Data Protection - Privacy
MeetingSphere is a solution for dynamic web conferencing and online workshops, which is also often used in face-to-face meetings. MeetingSphere provides a set of virtual workspaces in which participants brainstorm, discuss and prioritise. By default, all contributions are anonymous. There is no link between participants and their contributions even at the technical level.
The MeetingSphere solution has been designed for data economy. User accounts are created and used only for the purposes of licensing and authentication. Meetings which are no longer required and inactive users are deleted automatically. As a matter of principle, activity- or user-related profiling is not supported. All data of a Meeting Center is owned by the customer and controlled by its appointed administrators. MeetingSphere does not use, analyze, profile or otherwise monetize customer data or share it with anyone.
MeetingSphere is committed to providing all its customers uniformly with the highest levels of data protection. However, since legal frameworks and language differ, please select your geography to read our contractual assurances that apply to you.
11. Data Protection
11.1 Scope. You acknowledge that MeetingSphere provides the service to You under a shared responsibility model. This clause 11 defines the roles, responsibilities and assurances between You and MeetingSphere regarding Data Protection and, in particular, Personal Data under the GDPR. It also serves as the Data Processing Addendum between You and MeetingSphere as required by the GDPR.
11.2 Roles. In the context of this agreement, MeetingSphere acts as “processor” to You who may act either as “controller” or “processor” as each term is defined in the GDPR.
11.3 Types of information collected. The Service collects a minimum set of Personal Data on users of the service, the contributions of users and circumstantial information as follows:
11.3.1 Personal Data. The service collects Personal Data solely for the purpose of authenticating users at login and their identification in the meeting. This information is limited to (a) first name and surname, (b) email address and (c) organization or department.
11.3.2 Contributions of Users. Users and their contributions to meetings fall into two categories: (a) Participants who submit ideas, comments and ratings, which can include file attachments, and (b) Licensed Users who set up and run meetings with participants and who also contribute meeting structures such as agendas and questions by which they organize the meeting and guide the work of Participants in the meeting.
11.3.3 Circumstantial information. This is information logged for security auditing purposes such as the IP address from which users connect or which records were created, accessed or changed. MeetingSphere screens and analyses these logs solely for the purpose of securing the deployment and protecting the information therein. MeetingSphere deletes logs after 90 days.
11.4 MeetingSphere’s obligations and responsibilities. MeetingSphere implements and maintains technical and organizational measures to adequately protect Your data in accordance with and satisfying the requirements of the GDPR and the principle of data secrecy.
11.4.1 Processing. The Service processes Personal Data and contributions of users only in so far as it provides the technical functionality by which Your Users enter, change and delete such information. For the avoidance of doubt, MeetingSphere is not involved in the processing of Personal Data and user contributions beyond (a) providing the functionality for such processing by You as part of its software service, (b) creating, restoring and deleting backup copies of the Meeting Center database which hold such information (c) creating, storing and deleting Audit logs and (d) recording licensing information in the MeetingSphere Store.
11.4.2 Storage. Information collected by the Service is stored in encrypted format only in the agreed geography from where information is transmitted to Users directly in encrypted format. For the avoidance of doubt: MeetingSphere will not store Your Personal Data or any other content of your Meeting Center outside the agreed location. By default, MeetingSphere will host the Meeting Centers of residents of the European Union in its European data center (Dublin, Ireland). If You instruct MeetingSphere to host Your Meeting Center in Virginia, the assurances of this clause 11 fall under the protection of the EU-U.S. Privacy Shield Framework.
11.4.3 Disclosure of collected information. MeetingSphere will not disclose or transmit Information that has been collected by the Service to anyone, unless required by law following due legal process.
11.4.4 Sub-processing. MeetingSphere’s provisioning of the Service rests on the infrastructure services of Amazon (AWS) who acts as a sub-processor under MeetingSphere’s control. A GDPR compliant data processing addendum is incorporated in the agreement between AWS and MeetingSphere. MeetingSphere’s U.S. datacenter (AWS Virginia) is operated by MeetingSphere Inc, which is certified under the EU-U.S. Privacy Shield Framework. MeetingSphere will inform You of any changes of sub-processors.
11.4.5 Personnel. MeetingSphere warrants that personnel entrusted with processing Your data have been vetted and instructed on the protective regulations of the GDPR and have undertaken to comply with the principle of data secrecy.
11.4.6 Encryption. MeetingSphere warrants that information is stored and transmitted to Users only in encrypted format.
11.4.7 Use by MeetingSphere. MeetingSphere makes no use of information collected by the Service other than to keep track of the personal licensing and unlicensing of individuals as Host, Leader or Facilitator and to provide information to these users regarding their new or changed role. For the avoidance of doubt: MeetingSphere does not profile use patterns, user contributions or Personal Data or related information for any purpose and will prevent any other party from doing so.
11.4.8 Other systems. Information collected by Your use of the Service is held (a) in a dedicated Meeting Center instance with dedicated database, (b) backups of that database and (c) the MeetingSphere Store. The MeetingSphere Store is located in Virginia and holds the names and email addresses only of personally licensed users, Subscription Administrators and Licensors. MeetingSphere maintains licensing information as part of its business records in compliance with legal requirements and good commercial practice.
11.4.9 Deletion. MeetingSphere deletes Your Meeting Center and its database including all backup copies automatically at the end of the Grace Period or on Your written order. MeetingSphere will also delete backup copies of Your Meeting Center on your written order should this be required for You to comply with deletion requests. For the avoidance of doubt: After such deletion no copies of Your information shall survive, and You accept that such information cannot be subsequently restored.
11.4.10 Use statistics. MeetingSphere counts logon events and the number of new meetings created in a given Meeting Center per day. The statistic does not allow for disaggregation to the level of individual users or groups of users and is deleted irrevocably after 180 days.
11.4.11 Notification of breaches. MeetingSphere will inform you without undue delay of any material breach of the regulations for the protection of Your Personal Data, committed by MeetingSphere, its personnel or 3rd parties. MeetingSphere shall implement the measures necessary to secure the data and to mitigate potential adverse effects on the data subjects and shall agree upon the same with You without undue delay. MeetingSphere shall support You in fulfilling Your disclosure obligations regarding such breaches.
11.4.12 Enquiries by data subjects. At your written request, MeetingSphere will assist You in answering a data subject’s enquiry related to Your collection, processing or use of such data subject’s data by Your Use of the Service. You and MeetingSphere acknowledge the right of individuals falling under the protection of the GDPR to access their personal data pursuant to the GDPR or EU-U.S. Privacy Shield, as applicable, and will grant individuals reasonable access to personal information they received pursuant to these principles. In addition, You and MeetingSphere will take reasonable steps to permit individuals to correct, amend, or delete such information that is demonstrated to be inaccurate or incomplete. An individual may request to access his or her information, or otherwise correct, amend, or delete his or her information pursuant to the GDPR or the EU-U.S. Privacy Shield Principles, as applicable, by contacting us at email@example.com.
Under the EU-U.S. Privacy Shield, MeetingSphere Inc is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). In compliance with the Privacy Shield Principles, MeetingSphere Inc commits to resolve complaints about our collection or use of Your personal information. You and European Union individuals with inquiries or complaints regarding MeetingSphere Inc’s Privacy Shield policy should first contact MeetingSphere Inc at firstname.lastname@example.org. MeetingSphere Inc commits to refer unresolved Privacy Shield complaints to the International Centre for Dispute Resolution / American Arbitration Association (ICDR®/AAA®), an alternative dispute resolution provider located in the United States. If You or an eligible individual do not receive timely acknowledgment of Your or their complaint from MeetingSphere Inc, or if MeetingSphere Inc has not resolved Your or their complaint, please contact or visit ICDR®/AAA® for more information or to file a complaint under https://go.adr.org/privacyshield.html. An individual may be allowed to invoke binding arbitration to resolve disputes under certain limited conditions. The services of ICDR®/AAA® are provided at no cost to You or them.
11.5 Your obligations. While MeetingSphere is responsible for the technical security, availability, confidentiality and functionality of the Service, it falls on You to assure that the service is used in compliance with the GDPR, the principles of data secrecy and other regulations that may apply to you. This obligation includes but is not limited to the following sub-clauses of this clause 11.5:
11.5.1 Collection of Personal Data. You will collect Personal Data only with the User’s consent.
11.5.2 Authentication. You will set and enforce adequate authentication requirements and a separation of roles to protect the Personal Data and contributions of Your Users.
11.5.3 Data economy. You acknowledge that the Service is not a repository for the results and the minutes of meetings and will instruct Your Administrators and Licensed Users to delete Personal Data after it has served its purpose and apply the principles of data secrecy and economy through the Service’s automated procedures to remove inactive user accounts and old unused meetings which may hold participant lists.
11.5.4 Irregularities. You will instruct Your Administrators that any attempt to circumvent the Service’s protective measures and controls regarding the bulk extraction, profiling or transfer of Personal Data is a severe violation of this Agreement and may be a crime. You shall, without undue delay and in a comprehensive fashion, inform MeetingSphere of any defects and irregularities You may detect in the functioning of the Service regarding statutory regulations on Data Protection.
“Data Protection Officer” designates the MeetingSphere officer responsible for compliance with MeetingSphere’s contractual and legal obligations regarding data protection.
“GDPR” refers to the General Data Protection Regulation of the European Union.
“Grace Period” is the term measured in weeks or months for which a Meeting Center is preserved for renewal after the Meeting Center Subscription has expired.
“Licensed User” means a named individual who has been licensed personally through a User Subscription by the customer’s Subscription Administrators or Licensors to set up and run Meetings as a Host, Leader or Facilitator. Re-assignment of licenses from one individual to another is permitted after they have been held by the Licensed User for a year. Reassignment is also allowed to accommodate natural fluctuations of personnel or changes in individual job definitions. The re-assignment of licenses for sharing a limited number of licenses between a greater number of individuals is a severe breach of this agreement.
“Meeting Center” means the technical meeting environment in which Meetings are planned, executed and stored and for which a Meeting Center Subscription must be purchased.
“MeetingSphere” means MeetingSphere GmbH, a limited liability company registered in Hamburg HRB 153862 with offices at Efftingestrasse 28, 22041 Hamburg, Germany.
“MeetingSphere” also means the Software which is provided for use via the Service.
“MeetingSphere Inc” means MeetingSphere’s US subsidiary MeetingSphere Inc, 440 Monticello Ave, Ste 1875, Norfolk, VA 23510. For customers who choose to be served from MeetingSphere’s US data center (AWS Virginia) MeetingSphere Inc acts as an EU-U.S. Privacy Shield certified sub-processor of MeetingSphere.
“MeetingSphere Store” means MeetingSphere’s system used for transactions related to Meeting Center Subscriptions and User Subscriptions and for the provisioning of the Service.
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly. The MeetingSphere Service only collects the names, email address and organisation of users for the purpose of authenticating users at login and for identifying users in Meetings. MeetingSphere does not collect other identifiers such as identification numbers, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
MeetingSphere does not store Personal Data beyond its purpose and does not profile it. MeetingSphere does not share Personal Data with anyone unless required by law, subject to due legal process.
“Privacy Shield” means the frameworks designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
* The 'Terms and Conditions for the Software Service - International' apply to customers of Meeting Center (Cloud) and Managed Server (Cloud) served by MeetingSphere GmbH, Germany. The terms for personal cloud deployments (see Agreements) differ regarding the details of technical implementation.