Data protection information for the use of ‘Zoom’ and ‘Microsoft Teams’
Within the scope of digital communication, Esche Schümann Commichau Partnerschaftsgesellschaft mbB and ESC Wirtschaftsprüfung GmbH (hereinafter: ‘ESC’) use the services “Zoom” and ‘Microsoft Teams’ (collectively: ‘the Services’). Below, we provide information about how personal data is processed in this context and what rights you have.
We use the services to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter: ‘online meetings’). The use of “Teams” also serves the purpose of collaboration with our customers and internally between our employees, including the exchange of chat messages and files (hereinafter: ‘collaboration’).
‘Online meetings’ and ‘collaboration’ are summarised as ‘service use’ in this privacy policy.
‘Zoom’ is a service provided by Zoom Video Communications, Inc., which is based in the United States. “Teams” is a service provided by Microsoft Corporation, which is also based in the United States, and is part of the ‘Microsoft 365’ environment.
The controller responsible for data processing directly related to the ‘use of the service’ is, depending on the entity communicating with you, Esche Schümann Commichau Partnerschaftsgesellschaft mbB or ESC Wirtschaftsprüfung GmbH (respective address: Am Sandtorkai 44, 20457 Hamburg).
Please note: If you visit the ‘Zoom’ or ‘Teams’ website, the provider specified there is responsible for data processing. However, visiting the respective website is only necessary for the use of the services in order to download the software for using “Zoom” and/or ‘Teams’.
You can also use the services if you enter the respective meeting ID and, if necessary, additional access data for the meeting directly in the ‘Zoom’ or ‘Teams’ app.
If you do not want to or cannot use the ‘Zoom’ or ‘Teams’ app, the basic functions can also be used via a browser version, which you can also find on the “Zoom” or ‘Teams’ website.
Various types of data are processed when using the services. The scope of the data also depends on the information you provide before or during participation in an ‘online meeting’ and/or within the framework of ‘collaboration’.
The following personal data is subject to processing:
User information: first name, surname, telephone number (optional), email address, password (if ‘single sign-on’ is not used), profile picture (optional), department (optional)
Metadata: topic, description (optional), participant IP addresses, device/hardware information
For recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.
When dialling in by telephone: Information on the incoming and outgoing telephone number, country name, start and end time. Additional connection data, such as the IP address of the device, may also be stored.
Text, audio and video data: You may have the option of using the chat, question or survey functions in an ‘online meeting’. In this respect, the text entries you make will be processed in order to display them in the ‘online meeting’ and, if necessary, to log them. To enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device will be processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the ‘Zoom’ or ‘Teams’ applications.
To participate in an ‘online meeting’ or enter the ‘meeting room’, you must at least provide your name.
In addition, ‘collaboration’ allows you to exchange text, audio and video files.
We use the services for ‘service use’. If we wish to record ‘online meetings’, we will inform you of this transparently in advance and, where necessary, ask for your consent. The fact that the meeting is being recorded will also be displayed in the “Zoom” or ‘Teams’ app.
If necessary for the purpose of recording the results of an online meeting, we will log the chat content. However, this will not usually be the case.
In the case of webinars, we may also process questions asked by webinar participants for the purpose of recording and following up on webinars.
If you are registered as a user with ‘Zoom’ or ‘Teams’, reports on ‘online meetings’ (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) can be stored for up to one month with “Zoom” or ‘Teams’.
Automated decision-making within the meaning of Art. 22 GDPR is not used.
Insofar as personal data of employees of Esche Schümann Commichau Partnerschaftsgesellschaft mbB and ESC Wirtschaftsprüfung GmbH is processed, Section 26 of the Federal Data Protection Act (BDSG) forms the legal basis for data processing. If, in connection with the ‘use of services’, personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an essential component of the use of the services, Art. 6 (1) (f) GDPR is the legal basis for data processing. In these cases, our interest lies in the effective implementation of the ‘use of services’.
Otherwise, the legal basis for data processing within the scope of ‘service use’ is Art. 6 (1) (b) GDPR, insofar as communication is carried out within the scope of contractual relationships.
If no contractual relationship exists, the legal basis is Article 6(1)(f) GDPR. Here, too, our interest lies in the effective implementation of the ‘use of services’.
Personal data processed in connection with the ‘use of services’ is not passed on to third parties unless it is specifically intended for disclosure. Please note that content from ‘online meetings’ and ‘collaboration’ – as is often the case with face-to-face meetings – is frequently used to communicate information to customers, interested parties or third parties and is therefore intended for disclosure.
The providers of the services (see above) necessarily become aware of the above-mentioned data to the extent that this is provided for in our data processing agreement with them. In some cases, the providers of the services also process your personal data for their own purposes. Further information on this can be found in the providers' data protection notices.
In some cases, we use external service providers to process personal data. These have been carefully selected and commissioned by us and are bound by our instructions.
The following are also considered recipients:
- Courts, tax offices, employment offices, patent and trademark offices, registration and other authorities in the context of legal disputes, tax matters and other legal matters, courts, tax offices, employment offices, patent and trademark offices, registration and other authorities in the context of legal disputes, tax matters and other legal matters,
- attorneys at law, certified auditors, tax consultants,
- Service providers such as debt collection agencies, credit agencies, detective agencies, IT services, banking services, communication services, services in the area of our financial management and the destruction of data carriers, couriers, freight forwarders and carriers, interpreters and translators, printing companies and letter shops.
- Recruiters and personnel consultants who support us in our search for personnel and, if necessary, in our decision to establish an employment relationship.
Both services are provided by US-based providers. This means that personal data is also processed in a third country. We have concluded a data processing agreement with each of the service providers that complies with the requirements of Article 28 of the GDPR.
An adequate level of data protection is ensured by the conclusion of the so-called EU standard contractual clauses and by the adequacy decision on the EU-US Data Privacy Framework.
Data protection officer
You can contact the data protection officer of the above-mentioned companies at the following email address: datenschutz.esche.pg@beckservice.gmbh
1. Information, correction, deletion, restriction of processing and data portability
Under the GDPR, you have the following rights as a data subject:
• Art. 15 GDPR: Right of access by the data subject
You have the right to obtain information from us about which data we process about you. Please note that we cannot comply with your request for information in all cases, in particular if the client confidentiality we are required to observe in accordance with Section 29 of the Federal Data Protection Act (BDSG) prevents us from providing the information.
• Art. 16 GDPR: Right to rectification
If the data concerning you is incorrect or incomplete, you may request that incorrect data be rectified or incomplete data be completed.
• Art. 17 GDPR: Right to erasure
Under the conditions of Art. 17 GDPR, you may request the erasure of your personal data. Your right to erasure depends, among other things, on whether the data concerning you is still required by us to fulfil our contractual and legal obligations.
• Art. 18 GDPR: Right to restriction of processing
Under the conditions of Art. 18 GDPR, you may request the restriction of the processing of personal data concerning you.
• Art. 20 GDPR: Right to data portability
Under the conditions of Art. 20 GDPR, you may receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or request its transfer to another controller. Please note that we may not be able to comply with such a request in all cases, in particular if this conflicts with the client confidentiality we are required to observe in accordance with Section 29 of the German Federal Data Protection Act (BDSG).
2. Revocation of consent
If you have given your consent to the processing of your data, you can revoke this consent at any time without affecting the lawfulness of the processing carried out until the revocation. The permissibility of processing the data on the basis of other legal grounds may also remain unaffected. If your consent was the sole legal basis for the processing of your data, in particular if we have no legitimate interest in the processing pursuant to Art. 6 para. 1 sentence 1 letter f GDPR, we will delete the data immediately after you withdraw your consent.
3. Objection to certain processing operations pursuant to Art. 21 GDPR
Insofar as we base the processing of your personal data on a balancing of interests (Art. 6 para. 1 sentence 1 letter e or f GDPR), you may object to the processing of the personal data concerned at any time for reasons arising from your particular situation. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adjust the data processing or point out to you our compelling legitimate reasons for continuing the processing.
4. Complaints to the supervisory authority
You also have the right to complain to the supervisory authority if you believe that the processing of your data is not lawful (Art. 77 GDPR). The address of the supervisory authority responsible for us is: The Hamburg Commissioner for Data Protection and Freedom of Information, Kurt-Schumacher-Allee 4, 20097 Hamburg.
We delete personal data when the conditions for its lawful storage no longer apply. We delete your personal data as soon as the purpose for its storage no longer applies. We may also store data if this is provided for by European or national legislators in EU regulations, national laws or other regulations to which we are subject. Exceptions to the principle of deletion after the purpose has been achieved may arise, for example, from the provisions of the GDPR and the provisions of German federal law, in particular the BDSG. Furthermore, deletion will not take place, for example, as long as commercial, tax and professional law retention obligations exist. Longer storage may also be necessary in individual cases due to the assertion or possible assertion of claims against us in connection with a contract or pre-contractual measures. This would be the case, for example, if there are indications that you will assert claims against us. The same applies if, in individual cases, we assert claims, intend to assert claims or consider asserting claims due to specific circumstances. The data will then be stored for as long as the processing of the data is necessary for the assertion, exercise or defence of legal claims, plus the duration of any statutory retention obligation that may exist. If a statutory retention obligation prevents deletion, we will initially store your data in such a way that it can only be processed by a limited group of people and will only delete it after the retention obligation has expired.