GDPR

GDPR Compliance

Overview

Forschungszentrum Jülich GmbH runs BigBlueButton for education purposes. Our goal is to enable remote students to have a high quality online learning experience.

We take the privacy of your personal information very seriously.

This document will help you better understand the personal information we collect, why we collect it, how we use it, and how we protect it. In full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which comes into effect May 25, 2018, this document also explains the various rights of the data subject, including the right of access and the right to erasure (aka “the right to be forgotten”).

Hosting for BigBlueButton

BigBlueButton is a web conferencing system designed for online learning. It enables students and instructors to collaborate in real-time. This collaboration includes sharing one or more of audio, video, slides, chat, screen, emojis, and responding to polls.

The collaboration may also be recorded.

Our Collection and Use of Your Personal Information

We capture personal information when you login to BigBlueButton and when you share information during a live session (such as an online class). Furthermore, if the session is recorded, then personal information may also appear in the subsequent recording (such as your chat messages).

What happens when you login?

When you login to BigBlueButton through a Front End, we receive (at minimum) two pieces of information: your full name and an ID (this is a unique identifier internal to the Front End).

We also receive additional information during the join process, which may include:

• a URL back to the Front End (this enables BigBlueButton to return you back to the Front End after you log out);
• the associated course ID/name (this is usually embedded in the Logout URL); and
• your IP address, browser, and OS in our web server logs.

We use this additional data to provide you support (such as troubleshooting a support ticket to see if your browser is out-of-date) and for creating usage reports that we make available to the Data Controller.

What data do we receive when you participate in a meeting?

During a live meeting, you may exchange audio, video, slides, desktop, chat, and emoji icons, responses to polls, closed captioning, and whiteboard annotations, and other content during a session.  We collectively refer to this content as “Meeting Data”.

The BigBlueButton client sends/receives Meeting Data to the server via encrypted channels (RTMPS, HTTPS, and DTLS).

Where do we store Meeting Data?

Not all Meeting Data is stored.  Storage of the Meeting Data depends on whether (a) the meeting was recorded, and whether (b) the moderator (usually the instructor) marked any segments of the meeting for later processing into a recording for playback.

Generally speaking, there are three cases for the storage of Meeting Data:

Case 1: For an unrecorded meeting, we do not store any Meeting Data on the BigBlueButton server after the meeting finishes.

Case 2: For a recorded meeting withoutStart/Stop record marks, we store the Meeting Data on the BigBlueButton server for 14 days, after which it is automatically deleted.  

Case 3: For a recorded meeting withStart/Stop record marks, we still store the Meeting Data on the BigBlueButton server for 14 days (after which it is automatically deleted); however, the BigBlueButton server also compresses the Meeting Data (“Compressed Meeting Data”) and uploads it to our hosting infrastructure where it is processed into a recording that you can later view by clicking a URL (a “Recording Link”) in the Front End.

The actual recording may include more than one format, such as a video file or an HTML5 page that summarizes user statistics for the session (“Meeting Statistics”).

For how long do we store Meeting Data?

For some customers, we automatically delete their Meeting Data (and any associated recordings) within 7 or 14 days. For others, we delete their Meeting Data only upon request by the instructor (using a “delete recording” button in the Front End).

How do we restrict access to Meeting Data?

For access to live meeting sessions, users can only login via the Front End or by invitation from a moderator (a guest link).

For access to a Recording Link, users can login via the Front End to access the link.

While we can’t prevent a user from recording their screen while watching a recording, with Restricted Recording Links, we’ve made it more difficult for users to casually share a recording that might include your personal information.

What information do we retain for support purposes and for how long?

As described above, we capture user metrics and logs during a session to better enable us to provide customer support. BigBlueButton servers record metrics for each meeting and for each user in a meeting (“Support Data”).

We use this Support Data to resolve support issues such as:

• Diagnosing login issues in a meeting
• Diagnosing audio quality issues for users in a meeting
• Locating and recovering an accidentally deleted recording (if it was accidentally deleted within 14 days of the origin of the meeting).

This Support Data includes:

• Full Name
• Browser
• Operating system
• Start time
• Length of time in session
• Three octets of the user’s IP address (e.g. 192.168.0.)
• % of audio packets dropped
• # of times reconnected
• Connectivity logs generated by the BigBlueButton client (these logs specify when network connections are created/dropped to by the BigBlueButton client to the BigBlueButton server).
• Any feedback provided by the user on their experience using BigBlueButton when the session ends

We store all Support Data on servers in Jülich, Germany.

How Do We Secure Our Infrastructure?

We adhere to a number of industry best practices for securing our infrastructure, which include:

• We restrict access to all servers containing personal information to only a few employees in the company.
• We disable password access to all servers (access is only through revocable keys).
• All servers are regularly updated with the latest security patches.
• All employees are trained on our privacy policy.

Who Is the Data Protection Officer (DPO) for Forschungszentrum?

The DPO is Frank Rinkens. You can contact him at DSB@fz-juelich.de

Your privacy rights

You have the right of Information pursuant to Art. 15 GDPR, the right of rectification pursuant to Art. 16 GDPR, the right of deletion pursuant to Art. 17 GDPR, the right of restriction of processing pursuant to Art. 18 GDPR and the right of data transfer pursuant to Art. 20 GDPR. In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 GDPR).

How Can You Request Access to Your Personal Information?

We recommend you first contact the Data Controller (the organization providing the Front End for accessing BigBlueButton).

You may request a full report on the personal information we hold for you by sending an e-mail to dsb@fz-juelich.de

In the subject line, please indicate “Request for Personal Information”.  In your email, please specify:

1. Your full Name
2. Whether you are an individual or a representative of a Data Controller
3. If you are an individual, the name of your Data Controller (the organization providing you access to BigBlueButton)

Please note that we will need to share your request with the Data Controller to verify and action it. We will endeavor to fulfill all access requests within 30 days of receipt.

How Can You Request Deletion of Your Personal Information?

We recommend you first contact the Data Controller (the organization providing the Front End for accessing BigBlueButton).

You may request deletion of personal information by sending an e-mail to dsb@fz-juelich.de

Use the subject “Request for Deletion”

In the subject line, please indicate “Request for Deletion”.  In your email, please specify:

1. Your full Name
2. Whether you are an individual or a representative of a Data Controller
3. If you are an individual, the name of your Data Controller (the organization providing you access to BigBlueButton)

Please note that we will need to share your request with the Data Controller to verify and action it. We will endeavor to fulfill all access requests within 30 days of receipt.

How Can You Contact Us?

If you have any questions about this document or our support for GDPR or about our Privacy Policy, please contact us directly at DSB@fz-juelich.de

Scope of your obligations to provide us with your data

You only need to provide data which is necessary for the establishment and execution of a business relationship or for a pre-contractual relationship with us or which we are legally obliged to collect. Without this data, we will generally not be able to conclude or execute the contract. This may also refer to data required later within the framework of the business relationship. If we also request data from you, you will be informed of the voluntary nature of the information separately.

Your right to appeal to the competent supervisory authority

They have the right to appeal to the data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf

Or contact directly our Data Protection Officer

Frank Rinkens

DSB Forschungszentrum Jülich GmbH

Tel: 02461-61-9005

E-Mail: DSB@fz-juelich.de