Information on the collection of personal data in accordance with Articles 13 & 14 of the General Data Protection Regulation (Regulation (EU) 2016/679 of April 27, 2016)

Personal data is collected and processed in connection with the operation and provision of the Webex application at RWTH Aachen University. The following is published for the information of those affected:

I. Person responsible for data processing

The responsible party within the meaning of the EU General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Rector of RWTH Aachen University

Templergraben 55

52062 Aachen (Home address)

52056 Aachen (Post address)

Telefon: +49 241 80 1

Telefax: +49 241 80 92312   

E-Mail: rektorat@rwth-aachen.de

Website: www.rwth-aachen.de/rektorat

Responsible party for internal processing:

IT Center of RWTH Aachen University

Seffenter Weg 23

52074 Aachen

E-Mail: servicedesk@itc.rwth-aachen.de

Website: www.itc.rwth-aachen.de

II. Data Protection Officer

Contact details of the officially appointed data protection officer:

Data Protection Office of RWTH Aachen University

Templergraben 83

52062 Aachen (Home address)

52056 Aachen (Post address)

Telefon: +49 241 80 94114

E-Mail: dsb@rwth-aachen.de

Website: www.rwth-aachen.de/datenschutz

III. General information on data processing

1. Scope and nature of the processing of personal data

Purpose of data processing

RWTH Aachen University offers Webex as a service to its members, relatives and external users. Private chats can be started with individuals and so-called areas and teams can be created in which several people can communicate and collaborate with each other at the same time. Webex offers video calling options via the RWTH telephone infrastructure and the Webex cloud. It is also possible to participate in and plan video conferences and meetings.

Visibility of your activities

• Your activities may be visible whenever you communicate with other users when using Webex.
• Other users can search for and invite you as part of the service. Your surname, first name, the associated institution (organization code), your e-mail address and your work telephone number may be visible.
• Unless deactivated, other users will see your availability status and a read confirmation of received messages.

User profile (data of the persons concerned)

When you use Webex, the following information is collected from you as a user:

• Surname and first name
• Associated institution (organization code)
• RWTH-SSO identifier
• E-mail addresses
• Work telephone number

Data categories and data subjects

The following categories of data are processed and stored in encrypted form when using Webex:

• Documents and files that are exchanged between users
• Messages in chat rooms
• Conversation, video and other media content during telephone calls

The following categories of data are processed and stored when using Webex:

• Personal basic and contact data (first and last name, email address, business telephone number)
• Authentification data (user IDs and pseudonymous IDs)
• Log and administratively necessary log data
• System-generated log data (e.g. access and change history)

When using Webex, the data of the following data subjects are processed or stored to the extent specified:

• People who use or administer Webex (all categories)

2. Legal basis for the processing of personal data

Legal basis for data processing

The provision of Webex and its use by employees, students and employees of external institutions (with a contractual basis) of RWTH Aachen University is based on the following legal basis:

• Data transfer to Cisco for the purpose of contract fulfillment (Art. 6 para. 1 sentence 1 lit. b) GDPR)
• Data processing for the purpose of performing official duties in accordance with Art. 6 para. 1 sentence 1 lit. e), para. 3, Art. 88 para. 1 GDPR in conjunction with § Section 18 (1) DSG NRW

Without the collection and processing of this data, the use of Webex is not possible.

3. Data Deletion and Storage Duration

In principle, the accounts of RWTH employees are automatically deleted after the loss of the corresponding status in IdM, e.g. due to leaving the university. The following deletion periods apply to the data stored in Webex:

• Individual chats: 3 years
• Group chats: 3 years
• Meetings: 7 days

The personal data will be deleted at the latest 7 days after either the user no longer needs it or withdraws their consent.

4. Groups of persons or persons entitled to access

Persons authorized to access data are generally the employees of the responsible body who have access to certain relevant data due to their position or function:

• Administrators have full administrative access to all data categories
• Support staff have read access to data in the user directory for support purposes if RWTH Aachen University permits this or approves it in the individual case review.

5. Further recipients of the data

Personal data is exchanged exclusively with the manufacturer of the Webex application, Cisco, for the purpose of operation. Your data will be processed exclusively on the basis of the above-mentioned legal bases.

The data residence at Webex for RWTH Aachen University is the EU, i.e. the data processing takes place exclusively on servers in the EU. There are the following exceptions where cross-border transfers of personal data still take place. These exceptions are regulated in the data processing agreement (DPA) with Cisco:

• when a user registers on a Cisco platform (e.g. via https://www.webex.com/ or https://www.cisco.com/) or registers via a Cisco service in order to find out more about Cisco products or events.
• when a user provides order information (business contact information)
• when a user works with users outside the EU region
• when a user requests technical support through Cisco's Technical Assistance Center (TAC) (in this case, the information a user provides in the initial TAC request may be transferred outside the region)
• when a user activates certain optional features
• when a user activates "push" notifications via cell phone (in this case, the mobile service provider associated with the iOS or Android functionality may transfer data outside the region)

Cisco is also certified under the current adequacy decision (EU-U.S. Data Privacy Framework) in accordance with Art. 45 (1) GDPR.

IV. Rights of data subjects

In accordance with Article 15 et seq. GDPR, under the conditions defined therein, you have the right to information about the personal data concerned and to rectification or erasure or restriction of processing, a right to object to processing and the right to data portability. In accordance with Article 77 GDPR, you also have the right to lodge a complaint with the data protection supervisory authority (https://www.ldi.nrw.de/) if you are of the opinion that the processing of your personal data violates this regulation.