30.03.2020

Take advantage of opportunities and establish video conferences now for the future!

Corona is not only slowing down personal life; new ways of working also need to be found in the business environment due to the rules on social distancing. Internal meetings, as well as meetings with external parties, are generally no longer possible on site.

One option that has already been used in the past is conference calls. Not everything can be solved over the phone, though, so now many companies are turning to video and online conferences using programs such as TeamViewer, Zoom, or Skype for Business (to name just a few of the numerous providers). Employees are able to participate from their home offices, thus not losing contact with each other or with customers.

When using online conferencing and videoconferencing, however, the GDPR guidelines must be observed, despite the crisis, as long as such conferencing is used in a business environment. The following comments from German regulatory authorities in connection with video conferences are particularly helpful: Baden-Württemberg, Hamburg, and Rhineland-Palatinate.

Below you will find a checklist on the relevant questions relating to the use of online and video conferencing, which must be checked prior to using the system.

1. Selection of the service provider

  •   What services does the service provider have to enable? E.g., pure video conference, sharing of documents (by one person or by several participants), etc.
  •   Is it possible to use the service for business purposes? In some cases business use is only possible against payment
  •   Where are the service provider's servers located? EU providers should be preferred over providers from third countries, as they are within the scope of the GDPR
  •   Is the tool/software only supposed to be used during the corona pandemic or is continuous operation planned?

In the case of continuous operation, only tools/software that meet the necessary technical measures to ensure data security should be included in the selection process.

2. Initial steps towards the introduction of a tool/software for video conferencing

  •   Obtain the consent of the works council or staff council (where necessary, conclude a works agreement)
  •   Involvement of the data protection officer
  •   Examine whether a data protection impact assessment is required and document this prior check

3. Examination of the level of data protection for third country providers

If the selected provider is not based in the EU, it must be ensured that sufficient guarantees for an adequate level of data protection are provided.

  •   Existence of an adequacy finding by the EU Commission
  •   Privacy Shield certification in case of a U.S. provider
  •   Conclusion of standard data protection clauses
  •   Exceptions for certain cases according to Article 9 GDPR

4. Necessary documents for the use of video conferencing

  •   Conclusion of a contract on data processing including TOMs, provided that data processing is subject to instructions. This is offered by many providers, but must be reviewed, in particular as to whether the technical and organizational measures and subcontractors are suitable
  •   Data protection information according to Articles 13/14 GDPR for the participants of the video conference (own employees and external participants)
  •   Inclusion of the tool/software in the record of processing activities

5. Examining data protection-friendly default settings

  •   Does the service provider offer sufficient data protection-friendly default settings (varies depending on the use of the platform) and have these settings been activated? E.g., end-to-end encryption of transmissions, i.e., provider may not access the contents of the communication (only metadata); obtaining consent for recordings and releases; deletion of recordings
  •   Turning off tracking functions if they are not required
  •   If possible, no special categories of data should be discussed and recorded
  •   Strict purpose limitation, i.e., no use of the collected data for other purposes than to enable communication

Tip for use in practice

The use of videoconferencing does not require witchcraft in terms of data protection and offers a good alternative to in-person meetings. Once set up, all employees may use this option and continue to keep in contact with customers.

If attention is paid to compliance with data protection regulations now, despite times of crisis, it will be possible to continue to use this system after corona and to carry out some coordination more efficiently and cost-effectively in the future as well. In this respect, compliance with data protection regulations should currently not be seen as a burden, but rather as an opportunity.

We support our clients in the selection of tools and software for all questions of data protection and data security, as well as in the implementation within the company. Below you will find an overview of tools, which is neither complete nor to be understood as a recommendation for a certain tool. Prior to using a specific tool, a legal review must be carried out in each individual case.

| Name | Country | Data processing contract offered | Privacy Shield certification or standard privacy clauses (if located outside the EU) |
| --- | --- | --- | --- |
| Arkadin | Germany | Upon request | |
| BlueJeans | USA | No | Yes |
| ClickMeeting | Poland | Yes | |
| Discord | USA | No | Yes |
| FastViewer | Germany | Yes | |
| GoToMeeting | USA | Yes | Yes |
| Hangouts/Meet by Google | USA | Yes | Yes |
| Intercall Unified Meeting | USA | Yes | Yes |
| meetgreen | Germany | Upon request | |
| meetyo | Germany | Upon request | |
| Skype for Business | USA | Yes | Yes |
| Slack | USA | Yes | Yes |
| TeamViewer | Germany | Upon request | |
| Teams by Microsoft | USA | Yes | Yes |
| Twitch | USA | No | No |
| WebEx by Cisco | USA | Yes | Yes |
| Zoom | USA | Yes | Yes |

Status: March 30, 2020

Authors

Dr. Oliver Hornung

Partner

Franziska Ladiges

Partner