oose.
Welcome to oose

Data Protection Information for Online Meetings, Telephone Conferences and Webinars via “Zoom” of oose eG

We hereby inform you about the processing of personal data in connection with your use of “Zoom.”

Purpose of Processing

We use the “Zoom” tool to conduct telephone conferences, online meetings, video conferences and/or webinars (collectively, “Online Meetings”). “Zoom” is a service provided by Zoom Video Communications, Inc., based in the USA.

Controller

The controller responsible for data processing directly related to the conduct of Online Meetings is:
oose eG
Schomburgstraße 50
22767 Hamburg, Germany.

Note: If you visit Zoom’s website directly, Zoom Video Communications, Inc. is the controller for any data processing that occurs on their site (e.g. to download their software). You may also join a meeting by entering the meeting ID and any required access data directly into the Zoom app. If you cannot or do not wish to use the Zoom app, you can use the browser-based version available on Zoom’s website.

Categories of Processed Data

Depending on what you provide before or during an Online Meeting, Zoom may process:

  • User Information: first name, last name, telephone number (optional), email address, password (if Single-Sign-On is not used), profile picture (optional), department (optional)

  • Meeting Metadata: meeting topic, description (optional), participant IP addresses, device/hardware information

  • Recordings (optional): MP4 of video, audio & screen-sharing; M4A of audio only; text file of in-meeting chat

  • Telephone Dial-In: incoming/outgoing phone numbers, country name, start/end times; possibly device IP address

  • Chat, Q&A, Poll Data: any text you enter via chat, Q&A or polls is processed to display and log it in the meeting

  • Audio & Video Streams: your microphone and camera data are processed to allow live audio/video; you can mute or disable them at any time

  • Identification: to join, you must at least provide your name

Scope of Processing

  • We use Zoom to host Online Meetings. If we plan to record a meeting, we will inform you in advance and, if required, request your consent; Zoom also displays a recording indicator.

  • We typically do not log chat contents unless needed for meeting minutes.

  • For webinars, we may record questions asked by participants for follow-up.

  • If you are a registered Zoom user, Zoom may retain meeting reports (metadata, telephone dial-in data, Q&A and poll results) for up to one month.

  • Zoom’s “attention tracking” feature is disabled.

  • No fully automated decision-making under Art. 22 GDPR is used.

Legal Bases for Processing

  • For employees of oose eG, processing is based on § 26 BDSG (employment context).

  • If personal data processing is not required for your employment but is essential for using Zoom, it is based on our legitimate interests under Art. 6(1)(f) GDPR (effective conduct of Online Meetings).

  • Otherwise, if meetings relate to contractual relationships, processing is based on Art. 6(1)(b) GDPR.

  • If no contract exists, processing is based on our legitimate interests under Art. 6(1)(f) GDPR.

Recipients and International Transfers

  • Personal data processed in connection with Online Meetings are not passed on to third parties except as intended (e.g. sharing meeting content with clients).

  • Zoom, as our processor under an Art. 28 GDPR agreement, necessarily accesses the data to provide the service.

  • Zoom is based in the US, so data may be processed there. We have signed standard contractual clauses and rely on Zoom’s Privacy Shield certification to ensure adequate protection.

Data Protection Officer

Our appointed Data Protection Officer is:

Karsten Klug
Externer Datenschutzbeauftragter (TÜV zert.) Klug Datenschutz-Consulting
Kaiser-Wilhelm-Str. 93
20355 Hamburg
Tel.: +49(40) 411 89 38 28
Fax.: +49(40) 411 89 38 37
klug@elblaw.de

Your Rights

You have the right to request access to, correction or deletion of your personal data, or restriction of processing, as provided by law. You may also object to processing (Art. 21 GDPR) and request data portability (Art. 20 GDPR). To verify your identity when requesting access, we may ask for proof.

Data Retention and Deletion

We delete personal data when no further storage is required—e.g. after event reporting is complete, warranty claims have expired, or legal retention periods have ended.

Right to Lodge a Complaint

You may lodge a complaint with a data protection supervisory authority if you believe your rights under the GDPR have been violated.

Updates to This Notice

We will update this information when our data processing practices change. The current version is always available on this page.

Version Date: 23 April 2020