Zoom Video Communications, Inc.
Global Data Processing Addendum
(e) Diagnostic Data, including but not limited to: Data from applications (including
browsers) installed on End User devices (“Telemetry Data”), Service generated
server logs (for example meeting metadata and End User settings) and internal
security logs that are generated by or provided to Zoom by, or on behalf of,
Customer through use of the Services as further defined in Annex I of the
Standard Contractual Clauses).
1.7 “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.8 “Legitimate Business Purposes” means the exhaustive list of specific purposes for which
Zoom is allowed to process some Personal Data as a Controller as specified in Section 2.4.
1.9 “Personal Data” means any information relating to a Data Subject; an identifiable natural
person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural
or social identity of that natural person. This includes any special categories of Personal Data
defined in Art. 9 of the UK GDPR, data relating to criminal convictions and offences or related
security measures defined in Art. 10 of the UK GDPR and national security numbers defined
in Art. 87 of the GDPR and national supplementing law.
1.10 “Processor” means the entity that processes Personal Data on behalf of the Controller.
1.11 “Personal Data Breach” means a breach of security which results in the accidental or
unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer
Personal Data Processed by Zoom or Zoom's Authorized Subprocessor.
1.12 “Process” or “Processing” means any operation or set of operations which is performed
upon Personal Data or sets of Personal Data, whether or not by automatic means, such as
collection, recording, organization, storage, adaptation or alteration, retrieval, consultation,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure, or destruction. For the avoidance of doubt: This includes
processing of Personal Data to disclose, aggregate, pseudonymise, de-identify or anonymize
Personal Data, and to combine Personal Data with other Personal Data, or to derive any data
or information from such Personal Data.
1.13 “Services” means the Zoom Services as set forth in the Agreement or associated Zoom order
form.
1.14 “Specific US State Data Protection Law” means the California Consumer Privacy Act of 2018,
as amended by the California Privacy Rights Act of 2020, and any regulations promulgated
thereunder (“CCPA”); the Colorado Privacy Act of 2021; the Virginia Consumer Data
Protection Act of 2021; the Utah Consumer Privacy Act of 2022, as amended; and any other
US state law that may be enacted that adheres to the same or substantially the same
requirements of the aforementioned laws in this definition.
1.15 “Standard Contractual Clauses” means: (i) where the GDPR applies the contractual clauses
annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on
standard contractual clauses for the transfer of Personal Data to third countries pursuant to
Regulation EU 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii)
where the UK GDPR applies, the “International Data Transfer Addendum to the EU
Commission Standard Contractual Clauses” issued by the Information Commissioner under
s.119A1 of the Data Protection Act 2018 (“UK Addendum”); and (iii) where the Swiss DPA
applies, the applicable standard data protection clauses issued, approved or otherwise
recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”)
(the “Swiss SCCs”).
Zoom Global Data Processing Addendum March 2023 Page 2 of 39