This privacy information refers to the processing of personal data in the context of the provision and use of video conferencing systems.
Note: If you join using the “Zoom” website or the website of another provider we use, the provider is responsible for the data processing. Accessing the website is necessary for the use of the respective tool, or in order to download the software for the use of the respective tool application, if applicable. However, the respective tool can also be used without the application by clicking on the respective invitation and, if necessary, entering further access data for the respective online lesson directly in the browser version of the tool. The basic functions of the respective tool can be used via the browser version, which can be found on the website of the respective tool.
1. Contact details of the controller
The controller, i.e. the organisation responsible for data processing as defined in data protection legislation, especially the General Data Protection Regulation (GDPR), is the:
Hochschule für Musik und Theater München
tel. (switchboard): 089/289-03
The University of Music and Performing Arts Munich is an organisation under public law and a state institution (article 11 (1) of the Bavarian Higher Education Act (BayHSchG)). It is legally represented by its President, Professor Bernd Redmann.
2. Contact details of the Data Protection Officer
Data Protection Officer of the University of Music and Performing Arts Munich (HMTM):
Mr Mike Gangkofner
3. Purpose of and legal basis for the processing of personal data
Personal data is processed exclusively for the provision and use of the video conferencing systems as an aid for teaching, research and administration, including statistical evaluation. The purpose of the data processing is the use for cooperation within the scope of the official activities at the university for the fulfilment of the university tasks according to article 2 of the BayHSchG.
This covers the use of licensed products and services, the provision of updates, the guarantee of information security as well as technical and customer-related support in the following scenarios:
For seminars, lectures, events, etc. with a focus on presentation or discussion via audio/video. Conditionally suitable for video conferences of a confidential nature such as committee meetings, internal consultations, examinations, defences. This offer is a contracted service from a commercial provider, Zoom (https://zoom.us/privacy).
Data processing for purposes other than those specified or permitted by law (e.g., for internal security system checks and to ensure internal network and information security in accordance with article 6 (1) of the Bavarian Data Protection Act (BayDSG)) does not take place.
Any use for private purposes within the scope of the licenses provided is excluded.
There will be no performance or behavioural monitoring based on your use. Use for the creation of personal statistics is not permitted.
4. Categories of personal data
Depending on the type and scope of use of the video conferencing systems, the following personal data may be processed:
||Description of the data|
|1||User profile: given name, surname, phone (optional), email, password (if SSO is not used), profile picture (optional), department (optional)|
|2||Meeting metadata: topic, description (optional), attendee IP addresses, device/hardware information|
|3||Meeting recordings: MP4 of all video and audio recordings and presentations, M4A of all audio recordings, text file of all in-meeting chats, audio log file|
|4||IM chat logs|
|5||Telephony usage data (optional): caller's phone number, country name, IP address, 911 address (registered service address), start and end time, host name, host email, MAC address of device used|
|6||Billing and procurement data|
5. Categories of data subjects
||Description of the data|
|3–4||Other persons mentioned in the communication|
6. Recipients of personal data
Personal data processed in connection with the use of Zoom will generally not be disclosed to third parties unless it is specifically intended for disclosure.
The video conferencing provider Zoom as well as any subcontractors necessarily obtain knowledge of the processed data to the extent that this is required or provided for in the context of the order processing agreement or any contractual relationships with subcontractors.
For details, please refer to the following overview.
If necessary, your data is transmitted to the competent supervisory and auditing authorities so that they can fulfil their duties.
In the event of electronic transmission, data may be forwarded to the Landesamt für Sicherheit in der Informationstechnik (Bavarian state office for security in information technology) in order to prevent risks to information technology security and processed there on the basis of article 12 et seq. of the Bavarian E-Government Act (Bayerischen E-Government-Gesetzes – BayEGovG).
||Reason for Disclosure||Data Storage Location|
|1–6||Zoom Video Communications, Inc., San Jose, USA||Data Processing||United States of America and subcontracted processors|
|Subcontracted processors||Sales, Success and Support, Relationship Management, Billing, Infrastructure||The storage location depends on the respective subcontracted processor. Additional and updated information is published by Zoom Video Communications at https://zoom.us/subprocessors.|
7. Transferring Personal Data to a non-EU Country
We use a software solution from the provider Zoom, headquartered in San Jose, California/USA, for the provision and execution of video conferences. Thus, data processing takes place in a third country. An adequate level of data protection is guaranteed by the conclusion of so-called EU standard data protection clauses, which Zoom has concluded with the subcontractors (see article 46 GDPR).
In April 2020, a joint Master Subscription Agreement (MSA) was signed with Zoom Video Communications, Inc. by the Stabsstelle IT-Recht für die bayerischen staatlichen Hochschulen und Universitäten (IT law office for the Bavarian state universities). This results in the following legal improvements compared to the standard GTCs:
8. Storage period for personal data
We will delete your data pursuant to article 17 (1) point a) of the GDPR if we no longer need it for the purposes for which it was collected or otherwise processed. In the event that your data is processed on the basis of a declaration of consent or if you have submitted a justified objection to processing, we will delete your data immediately. Something else applies in the event that we are obligated to retain the data due to legal retention obligations or if the data is transferred to the state archives (Landesarchiv).
1. General regulations
Pursuant to articles 15 et seq. of the GDPR, you, the data subject, are entitled to the following rights concerning the processing of your data:
2. Right to object
You may object to the processing of your personal data at any time due to reasons based on your personal circumstances (pursuant to article 21 of the GDPR). If the legal requirements are met, we will then not further process your personal data.
If you choose to exercise the rights stated above, the public office will check whether the legal requirements for doing so have been met.
The HMTM reserves the right to change this data protection declaration to accommodate changes to legislation or changes in the services we provide (e.g., if we introduce new services).
If you have any further questions, please feel free to contact the Data Protection Officer.