Data Protection in Virtual Meetings: Criteria for Selecting GDPR-Compliant Conference Tools


Virtual conferencing technologies have become increasingly important for remote work, especially for communicating with customers and partners and for organizing conferences. The COVID-19 pandemic and the resulting travel restrictions as well as social distancing have changed communication and working practices. However, data protection regulations are especially important when selecting conference technologies, as there are risks such as eavesdropping by third parties, unauthorised recordings and data protection breaches due to the transmission of personal data. This blog post discusses how to find the right conferencing technology for virtual meetings and conferences in compliance with the General Data Protection Regulation (GDPR).

The list of conference and communication tools is long. In addition to well-known and established conference technologies such as Zoom or Cisco, there are live streaming platforms such as YouTube Live or Vimeo, interactive platforms such as Slack, Microsoft Teams or Mural, and VR platforms such as Gather.town, Workadventure or SpatialChat. When implementing these tools, different requirements and settings must be met with regard to data protection.

Location and Provider of the Tool

A primary consideration when selecting a suitable tool is the location and provider. In general, EU-based services and providers are preferable, as they are directly subject to the GDPR requirements.

On-Premise Solutions


On-premise solutions (also known as 'self-hosted'), where the video conferencing software runs on your own servers, are also recommended. These solutions offer the advantage of full control over the data, ensuring compliance with all data protection regulations.

Providers outside the EU

If you use services from providers outside the EU – for example from the United States – it is important to ensure that the level of data protection in these countries meets the requirements of the GDPR (Art. 44 to 49 GDPR). There are several approaches to this:

  • EU Commission Adequacy Decisions: The EU Commission has established an 'adequate' level of data protection for certain locations, for example Switzerland, New Zealand, Andorra, Argentina, Japan, Canada and Israel.
  • Standard Contractual Clauses (SCC): If there is no adequacy decision, compliance with an equivalent level of data protection must be contractually established. SCCs are contractual clauses specified by the EU Commission to ensure that an adequate level of data protection is maintained when transferring personal data to non-EU countries.

Data Processing Agreement (DPA) According to Art. 28 GDPR

Providers of video conferencing tools are generally considered data processors. As such, they are service providers that process personal data of customers or employees according to instructions. You must conclude a data processing agreement (pursuant to Art. 28, 29 GDPR) with the provider of your video conferencing tool, as this agreement governs the processing of participants' personal data.

A DPA sets out, among other things, the standard contractual clauses and appropriate technical and organizational measures (TOMs). TOMs are measures that ensure the protection of personal data. These include encryption, access controls, and backup procedures.

It is essential to consult your organization’s data protection officers to ensure all requirements are met.

Involvement of the Works Council in the Use of Online Conference Tools

If a works council or staff council exists, it must be involved if the online conference tool can monitor employee participation or login data. This is mandatory according to § 87 Para. 1 No. 6 BetrVG.

Data Protection Notices

You are required to inform participants about the purposes, types, and scope of processing their personal data according to Art. 12, 13 GDPR. It is advisable to integrate this information into the regular privacy policy and provide it via a link on login pages or in invitations to online meetings.

In the privacy policy, you should provide information about the use of video conferencing services and the associated processing of personal data. This includes information on the following points: tools used, contact details of the data protection officers, purpose of data processing, provider's address, data storage period, information on the DPA with the service provider, etc.

This article cannot replace data protection counselling in individual cases. The verification should therefore be carried out by an expert. Involve your organisation's data protection officer prior to using conferencing and communication tools.

Conclusion

When organised and used correctly, conferencing or communication technologies can contribute to efficient work organisation, especially in times when working from home and virtual communication have become the standard. The careful selection and implementation of these tools, considering data protection regulations such as the GDPR, are essential to minimize legal risks and maintain participants' trust.

Consultation and Support

Do you have a specific event planned and need support?

We are happy to advise you in a personal conversation on all aspects of virtual and hybrid events, whether for general brainstorming, developing specific event formats, or solving a problem.

... works as Research Assistant in the Lab Non-Textual Materials at TIB.