A few years ago, the use of video conferencing systems was still the exception. In the meantime, video conferencing systems have become an indispensable part of everyday business for many companies. Since video conferencing involves the processing of a large amount of personal data, specific data protection requirements need to be observed. This still receives too little attention in most companies. The following are therefore some tips and advice to consider when choosing a video conferencing system and conducting video conferences. (This list is not exhaustive.)
- Contractual protection.
Many providers of video conferencing systems make their service available as Software as a Service (SaaS). Customers receive the corresponding order processing contracts online. An order processing contract is intended to establish the basis of the data processing performed by the video conferencing system provider on the instructions of the controller. Providers who do not supply you with a processing contract despite their status as a processor within the meaning of Article 28 of the GDPR should not be commissioned. Under certain circumstances, it may alternatively be necessary to conclude a joint controller agreement. This is the case when you and the video conferencing system provider jointly decide on the purposes and means of processing personal data and therefore qualify as joint controllers within the meaning of Article 26 GDPR.
- Third country transfer.
Furthermore, you should take note of where the actual processing of personal data occurs. Some video conferencing system providers or their affiliates and/or sub-processors are located in the USA and therefore process personal data outside the EU or EEA. Inform yourself in advance whether an adequate level of data protection is available in possible third countries pursuant to Article 44 et seq. GDPR. The USA should in any case be viewed critically now that the ECJ declared the EU-U.S. Privacy Shield to be ineffective in 2020. Most video conferencing system providers with ties to the USA now make use of standard data protection clauses. The ECJ holds that the standard data protection clauses alone are not sufficient to ensure an adequate level of protection for EU/US related processing operations. Rather, additional security measures are required for this, especially with regard to access by the authorities. The specific measures required must be considered on a case-by-case basis.
When selecting the video conferencing system provider, care must be taken to ensure that it takes appropriate technical and organisational measures to ensure secure processing of personal data. The personal data concerned in the processing are subject to security in accordance with the legal requirements of the GDPR and their respective level of protection. A detailed overview of the measures taken should be obtained in this regard. Among other factors, encryption during transmission and storage is important to protect the data from unauthorised access by third parties.
- Information obligations.
As the initiator and controller for the video conference, you are obliged to inform the participants about the processing of their personal data pursuant to Article 13 et seq. GDPR. In addition to the general information on the controller, the legal basis and the purpose of processing, the data subjects are also to be informed about the storage period and other issues inherent to the video conference. Note: Any recording of the video conference should generally be avoided. However, if recording is necessary in view of the specific purpose of the video conference, then those concerned should receive timely notification. The consent of the participants is required for this in cases of doubt.
When conducting video conferences, further data protection requirements need to be observed. Frequently, during video conferences, the private domain of the participants’ lives is visible. In such cases, it is advisable either to refrain from video transmission in general or to place oneself in front of a neutral background. Numerous providers also offer the alternative of inserting neutral digital backgrounds. Those responsible in the company should also define the sharing of documents or the screen in a uniform manner and inform the employees accordingly. Screen sharing generally increases the risk of unauthorised access to personal data by third parties.
In addition to the points listed above, further useful information is available in the “Guide to Video Conferencing Systems” of the Data Protection Conference of 23.10.2020 (https://datenschutz-hamburg.de/assets/pdf/OH-Videokonferenzsysteme.pdf).
Should you require an individual consultation, please contact the team at secjur GmbH.