not recorded. An exceptional recording will only be made with your consent. The fact of the recording will also be displayed to you in the Zoom app. If it is necessary for the purposes of recording the results of an online meeting, we will record the chat content. However, this will not usually be the case. In the case of webinars, we may also process questions asked by webinar participants for the purposes of recording and following up webinars.

If you are registered as a user with Zoom, then reports of online meetings (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) can be stored with Zoom for up to one month.

Automated decision-making within the meaning of Article 22 of the GDPR is not used.

Insofar as personal data is processed by employees of talessio GmbH, § 26 BDSG is the legal basis for data processing.

If, in connection with the use of Zoom, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of Zoom, the legal basis for data processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to register your participation in the online meeting and to ensure the organisational flow of the online meeting as well as to carry out a follow-up of the online meeting, if necessary. You have the right to object to the use of your data for the purpose of conducting online meetings at any time.

If the online meeting is recorded, the data processing is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR.

Furthermore, the legal basis for data processing when conducting online meetings is Art. 6 para. 1 lit. b GDPR, insofar as the meetings are conducted within the scope of contractual relationships.

If there are no contractual relationships, the legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest in this case is also to register your participation in the online meeting and to ensure the organisational process of the online meeting and, if necessary, to carry out a follow-up to the online meeting. You have the right to object to the use of your data for the purpose of conducting online meetings at any time.

Recipients and categories of recipients of the personal data

Personal data processed in connection with participation in online meetings will not be disclosed to third parties as a matter of principle, unless they are specifically intended to be disclosed.

Please note that content from online meetings, as well as face-to-face meeting content, is often intended precisely to communicate information to clients, prospects or third parties and is therefore intended to be shared.

Other recipients: Zoom’s provider necessarily obtains knowledge of the above-mentioned data insofar as this is provided for under our order processing agreement with Zoom.

Transfer of personal data to a third country

Zoom is a service provided by a provider from the USA. Processing of personal data therefore also takes place in a third country. We have concluded an order processing agreement with the provider of Zoom, which complies with the requirements of Art. 28 GDPR. An adequate level of data protection for the transfer to a third country can be assumed in accordance with Art. 46 para. 2 lit. c of the GDPR through the use of the EU standard contractual clauses and other appropriate protective measures (end-to-end encryption, use of data routing, etc.).

Duration of the storage of personal data

We generally delete personal data when there is no need for further storage. Further storage may be required in particular if the data is still needed to fulfil contractual services or to check and grant or ward off warranty and, if applicable, guarantee claims. In the case of statutory retention obligations, deletion is only considered after expiry of the respective retention obligation.

Data subjects' rights

According to the General Data Protection Regulation (GDPR), you have the following rights:

  • If your personal data is processed, you have the right to obtain information about the data stored about you (Art. 15 GDPR).
  • If inaccurate personal data is processed, you have the right to rectification (Art. 16 GDPR).
  • If the legal requirements are met, you may request the erasure or restriction of processing as well as object to processing (Art. 17, 18 and 21 GDPR).
  • If you have consented to the data processing or if there is a contract for data processing and the data processing is carried out with the help of automated procedures, you may have a right to data portability (Art. 20 GDPR).
  • Furthermore, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Should you make use of your above-mentioned rights, talessio GmbH will check whether the legal requirements for this are met. To exercise your rights, please contact the official data protection officer(s).

Right of withdrawal for consent

If you have consented to the processing by the data controller by means of a corresponding declaration, you can revoke your consent at any time for the future. The lawfulness of the data processing carried out on the basis of the consent until the revocation is not affected by this.