Video call tools enjoy great popularity; the coronavirus pandemic and working from home have made them indispensable. But what about GDPR compliance? We show you how to use Zoom and Co. safely. […]
In most cases, these are American tools such as GotoWeb, WebEx, Teams or Zoom. Their servers are usually located in the USA, which of course conflicts with Schrems II, since at a minimum the login data held on those servers are personal data. Beyond login data such as name and email address, however, entire video streams are sometimes recorded. In practice, therefore, there is usually a violation of the Schrems II judgment of the ECJ. But what is Schrems II? On 16 July 2020, the European Court of Justice (ECJ) ruled in the “Schrems II” case (C-311/18) that the EU-US Privacy Shield Decision was invalid. Standard contractual clauses (SCCs) can still be used for data transfers to the USA, but merely concluding such a contract is not sufficient. The same applies to binding corporate rules (BCRs). Such standard contractual clauses rarely exist in practice, and they are only valid if they have been agreed between the tool manufacturer and the end customer.
Teams is an exception in that it is an extension of Office 365, and Microsoft states that the servers for EU citizens are located in Frankfurt. Whether this can be proven should it ever come to a dispute remains to be seen. An alternative known to us is Chatify.com. This Austrian tool ensures that its servers are actually located in Frankfurt.
Recipients are disclosed
Video tools are characterized by the fact that participants in a video conference can be invited via the tool itself. As we were able to see for ourselves recently after an incident at a customer, Teams sends such invitations via distribution lists. However, these lists are not sent as bcc, but as cc. In plain language, this means that every recipient can see who has been invited to this video conference.
This is of course not intended, but it nevertheless constitutes a data protection incident. There is a workaround: send the invitations not via Teams, but manually, using bcc.
Recording of web conferences
Recordings of video sessions must be classified as critical. They are only permitted if consent is obtained as part of the invitation to the web meeting. Alternatively, it must be expressly pointed out that participants who do not agree must switch off their camera and microphone. Whether this approach holds up legally is doubtful, since the notice would have to be repeated every time a new participant joins the session.
The server location problem
Server locations outside the EU are only permissible if they are in secure third countries. According to the adequacy decisions of the EU Commission, these currently include Andorra, Argentina, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, Canada, New Zealand, Switzerland and Uruguay.
Using Zoom in a GDPR-compliant way
“Zoom”, for example, is often used for video conferences and/or webinars. “Zoom” is a service of Zoom Video Communications, Inc., which is based in the USA. Zoom's so-called “EU” cluster can be set up and used in advance. Communication content of meeting participants is then processed exclusively in data centers in the European Union, and data on past meetings and participants is also stored in the EU. Wherever technically possible, end-to-end encryption between the participants is used as an additional data protection measure. This measure ensures that only participants in the meeting can access the content of the communication (the transferred data).
End-to-end encryption (E2EE) is available for both Zoom and WebEx. Microsoft has announced an “upcoming” E2EE option for its Teams platform. With end-to-end encryption, the data is already encrypted on the “sender's” device and is only decrypted again on the target devices; the keys used are known only to the participants. The provider's server, which acts as an intermediary between the participants, is therefore no longer able to decrypt the content of the communication (the transferred data). From today's point of view, the cryptographic methods used amount to secure, GDPR-compliant data transmission between sender and recipient.
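To make the property described above concrete, here is an added example (not code from the original article or from any of the vendors mentioned) that models one media frame passing through an E2EE meeting. It assumes a meeting key that has already been agreed among the participants' devices (the key-agreement step is not shown; the key is simply generated locally), uses AES-256-GCM as the encryption method, and binds a constructed meeting identifier ("meeting-42") to each frame as associated data. The relay server only ever handles the sealed bytes, and a decryption attempt with any key other than the participants' key fails authentication.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewMeetingKey returns a fresh 256-bit AES key. In a real E2EE meeting this
// key is agreed among the participants' devices and never sent to the relay
// server; for this illustration it is simply generated locally.
func NewMeetingKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealFrame encrypts one media frame on the sender's device with AES-256-GCM.
// The meeting ID is bound as associated data, so a frame cannot be replayed
// into a different meeting. Output layout: nonce || ciphertext || GCM tag.
func SealFrame(key, frame []byte, meetingID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, frame, []byte(meetingID)), nil
}

// OpenFrame decrypts and authenticates a sealed frame on a receiving device.
// It fails if the key is wrong, the bytes were modified in transit, or the
// meeting ID differs from the one used when sealing.
func OpenFrame(key, sealed []byte, meetingID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed frame too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(meetingID))
}

// RelayLeaksPlaintext models what the provider's server can learn: it only
// forwards bytes. It reports whether the plaintext is visible inside the sealed
// frame, so the claim can be checked rather than assumed.
func RelayLeaksPlaintext(sealed, frame []byte) bool {
	return bytes.Contains(sealed, frame)
}

func main() {
	key, _ := NewMeetingKey()
	frame := []byte("constructed sample audio frame") // constructed input
	sealed, _ := SealFrame(key, frame, "meeting-42")
	fmt.Println("relay sees plaintext:", RelayLeaksPlaintext(sealed, frame))

	plain, err := OpenFrame(key, sealed, "meeting-42")
	fmt.Printf("participant decrypts: %q (err=%v)\n", plain, err)

	// The server holds no participant key; any key it might hold fails.
	serverKey, _ := NewMeetingKey()
	_, err = OpenFrame(serverKey, sealed, "meeting-42")
	fmt.Println("server-side decryption rejected:", err != nil)
}
```

The design point is that the provider's ability to forward the stream and its ability to read it are separated by the key: the relay needs neither the key nor the plaintext to do its job, and the GCM tag additionally lets a participant detect any modification made in transit.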
On the downside, however, it should be noted that there are functional limitations when using the E2EE option, and Zoom requires the use of the “Zoom Desktop Client”, “Mobile App” or “Zoom Rooms” from version 5.5. Currently, the features “Join before host”, “Cloud recording”, “Livestreaming”, “Live transcription”, “Breakout rooms” and “Polls” are deactivated. In general, Zoom requires registration, and at least the registration data is stored, as data necessary for operation, on servers in the USA.
Example Zoom disclaimer for GDPR compliance
The following text is an example of a disclaimer:
“We have concluded a data processing agreement with “Zoom”, including the EU standard contractual clauses. For the processing of “operational data” in the USA and for the processing of personal data in support cases, the level of protection is guaranteed by the use of the above-mentioned EU standard contractual clauses.
Incidentally, the legal basis for the use of “Zoom” is Art. 6 para. 1 lit. b) GDPR. In the case of (rare) “open webinars”, it is Art. 6 para. 1 lit. f) GDPR, unless a contractual relationship has arisen regarding participation in the webinar. In that case, our interest lies in conducting the webinar.”