On this page you will find the privacy policy (pursuant to Art. 13 GDPR) in the context of using Cisco Secure Endpoint as antivirus protection on clients and servers.

1. Person Responsible for Data Processing (Data Controller)

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Rector of RWTH Aachen University
Templergraben 55
52062 Aachen (physical address)
52056 Aachen (mailing address)
Phone: +49 241 80 1
Fax: +49 241 80 92312   
Email: rektorat@rwth-aachen.de
Website: www.rwth-aachen.de/rectorate

For the implementation of the central management of the Cisco instance:

RWTH Aachen University
IT Center
Management of the organization Prof. Dr. rer. nat. Matthias Müller
Seffenter Weg 23
52074 Aachen

Email: servicedesk@itc.rwth-aachen.de
Website: www.itc.rwth-aachen.de

2. Contact Data of the officially appointed Data Protection Officer

Contact data of the Data Protection Office of RWTH Aachen University:

Data Protection Office of RWTH Aachen University
Templergraben 83
52062 Aachen (physical address)
52056 Aachen (mailing address)
Germany
Telefon: +49 241 80 94114
Email: dsb@rwth-aachen.de
Website: www.rwth-aachen.de/dataprotection

3. General information about data processing

a) Scope and purpose of the processing of personal data

Use of the cloud-based security solution Cisco Secure Endpoint at RWTH Aachen University. Mechanisms/products for detecting and preventing security risks on computers and in the network (viruses, exploits, malicious websites, potentially dangerous software) are used. The processed data is necessary for the corresponding analytical activities and for the authentication of administrators on the administration platform. The software can therefore be used on business devices and servers.

b) Recipient of the Data

The collected data can be viewed by an administrator for devices and users in their institution in the form of log entries, a dashboard that displays active “alarms” (critical events that require attention), and specific reports based on the log. These include, in particular, reports about:

• virus detections and their technical context (file and registry accesses registered in connection with the critical process, network connections).
• connected devices.
• summaries of user/device-specific events.

IT Center administrators, who are responsible for the administration of the central Cisco instance (“Multi-Org Console”) and the management of licenses, also have technical access to the sub-instances of the facilities and therefore also to the data contained therein.

In order to be able to use the functionality of Cisco Secure Endpoint, data is transferred to Cisco and its subcontractors for analysis in accordance with the data processing agreement (DPA). This data transfer is based on a data processing agreement between RWTH Aachen University and Cisco, and the adequacy decision on data transfer between the EU and the USA. Cisco is certified under the EU-U.S. Data Privacy Framework.

The transfer takes place either automatically through the software or, for example, as part of a manual transfer of a file to be checked (“sample”). A list of the specific data can be found in the following table:

(1) Activated by default, can be deactivated manually
(2) Deactivated by default, users can opt in manually, e.g. when transferring files (“samples”) for analysis

Additionally, Axians, as a framework agreement partner for the license agreement with Cisco, has access to RWTH's Multi-Org Console in order to assign the licenses purchased by RWTH within the console.

c) Legal basis for the processing of personal data

The legal basis for the processing of personal data in connection with the antivirus protection of Cisco Secure Endpoint is Art. 6 para. 1 sentence 1 lit. e), para. 3 GDPR in conjunction with Section 58 para. 1 DSG NRW.

d) Data erasure and storage duration

• Account data of the setup administrators (data no. 1-3): Deletion takes place on request by contacting Cisco
• Log data (data no. 4-5,7): Up to 30 days
• File contents (6)*: Up to 24 months
• Behavioral data (8) **: Up to 24 months
• User feedback (9): Up to 24 months

* The file contents can only be viewed by the institution administrator.
** Data can be deleted by contacting Cisco.

4. Rights of the data subject

If personal data of the data subject is processed, they have the following rights vis-à-vis the data controller.

Pursuant to Article 15 ff. GDPR, the data subject has the right of access to the personal data concerned, the right to rectification or erasure or restriction of processing, the right to object to processing and the right to data portability. The data subject also has the right to lodge a complaint with the responsible data protection supervisory authority pursuant to Article 77 GDPR if they consider that the processing of their personal data infringes this regulation. If the processing is based on the consent of the data subject (see Art. 6 para. 1 sentence 1 lit. a), Art. 9 para. 2 lit. a) GDPR), they also have the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent prior to its withdrawal; the withdrawal will only take effect for the future.

To exercise the aforementioned rights, the data subject should send an email to servicedesk@itc.rwth-aachen.de.