In the current coronavirus situation, the University of Cologne (UoC) has decided to use Zoom – initially for a limited period – in teaching, research and administration. The decision in favour of Zoom was taken by the Rectorate together with the Faculties because Zoom has proven to be a very efficient videoconferencing system. Prior to its purchase, the use of Zoom was assessed in terms of data privacy legislation. Data processing takes place in compliance with and on the basis of the General Data Protection Regulation (GDPR), the North Rhine-Westphalia Data Protection Act and other applicable data protection regulations.

In reports on Zoom in the media over the past weeks, various references were made to security gaps, which are not, however, directly relevant to the UoC’s contract with Zoom. Some of these security gaps can be avoided with the help of corresponding settings. In addition, Zoom has reacted to this criticism, eliminated technical errors, corrected individual statements and adjusted its data privacy guidelines. Against this background, in the UoC’s opinion using Zoom continues to be justifiable. The UoC will also review this point at regular intervals. The UoC has not committed itself permanently through its decision to use Zoom for a limited period of time.

For particularly confidential matters, the DFNconf service remains available and can be used by members of the University to hold video conferences – free of charge and without the need for separate registration. However, due to the sharp increase in its use as a result of the coronavirus pandemic, the system’s availability is currently limited.

Apart from Zoom, other tools are available for digital teaching/learning formats (https://portal.uni-koeln.de/digital-education) and for working from home (https://rrzk.uni-koeln.de/support-information/informationen-zu-tools-fuer-kollaboratives-arbeiten).

The general rule applies that staff of the University of Cologne should only use those tools for their official work which have been purchased and are operated centrally by the University.

1. Use of Zoom in administration, teaching and research

Zoom is used in administration, teaching and research to hold video conferences and meetings, run interactive online courses and webinars and support teaching and research activities. The UoC makes licences available for the use of Zoom (the range of functions equates to a business licence).

Zoom can be used for committee meetings. For confidential ballots, other software should be used (e.g. EvaSys).

Zoom can be used for professorial appointment procedures, job interviews and university examinations. However, care should be taken that personal and particularly sensitive data and information are discussed in an anonymized form (e.g. expert opinions in professorial appointment procedures).

Zoom may not be used to exchange particularly confidential information (e.g. counselling on delicate issues, data from personnel files, data related to people’s health, disciplinary proceedings). Please note that when using Zoom no end-to-end encryption in the real sense takes place.

Purpose of data processing

The purpose of data processing is the use of Zoom as a collaboration tool in the framework of official duties at the UoC in order to fulfil the University’s statutory obligations.
It includes the use of the licensed products and services, provision of updates, safeguarding of information security as well as technical and customer support.

No data processing takes place for purposes other than the ones stated above or permitted by law.

Use of Zoom for private purposes in the framework of the UoC licences provided is not permitted.

There is no monitoring of conduct and performance based on the use of Zoom nor does the UoC gather any statistical data from Zoom which could facilitate such monitoring. Using Zoom to compile person-related statistics is not permitted.

Conditions for permitted use

The minimum age for using Zoom is 16 years.

As a rule, no information should be exchanged via Zoom which is particularly sensitive or highly confidential (see above). To exchange sensitive data, participants should use secure channels or protected file servers.

2. Information on data privacy

You can obtain a Zoom licence by registering in the Zoom portal of the University of Cologne with your university account. This is the one also used for KLIPS, ILIAS, the email address "@uni-koeln.de" and for accessing other services.

The UoC is responsible for the use of the licensed Zoom service in accordance with data privacy legislation, insofar as an invitation to participate in Zoom communications was issued from a university account (@uni-koeln.de). Issuing invitations to participate in Zoom communications from such an email address without a Zoom licence of the UoC is not permitted.

When using Zoom, personal data are processed and saved. Some data are essential for its usability, other data depend on your communication and usage behaviour. This data processing complies with data privacy legislation and guarantees an appropriate level of security for the usage purposes described above. In this document, you will find information on this data processing in accordance with Article 13 GDPR and in the section below an overview of categories of data and processing purposes.

Processing of personal data

For your user profile, you need to enter just your name and your university account (@uni-koeln.de) when you start the software for the first time. You can enter further information on a voluntary basis and edit it yourself at any time.
Your personal data are processed in order to allow you to participate in communication via Zoom, i.e. so that you can set up and use the connection. As a rule, your name and your business or student email address are transmitted to Zoom for this purpose.

Whether other categories of data apply depends on your usage behaviour. Zoom also uses these data to maintain the service’s functionality and security. In the case of the Zoom communications described here, which are managed from a university account, Zoom as the technical service provider does not use such data for its own purposes.

When using Zoom, the following data are gathered:

User information:

• First name, last name
• Business email address
• Registration data from uniKIM, the University’s identity management system
• Password
• Other contact data (optional), profile picture (optional)

Technical usage information, i.e. meeting metadata:

• Topic, description (optional)
• Participant IP addresses, device/hardware information (e.g. IP address, operating system data of your end device)

Text, audio and video data:

• In order to show videos and play audio recordings, the data are processed by the end device’s microphone and/or video camera, if applicable, for the duration of the meeting. The camera and the microphone can be switched off/muted at any time via the Zoom app.
• Text inputs in the chat are processed in order to display them in the online meeting.

Recordings (optional):

• MP4 file of all video, audio and presentation recordings 
• Text file of online meeting chats

Registration for/participation in courses:
As a rule, no registration is required in order just to participate in a course. Students can access and attend courses in full via a link sent by the moderator. In the case of solely passive participation, only the technical meeting metadata indicated above are processed. Moderators can, however, for security reasons limit course participation to registered participants.
You can find further information on the use of cookies under https://zoom.us/cookie-policy.

The provision of personal data and the use of Zoom is obligatory for University employees in the framework of their employment relationship. For students, especially examinees, the use of Zoom for courses without compulsory attendance and for oral examinations is currently voluntary. If a student does do not want to make use of this form of examination, the examination will be postponed to a point in time when face-to-face courses are possible again or endeavours will be made to enable the student to participate in a later course.

Recording and transcription of communication via Zoom

As a rule, communication via Zoom is not recorded. Recordings may only be made with the express consent of the participants concerned and only insofar as these are permitted within applicable legislation and for official purposes or to fulfil specific duties. This includes, for example, the transcription of examination results or committee decisions. Participants are notified of this prior to the meeting and asked for their consent and can also recognize that the meeting is being recorded while it is in progress.

If recording and transcription take place, your data (video/audio data, questions and chat messages) are stored on Zoom servers and deleted at the latest after 30 days. Subsequent storage on UoC servers is subject to the general rules in accordance with subject-specific retention periods.

When using Zoom, please ensure that smart devices, such as Alexa, Siri or Google Home, are not nearby or active in order to ensure that unauthorized data processing or recordings are prevented.

Zoom as data processor of the UoC

Zoom functions as data processor for the University of Cologne, i.e. Zoom is obliged through a contract processing agreement to use personal data solely for the University’s purposes and not for its own business purposes. This contract processing takes precedence over Zoom’s privacy policy, the scope of which is partially broader. Within the framework of contract processing, personal data are also transmitted to servers at locations outside the EU. This transmission is permissible because Zoom is partly based on an adequacy decision of the European Commission (“Privacy Shield”) and has furthermore concluded what are referred to as standard contractual clauses with the University, which under the GDPR legitimize such transmission to third countries.

3. Terms of use for hosts/moderators

It is generally recommended that you control access to Zoom meetings. In addition to (system-wide enabled) password protection, you have the option to set up a waiting room (for meetings with just a few participants) from which you can admit the participants individually/manually to the meeting.

Publishing ("posting") Zoom links or credentials on social networks or other publicly readable websites is strictly prohibited due to the dangers involved (including "Zoom bombing"). Meetings which have been made public in this way will be deleted by the administrators if necessary.

If as host you want to make recordings of meetings, please ask all participants for their consent before you start recording (the participants must additionally give their consent to the recording in the Zoom app). Delete recordings from the Zoom cloud at the first possible opportunity. You should preferably make all your recordings available via ILIAS.

Insofar as copyright-protected works are used in the framework of teaching to the extent permitted, actively restricting the circle of users to the course participants is required by law. In this case choose Registration for meetings in the meeting options. Please be aware that students generally should be able to use Zoom without registration/account. So choose this option only if necessary, have a look at the advisory of the legal department regarding copyright (unfortunately only available in German).

Privacy-compliant configuration of the Zoom platform

To safeguard privacy-compliant use, it is not possible for individual hosts to adjust the following settings:

• Calendar and contacts integration [disabled]
• Require password when scheduling new meetings [enabled]
• Require encryption for third-party endpoints (H323/SIP) [enabled]
• Prevent participants from saving chat [enabled]
• Auto-save chats [disabled]
• Remote control [disabled]
• Far end camera control [disabled]
• Notification before a cloud recording is deleted from the trash [enabled]
• Automatic recording [disabled]
• Only the host can download cloud recordings [enabled]
• Only authenticated users can view cloud recordings [enabled]
• Require password to access shared cloud recordings [enabled]
• Automatically delete cloud recordings after 120 days [enabled]
• Recording consent [enabled]
• Multiple audio notifications of recorded meeting/recording stopped [enabled]
• Show third-party meetings [disabled]
• Enable end-to-end encryption [enabled]
• Cloud storage for chat messages (30 days) [enabled]
• Delete chat messages from local device (30 days) [enabled]
• Save edited and deleted messages [disabled]
• Message archiving with third-party storage [disabled]
• Business contacts [disabled]

The software provider has meanwhile removed the software-enabled “attention tracking” feature previously available.