We, the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation), take the protection of your personal data and its confidential treatment extremely seriously. Therefore, we wish to inform you about the processing of your personal data in connection with holding online meetings, video conferences and/or webinars (hereinafter referred to as “online meetings”) by the DFG and the rights to which you are entitled. The processing of your personal data takes place exclusively within the framework of the applicable statutory provisions of data protection laws, in particular the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

I. What is the subject matter of data protection?(Anchor Link)

II. Who is responsible for the data processing and who is the data protection officer?(Anchor Link)

III. Which items of my personal data are processed?(Anchor Link)

IV. What is the purpose of processing my personal data and on what legal basis is the processing carried out?(Anchor Link)

V. Will my personal data also be collected from third parties?(Anchor Link)

VI. Does automated decision-making or profiling take place?(Anchor Link)

VII. Am I required to provide my personal data?(Anchor Link)

VIII. Who has access to my personal data and which recipients is the data shared with?(Anchor Link)

IX. Will my personal data be transferred to third countries?(Anchor Link)

X. For how long will my data be stored?(Anchor Link)

XI. What are my rights as a data subject?(Anchor Link)

XII. Who can I contact if I have any questions or wish to assert my rights as a data subject?(Anchor Link)

I. What is the subject matter of data protection?

The subject matter of data protection is personal data. This is all information which relates to an identified or identifiable natural person (so-called data subject). This includes information such as name, postal address, e-mail address and telephone number.

II. Who is responsible for the data processing and who is the data protection officer?

1. The controller for the processing of your personal data is:

The party responsible for processing data which is directly related to holding online meetings is:

Deutsche Forschungsgemeinschaft e. V. (DFG)
Kennedyallee 40
53175 Bonn
Germany
Tel. +49 228 885-1
postmaster@dfg.de(externer Link)
www.dfg.de/en(interner Link)

a) DFG video conferencing systems

aa) Notes regarding WebEx: 

WebEx is a service from Cisco Systems, Inc. (hereinafter “Cisco”), with its headquarters in the USA, which the DFG obtains from T-Systems International GmbH / Telekom Deutschland GmbH (hereinafter “Telekom”) within the context of the data processing agreement. This means that Cisco and Telekom only process your data for the purposes intended by the DFG. 

However, it is only necessary to access the website of Cisco in order to download the software required for using WebEx. It is not necessary to register separately with Cisco. 

Invitation to an online meeting is given via a meeting link. A person can participate via the browser by clicking on this link. However, it is only necessary to access the website to use WebEx in order to download the software required for using WebEx. 

You may also use WebEx via the app by entering the respective meeting ID and, where applicable, any additional login details relating to the meeting directly into the WebEx app. If you do not want to use the WebEx app or cannot use it. then the basic functions can also be used via a browser version, which you can also find on the Cisco website. You can also use WebEx on your phone or smartphone.

bb) Notes regarding Microsoft Teams: 

Microsoft Teams is a service from Microsoft Corporation with its headquarters in the USA. The service is used within the context of the processing agreement. This means that your data will only be processed for the purposes intended by the DFG.

Invitation to an online meeting via Microsoft Teams is given via a meeting link. A person can participate via the browser by clicking on this link. It is only necessary to access the Microsoft Teams website if you wish to download the desktop application. Those who have been invited to participate in a meeting are not required to register separately.

Microsoft Teams can be used directly via the browser. It is also possible to use the Microsoft Teams app (desktop or mobile) by clicking the meeting link or entering the meeting ID and, where applicable, any additional login information. 

If you do not want to use the app or cannot use it then the basic functions can also be used via a browser version. As a general rule, you can also participate in a Microsoft Teams meeting by telephone.

b) Video conferencing systems of third parties

Notes regarding DFN-Conf:

Invitation to an online meeting via DFN-Conf is given via a meeting link. A person can participate via the browser by clicking on this link. It is not necessary to register separately with DFN-Conf. You can also use DFN-Conf by other means (e.g. on your phone, your smartphone or via Microsoft Teams) if you enter the respective meeting ID and any additional login details for the online meeting. 

The German National Research and Education Network, Alexanderplatz 1, 10178 Berlin (Verein zur Förderung eines Deutschen Forschungsnetzes e.V.) is responsible for processing your data from a technical perspective within the context of holding the meeting. You can find additional information on how your personal data is processed by the DFN e.V. here(externer Link) (in German only).

The DFG only processes your data as part of interacting with you during the online meeting.

2. You can contact our data protection officer as follows:

Attorney-at-law Dr. Philip Lüghausen
BHO Consulting GmbH
Vorgebirgstraße 132
50969 Köln
Germany
Tel. +49 (0) 221 204 63 884
dfg-dsb@bho-consulting.com(externer Link)
www.bho-consulting.com/en(externer Link)

III. Which items of my personal data are processed?

By using WebEx, DFN-Conf and Microsoft Teams within the context of online meetings, information which is necessary for providing the video conferencing service is processed automatically. This includes, for example, your IP address, your username and the length of the video conference.

Furthermore, we only process the personal data of those who are directly connected with the respective online meeting which is organised and led by the DFG. 

Specifically, this may include:

WebEx:

• Information about the user: First name (optional), surname, telephone number (optional), e-mail address, password (if “single sign-on” is not used), profile picture (optional), department / company name (optional)
• Meeting metadata: Topic, description (optional), name of host, IP addresses of participants, device / hardware information
• If meetings are recorded (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chats
• When dialling in by phone: Information on incoming and outgoing telephone numbers, country names, start and end times, any connection data relating to the device such as e.g. the IP address.
• Text, audio and video data: You may use to use the chat, questions and survey functions during an online meeting. Accordingly, the text entered by you is processed so that it can be displayed during the online meeting and recorded if necessary. Chat messages are used for the purpose of communication and are necessary to hold the online meeting; they are only saved in the case of recordings. In order to make it possible to display videos and play back audio, the data from the microphone on your end device as well as from any video camera on your end device is processed during the course of the meeting. You can switch off or mute the camera or the microphone yourself at any time via the WebEx applications.

Microsoft Teams:

• Information about the user: First name, surname, telephone (optional), e-mail address, profile picture (optional)
• Meeting metadata: Topic, description (optional), IP addresses of participants, device / hardware information
• When dialling in by phone: Information on incoming and outgoing telephone numbers, country names, start and end times, any connection data relating to the device such as e.g. the IP address.
• Text, audio and video data: You may use the chat functions during an online meeting. Accordingly, the text entered by you is processed so that it can be displayed during the online meeting and recorded if necessary. Chat messages are used for the purpose of communication and are necessary to hold the online meeting; these are saved in Outlook depending on the participant’s settings. In order to make it possible to display videos and play back audio, the data from the microphone on your end device as well as from any video camera on your end device is processed during the course of the meeting. You can switch off or mute the camera or the microphone yourself at any time during the online meeting.

DFN-Conf:

• You can find information on how your personal data is processed by the DFN e.V. here(externer Link) (in German only).
• The DFG only processes the personal data which are shared by you during the conference in connection with holding the online meeting. 

For all services, the following applies: In order to participate in an online meeting or enter the “meeting room”, you must at least provide information about your name and e-mail address.

IV. What is the purpose of processing my personal data and on what legal basis is the processing carried out?

1. Processing your data as part of the employment relationship

Insofar as personal data is processed by DFG employees, Article 88(1) GDPR in conjunction with § 26(1)(1) BDSG shall form the legal basis of the data processing. If personal data is not required for justifying, implementing or terminating the employment relationship in connection with the use of WebEx, DFN-Conf and Microsoft Teams, but nonetheless forms an essential component of the use of WebEx, DFN-Conf” and Microsoft Teams, Article 6(1)(f) GDPR shall form the legal basis for the data processing. In these cases, it is in the DFG’s interest to hold the relevant online meeting effectively.

2. Processing the data of external users

The legal basis for processing the data of external users (e.g. members of a DFG committee, conference participants within the framework of research funding) when holding online meeting is Article 6(1)(b) GDPR, insofar as the online meetings are held within the scope of contractual relationships between the DFG and external users.

If no contractual or precontractual relationship exists, the legal basis shall be Article 6(1)(f) GDPR. Here too, it is in the DFG’s interest to hold online meetings effectively.

3. Recording of online meetings

Online meetings held when using DFN-Conf and Microsoft Teams are not recorded.

If the DFG wants to record online meetings when using WebEx, we will inform you of this transparently beforehand. It will also be displayed in the WebEx app that the meeting is being recorded. In the case of webinars, the DFG can also process the questions asked by the participants for the purpose of recording and following up on a webinar.

a) Providing the contractual relationship with you serves as a legal basis for recording the meeting, the DFG processes your data on the basis of Article 6(1)(b) GDPR.

b) In all other cases, the data is processed based on the consent of the participant (Article 6(1)(a) GDPR). It is not possible to participate without giving consent. 

Consent can be withdrawn at any time. Please note that the withdrawal shall only apply with future effect Withdrawal does not affect the lawfulness of data processing that has already been carried out on the basis of your consent prior to the withdrawal.

V. Will my personal data also be collected from third parties?

We primarily process the personal data which we receive from you directly in connection with your participation in an online meeting. In a few cases, the DFG obtains your personal data from third parties in advance in order to invite you to online meetings. These third parties may include, for example:

• Our business partners / cooperation partners,
• Your business partners / cooperation partners or business partners / cooperation partners of your employer,
• Your employer.

VI. Does automated decision-making or profiling take place?

We do not use automated decision-making or profiling in accordance with Article 22 GDPR.

VII. Am I required to provide my personal data?

In connection with an online meeting of the DFG, you are required to provide the personal data which is necessary for holding the online meeting or which the DFG is legally obliged to process. Without providing this data, you might not be able to participate in the DFG online meeting.

VIII. Who has access to my personal data and which recipients is the data shared with?

Within the DFG, only employees of the DFG Head Office have access to your personal data. Personal data which is processed in connection with participating in online meetings is generally not passed on to third parties, providing it is not explicitly intended for this purpose. Please note that contents of the online meetings serve the purpose of communicating information, and therefore are intended to be passed on to the participants of the online meeting.

The DFG only passes your personal data on to external recipients if a legal basis exists for this or if you have given your consent to such. At the same time, the DFG respects the principle of data economy and only ever passes on data to the extent required for the specific purpose. This applies in particular to special categories of data. Data is not passed on to third parties for exclusively commercial purposes. 

Any external recipients of the data depend on the respective video conferencing system used. We use the following processors:

• WebEx: Telekom (Cisco functions as a sub-processor on behalf of Telekom)
• Microsoft Teams 

For this reason, the DFG has signed a data processing agreement with the companies named above which ensures that the processor and the sub-processor may only process your personal data for the purposes specified by the DFG. 

IX. Will my personal data be transferred to third countries?

WebEx and Microsoft Teams are services which are provided from the USA. Personal data is therefore also processed in third countries. The DFG signed a data processing agreement with Telekom with regard to using WebEx which meets the requirements of Article 28 GDPR. The same applies to Microsoft. In the event of data being transferred to a third country, an adequate level of data protection is ensured by suitable guarantees in the form of standard contractual clauses between the DFG and Cisco. For further information, please read data protection notice of Cisco Webex(externer Link). 

X. For how long will my data be stored?

We erase the data once it is no longer necessary for the purposes pursued by us and provided that no other legal requirements, in particular statutory or contractual retention periods, apply. Insofar as we process your data in accordance with a consent, we will erase the data when the storage period specified in the declaration of consent has expired or should you have revoked the consent and no other legal basis is present. Should the latter situation apply, we erase the data once the other legal basis is no longer applicable.

If you are registered with WebEx as a user, reports relating to online meetings (meeting metadata, phone records, questions and answers in webinars, survey functions in webinars) can be stored by Cisco. More detailed information on the storage periods can be found here(externer Link). 

XI. What are my rights as a data subject?

You are entitled to the following rights in connection with the processing of your personal data:

1. Right of access 

You have the right to receive confirmation from us as to whether we process personal data relating to you or not. Should this be the case, you have the right to receive information concerning your personal data and to receive further details concerning the processing.

2. Right to rectification

You have the right to request the rectification of incorrect personal data relating to you and to have incomplete personal data completed.

3. Right to erasure (“right to be forgotten”)

Under certain circumstances, you have the right to request that we erase your personal data. For example, this right exists if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed or if the personal data was processed unlawfully.

4. Restriction of processing

Under certain circumstances, you have the right to request that the processing of your personal data be restricted. In such a case, we will only store such personal data in relation to which you have given your consent or processing is permitted by the GDPR. For example, you may have a right to restrict processing if you have disputed the correctness of your personal data.

5. Data portability

Should you have provided us with personal data under a contract or with your consent, then provided that the statutory requirements are met, you can request to receive the data which you have provided in a structured, commonly used and machine-readable format or request that we transfer this data to another controller.

6. Withdrawal of consent

Should you have given us your consent to the processing of your personal data, you can withdraw this at any time with effect for the future. The lawfulness of the processing of your personal data prior to the withdrawal remains unaffected by this.

7. Objection against processing on the basis of a “legitimate interest”

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(f) GDPR (data processing in accordance with a balancing of interests). Should you raise an objection, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

8. Right to lodge a complaint with a supervisory authority

You also have the right to lodge a complaint with the responsible supervisory authority, should you consider that the processing of your data breaches applicable laws. For this purpose, you can contact the data protection authority which is responsible for your place of residence, place of employment or the location of the alleged breach or the data protection authority which has jurisdiction over us. The supervisory authority of the German Federal State in which you reside or work or where an alleged breach which forms the subject of the complaint has taken place holds jurisdiction.

XII. Who can I contact if I have any questions or wish to assert my rights as a data subject?

Should you have any questions concerning the processing of your personal data or should you wish to assert your rights as a data subject which are set out in Number XI. 1-7, you can contact us free of charge. Please use the contact details under Number I., 1. To withdraw your consent, you can also use the contact channel which you selected when submitting the declaration of consent.