Data protection checklist for video conferences & online meetings

The use of video conferencing is increasing, especially under the current contact restrictions. Tools familiar from private use in particular have been publicly criticized for handling personal data carelessly. To avoid hasty decisions when selecting and using a tool, decisions that could jeopardize the security of your company and of your employees working from home, we recommend meeting the requirements of the General Data Protection Regulation (GDPR) as applied in the German-speaking countries. The following checklist helps you meet the legal requirements and implement the technical and organizational measures for mobile and flexible working in a practical way.

  1. Prefer EU services – When choosing between a video conferencing service from the USA and an equivalent service from the EU, prefer the one whose commissioned data processing takes place in the EU.
  2. Select services with the most data protection-friendly settings (Art. 25 GDPR) – Choose services whose processes and settings are the most “data protection-friendly”, e.g.:
    Encryption – Image and sound transmissions should be encrypted.
    Business use – Business use should be permitted. Usually only the so-called business versions offer this.
    Approvals – Screen sharing and the recording of activities in the conference tool should require the express consent of the user.
    Minutes and recordings – Conversation histories and recordings should be deleted automatically after the appointment.
    Profiling – No behaviour or movement profiles of participants should be created, or it should be possible to switch this function off entirely. (Check the functions of the smartphone app as well.)
  3. Involvement of the works council – Under § 87 Para. 1 No. 6 BetrVG, the works council has a right of co-determination when technical systems that are capable of monitoring the behaviour or performance of employees are introduced; a video conferencing tool is such a system. It is also advisable to involve the data protection officer as early as possible.
  4. Ensure an adequate level of data protection for providers from third countries (e.g. USA) – Either the third country has an adequacy decision (e.g. Switzerland, Israel, Canada, New Zealand), or the US service is certified under the Privacy Shield, or the “EU standard contractual clauses” (standard data protection clauses) are concluded with the provider. Note: the Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (Schrems II), so it can no longer serve as a transfer basis; a transfer to the USA then rests on the standard contractual clauses together with an assessment of whether the provider can actually honour them.
  5. Ensuring technical measures – The GDPR also requires companies to take technical measures: they are obliged to use data protection-friendly technology and data protection-friendly default settings in accordance with the principles of “privacy by design” and “privacy by default” (Art. 25 GDPR). This includes, for example:
  • Transmissions should be encrypted.
  • Participation in the conference may only be possible via a login screen or by invitation of the organizer.
  • Log files should only be created for the purpose of support activities, and their deletion in compliance with data protection rules must be ensured.
  • It must be possible to delete chat histories automatically after defined retention periods.
  • Exchanged documents may only be cached locally for short periods, and the cache must be cleared automatically.
  • The video conference may only be recorded with the consent of all participants.
  • Create awareness of your applicable privacy policy, e.g. by including a link to it on login pages or in invitations to online meetings.
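Several of the measures above come down to the same thing: artefacts of a meeting (chat histories, recordings, cached documents, support logs) must disappear on their own once a defined period has passed. The following retention sweep is an added example, not code from this page or from any conferencing vendor. It assumes a hypothetical local directory layout <root>/<category>/... and hypothetical retention periods; the real periods come from your data protection officer, not from a script. Files whose category has no policy are deliberately never deleted automatically but reported for a human decision.

```python
"""Retention sweep for video-conference artefacts (added example).

Assumes a layout <root>/<category>/... where <category> is one of the keys
in RETENTION_SECONDS. Layout and periods are hypothetical assumptions.
"""
import os
import time
from pathlib import Path

DAY = 86_400  # seconds

# Hypothetical retention periods per artefact class (assumption, not policy).
RETENTION_SECONDS = {
    "chat": 7 * DAY,           # chat histories
    "recordings": 30 * DAY,    # recordings made with participants' consent
    "cache": 1 * DAY,          # locally cached shared documents
    "support-logs": 14 * DAY,  # log files kept only for support purposes
}


def is_expired(category, mtime, now, policy=RETENTION_SECONDS):
    """True if an artefact of `category` last modified at `mtime` has reached
    its retention period at `now` (all Unix timestamps in seconds).
    Raises KeyError for a category the policy does not know."""
    return now - mtime >= policy[category]


def select_expired(entries, now, policy=RETENTION_SECONDS):
    """Split (category, path, mtime) records into paths to delete and paths
    that need a human decision because their category has no policy.
    Unclassified files are never deleted automatically: a file nobody
    classified is exactly the one that should be looked at first."""
    to_delete, unclassified = [], []
    for category, path, mtime in entries:
        if category not in policy:
            unclassified.append(path)
        elif is_expired(category, mtime, now, policy):
            to_delete.append(path)
    return to_delete, unclassified


def scan(root, now=None):
    """Walk <root>/<category>/... and build the records select_expired needs.
    The first path component below root is taken as the category."""
    root = Path(root)
    now = time.time() if now is None else now
    entries = []
    for path in root.rglob("*"):
        if path.is_file():
            category = path.relative_to(root).parts[0]
            entries.append((category, path, path.stat().st_mtime))
    return entries, now


def sweep(root, now=None, dry_run=True):
    """Delete expired artefacts under root; in dry-run mode only report.
    Returns (deleted_or_planned_paths, unclassified_paths)."""
    entries, now = scan(root, now)
    to_delete, unclassified = select_expired(entries, now)
    if not dry_run:
        for path in to_delete:
            os.remove(path)
    return to_delete, unclassified


if __name__ == "__main__":
    import sys
    # Usage: python retention_sweep.py <root> [--apply]
    planned, unknown = sweep(sys.argv[1], dry_run="--apply" not in sys.argv)
    for p in planned:
        print("expired:", p)
    for p in unknown:
        print("no policy, left in place:", p)
```

Run it from a scheduler (cron, systemd timer) in dry-run mode first and review the output; only then add --apply. The sweep itself should run with write access to the artefact directories and nothing else, and its own output is a log about personal data that falls under the same deletion rules.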

If you need direct support in selecting the right technology and setting up the necessary processes, please contact us: info@agilimo.de, +49 (0) 6028-94013-0

Further links: Berlin data protection officer on conducting video conferences during contact restrictions
