DPIA on Webex for Dutch government

January 15, 2026
Privacy Company conducted a DPIA (Data Protection Impact Assessment) for CIO-Rijk on the national videoconferencing service called ‘Rijksvideodienst’, which enables all central government officials to make video calls. The Rijksvideodienst is built on Cisco's Webex public cloud service and is centrally managed (in a single tenant) by the Dutch Tax Administration.

Scope of the DPIA

The DPIA contains a technical analysis and legal assessment of the data processing through 7 specific Webex services:

  1. Webex Meetings (including personal and shared meeting rooms, and dial-in phone)
  2. Webex Presence (shows who is online)
  3. Webex Messaging (chat, similar to Teams)
  4. Slido (survey application, acquired by Cisco)
  5. Whiteboard application integrated in Webex
  6. Secure Messaging (ClamAV scans content such as hyperlinks and attachments for viruses, phishing, ransomware and malware)
  7. Webex Webinar (including recording with storage in the Cisco cloud); this functionality is only used for large meetings.

Five categories of personal data

This DPIA assesses the data protection risks for 5 categories of personal data:

  1. Content Data (chats, shared files, meeting (room) names, optional Avatar/profile pictures, webinar recordings), and possible future data processing via transcriptions and subtitling.
  2. Account Data
  3. Diagnostic Data (including audit logs for the admins, Telemetry Data and Cisco security logs)
  4. Support Data (support tickets with metadata on who filed a request and when)
  5. Website Data (both the 3 login websites admin.webex.com, rijksvideo.webex.com and user.webex.com, and the 2 publicly accessible sites trustportal.cisco.com and help.webex.com with relevant technical and legal information).

The DPIA does not contain a security risk analysis, nor an analysis of generative AI-services offered by Cisco as features of Webex, such as subtitling and transcriptions.

GDPR roles of Cisco, CIO-Rijk, BD and government organisations

CIO-Rijk and the government organisations that use Webex are joint controllers. The BD (the Dutch Tax Administration) acts as processor for CIO-Rijk and the government organisations, provides second line support, and manages the central settings and logs.

One of the key revisions in the amended data processing agreement is the explicit inclusion of the five categories of personal data, and the addition of an exhaustive list of compatible purposes for which Cisco is authorised to further process some personal data for its own legitimate business purposes, when strictly necessary. Such purposes include billing, aggregating data for Cisco’s internal management reports, and complying with legal obligations resting on Cisco. When processing some (pseudonymised) personal data for these purposes, Cisco qualifies as an authorised data controller.

Risks and measures

The DPIA identifies 20 risks to the protection of personal data. Most of these risks have been, or will be, mitigated by measures from Cisco. Other risks can be mitigated if the BD implements the recommended measures.

Cisco has already implemented some of the agreed measures, such as publishing a list with the Telemetry Data. In light of the relatively short timeframe in which Cisco will implement the remaining agreed mitigation measures, the Dutch government has a sufficiently concrete view of improvement, and the government organisations can be confident that they are sufficiently in control of the data processing.

In the interim, government organisations can implement additional policies if required, such as giving additional instructions to employees on when to enable E2EE for meetings, and on retention periods for chats and shared files.

Sjoera
Consultant