Information on dealing with Webex

Notice according to Article 13 and Article 14 GDPR for the use of the conference and collaboration solutions at the University of Stuttgart

The English translation is provided solely for informative purposes.

Information according to Articles 13 and 14 General Data Protection Regulation (GDPR)

The University of Stuttgart uses the Webex conferencing and collaboration solutions from Cisco Systems (in short: Webex services) to conduct web and video conferences. In the following, we would like to inform you about the processing of personal data in connection with the use of these services.

Webex services are

  • the video conferencing platform Webex Meetings (with the special forms Webex Training, Support and Events) and
  • the collaboration platform Webex (formerly Teams).
  1. Responsible in the data protection sense of Article 4 No. 7 GDPR
    University of Stuttgart
    Keplerstrasse 7
    70174 Stuttgart
    Tel: +49 711 685-0
    E-mail
  2. Data Protection Officer
    University of Stuttgart
    Data Protection Officer
    Breitscheidstr. 2
    70174 Stuttgart
    Tel: +49 711 685-83687
    Fax: +49 711 685-83688
    E-mail
  3. Technical contact
    University of Stuttgart
    IZUS/TIK - Webex Support
    Allmandring 30a
    70569 Stuttgart
    Tel: +49 711 685-88000
    E-mail
  4. Purposes of processing
    The University of Stuttgart offers Cisco's Webex services for use by its members, affiliates, and external users to enable meetings, committee meetings, and events in online format for the fulfillment of its duties under the State University Act (LHG) for the purposes of teaching, science, and self-government, among others.

    Videoconferencing and other forms of online collaboration are prerequisites, especially during the Corona/COVID-19 pandemic, to replace university face-to-face meetings and events. Meetings such as lectures, oral exams, committee meetings, and in-service meetings are essential in the orderly operation of the university to fulfill its university-legal responsibilities. Webex-supported communication serves as a substitute for this purpose

  5. Legal bases of the processing
    To fulfill the tasks of the university, we process your personal data on the basis of

    • Art. 6 para. 1 lit. e in conjunction with Art. 6 para. 3 GDPR in conjunction with
        • § 12 para. 1 LHG in conjunction with § 2 para. 1 LHG or, in the case of employees, § 15 para. 1 State Data Protection Act (LDSG),
        • § 12 para. 2 LHG or, in the case of employees, § 15 para. 2 LDSG, insofar as special categories of personal data (as defined in Art. 9 GDPR) are processed,
        • § 10 a LHG, insofar as the processing consists of image and sound transmissions of meetings of the organs and bodies of the university,
        • § 32 a LHG in conjunction with the respective examination regulations, insofar as the processing takes place in the context of an online examination;
      • Art. 6 (1) lit. a GDPR (consent) or, if special categories of personal data are processed, Art. 9 (2) lit. a GDPR (consent) in the case of
        • records or
        • voluntary disclosures of optional data.

  6. Categories of personal data / details of personal data processed
    1. Participation in video conferences without Webex account
      If you use Webex services for video conferencing without using a Webex account, you will be asked for a name and optionally an email address when you log in. Your entries are visible to other participants and the host person during a video conference. However, you can also participate under a pseudonym and leave the e-mail address field blank.In the case of telephone dial-in, other participants can recognize that you are participating by telephone, but will not see your telephone number.
    2. Participate in video conferences or use Webex (formerly Teams) with Webex account
      If you participate using a Webex account, the name and email address you provide will be visible to other participants and the hosting person.
    3. Visibility in the search function
      A host person can search for people by personal rooms or when scheduling a meeting or creating a group at Webex (formerly Teams). After entering two characters, a list of up to 10 registered or previously invited people will be displayed where this string appears either in the name or in the email address. Your name and email address can become visible this way to people with Webex account.
    4. Audio and video
      During a video conference, you can be visible and audible to the other participants if your microphone and camera are activated. You can tell if this is the case by the icons or the labeling of the corresponding buttons. The default settings for the respective video conference may differ. You will also see whether a recording is running.
    5. Reports
      For each videoconference, reports are automatically generated that contain information about the participants (name, e-mail address, start and end of participation as well as participation duration; in case of participation via an existing Webex account, the further data stored in the profile; in case of participation by telephone, the dial-in number dialed by the participating person is displayed). These reports are only visible to the host person of the respective video conference.
    6. Other data processed by the system
      The following additional data is processed by Cisco when using the Webex services. The English terms used by Cisco in their "Privacy Data Sheets" are given in brackets:

      • Webex Meetings (also applies to Webex Training, Support and Events)

        • User Information
          • Name, e-mail address, browser, unique user ID (UUID)
          • optional: phone number, postal address, profile picture
        • Host and Usage Information
          • Name, e-mail address of all participants
          • IP address, user agent identifier, IP addresses along the network path (this refers to the IP addresses of the components through which the videoconference is established, in particular the nodes through which the participants are connected), geographic region, client version, service version
          • hardware type, operating system type and version, screen resolution, joining method
          • Meeting information (host name, meeting ID number, meeting page URL, date and time, title, frequency, meeting duration and attendance time per participant, number, quality, network activity and network connectivity, actions, method of joining)
          • Number of meetings, number of participants, number of screen sharing and non-screen sharing meetings - related to host person
          • Performance, troubleshooting and diagnostic information, actions taken
            Call information (email address, IP address, username, phone number, room device)
        • User-Generated Information
          • Meeting recordings
          • Uploaded files (only for Webex Events and Training)

      • Webex (formerly Teams)

        • User Information
          • Display name, email address, name, unique user identifier (UUID), company name, organization ID.
          • optional: profile picture
        • Host and Usage Information
          • Device name, geolocation, IP address, user agent identifier, operating system type and version, client version, IP addresses along the network path (this refers to the IP addresses of the components through which the videoconference is established, especially the nodes through which the participants are connected), MAC address, time zone, domain name, activity logs.
        • User-Generated Information
          • Room activity (date, time, person and activity), messages (content, sender, recipient, date, time and read receipts), shared content (files, file names, sizes and types), whiteboard content.
          • Meeting and call information (title, invitation content, participants, link, date, time, duration, and quality ratings), attendance (user status)
          • Meeting records

      • Technical support
        If the Webex support of IZUS/TIK would like to involve the technical support of Cisco (Technical Assistance Center, TAC) for the clarification and elimination of a malfunction and has to transmit further personal data to Cisco for this purpose, the technical support of IZUS/TIK will inform you individually in advance and ask for your cooperation.

  7. Recipient categories
    • The purpose of the Webex services is to share information with other participants. Accordingly, the respective participants can receive the data required for this purpose (e.g. name of the participants and the host person, meeting URL) and the shared content.
    • When using the Webex services - if activated - sound and images of you as well as the chat with user name and, if applicable, your shared content are received by the other participants of the respective video conference or collaboration.
    • The host person of a video conference can generate reports after its conclusion, which contain information about the participants (name, e-mail address, start and end of participation as well as participation duration; in case of participation via an existing Webex account, the further data stored in the profile; joining from external/internal).
      For configuration, support and analysis purposes, the IZUS/TIK Webex admins have access to account information and host and usage information, but not to user-generated information. An IZUS/TIK Webex support person may be granted rights to access User Generated Information ("compliance designee"). This is provided for when there are indications of a compliance breach or a request for information is being processed under Article 15 of the GDPR.
    • Cisco (see following item) may have read access to account information and host and usage information for support and analysis purposes as requested by the University.
    • All data is processed by Cisco Systems, Inc. with registered office at 170 West Tasman Drive, San Jose, California 95134, USA as a processor. The processor uses subcontractors for the processing. 
      These can be found for Webex Meetings (with the special forms) in the "Privacy Data Sheet" for "Cisco Webex Meetings" under item 8 (https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/collaboration/cisco-webex-meetings-privacy-data-sheet.pdf). The subcontractors used for the Webex collaboration platform (formerly Teams) can be found in the "Privacy Data Sheet" for "Cisco Webex app & Webex Messaging" under point 8 (https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/collaboration/cisco-webex-app-and-messaging-privacy-data-sheet.pdf).
    In the context of the use of Webex services, personal data is also processed outside the European Union / European Economic Area. The University of Stuttgart intends to conclude the so-called standard data protection clauses with Cisco Systems, Inc. in accordance with the EU Commission's Implementing Decision (EU) 2021/914.

  8. Duration of storage and deletion
    For information on the duration of storage and deletion of account information, user-generated information, and host and usage information for Webex Meetings (including the special forms), please refer to the "Privacy Data Sheet" for "Cisco Webex Meetings" under section 6 (https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/collaboration/cisco-webex-meetings-privacy-data-sheet.pdf). Item 8 also contains information about the retention period for subcontractors.
    User-generated information in areas of the collaboration platform Webex (formerly Teams) is stored for up to 360 days if the area was created by a person with a Webex account at the University of Stuttgart. Please refer to the "Privacy Data Sheet" for "Cisco Webex app & Webex Messaging" under section 6 (https://trustportal.cisco.com/c/dam/r/ctp/docs/privacydatasheet/collaboration/cisco-webex-app-and-messaging-privacy-data-sheet.pdf) for details on the duration of storage and deletion of account information, user-generated information, and host and usage information for the Webex (formerly Teams) collaboration platform.
    Webex account information will be deleted in any case as soon as the university SIAM account (ac, st, gs account) is deleted, with the exception of name and UUID. Cisco deletes these at the latest 7 years after the end of the order processing.

  9. Rights of the data subjects
    In terms of the GDPR, you have the following rights as a data subject:
    • Right to information (Art. 15 GDPR)
    • Right to rectification (Art. 16 GDPR)
    • Right to erasure (Art. 17 GDPR)
    • Right to restriction of processing (Art. 18 GDPR)
    • Right to data portability (Art. 20 GDPR), if and to the extent that the processing is based on your consent
    Right to object to processing (Art. 21 GDPR), if and insofar as the processing is based on Art. 6 (1) lit. e GDPR
    If the use of Webex services is based on your consent, you have the right to revoke your consent at any time. However, the revocation will only take effect in the future. The processing based on the consent up to the time of the revocation therefore remains lawful. If you wish to exercise your rights, please contact the data protection officer of the University of Stuttgart or the Webex support of IZUS/TIK. You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR) if you believe that the processing of personal data concerning you violates the law. The supervisory authority in Baden-Württemberg is

    Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
    Lautenschlagerstraße 20
    70173 Stuttgart
    https://www.baden-wuerttemberg.datenschutz.de

  10. Validity of this information
    We reserve the right to adapt the content of this data protection declaration at any time. This is usually done in the event of further development or adaptation of the services used. You can always view the current privacy policy on our website.

    Status of this declaration: 07/20/2021

  11. Further Information
    This and further data protection information of the University of Stuttgart can be found at
    https://www.uni-stuttgart.de/en/privacy-notice/.

Information about your right to object according to Article 21 para. 1 GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of data relating to you which is carried out on the basis of Article 6 Paragraph 1 Letter e GDPR (data processing in the public interest).

To the top of the page