Data protection for Go-to-webinars

Information according to Art. 13 GDPR on the processing of personal data through the Helmholtz Zentrum München (HMGU) when carrying out webinars with the GoToWebinar software

1.    Scope of data processing
In the following we want to inform you about the scope of data collection, storage and use (hereinafter referred to as "data processing", used within the meaning of Art. 4 No. 2 GDPR) in connection with the registration and execution of webinars through the Helmholtz Zentrum München (HMGU) with the GoToWebinar software from LogMeIn Inc. based in the USA.

We use the GoToWebinar software to offer you activities such as trainings, workshops or scientific lectures online. Data processing is carried out exclusively for the purpose of conducting these webinars. To participate in the webinar, you can use either the desktop application, a browser, a mobile app or your telephone.

2.    Purposes of data processing
Data is processed solely for the purpose of offering and conducting webinars.

3.    Categories of data processing    

3.1    Before the webinar    

3.1.1    User details during registration
To attend a session as an attendee, you must register for the webinar using the registration URL (in your GoToWebinar invitation) via a form. When registering for the webinar, you will be asked to enter a first name, last name, your e-mail address and, depending on the meeting, your organizational unit to receive the access link to the webinar.

If you provide your e-mail address, you will receive the link to the webinar by e-mail.
If you do not wish to give any information about your identity in the registration form, you can choose a pseudonym and thus maintain your anonymity. Without entering a real existing email address, you will find the link to the webinar as follows: After submitting the registration form with the pseudonym information, a confirmation window will appear. There you will see "You`re Registered" in the headline as well as the name and time of the event. In the confirmation window you will be offered several options; one of them is the sentence "At the time above, join the webinar.” The end part of the sentence is highlighted in blue and it is hyperlinked. Click on it, copy the URL and open it in your browser. This is your participation link. In this way, participation is also possible while preserving your anonymity and we take the principle of data minimisation into account.   

3.1.2    Preliminary information of speakers and moderators about webinar participants
For some scientific lectures it is important and necessary for the speakers to be informed in advance about the participating persons and, if necessary, about their organizational units (such as company or Institution) in order to prepare the event in the best possible way and to be able to specifically address the participants during the event.
In these cases, participant information (last name, first name, organizational unit) is communicated in advance to the respective speaker and the moderator. There will be no further use of the participant information for the preparation and delivery of the specific event.    

Again, you can protect your anonymity by choosing a pseudonym when you register.

3.2    During the webinar   

3.2.1 Information on meeting metadata
When you participate in a webinar, so-called meeting metadata associated with you is processed. These are the following categories of data: Subject, description (optional), participant IP address, device/hardware information, location, language settings, operating system.
For technical reasons, this data must be processed for the webinar in question. 
  
3.2.2    Data categories when dialling in with the telephone
When dialling in by telephone, information on the incoming and outgoing telephone number, country name, start and end time are processed. If necessary, further connection data such as the IP address can be stored in the case of Voice-over-IP (VOIP).
For technical reasons, this data must also be processed for each webinar.

3.2.3    Processing of text data
If you use the chat, question or survey function in a webinar, this content data is processed for the purpose of communication within the webinar. In addition, the chat history is stored in a text file that contains the last name, first name (or a pseudonym) and the text of the chat message. This data is processed only for the purpose of follow-up work on the webinar and is only passed on in an anonymous form within our research center.

3.2.4    Processing of audio and video data
All webinars are recorded. If you participate in a webinar verbally and/or use the video function to enable a visual transmission of your image, this personal data will be processed for communication purposes within the webinar. It is up to you to use these functions. Only if you activate the microphone or camera of your end device yourself, the aforementioned data processing can take place.    

3.2.5    Data processing for calculating the attentiveness
During the webinar, the software registers whether the webinar window is the primary window on the attendee's screen. This information is communicated to the organizer in a non-personalized form during the webinar ("attentiveness 75%"). This is for the organizer or speaker to monitor if the group attention levels. This function replaces the view into the auditorium during physical seminars and helps the speaker to lead the event. It also helps us to continuously work on the content of the event. A person-specific evaluation of the interest rating is not performed.    

3.2.6    Data processing for the calculation of the interest rating
GoToWebinar offers us as a provider the opportunity to have a so-called interest rating per registered participant displayed after the event. This is calculated from seven factors, such as participation in short surveys, whether chat contributions were made and the "attentiveness" mentioned above.
This interest rating serves the purpose of proving participation in a webinar, e.g. in the case of mandatory training courses, where certificates of participation are later issued.    

We do not use this function in our webinars. However, it is unfortunately not possible to deactivate this function. Therefore we have to inform you about the following: It is theoretically possible that if you do not participate in any other form during the webinar and your interest rating consists only of the attention factor, the interest rating will show you if and how long you used the GoToWebinar as primary and active window during the webinar.
Again, you can maintain your anonymity by choosing a pseudonym when you register. In this case we will only be able to verify that a certain person has a certain interest rating, but not which person this is.   

3.2.7    Data processing when recording webinars
Webinars are always recorded. If you have activated a video or microphone function before we share it with any third parties, we will obtain your consent. You can see at any time whether a recording is taking place: This is indicated by the red record button in the GoToWebinar software.

One more note: LogMeIn Inc., the provider of GoToWebinar, has enabled Google Analytics on its corporate website. We have no control or access to this data processing performed by LogMeIn Inc. Nevertheless, we would like to draw your attention to this data processing: Details on the use of Google Analytics by LogMeIn Inc. can be found here  (https://www.logmeininc.com/de/legal/privacy/us#analytics). You can also set your browser not to accept cookies before you click on the registration or participation link.

4.    Legal basis of the data processing
When the personal data of employees of the HMGU is processed, when using GoToWebinar, Section 26(1) BDSG is the legal basis for data processing. If the use of GoToWebinar requires the processing of personal data of employees of the HMGU which is not necessary for carrying out the employment contract, but is nevertheless an elementary component of the use of GoToWebinar, Art. 6(1) lit. f GDPR is the legal basis for data processing. The legitimate interest of the test in these cases is the effective and secure execution of webinars.    

In all other cases, the legal basis for data processing when conducting webinars is Art. 6(1) lit. b GDPR, insofar as the webinars are conducted within the framework of contractual relationships. If no contractual relationship exists, the legal basis is Art. 6(1) lit. f GDPR. Here too, the test has a legitimate interest in the effective and safe execution of webinars.

5.    Recipients of the data and transfer to third countries (Non-EU countries)
The recipient of your data in the above-mentioned context is the software provider LogMeIn Inc. which provides the GoToWebinar software. This company processes the data on our behalf. Accordingly, a contract has been concluded with LogMeIn Inc. in accordance with article 28 GDPR. The provider has its headquarters (USA) in a so-called unsafe third country. As a consequence, the provider had to assure us of an adequate level of protection within the meaning of Art. 44 et seq. GDPR. This appropriate level of protection is guaranteed by the use of the so-called EU standard data protection clauses within the framework of the data processing agreement.

In addition, other participants of the webinar will see and hear you and your contributions and in this respect they are the recipients of your data. Please also keep in mind that content from the webinars as well as from personal meetings is often used to communicate information with customers, interested parties or third parties and that there is the possibility that other participants may communicate your contributions to third parties.

Personal data will not be passed on to third parties outside of the scope described here without express consent.

Also the transmission to governmental institutions and authorities entitled to receive information is only carried out within the scope of the legal obligations to provide information or if we are obliged to provide information by a court decision.    

6.    Duration of processing, deletion of data
All data concerning the webinar will be deleted 6 months after the event at the latest, unless there is a legal obligation to retain the data.    

7.    Rights of Data Subjects under the GDPR
You are entitled to the rights set out below in connection with the processing of your personal data:

  • Under Art. 15 GDPR, you have the right to access any personal data relating to you that is processed by Helmholtz Zentrum München.
  • Under Art. 16 GDPR, you have the right to the immediate rectification or completion of any inaccurate or incomplete data we hold about you.
  • Under Art. 17 GDPR, you have the right to demand the erasure of all the personal data we hold about you, provided that processing is not required in order to exercise the right to freedom of expression and information; in order to comply with a legal obligation to which Helmholtz Zentrum München is subject; in order to complete a task that is in the public interest; or in order to establish, exercise or defend legal claims.
  • Under Art. 18 GDPR, you may demand that processing of your personal data be restricted, if you contest the accuracy of the data, or the data is processed unlawfully.
  • Under Art. 20 GDPR, you have the right to obtain the data we hold about you in a structured, commonly-used and machine-readable format, and to transmit that data to another controller without hindrance, or to arrange for us to transmit the data.
  • Under Art. 21 GDPR, you have the right to object to the processing of your personal data, provided there are grounds for doing so relating to your particular situation. If you object, your data will no longer be processed unless Helmholtz Zentrum München can demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the Data Subject, or where processing is required to establish, assert or defend legal claims.
  • Under Art. 77 GDPR, you have the right to lodge a complaint against Helmholtz Zentrum München with the relevant supervisory authority, specifically:

    Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
    Husarenstr. 30, 53117 Bonn
    Tel.: +49 (0)228-997799-0
    E-Mail: poststelle@bfdi.bund.de

8. Controller's contact details
The Controller in relation to the processing of the personal data described above, and to any requests or queries associated with it, is:

Helmholtz Zentrum München
Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH)
Ingolstädter Landstraße 1
D-85764 Neuherberg

If you have any questions regarding data protection, please contact our Data Protection Officer:

Datenschutzbeauftragter
Helmholtz Zentrum München
Deutsches Forschungszentrum für Gesundheit und Umwelt (GmbH)
Ingolstädter Landstraße 1
D-85764 Neuherberg
E-Mail: