Forschungszentrum Jülich GmbH runs BigBlueButton for educational purposes. Our goal is to enable remote students to have a high-quality online learning experience.
We take the privacy of your personal information very seriously.
This document will help you better understand the personal information we collect, why we collect it, how we use it, and how we protect it. In full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which comes into effect May 25, 2018, this document also explains the various rights of the data subject, including the right of access and the right to erasure (aka “the right to be forgotten”).
BigBlueButton is a web conferencing system designed for online learning. It enables students and instructors to collaborate in real-time. This collaboration includes sharing one or more of audio, video, slides, chat, screen, emojis, and responding to polls.
The collaboration may also be recorded.
We capture personal information when you log in to BigBlueButton and when you share information during a live session (such as an online class). Furthermore, if the session is recorded, then personal information may also appear in the subsequent recording (such as your chat messages).
When you log in to BigBlueButton through a Front End, we receive (at minimum) two pieces of information: your full name and an ID (this is a unique identifier internal to the Front End).
We also receive additional information during the join process, which may include:
We use this additional data to provide you support (such as troubleshooting a support ticket to see if your browser is out-of-date) and for creating usage reports that we make available to the Data Controller.
During a live meeting, you may exchange audio, video, slides, desktop, chat, emoji icons, responses to polls, closed captioning, whiteboard annotations, and other content. We collectively refer to this content as “Meeting Data”.
The BigBlueButton client sends/receives Meeting Data to the server via encrypted channels (RTMPS, HTTPS, and DTLS).
Not all Meeting Data is stored. Storage of the Meeting Data depends on whether (a) the meeting was recorded, and whether (b) the moderator (usually the instructor) marked any segments of the meeting for later processing into a recording for playback.
Generally speaking, there are three cases for the storage of Meeting Data:
Case 1: For an unrecorded meeting, we do not store any Meeting Data on the BigBlueButton server after the meeting finishes.
Case 2: For a recorded meeting without Start/Stop record marks, we store the Meeting Data on the BigBlueButton server for 14 days, after which it is automatically deleted.
Case 3: For a recorded meeting with Start/Stop record marks, we still store the Meeting Data on the BigBlueButton server for 14 days (after which it is automatically deleted); however, the BigBlueButton server also compresses the Meeting Data (“Compressed Meeting Data”) and uploads it to our hosting infrastructure where it is processed into a recording that you can later view by clicking a URL (a “Recording Link”) in the Front End.
The actual recording may include more than one format, such as a video file or an HTML5 page that summarizes user statistics for the session (“Meeting Statistics”).
For some customers, we automatically delete their Meeting Data (and any associated recordings) within 7 or 14 days. For others, we delete their Meeting Data only upon request by the instructor (using a “delete recording” button in the Front End).
For access to live meeting sessions, users can only log in via the Front End or by invitation from a moderator (a guest link).
For access to a Recording Link, users can log in via the Front End to access the link.
While we can’t prevent a user from recording their screen while watching a recording, with Restricted Recording Links, we’ve made it more difficult for users to casually share a recording that might include your personal information.
What information do we retain for support purposes and for how long?
As described above, we capture user metrics and logs during a session to better enable us to provide customer support. BigBlueButton servers record metrics for each meeting and for each user in a meeting (“Support Data”).
We use this Support Data to resolve support issues such as:
This Support Data includes:
We store all Support Data on servers in Jülich, Germany.
We adhere to a number of industry best practices for securing our infrastructure, which include:
The DPO is Frank Rinkens. You can contact him at DSB@fz-juelich.de
Your privacy rights
You have the right of information pursuant to Art. 15 GDPR, the right of rectification pursuant to Art. 16 GDPR, the right of deletion pursuant to Art. 17 GDPR, the right of restriction of processing pursuant to Art. 18 GDPR and the right of data transfer pursuant to Art. 20 GDPR. In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 GDPR).
We recommend you first contact the Data Controller (the organization providing the Front End for accessing BigBlueButton).
You may request a full report on the personal information we hold for you by sending an e-mail to dsb@fz-juelich.de
In the subject line, please indicate “Request for Personal Information”. In your email, please specify:
Please note that we will need to share your request with the Data Controller to verify and action it. We will endeavor to fulfill all access requests within 30 days of receipt.
How Can You Request Deletion of Your Personal Information?
We recommend you first contact the Data Controller (the organization providing the Front End for accessing BigBlueButton).
You may request deletion of personal information by sending an e-mail to dsb@fz-juelich.de
Use the subject “Request for Deletion”
In the subject line, please indicate “Request for Deletion”. In your email, please specify:
Please note that we will need to share your request with the Data Controller to verify and action it. We will endeavor to fulfill all access requests within 30 days of receipt.
If you have any questions about this document or our support for GDPR or about our Privacy Policy, please contact us directly at DSB@fz-juelich.de
Scope of your obligations to provide us with your data
You only need to provide data which is necessary for the establishment and execution of a business relationship or for a pre-contractual relationship with us or which we are legally obliged to collect. Without this data, we will generally not be able to conclude or execute the contract. This may also refer to data required later within the framework of the business relationship. If we also request data from you, you will be informed of the voluntary nature of the information separately.
Your right to appeal to the competent supervisory authority
You have the right to appeal to the data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf
Or contact our Data Protection Officer directly:
Frank Rinkens
DSB Forschungszentrum Jülich GmbH
Tel: 02461-61-9005
E-Mail: DSB@fz-juelich.de