Video conferencing: Using Zoom in compliance with data protection law

Video conferencing service provider Zoom has made adjustments to its privacy policy following an exchange with SURF, an association of Dutch education and research institutions. In its new data protection impact assessment (DPIA), SURF therefore concludes that there are no great data protection risks associated with the use of Zoom. For the transfer of personal data to third countries, a data transfer impact assessment was also carried out, which confirms the existence of appropriate safeguards for the data transfer.

The main actions agreed between SURF and Zoom are:

  • Development of new data protection functions

Zoom will offer data localisation solutions and mandatorily enable processing in the EU of the personal data of Zoom’s European customers by the end of this year. Zoom will establish an EU support service by mid-2022. If assistance from support staff outside the EU is required, the explicit consent of the customer is required. Zoom will improve its ability to handle and respond to requests for information through two self-service tools for corporate and educational account administrators. By the end of 2022, Zoom will build a self-service tool for everyone.

  • Improved transparency and documentation

Zoom has published a Privacy Data Sheet (PDF), which provides public documentation on the processing of personal data and will be updated on an ongoing basis. A new data transfer impact assessment shows that data protection risks from third-country transfers for Zoom customers are minor. Zoom has also clarified that, in principle, the company itself is the controller of all personal data. To the extent that educational and business customers use Zoom as a processor, Zoom is authorised by them to process some personal data under its own responsibility.

  • Improving data protection practices

Zoom has clarified and minimised its practices for retaining personal customer data. Zoom will implement improved privacy-by-design and privacy-by-default processes throughout the product development lifecycle. Internally, new employee training is being introduced to ensure improved data protection by each individual employee.

  • Joint continuous evaluation of progress at two-month intervals

In addition to Zoom’s changes, SURF advises implementing additional measures on your own and entering into new data processing agreements with Zoom. With the implementation of these measures, customers should be able to use Zoom for highly confidential communications and no longer be exposed to the data protection risks previously classified as high.

For this purpose, SURF has published recommendations on appropriate Zoom settings (PDF) (for administrators (PDF) as well as for end users and hosts (PDF)).

Practical implications: Can Zoom be used in a GDPR-compliant manner?

When implementing Zoom, numerous data protection issues arise due to the processing of personal data. The DPIA from the Netherlands, which has now been published, and our practical experience show that GDPR-compliant use of Zoom is possible if certain data protection measures are observed. If you want to use Zoom in your company or a public body, the decisive question is therefore not whether it can be used in a way that complies with data protection law, but rather what data protection measures are required for GDPR compliance.

To answer this, we recommend the following five steps:

  • Conduct a data protection impact assessment in accordance with Article 35 GDPR to identify data protection risks and necessary remedial measures, as well as for documentation purposes.
  • Identify usage scenarios and determine groups of data subjects and categories of data in order to be able to define processing operations and purposes of processing.
  • Ensure a legal basis for all specified processing purposes.
  • Assess the risks to the rights and freedoms of data subjects based on the respective usage scenarios.
  • Implement technical and organisational mitigation measures to minimise and eliminate identified risks.


It is possible to use Zoom in a way that complies with data protection regulations, but this requires that controllers take active steps, implement measures and, above all, document them. It remains to be seen whether the national data protection authorities and the European Data Protection Board will endorse this view. However, Zoom has once again demonstrated its willingness to make improvements in the area of data protection and cybersecurity when justified criticism is brought to the company’s attention. German data protection regulators in particular should take note of this when considering issuing product warnings (only in German) or taking action against data controllers due to the use of Zoom in the future.
