Why Your Zoom Meeting May Not Be Compatible With GDPR

The world has changed significantly in the past 18 months when it comes to how people interact. Video conferencing, once a niche for purposes of business meetings, has become ubiquitous. The timing of that change coincided with last year’s Schrems II decision, which struck down the Privacy Shield Framework that many companies relied on to transfer data between the European Union and United States. Companies have struggled to keep up with the evolving data privacy landscape and now, a data protection watchdog in Germany has warned the Senate Chancellery of Hamburg to avoid using Zoom as its video conferencing software is now incompatible with the EU’s GDPR.

Why is Zoom on regulators’ radars?

A new press release from the Hamburg Commissioner for Data Protection and Freedom of Information warns members of the German government not to use the on-demand version of Zoom. The stated rationale is that Schrems II prevents businesses in the EU from carrying out data transfers to non-EU businesses, and that Zoom violates GDPR as the software transmits personal data to the US.

What is Zoom’s position?

In response, Zoom has stated that it will sign Standard Contractual Clauses (“SCCs”) with customers in Europe as well as take additional safeguards to protect their data in such a way that it lives up to the standards laid out under GDPR. However, it should be noted that Zoom has a history of questionable practices related to GDPR compliance, and it remains to be seen whether their usage of SCCs can be scaled in a manner commensurate with their global footprint.

What do businesses need to know?

If you’re conducting video conferencing meetings with participants in the EU, and especially if you are recording such meetings, you should take a few steps to ensure that you’re in compliance with GDPR, including:

• Utilizing a platform that is considered to be GDPR complaint.
• Checking the wording of your privacy policy to ensure it covers your intended use of the information and identifies the appropriate lawful basis you are relying on.
• Including in your work policies and staff handbook your policy on the recording of video-conferences. In addition, have all staff who may conduct such meetings received training in how to carry out the meeting lawfully?
• Considering carrying out a mini-DPIA to demonstrate that that all potential risks have been considered and how those risks will be mitigated.
• Signposting your privacy policy to participants in advance, and at the start of the meeting request their verbal consent to record the session.
• Keeping records of your decisions to record meetings so that you can demonstrate you are complying with GDPR.

Ensure compliance with your obligation to process data lawfully and fairly.