Privacy Policy for Panopto

valid after 25th May 2018

German version


Kaiserslautern, 19. November 2018

Contents

2 Right of correction

3 Right of restriction of processing

4 Right of deletion

5 Right of duty to inform

6 Right of data portability

7 Right to object

8 Right to revoke the data protection declaration of consent

9 Automated individual decision-making, including profiling

10 Right of appeal to a supervisory authority

IX Final Provision

1 Changes in the privacy policy

2 Validity

I Responsibilities

1 Name and Address of the responsible Party

The responsible party in accordance of the Basic Data Protection Regulation and other national
data protection laws of the Member States as well as other data protection regulations is:


VCRP – Virtueller Campus Rheinland Pfalz
Postfach 3049
67653 Kaiserslautern
Germany

Tel.: +49 631 205-4949
E-Mail: info@vcrp.de
Website: https://www.vcrp.de

2 Name and Address of the data protection commissioner

The Data Protection Commissioner is:
Peter Daehn

Tel.: +49 631 205-4944
E-Mail: datenschutz@vcrp.de

II General information on data processing

1 Scope of processing of personal data

In principal, we only collect and use personal data of our users, as far as this is necessary to
be able to provide a functional videoserver as well as its contents and functionalities.

Personal data appears at various points in the system with different visibilities. Below you can find
a listing of the data.

Personal Information
is limited to user name, surname, first name and e-mail address.
In Groups
the group creator sees the first and last name of the group members.
Comments on Videos
are public and are marked with first and last name.
Notes on Videos
are generally not public but can be enabled manually and will then
contain first and last name.
Uploaded files in the personal folder
are generally not public but can be manually
enabled.
Uploaded files in shared folders
are visible to all who have access to this folder.
Invite people
is used when someone wants to share a video with others. After entering
the first 2 letters, a selection of possible hits (first and last name) is displayed. This
becomes more concrete when entering more letters.

Tracking datato a video is made available to the video creator only pseudonymized.

2 Legal basis for the processing of personal data

The VCRP is a scientific institution according to §93 HochSchG RLP. The tasks were defined in
the organisational statutes of the Virtual Campus Rheinland-Pfalz (VCRP) of 7 April 2003 and
continuously adapted by the associated steering committee. This also includes the provision of the
video server.
Provided that we obtain the consent of the data subject for the processing of personal data, Art. 6
(1) lit. A EU General Data Protection Regulation (GDPR) serves as the legal basis for the
processing of personal data.
Is the processing of personal data required for the performance of a contract to which the data
subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing
operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our
company is subject, Art. 6 (1) lit. c GDPR shall serve as legal basis. In the event that the vital
interests of the affected person or any other natural person make it necessary to process personal
data Art. 6 (1) lit. d GDPR shall serve as legal basis.
If the processing is necessary to protect a legitimate interest of the VCRP or that of a third party
and it does not outweighs the interests, fundamental rights and freedom of the concerned Person
Art. 6 (3) sentence 1 lit. b GDPR serves as a legal basis for processing.

3 Data erasure and storage times

The personal data of the person concerned will be deleted or blocked as soon as the purpose of
storage ceases to apply. In addition, data may be stored if this is specified by the European or
national legislator in EU regulations, laws or other regulations to which the responsible party is
subject to. The Data will also be blocked or deleted if a storage period prescribed by the
aforementioned standards expires, unless it is necessary for the further storage of the data to
conclude or fulfil a contract.
In order to be able to safely bridge research-, vacation-, foreign- or practical semesters, accounts
will be deleted regularly and after prior announcement after one year of non-use.

III Provision of the Videoserver and creation of log files

1 Description and scope of data processing

Every time our offer is accessed, our system automatically collects data and information from the
computer system of the accessing computer. Following data is collected:

  1. Information about the browser type and version used
  2. The user’s operating system
  3. The user’s Internet service provider
  4. The user’s IP Address
  5. Date and time of access
  6. Websites from which the user’s system reaches our website
  7. Websites accessed by the user’s system through our website

Data will be stored in log files as well. The IP addresses of the user or other data that would enable to
assign the data to a user are not affected by this. Storage of this data together with other Personal
data of the user does not take place.

2 Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 (3) sentence 1 lit. b GDPR i.V. m. § 3 LDSG.

3 Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the delivery of the
contents to the user?s computer. For this the IP address of the user must remain stored for the
duration of the session. The data is stored in Log files to ensure the functionality of the application.
In addition, the data serves us to optimize the application and to ensure the security of our
information technology systems.
An evaluation of the data for marketing purposes in this context does not take place.
In this purpose also lies our legitimate interest in data processing pursuant to Art. 6 (1) lit. f
GDPR.

4 Duration of storage

The data will be deleted as soon as it is no longer needed to achieve the purpose for which it was
collected. In the case of collecting data for the provision of the website, this is the case when the
respective session is terminated.
In the case of data stored on Log files this is the case after seven days. Further storage is
possible. In this case, the IP addresses of the users are deleted or alienated so that an
assignment to the accessing client is no longer possible.

5 Possibility of objection and elimination

The collection of data for the provision of the offer and the storage of data in Log files is absolutely
necessary for the operation of the Website. Consequently, there is no possibility of objection on
the part of the user.

IV Usage of cookies

1 Description and scope of data processing

Our offer uses cookies. Cookies are text files that are stored in the Internet browser or by the
Internet browser on the users? computer system. If a user visits a Website, a cookie may be
stored on the user?s operating system. This cookie contains a characteristic string that allows a
clear identification when reloading the website. The following data is stored and transmitted in the
cookies:

  1. Session variable
  2. 2. Log-In-Information

2 Legal basis for data processing

The legal basis for the processing of personal data using cookies is Art. 6 (3) sentence 1 lit. b GDPR i.V. m. § 3 LDSG.

3 Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of Websites for users.
For following application we use cookies:

  1. Administration of the session cookies
  2. 5 Administration of Log-In-Information

The user data collected by technically necessary cookies is not used to create user profiles.

4 Duration of storage, possibility of objection and elimination

Cookies are stored on the users Computer and are transmitted to our Site by the user. Therefore,
you as user have the full control over the use of cookies. By changing the settings in your Internet
browser you can deactivate or restrict the transmission of cookies. Cookies that have already been
saved can be deleted at any time. This can also be done automatically. If cookies are deactivated
for our Website, you cannot log in.

V Backup

1 Description and scope of data processing

In order to be able to restore Panopto to a previous state after a major System Failure, backups of
the required data are created. For this purpose, a

  1. backup of the data directory and
  2. backup of the data base

is made.

2 Legal basis for data processing

Legal basis for the creation of backups is Art. 6 (3) sentence 1 lit. b GDPR i.V. m. § 3 LDSG.

3 Purpose of data processing

Backups are a suitable means in order to meet the requirements of Art 32 (1) lit. c GDPR the
ability to rapidly restore the availability of and access to personal data in the event of a physical or
technical incident. This is also where our legitimate interest in data processing pursuant to Art. 6
abs. 1 lit. f GDPR lies.

4 Durations of storage

The data records are deleted after a maximum of 1 year, snapshots are stored for 3 months.

5 Possibility of objection and elimination

The deletion or correction of your data from the backups is carried out automatically after the given time for regular processes. Any other changes made will be manually transferred
to the backups.

VI Registration

1 Registration via Panopto

1.1 Description and scope of data processing

Our unrestricted offer can only be used after you have registered by providing personal data. The
data is entered by an administrator into an input mask and saved. The passing on to third parties
does not take place.
The following data is collected during the registration process:

  1. E-Mail address
  2. User name
  3. Password
  4. Surname
  5. First name

At the time of registration, following data is also stored:

  1. Users IP address
  2. Date and time of the registration

Guest access is possible without registration. This way you can only see generally shared
videos.

2 Registration via Single-Sign-On (SSO) using Shibboleth

2.1 Description and scope of data processing

Our unrestricted offer can only be used after you have registered by providing personal data. With
the SSO via Shibboleth, certain data is automatically transferred by the universities to your
Panaptotenant.
After successful authentication by your University, surname, first name, user name and e-mail will
be stored in Panopto.
The universities inform the users about the transmitted data and obtain the approval for the data
transfer.
The following data is collected during the registration process:

  1. E-Mail address
  2. User name
  3. Surname
  4. First Name

At the time of registration following data is stored:

  1. Users IP address
  2. Date and time of registration

The consent to the transfer of data is given when the login page of the respected university is
accessed.

3 Legal basis for data processing

Legal basis for the creation of backups is Art. 6 (3) sentence 1 lit. b GDPR i.V. m. § 3 LDSG.

4 Purpose of data processing

A user registration is required to keep your videos available and to be able to share them with
specific users or user group.

5 Duration of storage

The data will be deleted as soon as it is no longer needed to achieve the purpose for which it was
collected.
In order to be able to safely bridge research-, vacation-, foreign- or practical semesters, accounts
will be deleted regularly and after prior announcement after one year of non-use.

6 Possibility of objection and elimination

As a user you have the ability to cancel the registration at any time. You can change the data
stored about you at any time.
If an account is to be deleted immediately, please send an e-mail from the address you use in
Panopto to the address of your tenant specified under Support .If you have problems with the data
correction, you can proceed in the same way.

VII E-Mail distribution via Panopto

1 Description and scope of data processing

In the user settings, you can specify whether a notification is sent by e-mail after processing has
been completed (for example, transcoding).

2 Legal basis for data processing

Legal basis for the creation of backups is Art. 6 (3) sentence 1 lit. b GDPR i.V. m. § 3 LDSG.

3 Purpose of data processing

The processing of personal data from the system serves to inform registered users. Herein lays
the necessary legitimate interest in the processing of data.
The other personal data processed during the sending process serves to prevent misuse of the
e-mail function and to ensure the security of our information technology systems.

4 Duration of storage

The data will be deleted as soon as it is no longer needed to achieve the purpose for which it was
collected. The additional personal data collected during the sending process will be deleted at the
latest after a period of 7 days.

5 Possibility of objection and elimination

The user has the possibility to change the setting for sending e-mails in the user settings at any
time.

VIII Rights of the affected person

If personal data of yours is processed, you are affected in terms of the GDPR and have following
rights towards the responsible party:

1 Right of information

You can demand a confirmation from the responsible party whether or not personal data of yours
is being processed by the responsible party.
If such processing has taken place, you can demand from the responsible party following
information about:

  1. the purposes for which the personal data is being processed;
  2. the categories of personal data, which are processed
  3. the recipients or categories of recipients to whom the personal data concerning you
    has been or is still being disclosed to
  4. the planed duration of the storage of personal data concerning you or, if this is not
    possible to specify, the criteria for determining the storage period
  5. the existence of a right to correct or delete personal data concerning you, a right to
    limit ate the processing by the responsible party or a right to object to such processing
  6. the existence of a right of complaint to a supervisory authority
  7. any available information about the origin of the data, if the personal data was not
    collected from the data subject himself
  8. the existence of an automated process including profiling referred to in Art. 22 (1) and
    4 GDPR and (at least in these cases) meaningful information about the logic involved
    as well as the significance and intended effect of such processing for the data subject

In accordance with Art. 15 (3), the responsible party, will provide a copy of the requested personal
data in an appropriate form. Further copies will be liable to costs. Requests submitted
electronically will be made available in a common electronic form.
You have the right to request information as to whether your personal data has been transferred to
a third country or an international organisation. In this context, you can demand to be
informed about suitable guarantees in accordance to Art. 46 GDPR connected to this
transmission.
This right to information may be restricted, if it makes it impossible or seriously interferes with the
realisation of the research or statistical purposes and the limitation is necessary for the fulfilment
of the research or statistical purposes.

2 Right of correction

You have the right of correction and / or completion by the party responsible, if the processed
personal data is incorrect or incomplete. The party responsible must make the correction without
undue delay.
Your right to correction may be restricted, if it makes it impossible or seriously interferes with the
realisation of the research or statistical purposes and the limitation is necessary for the fulfilment
of the research or statistical purposes.

3 Right of restriction of processing

Under following circumstances, you may demand the restriction of processing of your personal
data:

  1. If you dispute the accuracy of personal data of which you are affected by for a time,
    that enables the responsible party to verify the correctness of the personal data,
  2. if the processing is illegal and you object to the deletion of the personal data and
    instead demand the restriction of use of the personal data,
  3. The responsible party no longer needs the personal data for the purpose of
    processing, but you need them to assert, exercise or defend legal rights or
  4. if you have filed an objection to the processing pursuant to Art. 21 (1) GDPR and it
    has not yet been determined whether the legitimate reasons of the party responsible
    outweigh your reasons.

If the processing of personal data concerning you has been restricted, such data may only be
processed – apart from being stored – with your consent or for the purpose of asserting, exercising
or defending rights or protecting the rights of another natural or legal person or on grounds of an
important public interest of the Union or a Member State.
If the processing has been restricted in accordance to the above conditions, you will be informed
by the responsible party before the restriction is lifted.
Your right to restriction of processing may be limited, if it makes it impossible or seriously interferes
with the realisation of the research or statistical purposes and the limitation is necessary for the
fulfilment of the research or statistical purposes.

4 Right of deletion

  • Obligation of deletion
    You can demand from the responsible party, that the personal data concerning you is
    deleted immediately and the responsible party is obliged to delete the respective data
    without undue delay if one of the following grounds applies:
  1. The personal data concerning you is no longer necessary in relation to the
    purpose for which it was collected or processed.
  2. You withdraw you consent of processing in accordance with Art. 6 (1) lit. A or
    Art. 9 (2) lit a GDPR and there is no other legal ground for processing.
  3. You object pursuant to Art. 21 Abs 1 GDPR to the processing and there is no
    overriding legal legitimation for the processing or you object to the processing
    pursuant to Art. 21 (2) GDPR.
  4. The personal data concerning you has been processed illegally.
  5. The deletion of personal data concerning you is in compliance with a legal
    obligation in Union or Member State law to which the responsible party is subject.
  6. The personal data concerning you was collected in relation to the offer of
    information society services referred to in Art. 8 (1) GDPR.

  • Information to third parties
    Has the responsible party made the personal data public, it is obliged pursuant to Art. 17 (1)
    GDPR to erase the personal data, the responsible party, taking account of available
    technology and the cost of implementation, shall take reasonable steps, including technical
    measures, to inform controllers which are processing the personal data that the data subject

 

has requested the deletion by such controllers of any links to, or copy or replication of
personal data.

  • Exceptions
    the right of deletion shall not apply if processing is necessary
    1. for exercising the right of freedom of expression and information;
    2. for compliance with a legal obligation which requires processing by Union
      or Member State law to which the responsible party is subject or for the
      performance of a task carried out in the public interest or in the exercise of official
      authority vested in the responsible party;
    3. for reasons of public interest in the area of public health in accordance with Art.
      9 (2) lit. h and i as well as Art. 9 (3) GDPR;
    4. for archiving purposes in the public interest, scientific or historical research
      purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far
      as the right referred to in section a. is likely to render impossible or seriously
      impair the achievement of the objectives of that processing; or
    5. for the establishment, exercise or defence of legal claim.

 

5 Right of duty to inform

If you have asserted your right to correction, deletion or restriction of the processed data against
the responsible party, the responsible party is obliged to communicate any rectification
or deletion of personal data or restriction of processing carried to each recipient to
whom the personal data has been disclosed, unless this proves impossible or involves
disproportionate effort. You have the right to be informed by the responsible party about those
recipients.

6 Right of data portability

You shall have the right to receive the personal data concerning you, which you have
provided the responsible party, in a structured, commonly used and machine-readable
format. Also you have the right to transmit this data to another responsible party without
hindrance from the responsible party to which the personal data has been provided,
where

  1. the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit.
    a GDPR or on a contract pursuant to Art. 6 (1) lit b GDPR and
  2. 2. the processing is carried out by automated means.

In exercising this right to data portability you shall have the right to have your personal data
transmitted directly from one responsible party to another, where technically feasible. The freedom
and rights of other persons must not be affected by this.
The right of data portability shall not apply to processing of personal data necessary for the
performance of a task carried out in the public interest or in the exercise of official authority vested
in the responsible party.

7 Right to object

You shall have the right, on grounds relating to your particular situation, to object at any time to the
processing of personal data concerning you which is based on Art. 6 (1) lit. e or f GDPR; this also
includes profiling based on those provisions.
The responsible party shall no longer process your personal data unless the responsible party can
demonstrate compelling legitimate grounds for the processing which override your interests, rights
and freedom or the processing serves the establishment, exercise or defence of legal
claims.
Should your personal data be processed for direct marketing purposes, you have the right to
object at any time to the processing of your personal data for such marketing, this also includes
profiling to the extent which is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data shall no longer be
processed for such purposes.
You have the possibility, in the context of the use of information society services, and
notwithstanding directive 2002/58/EC, to exercise your right to object by automated means using
technical specifications.
Where your personal data is processed for scientific or historical research purposes or
statistical purposes pursuant to Art. 89 (1) GDPR, you, on grounds relating to your
particular situation, shall have the right to object to processing of personal data concerning
you.
Your right to object may be limited, if it makes it impossible or seriously interferes with the
realisation of the research or statistical purposes and the limitation is necessary for the fulfilment
of the research or statistical purposes.

8 Right to revoke the data protection declaration of consent

You have the right to revoke your consent of the data protection declaration at any time. The
revocation of consent, does not affect the legality of the processing carried out on basis of the
consent before the revocation.

9 Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including
profiling, which produces legal effects concerning you or which similarly affects you in a significant
way. This does not apply if the decision

  1. is necessary for entering into, or performance of, a contract between you and the
    responsible party,
  2. is authorised by Union or Member State law to which the responsible party is subject
    to and which also lays down suitable measures to safeguard your rights and freedoms
    and legitimate interests or
  3. is based on your explicit consent.

Although, decisions should not be based on special categories of personal data referred to in Art. 9
(1) GDPR unless Art. 9 (2) lit a or g applies and suitable measures to safeguard your rights and
freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the responsible party shall implement suitable
measures to safeguard your rights and freedoms and legitimate interests, at least the right to
obtain human intervention on the part of the responsible party, to express his or her point of view
and to contest the decision.

10 Right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial legal remedy, you have the right of appeal
to a supervisory authority, in particular in the Member State where you are staying, working or at
the location of the suspected breach, if you believe that the processing of personal data
concerning you is contrary to the GDPR.
The supervisory authority, to which the complaint was submitted, will inform the complainant on
the status, including the possibility of judicial legal remedy under Art. 78 GDPR, of the
complaint.

The responsible supervisory authority is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Postfach 30 40
55020 Mainz
Telefon: +49 (0) 6131 208-2449
Telefax: +49 (0) 6131 208-2497
E-Mail: poststelle@datenschutz.rlp.de

Please contact the responsible party or he Data commissioner first. In most cases, this allows
questions to be clarified and complaints can be resolved.

IX Final Provision

1 Changes in the privacy policy

In order to keep you up to date in accordance with current legal requirements or to implement
changes to our offer in the data protection declaration, we reserve the right to make appropriate
changes.

2 Validity

This data protection declaration is currently valid and was last amended on 18. November
2018.