Video con­fe­ren­cing: Using Zoom in com­pli­an­ce with data pro­tec­tion law

Video con­fe­ren­cing ser­vice pro­vi­der Zoom has made adjus­t­ments to its pri­va­cy poli­cy fol­lowing an exchan­ge with SURF, an asso­cia­ti­on of Dut­ch edu­ca­ti­on and rese­arch insti­tu­ti­ons. In its new data pro­tec­tion impact assess­ment (DPIA), SURF the­re­fo­re con­clu­des that the­re are no gre­at data pro­tec­tion risks asso­cia­ted with the use of Zoom. For the trans­fer of per­so­nal data to third coun­tries, a data trans­fer impact assess­ment was also car­ri­ed out, which con­firms the exis­tence of appro­pria­te safe­guards for the data transfer.

The main actions agreed bet­ween SURF and Zoom are:

  • Deve­lo­p­ment of new data pro­tec­tion functions

Zoom will offer data loca­li­sa­ti­on solu­ti­ons and man­da­to­ri­ly enab­le pro­ces­sing in the EU of the per­so­nal data of Zoom’s Euro­pean cus­to­mers by the end of this year. Zoom will estab­lish an EU sup­port ser­vice by mid-2022. In case of requi­red assi­s­tance of a sup­port out­side the EU, the expli­cit con­sent of the cus­to­mer is requi­red. Zoom will impro­ve its abi­li­ty to hand­le and respond to requests for infor­ma­ti­on through two self-service tools for cor­po­ra­te and edu­ca­tio­nal account admi­nis­tra­tors. By the end of 2022, Zoom will build a self-service tool for everyone.

  • Impro­ved trans­pa­ren­cy and documentation

Zoom has publis­hed a Pri­va­cy Data Sheet (PDF), which pro­vi­des public docu­men­ta­ti­on on the pro­ces­sing of per­so­nal data and will be updated on an ongo­ing basis. A new data trans­fer impact assess­ment shows that data pro­tec­tion risks from third-country trans­fers for Zoom cus­to­mers are minor. Zoom has also cla­ri­fied that, in princip­le, the com­pa­ny its­elf is the con­trol­ler of all per­so­nal data. To the extent that edu­ca­tio­nal and busi­ness cus­to­mers use Zoom as a pro­ces­sor, Zoom is aut­ho­ri­sed by them to pro­cess some per­so­nal data under its own respon­si­bi­li­ty.

  • Impro­ving data pro­tec­tion practices

Zoom has cla­ri­fied and mini­mi­sed its prac­ti­ces for retai­ning per­so­nal cus­to­mer data. Zoom will imple­ment impro­ved privacy-by-design and default pro­ces­ses throughout the pro­duct deve­lo­p­ment lifecy­cle. Intern­al­ly, new employee trai­ning is being intro­du­ced to ensu­re impro­ved data pro­tec­tion by each indi­vi­du­al employee.

  • Joint con­ti­nuous eva­lua­ti­on of pro­gress at two-month intervals

In addi­ti­on to Zoom’s chan­ges, SURF advi­ses imple­men­ting addi­tio­nal mea­su­res on your own and ent­e­ring into new data pro­ces­sing agree­ments with Zoom. With the imple­men­ta­ti­on of the­se mea­su­res, cus­to­mers should be able to use Zoom for high­ly con­fi­den­ti­al com­mu­ni­ca­ti­ons and no lon­ger be expo­sed to the data pro­tec­tion risks pre­vious­ly clas­si­fied as high.

For this pur­po­se, SURF has publis­hed recom­men­da­ti­ons on appro­pria­te Zoom set­tings (PDF) (for admi­nis­tra­tors (PDF) as well as for end users and hosts (PDF)).

Prac­ti­cal impli­ca­ti­ons: Can Zoom be used in a GDPR-compliant manner?

When imple­men­ting Zoom, nume­rous data pro­tec­tion issu­es ari­se due to the pro­ces­sing of per­so­nal data. The DPIA from the Nether­lands, which has now been publis­hed, and our prac­ti­cal expe­ri­ence show that GDPR-compliant use of Zoom is pos­si­ble if cer­tain data pro­tec­tion mea­su­res are obser­ved. If you want to use Zoom in your com­pa­ny or a public body, the decisi­ve ques­ti­on is the­re­fo­re not whe­ther it can be used in a way that com­plies with data pro­tec­tion law, but rather what data pro­tec­tion mea­su­res are requi­red for GDPR compliance.

To ans­wer this, we recom­mend the fol­lowing five steps:

  • Con­duct a data pro­tec­tion impact assess­ment in accordance with Arti­cle 35 GDPR to iden­ti­fy data pro­tec­tion risks and necessa­ry reme­di­al mea­su­res, as well as for docu­men­ta­ti­on purposes.
  • Iden­ti­fy usa­ge sce­n­a­ri­os and deter­mi­ne groups of data sub­jects and cate­go­ries of data in order to be able to defi­ne pro­ces­sing ope­ra­ti­ons and pur­po­ses of processing.
  • Ensu­re a legal basis for all spe­ci­fied pro­ces­sing purposes.
  • Assess the risks to the rights and free­doms of data sub­jects based on the respec­ti­ve usa­ge scenarios.
  • Imple­ment tech­ni­cal and orga­ni­sa­tio­nal miti­ga­ti­on mea­su­res to mini­mi­se and eli­mi­na­te iden­ti­fied risks.


It is pos­si­ble to use Zoom in a way that com­plies with data pro­tec­tion regu­la­ti­ons, but this requi­res that con­trol­lers take acti­ve steps, imple­ment mea­su­res and, abo­ve all, docu­ment them. It remains to be seen whe­ther the natio­nal data pro­tec­tion aut­ho­ri­ties and the Euro­pean Data Pro­tec­tion Board will endor­se this view. Howe­ver, Zoom has once again demons­tra­ted its wil­ling­ness to make impro­ve­ments in the area of data pro­tec­tion and cyber­se­cu­ri­ty when jus­ti­fied cri­ti­cism is brought to the company’s atten­ti­on. Ger­man data pro­tec­tion regu­la­tors in par­ti­cu­lar should take note of this when con­si­de­ring issuing pro­duct warnings (only in Ger­man) or taking action against data con­trol­lers due to the use of Zoom in the future.


Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.