Information on the processing of personal data regarding online meetings

We would like to inform you about the processing of your personal data when you participate in an online meeting or conference call via one of the services described below.

General information

Purposes of processing

We use software tools to conduct conference calls, webinars or meetings (hereafter collectively referred to as “online meetings”) with internal and external participants. Details related to the respective video conferencing tools can be found in the relevant part of the section on software tools.

Controller

The controller, as defined by the GDPR for any processing in connection to these “online meetings,” is the European Council on Foreign Relations (“ECFR”), a non-profit think tank whose main office is located in Berlin, Germany. This is true even if you have been invited to participate by someone from one of our other national offices.

Our contact details are:

ECFR Deutschland GmbH
Unter den Linden 17
10117 Berlin

Phone: +49 (0)30 32505100

E-Mail: [email protected]
Website : www.ecfr.eu

Please note:

While visiting the website of the respective provider, e.g. Zoom, this provider is the controller and thereby responsible for the processing of your personal data for the duration of your visit on the website. You do not, however, have to visit the provider’s website other than for the initial download of the video conferencing application.

You can use the video conferencing tools by entering the meeting-ID and any other login details for the meeting directly within the application.

If you prefer to participate without installing an application, you may use the video services in your browser via the respective website for online meetings held with Zoom or Microsoft Teams. However, in this case, you will only be able to use basic functionalities.

Data Protection Officer

We have appointed a data protection officer (DPO). In case of any queries you may contact the DPO by using our above contact details and adding “attn of The DPO” or via e-mail: [email protected]

Processing your personal data

Processed data

Usage of the video conferencing tools leads to the processing of various personal data, the scope of which is partly dependent on what details you enter before and during your participation in our online meeting. Details on the personal data processed by the respective tools can be found in section on software tools.

Scope of data processing

We use video conferencing tools to conduct online meetings and, in certain instances, record these meetings for internal documentation and future reference. In case of on-the-record meetings we may also provide a recording of the meeting to interested parties, for example on our website.

Usually, this will only apply to hosts and speakers, however if you do choose to actively take part, for example by asking a question or making a statement, please be aware that your image and voice will become part of the recording. If you do not wish for recordings of your image or voice to be included you may opt out at at any time simpy by deactivating your microphone and camera. Needless to say, we would love to see and hear you!

When we do record a meeting, you will be able to tell via the recording icon in the respective application.

No automated decision-making within the context of art. 22 GDPR will take place as a result or part of these online meetings.

Event invitations

Upon your registration to our event, we will add you to the list of participants. Usually the personal data we collect will include your name job title, affiliation and e-mail address. In case we co-host an event we would share the list of participants with our partner organization. Upon registration, we will automatically complete your registration with Zoom and send you the link to take part in the Zoom conference.

Registered participants will be entered into our database so we may contact them about similar future events. If you do not want to receive event invitations from us, you may object, simply by sending an e-mail to [email protected] or by replying to the event invitation, without incurring costs other than the basic transmission costs.

Storage period

Online recordings may be stored both on our servers or on servers hosted by the respective provider and will be deleted when we no longer require to keep the recordings. As a rule we will carry out a yearly check of which recordings can be deleted.

As a matter of principle, we delete personal data when they are no longer needed for the relevant purposes. A requirement to further store personal data may exist if they are still needed to fulfil contractual services, or in the context of warranty and guarantee claims. Should we be legally obliged to further store your data, deletion may only take place after this legal obligation has expired.

Where specific retention periods apply related to personal data processed by the respective video conferencing tools, we kindly ask you to refer to section on software tools.

Legal basis for processing

Insofar as processing the personal data of our employees is concerned, the legal basis will be § 26 of the German data legislation (BDSG). Where the processing of data in connection with the usage of Zoom is not an essential feature of the employment but still essential for the usage of Zoom, the legal basis will be art 6 paragraph 1 lit f GDPR. Our legitimate interest in these cases is the effective hosting of online meetings.

As far as external participants are concerned, the legal basis will be art. 6 paragraph 1 lit b GDPR in those cases where the online meeting is held as part of a contractual relationship.

If no contractual relationship exists, the legal basis will be art. 6 paragraph 1 lit f GDPR. Here too, we are interested in the effective hosting of online meetings.

Data recipients

As a rule, the personal data we process during these online meetings will not be passed on to third parties, unless they are specifically intended for distribution. As you will be aware, though, online meetings (just like personal meetings) will frequently be aimed towards the sharing of information with donors, sponsors, prospects or other third parties and their content therefore intended for disclosure.

Other than this, naturally the providers of the video conferencing tools will be party to the above-mentioned personal data as our contractors, as far as this is intended within the framework of our data processing agreements with these providers.

Processing of personal data outside the EU

Generally, the processing of your personal data within the context of these online meetings will take place within the European Union (EU).

However, data may be routed via internet servers located outside the EU, in particular if any of the meeting’s participants are located outside the EU at the time of the online meeting.

Having said this, your data is encrypted during transport over the internet and thus protected against unauthorized access by third parties.

With regards to data processed by Microsoft in the US during online meetings held with Microsoft Teams, we again refer you to the section on software tools.

Software tools

Zoom application

Zoom is a service provided by Zoom Video Communications Inc., a company based in the USA. Zoom has, however, agreed to host all the personal data processed in the course of online meetings held via Zoom exclusively on servers in the European Union.

To participate in an online meeting, you will be required to at least provide your name.

Furthermore, the following data will be processed:

  • User details: name, telephone (optional), e-mail address, password (if “Single-Sign-On” is not used), profile picture (optional), department (optional)
  • Contents: topics and contents of the online meeting, including chat messages and shared files
  • Metadata: topic, description (optional), participants’ IP-address, device/hardware details
  • In case of optional recordings: audio, video and presentation files, text file of the online meeting chat
  • If you participate via your phone: incoming and outgoing phone number, country, time of start and end of call. Additional connection data may be stored, such as the IP-address of your device.
  • Text, audio and video data: If you use the chat, question or survey tool during an online meeting, the text entered by you will be used to display during the meeting and possibly to document the meeting. To enable the display of your video or broadcasting of your audio, data provided by your camera or microphone will be processed. You may mute the microphone or turn off the camera at any time within the Zoom application or in your browser.

If you are registered as a Zoom user, Zoom may store reports about online meetings containing data such as metadata or data about calling in via phone for up to a month.

Online recordings will be deleted when we no longer require to keep the recordings. As a rule we will carry out a yearly check of which recordings can be deleted. All other meeting data will be deleted within 48 hours of the meeting having concluded.

Microsoft Teams

Microsoft Teams is a service provided by the Microsoft Corporation, a company based in the USA.

Please note:

While we are working on moving our data hosted by Microsoft to EU servers, for the time being Microsoft will process personal data in connection to online meetings in the UK.

For those cases where Microsoft processes data in the US, we’d like to make you aware that the US is currently regarded by the European Commission as not having an adequate level of protection for your personal data. Even though we have agreed standard contractual clauses with Microsoft as an appropriate safeguard acc. to art. 46 GDPR, there is a risk that these might not be sufficient, and that US authorities might have access to this data without your knowledge.

We will inform you about this fact separately in the invitation to the online meeting and ask for your consent. The legal basis for any transfer of your personal data to the US is thus art. 6 a GDPR.

If you are unhappy about this, please approach us about using a different tool for your online meeting.

The following data will be processed:

  • User details: display name, e-mail address (optional), profile picture (optional), preferred language
  • Contents: topics and contents of the online meeting, including chat messages and shared files
  • Metadata: e.g. date, time, meeting-ID, phone numbers, city
  • In case of optional recordings: audio, video and presentation files, text file of the online meeting chat
  • Text, audio and video data: If you use the chat, question or survey tool during an online meeting, the text entered by you will be used to display during the meeting and possibly to document the meeting. To enable the display of your video or broadcasting of your audio, data provided by your camera or microphone will be processed. You may mute the microphone or turn off the camera at any time within the Microsoft Teams application or in your browser.

Any chat contents will be logged by Microsoft Teams and stored for up to 12 months.

Tixeo

Tixeo is a service provided by TIXEO SARL, a company based in France. All personal data processed during online meetings held via Tixeo is being processed exclusively on servers in France.

To participate in an online meeting, you will be required to download the client application via the link sent to you in the invite and at least provide your name and e-mail-address.

Furthermore, the following data will be processed:

  • User details: name, e-mail address, password
  • Contents: topic and contents of the online meeting including chat messages
  • Metadata: such as date, time, title of the online meeting

These data are only processed for the duration of the meeting and deleted afterwards.

All meetings conducted with Tixeo are end-to-end encrypted. Please note that we are not recording any of the online meetings held with Tixeo.

Your rights

Your rights as data subjects

You have the right of access to any personal data processed about you. You can contact us for information at any time.

In the case of a request for information which is not made in writing, we ask for your understanding that we may require you to provide evidence to prove that you are indeed the person you claim to be.

Furthermore, you have the right to correction or deletion or to limitation of the processing, as far as you are legally entitled.

Finally, you have the right to object to the processing of your personal data within legal boundaries.

You also have a right to data transferability within the framework of EU data protection regulations.

Right of appeal to a supervisory authority

You have the right to complain to a supervisory data protection authority about our processing of your personal data.