GDPR Compliance in Video Conferencing

June 29, 2021
Alina Krukova

What is GDPR?

The General Data Protection Regulation (GDPR) marks a considerable transformation in data privacy frameworks, seeking to align protection standards throughout the European Union (EU) and strengthen citizens’ control over their personal data. Introduced by authorities, the regulation compels organizations to follow rigorous rules when storing personal data.

Operational since 25 May 2018, the GDPR affects any institution managing user records within the EU, regardless of geographic base. Thus, even companies beyond EU boundaries must observe the law if they provide offerings or track the activity of European citizens.

This regulation emphasizes the value of openness, resilience, and liability in data processing workflows. Businesses are instructed to adopt reliable technical and administrative controls to maintain data privacy and respect user rights.
Failure to adhere to GDPR could trigger major sanctions, such as fines reaching €20 million or 4% of a firm’s worldwide yearly revenue, whichever is greater. Such rigorous enforcement showcases the region’s dedication to defending private records in the era of technology.

Why is GDPR So Important?

Personally identifiable information is highly valuable; in fact, it supports a billion-dollar industry worldwide. Some video conferencing services can collect and transmit this data to interested advertisers without your permission, thus making money on your online communication. In addition, some vendors have only scratched the surface of security compliance when developing software and therefore expose users’ personal data to threats such as malware infections and phishing attacks. Incorporating examples of client testimonials can be a powerful way to build trust and credibility, especially when dealing with sensitive data and GDPR compliance. By highlighting positive feedback from clients who have successfully navigated GDPR regulations using your services, you can reassure potential customers of your commitment to data protection and compliance.


GDPR is the key piece of legislation that addresses the issue of insufficient data privacy when using video meeting solutions. Within its framework, there are 5 main roles:

  • Data subject (person whose data is collected)
  • Data controller (entity that gathers and stores personal data, for example, a business)
  • Data processor (entity that is hired by an enterprise to process data on its behalf, e.g. a payroll company)
  • Supervisory authority (each EU country has its own supervisory authority to enforce GDPR within its territory)
  • Data protection officer (companies that process lots of personally identifiable information appoint this specialist to handle all their GDPR activities and paperwork)

GDPR applies not only to businesses in the European Union, but also to entities cooperating with them from another part of the world. Obtaining GDPR cookie consent is a crucial step in ensuring that companies collect and process personal data from their website visitors or customers in a transparent and lawful manner. It works the same way in reverse, i.e. if the company is actually located in the United States, and it has at least one customer from Europe, this set of articles still comes into force.

How to Keep Video Conferencing GDPR Compliant?

Ensuring GDPR alignment within video collaboration platforms involves a layered strategy that emphasizes information safeguarding and personal rights. To satisfy these obligations:

    • Prevent private collection of content and highlight openness
      Vendors and businesses should avoid collecting private information, whether related to customers, employees, or contractors, for unauthorized intentions or interests. This guideline emphasizes the importance of clear processing rules during video interactions, helping to ensure that users’ privacy freedoms are maintained.
    • Protect meeting archives with limited permissions
      Video conferencing session archives must be protected using robust measures to reduce the risk of illicit access or data leaks. Permission to reach these stored sessions should only be given to certified team members, such as a Data Privacy Manager.
    • Provide valid reasons for international information movement
      While engaging in cross-national data movement, especially with vendors situated beyond the EU or region, one must clearly present justified legal grounds for such flows. Maintaining secure data during international handling is critical for fulfilling compliance responsibilities.

Why TrueConf Server is GDPR-Compliant

TrueConf Server is designed with a strong focus on privacy, security, and data control, making it fully aligned with the core principles of the General Data Protection Regulation (GDPR):

Self-Hosted Architecture

TrueConf Server is deployed on-premises, within the organization’s own IT infrastructure. This ensures that all personal data is stored and processed locally, without involving third-party cloud providers, enabling full control over data access and protection.

Data Minimization and Purpose Limitation

The platform collects only the data necessary for video conferencing services and does not use personal information for unintended purposes. All data processing is transparent and limited to legitimate business needs.

User Consent and Control

TrueConf provides organizations with tools to obtain and manage user consent, in line with GDPR requirements. Users have the ability to access, rectify, or delete their personal data upon request.

Access Management and Security

Access to personal data and recordings is strictly controlled through role-based permissions. All data is encrypted in transit and at rest, preventing unauthorized access or data leaks.

No Data Transfers Outside the EU

Because TrueConf Server runs on local infrastructure, no personal data is transferred outside the EU/EEA, avoiding the complexities and risks associated with international data transfers.

Audit Logs and Accountability

TrueConf Server maintains detailed audit logs, enabling organizations to track data processing activities and demonstrate compliance during audits.

We hope the above facts will greatly facilitate your choice of video conferencing vendor that fully complies with the General Data Protection Regulation and keeps sensitive data as secure as possible. With TrueConf, your personally identifiable information is always in safe and, most importantly, GDPR-compliant hands!

FAQ

How Does GDPR Article 5 Regulate Video Conferencing?

Article 5 sets out the fundamental principles relating to the processing of personally identifiable information. When you start recording a video meeting, you will be collecting personal data of its participants. Thus, you automatically become the data controller in GDPR terms, which entails compliance with this article. This includes ensuring that you

  • collect and process only the data you need
  • process recordings fairly, lawfully, and in a transparent manner
  • store recordings securely and strictly limit access to them

What it means: before choosing a video conferencing service, make sure its vendor stores recordings in a safe place, preferably on servers based in the EU. Most cloud services don’t meet the requirements of Article 5 due to the lack of information about their server location and the high risk of violating confidentiality of the data stored there. Therefore, cloud apps for personal video communication, like Skype or WhatsApp, cannot provide the required level of security.

Security-conscious users should pay attention to self-hosted enterprise-grade solutions, e.g. TrueConf. This platform ensures reliable data privacy as all sensitive information is encrypted and stored on the company’s internal servers, so it cannot get leaked to third parties.

How Does GDPR Article 6 Regulate Video Conferencing?

Article 6 states that video meeting participants should be warned in advance of possible data collection and session recording, and should give their consent to these actions. It is also advisable for the meeting administrator to draw their attention to the following:

  • When the camera and microphone are on, other attendees can see and capture your images.
  • Depending on user configurations, personally identifiable information may be available to other meeting participants.
  • If the screen is shared, any information it contains is visible and thus may be recorded. Close all content that is not required or use a second desktop with no shortcuts and files on it.

What it means: the video conferencing service you’re using should offer a special setting that limits the ability to record meeting participants without their personal consent. For instance, this feature is implemented in the TrueConf solution.

How Does GDPR Article 13 Regulate Video Conferencing?

Pursuant to Article 13, virtual event organisers should clearly notify prospective participants about personal data processing carried out exclusively within the framework of the video conference.

What it means: before running video conferencing software, you should first check if this service offers all the necessary security protection tools. It is also advisable to review the Privacy and Cookie Policy of your chosen vendor to ensure that it fully complies with GDPR.

With TrueConf, you can set up the Privacy and Cookie Policy both for guest and internal conference pages which fully complies with the requirements of Article 13. Relevant information can be uploaded and configured by yourself through the control panel of your server instance. This enables users to join virtual events with notification of acceptance of the Privacy and Cookie Policy displaying where their personally identifiable data goes and how it is stored.

How Do GDPR Articles 15 & 17 Regulate Video Conferencing?

Under Articles 15 & 17, data subjects can request access to their personally identifiable information, e.g. meeting recordings or chat transcripts. They can also request the deletion of their user account and the personal data it contains at any time.

What it means: you have the right to request the deletion of your personal data at any moment. The video conferencing provider is obliged to fulfil your request within 30 days. With the TrueConf on-premises platform, such requests can be swiftly fulfilled by your own administrator, since all data is stored locally on the company’s server and no user information gets to the vendor.

How Does GDPR Article 28 Regulate Video Conferencing?

Video conferencing vendors are actually service providers that process and store customers’ personal information, i.e. they are data controllers. Under Article 28, businesses are obliged to use only video conferencing services that are GDPR-compliant.

What it means: before using cloud-based software, you should find the relevant data processing agreement (DPA) on the provider’s website or receive it on request, and then both parties should accept its terms. With self-hosted video conferencing solutions, like TrueConf, you don’t need to search for a DPA as all information is stored on your server without being transferred to another data storage.

How Does GDPR Article 32 Regulate Video Conferencing?

Article 32 states that organisations should apply technical privacy measures to protect sensitive personal data from eavesdropping and leakage during online communication.

For example, two-factor message authentication is to be applied to mobile devices processing and storing personally identifiable information of the users of video conferencing apps. Such security-enhancing tools as end-to-end encryption, multi-level access controls, and data segregation should also be provided to prevent outsiders from violating users’ privacy.

What it means: from the technical point of view, cloud-based software, like Zoom or Skype, may lack security features such as access control and content segregation. Therefore, they cannot fully comply with the requirements of Article 32.

Unlike cloud-based apps, on-premises platforms, like TrueConf, are centralised solutions where the database is hosted within your company’s network and is not transferred anywhere. Accordingly, it is your server administrator who is responsible for safeguarding personally identifiable information and ensuring its inaccessibility to outsiders.

TrueConf implements multi-level data protection by assigning a unique ID to each video conference, mandatory authorization access, and end-to-end encryption of media streams. To achieve more privacy, you can enable Meeting Lock and thus prevent unexpected attendees from joining your current session.
