Information on data protection for use of video conferencing systems


This privacy information refers to the processing of personal data in the context of the provision and use of video conferencing systems.

Note: If you join using the “Zoom” website or the website of another provider we use, the provider is responsible for the data processing. Accessing the website is necessary for the use of the respective tool, or in order to download the software for the use of the respective tool application, if applicable. However, the respective tool can also be used without the application by clicking on the respective invitation and, if necessary, entering further access data for the respective online lesson directly in the browser version of the tool. The basic functions of the respective tool can be used via the browser version, which can be found on the website of the respective tool.

A. General information

1. Contact details of the controller

The controller, i.e. the organisation responsible for data processing as defined in data protection legislation, especially the General Data Protection Regulation (GDPR), is the:

Hochschule für Musik und Theater München
Arcisstraße 12
80333 München

tel. (switchboard): 089/289-03
email: verwaltung(at)hmtm.de

The University of Music and Performing Arts Munich is an organisation under public law and a state institution (article 11 (1) of the Bavarian Higher Education Act (BayHSchG)). It is legally represented by its President, Professor Bernd Redmann.

2. Contact details of the Data Protection Officer

Data Protection Officer of the University of Music and Performing Arts Munich (HMTM):

Mr Mike Gangkofner
Standort Gasteig
Kellerstraße 6
81667 München

tel: 089/48098-4508
email: datenschutz(at)hmtm.de 

3. Purpose of and legal basis for the processing of personal data

Personal data is processed exclusively for the provision and use of the video conferencing systems as an aid for teaching, research and administration, including statistical evaluation. The purpose of the data processing is the use for cooperation within the scope of the official activities at the uni-versity for the fulfilment of the university tasks according to article 2 of the BayHSchG.

This covers the use of licensed products and services, the provision of updates, the guarantee of information security as well as technical and customer-related support in the following scenarios:
For seminars, lectures, events, etc. with a focus on presentation or discussion via audio/video. Conditionally suitable for video conferences of a confidential nature such as committee meetings, internal consultations, examinations, defences.  This offer is a contracted service from a commercial provider, Zoom (https://zoom.us/privacy).

Data processing for purposes other than those specified or permitted by law (e.g., for internal security system checks and to ensure internal network and information security in accordance with article 6 (1) of the Bavarian Data Protection Act (BayDSG)) does not take place.

Any use for private purposes within the scope of the licenses provided is excluded.

There will be no performance or behavioural monitoring based on your use. Use for the creation of personal statistics is not permitted..

Legal basis:

  • For voluntary use: article 6 (1) point a of the GDPR (consent)
  • For the performance of official duties: article 6 (1) point e, article 6 (2) & (3) of the GDPR in connection with article 4 (1) of the BayDSG and article 2 of the BayHSchG
  • For teaching: article 6 (1) point e of the GDPR in connection with article 4 of the BayDSG (article 55 (2) of the BayHSchG).
  • For employees and staff:
    • article 6 (1) point b of the GDPR in connection with article 4 of the BayDSG (section 106 of the Trade, Commerce and Industry Regulation Act (GewO))
    • article 6 (1) point c of the GDPR in connection with article 4 of the BayDSG (article 33 (5) Basic Law for the Federal Republic of Germany (Grundgesetz – GG))
    • article 6 (1) point c of the GDPR in connection with section 3a(1) of the Workplace Ordinance (ArbStättV)
  • For statistics: article 6 (1) point e of the GDPR in connection with article 4 of the BayDSG (article 10 (1) BayHSchG, article 7 of the Bayerische Haushaltsordnung (Bavarian budget code BayHO)

4. Categories of personal data

Depending on the type and scope of use of the video conferencing systems, the following personal data may be processed:

No.  
Description of the data
1 User profile: given name, surname, phone (optional), email, password (if SSO is not used), profile picture (optional), department (optional)
2 Meeting metadata: topic, description (optional), attendee IP addresses, device/hardware information
3 Meeting recordings: MP4 of all video and audio recordings and presentations, M4A of all audio recordings, text file of all in meeting, chats, audio log file
4 IM chat logs
5 Telephony usage data (optional): caller's phone number, country name, IP address, 911 address (registered service address), start and end time, host name, host email, MAC address of device used
6 Billing and procurement data

5. Categories of data subjects

Category no.   
Description of the data
1–5 Users
3–4 Other persons mentioned in the communication  
6 Procurer, requester

6. Recipients of personal data

Personal data processed in connection with the use of Zoom will generally not be disclosed to third parties unless it is specifically intended for disclosure.

The video conferencing provider Zoom as well as any subcontractors necessarily obtain knowledge of the processed data to the extent that this is required or provided for in the context of the order processing agreement or any contractual relationships with subcontractors.

For details, please refer to the following overview.

If necessary, your data is transmitted to the competent supervisory and auditing authorities so that they can fulfil their duties.

In the event of electronic transmission, data may be forwarded to the Landesamt für Sicherheit in der Informationstechnik (Bavarian state office for security in information technology) in order to prevent risks to information technology security and processed there on the basis of article 12 et seq. of the Bavarian E-Government Act (Bayerischen E-Government-Gesetzes – BayEGovG).

Category no.
Recipient                                     
Reason for Disclosure Data Storage Location
1–6 Zoom Video Communications, Inc.
San Jose, USA
Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein!
Data Processing United States of America and subcontracted processors
  Subcontracted processors Sales, Success and Support, Relationship Management, Billing, Infrastructure The storage location depends on the respective subcontracted processor. Additional and updated information is published by Zoom Video Communications at https://zoom.us/subprocessors.

7. Transferring Personal Data to a non-EU Country

We use a software solution from the provider Zoom, headquartered in San Jose, California/USA, for the provision and execution of video conferences. Thus, data processing takes place in a third country. An adequate level of data protection is guaranteed by the conclusion of so-called EU standard data protection clauses, which Zoom has concluded with the subcontractors (see article 46 GDPR).

In April 2020, a joint Master Subscription Agreement (MSA) was signed with Zoom Video Communications, Inc. by the Stabsstelle IT-Recht für die bayerischen staatlichen Hochschulen und Universitäten (IT law office for the Bavarian state universities). This results in the following legal improvements compared to the standard GTCs:

  • Subcontracted data processing is undoubtedly included; ecclesiastical data protection law can also be applied
  • Fulfilment of university tasks clearly counts as lawful use of the license (e.g., in the case of cooperation)
  • SLA now applies not only per month but also per year
  • Minor improvements in warranty law
  • Choice of law: German law

8. Storage period for personal data

We will delete your data pursuant to article 17 (1) point a) of the GDPR if we no longer need it for the purposes for which it was collected or otherwise processed. In the event that your data is processed on the basis of a declaration of consent or if you have submitted a justified objection to processing, we will delete your data immediately. Something else applies in the event that we are obligated to retain the data due to legal retention obligations or if the data is transferred to the state archives (Landesarchiv).

B. Rights of the data subject

1. General regulations

Pursuant to articles 15 et seq. of the GDPR, you, the data subject, are entitled to the following rights concerning the processing of your data: 

  • You can ask for information about whether data concerning you is being processed. If this is the case, you are entitled to information about which data is processed and other information relating to the processing (article 15 of the GDPR). Please note that this right to information can be restricted or excluded in certain cases (see in particular article 10 of the BayDSG).
  • If the personal data concerning you is/has become inaccurate or incomplete, you can request that this data is rectified and/or completed (article 16 of the GDPR).
  • If the legal requirements are met, you can request that your personal data be deleted (article 17 of the GDPR) or processing of your data be restricted (article 18 of the GDPR). The right to deletion pursuant to article 17 (1) and (2) of the GDPR does not apply in certain cases, however, such as if the processing of personal data is vital for the performance of a task that is in the public interest or is performed in the exercise of official authority (article 17 (3) point b) of the GDPR).
  • If you have consented to data processing or there is a contract concerning data processing and data is processed automatically, you may be entitled to data portability (article 20 of the GDPR).
  • You are entitled to file a complaint concerning the processing of your personal data with a supervisory authority as defined in article 51 of the GDPR. The pertinent supervisory authority for the Bavarian public service is the Bavarian Data Protection Commissioner, Wagmüllerstraße 18, 80538 München. 

2. Right to object

You may object to the processing of your personal data at any time due to reasons based on your personal circumstances (pursuant to article 21 of the GDPR). If the legal requirements are met, we will then not further process your personal data.

If you choose to exercise the rights stated above, the public office will check whether the legal requirements for doing so have been met.

C. Amendments to our data protection declaration

The HMTM reserves the right to change this data protection declaration to accommodate changes to legislation or changes in the services we provide (e.g., if we introduce new services).

If you have any further questions, please feel free to contact the Data Protection Officer.