GDPR & Using Video Conferencing Services

June 29, 2021
Alina Krukova

Alina Krukova

Categories: Reviews

GDPR & Using Video Conferencing Services 1

The coronavirus pandemic has made significant changes in both personal and business communication. To keep work-life balance and stay afloat, most global companies have adopted the telecommuting strategy.

The rise of teleworking and remote collaboration technologies has made it easier than ever for the business community around the globe to maintain effective communication with nothing but desktops, laptops, and portable video-enabled devices connected to the Internet. That is, the nine-to-five lifestyle has turned into virtual workspace where teammates can seamlessly collaborate outside of the office using the same tools as in traditional workplaces.

Given today’s popularity of video conferencing apps, it shouldn’t be overlooked that entities handling any kind of sensitive data are responsible for keeping it safe and comply with the law issued in the European Union to protect personally identifiable information of its citizens. It’s about GDPR that came into force on May 25, 2018. Our overview below will help you understand the essence of this regulation and determine which GDPR articles may apply to your digital communications.

GDPR: What Does This Abbreviation Stand for?

GDPR stands for General Data Protection Regulation which can be considered as the set of rules that governs the way EU citizens can use, process, and store sensitive data, by which third parties can identify a particular person. This includes various kinds of information, from a person’s name, location, and IP address to marital status, political opinions, and biometric data.

Why is GDPR So Important?

Personally identifiable information is highly valuable, in fact, it supports a billion dollar industry worldwide. Some video conferencing services can collect and transmit these data to interested advertisers without your permission thus making money on your communication online. Plus, some vendors have only scratched the surface of security compliance when developing software, therefore, they expose users’ personal data to the threat of malware infections, phishing attacks, etc.

GDPR is that key piece of legislation that addresses the issue of insufficient data privacy when using video meeting solutions. Within its framework, there are 5 main roles:

  • Data subject (person whose data is collected)
  • Data controller (entity that gathers and stores personal data, for example, a business)
  • Data processor (entity that is hired by an enterprise to process data on their behalf, i.e. payroll company)
  • Supervisory authority (each EU country has its own supervisory authority to enforce GDPR within its territory)
  • Data protection officer (companies that process lots of personally identifiable information appoint this specialist to handle all their GDPR activities and paperwork)

GDPR applies not only to businesses in the European Union, but also to entities cooperating with them from another part of the world. It works the same way in reverse, i.e. if the company is actually located in the United States, and it has at least one customer from Europe, this set of articles still comes into force.

How GDPR Article 5 Regulates Video Conferencing?

Article 5 sets out the fundamental principles relating to the processing of personally identifiable information. When you start recording a video meeting you will be collecting personal data of its participants. Thus, you automatically become the data controller in GDPR terms which entails compliance with this article. This includes ensuring that you

  • collect and process only the data you need
  • process recordings fairly, lawfully, and in a transparent manner
  • store recordings securely and access to them is strictly limited

What it means: before choosing a video conferencing service, make sure its vendor stores recordings in a safe place, preferably on the servers based in the EU. Most cloud services don’t meet the requirements of Article 5 due to the lack of information about their server location and the high risk of violating confidentiality of the data stored there. Therefore, cloud apps for personal video communication, like Skype or Whatsapp, cannot provide the required level of security.

Security-conscious users should pay attention to self-hosted enterprise-grade solutions, e.g. TrueConf. This platform ensures reliable data privacy as all sensitive information is encrypted and stored on the company’s internal servers, so it cannot get leaked to third parties.

How GDPR Article 6 Regulates Video Conferencing?

The Article 6 states that video meeting participants should be warned in advance of possible data collection and session recording, as well as give their consent to these actions. It is also advisable for meeting administrator to draw their attention to the following:

  • When the camera and microphone are on, other attendees can see and capture your images.
  • Depending on user configurations, personally identifiable information may be available to other meeting participants.
  • If the screen is shared, any information it contains is visible and thus may be recorded. Close all content that is not required or use a second desktop with no shortcuts and files on it.

What it means: video conferencing service you’re using should offer a special setting that limits the ability to record meeting participants without their personal consent. For instance, this feature is implemented in TrueConf solution.

How GDPR Article 13 Regulates Video Conferencing?

Pursuant to Article 13, virtual event organisers should obviously notify prospective participants about personal data processing carried out exclusively within the framework of video conference.

What it means: before running video conferencing software, you should first check if this service offers all the necessary security protection tools. It is also advisable to review the Privacy and Cookie Policy of your chosen vendor to ensure that it fully complies with GDPR.

With TrueConf, you can set up the Privacy and Cookie Policy both for guest and internal conference pages which fully complies with the requirements of Article 13. Relevant information can be uploaded and configured by yourself through the control panel of your server instance. This enables users to join virtual events with notification of acceptance of the Privacy and Cookie Policy displaying where their personally identifiable data goes and how it is stored.

How GDPR Articles 15 & 17 Regulate Video Conferencing?

In terms of Articles 15 & 17, data subjects can request access to their personally identifiable information, e.g. meeting recordings or chat transcripts. Plus, they can request the deletion of the user account and personal data it contains at any time.

What it means: уou have the right to request the deletion of your personal data at any moment. The video conferencing provider is obliged to fulfil your request within 30 days. With TrueConf on-premises platform, such requests can be swiftly fulfilled by your own administrator, since all data is stored locally on the company’s server and no user information gets to the vendor.

How GDPR Article 28 Regulates Video Conferencing?

Video conferencing vendors are actually service providers that process and store customers’ personal information, i.e. they are data controllers. Under Article 28, businesses are obliged to use only video conferencing services that are GDPR-compliant.

What it means: before using cloud-based software, you should find the relevant data processing agreement (DPA) on providers’ website or receive it on request, and then both parties should accept its terms. With self-hosted video conferencing solutions, like TrueConf, you don’t need to search for DPA as all information is stored on your server without being transferred to another data storage.

How GDPR Article 32 Regulates Video Conferencing?

Article 32 states that organisations should apply technical privacy measures to protect sensitive personal data from eavesdropping and leakage during online communication.

For example, two-factor message authentication is to be applied to mobile devices processing and storing personally identifiable information of the users of video conferencing apps. Such security-enhancing tools as end-to-end encryption, multi-level access controls, and data segregation should also be provided to prevent outsiders from violating users’ privacy.

What it means: from the technical point of view, cloud-based software, like Zoom or Skype, may lack security features such as access control and content segregation. Therefore, they cannot fully comply with the requirements of Article 32.

Unlike cloud-based apps, on-premises platforms, like TrueConf, are centralised solutions where the database is hosted within your company’s network and is not transferred anywhere. Accordingly, it is your server administrator who is responsible for safeguarding personally identifiable information and ensuring its inaccessibility to outsiders.

TrueConf implements multi-level data protection by assigning a unique ID to each video conference, mandatory authorization access, and end-to-end encryption of media streams. To achieve more privacy, you can enable Meeting Lock and thus prevent unexpected attendees from joining your current session.

How to Keep Video Conferencing GDPR Compliant?

Now that you’ve already known the essence of key GDPR articles regarding online communicating, you can clearly see that TrueConf meets its requirements in all respects. We prioritize respecting the privacy rights of our users and take all the necessary measures to protect their personally identifiable information. Our self-hosted unified communications platform features a wide range of complex action tools ensuring:

  1. Reliable data protection. Each virtual event is assigned a unique ID password, and video & audio streams are encrypted using AES-256. Public video conferences can be closed for guests, while private sessions cannot be accessed without mandatory authorization. Single-port operation provides total safety of your virtual communication on a hardware level.
  2. Comprehensive data privacy.No one knows the exact location of the servers used by cloud-based services to store user data. Therefore, there is always a threat of leakage or unauthorized access by video conferencing vendor staff. TrueConf on-premises solution securely operates over LAN/VPN and without Internet connection which excludes the possibility of such a risk.

We hope the above facts will greatly facilitate your choice of video conferencing vendor that fully complies with the General Data Protection Regulation and keeps sensitive data as secure as possible. With TrueConf, your personally identifiable information is always in safe and, most importantly, GDPR-compliant hands!

Our Customers Trust Us


Sign up for newsletter