
There is a particular irony in the way most organisations approach privacy in video meetings: they spend time debating features, pricing, and integration capabilities — then sign the vendor’s terms of service without reading them. Those terms quietly establish your organisation as a data controller for every call you host. That includes the attendee list, the IP addresses, the recording, and the metadata showing who unmuted at what time.
GDPR does not make exceptions for video software. The question is not whether it applies, but where your compliance gaps are.
What You Need to Know First
These are the answers most people search for before reading anything else.
| Topic | What the law actually says |
|---|---|
| Does GDPR cover video calls? | Yes. Any tool that processes identifiable information about EU residents falls under GDPR — Article 4(1) defines personal data broadly enough to include names, emails, IP addresses, facial images, and voice recordings. |
| Is a signed DPA enough to stay compliant? | No. A DPA satisfies Article 28, but you also need lawful basis, transparency to participants, retention limits, and appropriate technical security under Article 32. |
| Can US-based platforms be used legally? | Yes, under the EU-US Data Privacy Framework (since July 2023), provided the vendor is DPF-certified and you have a DPA. Legal uncertainty persists around FISA Section 702. |
| Do recordings change the compliance picture? | Significantly. A recording is a persistent personal data document. It triggers separate obligations around storage limits, access control, and handling deletion requests. |
| What fines are possible? | Up to €20 million or 4% of global annual turnover under Article 83(5), depending on the violation. |
| Do I need to notify a participant if there is a breach? | Only if the breach creates high risk to their rights and freedoms. But you must notify your supervisory authority within 72 hours regardless. |
| Is on-premises software always safer under GDPR? | It removes the Article 28 and Articles 44–49 problems entirely. But your internal security practices still determine whether data is actually protected. |
The Legal Anatomy of a Video Call Under GDPR
Article 5 — Principles you cannot contract your way out of
Purpose limitation means you cannot record a meeting “for potential future use.” You need a specific, documented reason at the time of collection.
Storage limitation means you cannot keep recordings indefinitely — even if nobody asks you to delete them.
Data minimisation means disabling features that collect data beyond the core purpose: transcription analytics, sentiment detection, attendance heat maps, and similar tools all need justification before you switch them on.
Article 6 — Why consent is often the wrong lawful basis for work meetings
Most internal meetings rely on legitimate interests or contractual necessity as the lawful basis — not consent.
Consent works poorly in employment contexts because of the power imbalance between employer and employee.
For external participants such as clients or candidates, legitimate interests is more defensible when the call has a clear business purpose.
Where consent is chosen as the basis, it must be specific, informed, freely given, and withdrawable — which creates real complications if you want to record.
Article 13 — The notice you are probably not giving
Before a meeting takes place, participants have the right to know what data is collected, who processes it, how long it is stored, whether it will leave the EU, and who to contact with a privacy query.
“We may record this call” in a calendar invite is not sufficient.
A link to a privacy notice covering your video platform’s data practices, sent before the meeting, comes much closer to satisfying this obligation.
Article 28 — The DPA is not optional
When a third-party vendor processes personal data on your behalf — and every cloud-based video platform does exactly that — you must have a written data processing agreement in place.
The DPA must specify the subject matter, duration, nature, and purpose of the processing, plus the obligations of both parties.
Vendor-supplied DPAs vary considerably in quality. Sub-processor lists buried in the DPA annexes deserve particular scrutiny, since they tell you where your data actually travels.
Articles 44–49 — The transfer problem that keeps coming back
When your video platform routes data through servers outside the EU/EEA, or when a US parent company can legally access data held by a European subsidiary, you have an international transfer on your hands.
The EU-US Data Privacy Framework provides a mechanism for transfers to certified US companies.
However, guidance from the European Data Protection Board and academic analysis of FISA Section 702 both suggest that US surveillance law creates obligations incompatible with the “essentially equivalent” protection standard.
Expect further legal challenges to the DPF.

GDPR Compliance Checklist
Before deploying or renewing a video conferencing platform:
Vendor and contracts
- DPA signed with the video platform vendor
- Sub-processor list reviewed, and locations checked
- Vendor’s DPF certification confirmed for US-based platforms
- Vendor’s security certifications reviewed (ISO 27001, SOC 2, etc.)
Technical configuration
- EU data residency selected and verified in admin settings, not assumed
- Encryption in transit confirmed (TLS 1.2 minimum; TLS 1.3 preferred)
- E2E encryption enabled for sensitive discussions where available
- Waiting rooms active to control who enters meetings
- Recording permissions restricted at admin level, not left to individual users
- Automated recording off by default
Policies and documentation
- Retention period defined for recordings and enforced technically where possible
- Privacy notice updated to cover video platform data practices
- Privacy notice communicated to external participants before meetings
- DPIA conducted if processing is high-risk (e.g., recording health-related discussions)
- Process documented for responding to erasure and access requests
- Incident response plan covers video platform data breaches
Ongoing obligations
- Vendor DPA reviewed annually — terms change
- Works council consulted where required by national employment law
- Internal privacy training covers video meeting obligations
Vendor Comparison: Which Platforms Hold Up Under GDPR Scrutiny
The table below reflects publicly documented features and architecture as of early 2025. Compliance always depends partly on your configuration and internal practices, not just on the platform you choose.
| Platform | Deployment | Data location | E2E encryption | DPA required | Key compliance note |
|---|---|---|---|---|---|
| Secumeet | On-premises / private cloud | Customer-controlled | Yes | No | Vendor does not process meeting content by design |
| TrueConf | On-premises / private cloud | Customer-controlled | Yes (multi-layer) | No | Operates fully offline; 12-level security architecture |
| Wire | On-premises / SaaS | EU or customer-controlled | Yes — all channels | Yes | ISO 27001; independent security audits published |
| Digital Samba | EU cloud | EU | Yes | Yes | EU-incorporated; designed around GDPR from inception |
| Jitsi Meet | Self-hosted or cloud | Customer-controlled (self-hosted) | Partial (self-hosted) | No (self-hosted) | Open source; strongest when self-hosted in EU |
| Nextcloud Talk | Self-hosted | Customer-controlled | Yes | No | Integrates with Nextcloud data sovereignty infrastructure |
| BigBlueButton | Self-hosted / EU cloud | Customer-controlled | Partial | No (self-hosted) | Strong audit logging; common in EU education |
| Zoom | Cloud (US-based) | EU residency option | Optional E2EE | Yes (DPF certified) | Compliant with correct setup; DPF uncertainty persists |
| Microsoft Teams | Cloud (EU available) | EU Data Boundary option | In transit | Yes | EUDB does not yet cover all workloads |
| Cisco Webex | Cloud / on-premises | EU option | Yes | Yes | On-premises option provides stronger data isolation |
Secumeet
The defining characteristic of Secumeet’s architecture is that the vendor itself never touches your meeting content. Video streams, audio, screen sharing, and recordings stay on the customer’s own infrastructure or private cloud. This is not a statement about encryption — it means there is no third-party processor relationship to govern under Article 28 for the meeting content itself, and no cross-border transfer question under Articles 44–49. The product covers group video calls, one-on-one meetings, screen sharing, and multi-device access including Android TV. Public documentation on third-party certifications such as ISO 27001 is less detailed than that of vendors targeting regulated industries; factor that in if your sector requires certification evidence.
TrueConf
TrueConf Server is designed to run inside a closed corporate network. The platform supports fully offline operation, which addresses the cross-border transfer issue as directly as any solution can — data that never leaves an internal network is not subject to Articles 44-49. Security is documented across 12 levels: proprietary video codec, VPN gateway integration, encrypted data storage, and multi-layer authorisation. Licences support up to 1,500 concurrent participants. TrueConf has published documentation on both GDPR and HIPAA compliance and includes audit trail functionality, which matters when you need to demonstrate compliance to a supervisory authority rather than simply claiming it.
Wire
Wire encrypts everything by default — messages, voice calls, video, and file transfers — using the Proteus protocol for messaging and DTLS-SRTP for calls. End-to-end encryption is not an optional add-on; it is the baseline. Wire Server can be fully self-hosted, and the SaaS version runs on EU infrastructure. The company holds ISO 27001 certification and has commissioned independent security audits with results published publicly, which is unusual in this space and worth crediting. The constraint for video is participant count: simultaneous video is limited to 12. Wire works well for organisations whose primary communication happens in small team meetings and chats, less so for large-scale video events.
Digital Samba
Digital Samba is incorporated in Europe and runs infrastructure within the EU, which removes the US data transfer question from the equation. The platform uses anonymised user identifiers to reduce its personal data footprint, and provides a DPA as standard with business accounts. It is positioned specifically at organisations that want a managed cloud video service under EU jurisdiction without operating their own infrastructure. Relevant for sectors where the domicile of the vendor matters as a compliance criterion: financial services, healthcare, and legal firms in particular.
Jitsi Meet (self-hosted)
When deployed on your own EU-based servers, Jitsi Meet puts you in a position where you are both the data controller and the entity operating the infrastructure. No DPA is needed because there is no processor. No international transfer question arises unless you put your server outside the EU. The code is open source and independently auditable. End-to-end encryption is available but has documented limitations in larger meetings. The trade-off is operational: you bear full responsibility for availability, updates, and infrastructure security. For organisations with technical staff and limited budget, this path offers strong legal clarity at low licensing cost.
Zoom, Microsoft Teams, Cisco Webex
These three represent the pragmatic middle path — widely adopted, legally usable under GDPR with deliberate configuration, but not compliant by default. For Zoom and Teams, EU data residency must be actively selected in administrator settings; it is not the default for new accounts. Microsoft’s EU Data Boundary initiative covers many Teams workloads but not all, and Microsoft’s own documentation specifies which services are inside and outside the boundary. Webex offers an on-premises deployment option that eliminates most cross-border concerns for organisations willing to operate their own Webex infrastructure.
The unresolved tension with all three is the US parent company question: even with EU-located servers, US legal process can in principle compel these companies to produce data. For standard business meetings this is a risk most organisations will accept. For meetings involving legally privileged communications, health data, or sensitive HR discussions, the risk is harder to dismiss under Article 9 GDPR.
Recording Meetings: Where Most Organisations Create the Most Liability
A recording is not a convenience feature. It is a persistent document containing personal data about everyone who appeared, spoke, or was mentioned — and it remains subject to GDPR obligations for its entire existence.
Before recording starts: Participants must be informed, not notified after the fact. A platform-generated banner is the practical minimum. Where recordings are stored long-term or distributed beyond the original participants, the lawful basis should be documented explicitly.
While the recording exists: Access should be restricted to people with a specific, documented need to view it. Recordings accessible to entire departments or open to anyone with the link are both a data minimisation failure and a straightforward security risk.
When retention ends: Delete the recording. This is not discretionary under Article 5(1)(e). If the platform supports automated deletion by date, configure it. Do not rely on individual employees to remember.
When someone asks to be removed: Article 17 gives individuals the right to erasure in certain circumstances. If an external participant asks you to delete a recording that contains their image and voice, you need an actual process for responding — not just a policy document saying you will. Some enterprise platforms include automated redaction tools; most do not, which means either manual effort or deleting the recording in full.
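The recording lifecycle described above (retention enforced technically rather than by memory, access limited to named viewers, and an actual process for Article 17 erasure requests) as an added example that is not from the article or any vendor's product. The registry layout, field names, the 90-day retention period, the as-of date and the sample recordings are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RETENTION_DAYS = 90            # assumed documented retention period (Art. 5(1)(e))
TODAY = date(2025, 5, 1)       # constructed as-of date for the sample run


@dataclass
class Recording:
    rec_id: str
    created: date
    purpose: str               # specific purpose documented at collection time (Art. 5(1)(b))
    access: str                # "restricted" | "department" | "anyone_with_link"
    participants: set = field(default_factory=set)


def sample_registry():
    """Constructed sample data, not real recordings."""
    return {
        "rec-1": Recording("rec-1", date(2025, 1, 10), "candidate interview", "restricted", {"hr-1", "cand-x"}),
        "rec-2": Recording("rec-2", date(2025, 3, 15), "project review", "anyone_with_link", {"pm-1", "dev-2"}),
        "rec-3": Recording("rec-3", date(2025, 4, 1), "client kickoff", "restricted", {"sales-1", "ext-client-a"}),
    }


def expired(rec, today, days=RETENTION_DAYS):
    """Retention ends a fixed number of days after creation, whether or not anyone asked."""
    return today - rec.created > timedelta(days=days)


def access_findings(registry):
    """Data-minimisation check: recordings not limited to named viewers."""
    return sorted(r.rec_id for r in registry.values() if r.access != "restricted")


def enforce_retention(registry, today, audit):
    """Delete every expired recording and log each deletion for the audit trail."""
    for rec_id in [r.rec_id for r in registry.values() if expired(r, today)]:
        del registry[rec_id]
        audit.append(f"{today} DELETE {rec_id} reason=retention_expired")
    return audit


def handle_erasure_request(registry, subject, today, audit, can_redact=False):
    """Art. 17 request: redact the subject where tooling exists, otherwise delete the whole recording."""
    affected = [r for r in registry.values() if subject in r.participants]
    for rec in affected:
        if can_redact:
            rec.participants.discard(subject)
            audit.append(f"{today} REDACT {rec.rec_id} subject={subject}")
        else:
            del registry[rec.rec_id]
            audit.append(f"{today} DELETE {rec.rec_id} reason=erasure_request subject={subject}")
    return [r.rec_id for r in affected]


if __name__ == "__main__":
    reg, log = sample_registry(), []
    print("access findings:", access_findings(reg))
    enforce_retention(reg, TODAY, log)
    handle_erasure_request(reg, "ext-client-a", TODAY, log)
    print("\n".join(log), "\nremaining:", sorted(reg))
```

The audit list is the evidence you show a supervisory authority: each deletion carries a date and a documented reason rather than a policy statement that deletions happen.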
The US Surveillance Law Problem
The EU-US Data Privacy Framework, which the European Commission adopted in July 2023, restored a legal transfer mechanism after the Court of Justice of the EU struck down both Safe Harbour (2015) and Privacy Shield (2020) in response to challenges by Max Schrems. NOYB has signalled intent to challenge the DPF through European courts, and the underlying US surveillance law that caused both previous frameworks to fail has not changed substantively.
Insight worth noting: The DPF only covers transfers that actually reach US-certified entities. If a European subsidiary of a US company processes your data on EU servers with contractual and technical barriers preventing US parent access, the transfer question may not arise at all. This is a material distinction that many compliance analyses skip. Review vendor architecture documentation rather than categorising all US-owned companies as presenting identical transfer risk.
Deployment Models: Matching Technical Setup to Risk Appetite
EU-hosted cloud (European vendor): Removes the US transfer problem and retains operational simplicity. You manage a DPA with an EU entity, which is both conceptually and legally simpler. Appropriate for organisations that cannot operate infrastructure but need stronger jurisdictional certainty than US platforms offer.
EU-hosted cloud (US vendor, EU residency selected): Legal under the DPF with correct configuration, but carries ongoing framework uncertainty. Suitable for most standard business use cases. Harder to justify for processing special category data in calls.
On-premises (own hardware, internal network): Removes both the processor relationship and the transfer risk. Requires technical capacity to operate securely. The compliance narrative is clean, but only if the underlying infrastructure is actually maintained; an on-premises deployment on unpatched servers with shared admin credentials is not safer than a properly configured cloud platform — just differently exposed.
Self-hosted open source (EU servers): Comparable profile to on-premises, lower licensing cost, full software auditability. Requires stronger internal operational maturity than commercial products that include vendor support.
Sovereign cloud or EU-hosted private cloud: This segment has grown considerably in Europe since 2020. Infrastructure is physically located in the EU, operated by EU entities, and governed by EU law. Increasingly common among public sector bodies, defence contractors, and regulated financial institutions.
One More Thing Most Guides Miss
Two data protection obligations for video conferencing appear on almost no compliance checklists.
First: in several EU member states, deploying a video conferencing platform that can track employee attendance, participation, or behaviour requires prior consultation with the works council or staff council under national co-determination law. Germany’s Betriebsverfassungsgesetz and the Netherlands’ Works Councils Act are two examples. Rolling out a platform without this step creates employment law liability separate from GDPR entirely.
Second: if you process special category data (health information, political opinions, trade union membership, biometric data) during video calls — and many organisations do, in HR, legal, and healthcare contexts — the Article 9 standard applies. This requires an additional lawful basis beyond Article 6, and the residual risk from US surveillance law access is considerably harder to justify at this higher threshold. The practical implication: healthcare providers, legal teams, and HR departments running sensitive conversations on US cloud platforms are in a different compliance position than a sales team running client discovery calls.
FAQ