Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1627
Views
0
Helpful
6
Replies

DSGVO Auftragsdatenverarbeitungsvertrag / GDPR dsgvo processor contract

BenHun
Level 1
Level 1

‎04-18-2020 07:50 AM

Hi there,

 

Im new to Cisco and I try to use Cisco Webex Meetings for my Webinar Events. The functions seem to be great, I would like to use the normal business edition for around 12€ per month.

 

Unfortunately Im not able to find something substantial about this DSGVO in the FAQ and this Forum. There is a need to create a data processor and data processing agreement to meet the requirements.

 

Thank you very much in Advance, I hope, its the right board?

 

The Article https://www.cisco.com/c/en/us/about/trust-center/gdpr.html does not help. Could somebody help

 

Labels:
0 Helpful
6 Replies 6

Fritz_H
VIP Alumni
VIP Alumni

‎04-18-2020 10:59 AM

allow me to add some info, perhaps to avoid misunderstandings:

@BenHun is looking for this:  https://gdpr.eu/what-is-data-processing-agreement/

This DPA is mandatory for every company who "processes" personal data
from any other source than the own company - especially if it´s personal-data of the clients of a client. 
(hard to explain in a foreign language...)

This also affects subsidiary companies, for example:
* Cisco-Germany has to have such an agreement with Cisco-USA in case e.g. the
Cisco-HR-Employee-Database is hosted / provided by Cisco-USA...

* or: if the Client-Database of Cisco-Germany is hosted by anyone other than Cisco-Germany itself.

* or: dentist "A" stores the patient´s personal data (name, address, medical information..) in a cloud-storage provided by Company "B".  According to the GDPR the dentist has to have a DPA by Cloud-Company "B" where "B" promises to handle all Data provided by the dentist "A" according to the GDPR.
This is to ensure, that the patient´s rights* to govern over his/her data is still in place, even if the data is processed by a third party.

* Rights:
The right to be informed how personal data are used
The right of access to personal data organizations are holding
The right to correct personal data that’s inaccurate or incomplete
The right to request the deletion of personal data under certain circumstances
The right to restrict or pause the processing of data if there are irregularities
The right to have an organization send personal data it holds to other companies
The right to object to data processing
The right to protection from harmful automated decision-making processes
https://gdpr.eu/what-the-regulation-means-for-everyday-internet-user/


To keep the amount of paperwork low, it became best practise for Service-Provides to offer a prepared DPA for the clients.

here is a (german) example of an Austrian telecommunication-Provider:  https://cdn12.a1.net/m/resources/media/pdf/EK-BSV.pdf


If Cisco can not provide such an agreement it´s possibly illegal by GDPR
to use Cisco-Services that in any way "process" personal data.

Fritz

0 Helpful

BenHun
Level 1
Level 1
In response to Fritz_H

‎04-20-2020 01:46 PM

Thank you, that‘s the point. 

It seems every single Service is not GDPR-conform, but I hope to get some information that proofs. Isco Webex to be GDPR-conform...

 

Danke, wirklich schwierig, diese Problematik, die schon in deutscher Sprache kompliziert ist, auf Englisch darzustellen. Also nochmals vielen Dank für die Ergänzungen!

0 Helpful

Fritz_H
VIP Alumni
VIP Alumni
In response to BenHun

‎04-21-2020 01:42 AM

@BenHun 

I just wanted to explain the background of your request a little more.

But on the other hand: the GDPR is only a concern when handling personal data.

As long as you share just the names and the business-eMail-Addresses of your Partners with Cisco
(for sending webex-invitations etc.)  I do not see a reason for concern since that´s the same data
which is already openly available on your partners web-pages or printed on business-cards, invoices etc.

Next step: data-sharing during webex-meetings:
for joining as guest nobody has to enter his/her real name and eMail-Address -
it´s just required to help you to identify the attendees.
Even if your partners subscribe to a (free) webex-Account: Cisco only asks for their (business) eMail-Addresses. 
(see above #business-card)
Since audio- and video-data is not stored by Cisco, this part of the transmission also is no issue.
(but! using the webex-recording-feature may cause far more problems than just GDPR.
e.g. in Austria the use of dashcams in cars is forbidden because of data privacy)

Last part: file-sharing (either during a Webex-Meeting or using Webex-Teams):
if you share a file containing personal data: big issue!
if you share e.g. excel-sheets with calculations: no (GDPR-) issue - but perhaps a data-protection-issue
between you and your business-partners (how to protect sensitive business-information?)

kind regards
Fritz

0 Helpful

BenHun
Level 1
Level 1
In response to Fritz_H

‎04-21-2020 12:49 PM

Thank you.

Problem: Its about personal data from my customer, not from business partner. I need to do special webinare to keep my business alive. But you are right, Cisco does not aks for lot of data (officially). But Cisco needs to make clear, what data exactly Cisco collects and saves from the User, especially while using free acounts/entering conference rooms.

Could please somebody from Cisco answer this important question? Or does anybody know, if such a contract is available paid plans?

Best regards
Ben

(PS: Please excuse my poor english)



0 Helpful

Fritz_H
VIP Alumni
VIP Alumni
In response to BenHun

‎04-21-2020 02:19 PM

@BenHun 
Anonymized meta-data which Cisco maybe is collecting is not part of the GDPR:

when did someone connect, how long did the meetings take, how many participants, etc.

No Cisco does not have to make the usage of this data public because another company - based in Redmond...
you know the name..those who committed the crime called "Windows 10"...
....collect your data 24/7 and the EU does not care.

AFAIK: The GDPR covers the protection of personal data and its processing and the owners rights.
Statistical and anonymized data Cisco is perhaps collecting from their own servers is not affected - in my POV.

Far more important: which content is actively shared using Cisco-Services?
If your Client wants to share e.g. HR-Data with Webex: that´s in fact a problem.
In this case you (your Client) need to have a DPA.

Does your Client allow WhatsApp on the Company-Phones (without a MDM-Solution that offers containerization...) ?
If it does: forget about the GDPR - they are already in hell.

0 Helpful

BenHun
Level 1
Level 1
In response to Fritz_H

‎04-22-2020 01:14 PM

Yes, Whatsapp is not GDPR conform and thereby erased from my business phones.

My Customer/Clients will be various private Person who will do Online Spirittastings with me.

Your point about collecting anonymised data and not personal data by Cisco could be GDPR could be no problem in this case. But if they collect more Data and/or personal data, you need to have this Contract. See for example Webspace Hosting Companies, good ones always provide those processor contracts...

It would be so great if somebody from Cisco would answer this post or my 2 mails...






0 Helpful
Customers Also Viewed These Support Documents