- 04.03.24
- Reading time: 3 Minuten
RECORDING VIDEO CONFERENCES –a practical function, but also GDPR-compliant?
For many people, they are now part of everyday business life: video conferencing. A practical feature here is the recording function. In this way, what has been discussed can be looked up without any problems or those who are not present can be picked up. As with everything to do with the processing of personal data and metadata, however, some regulations of the GDPR must be observed. But what are they exactly?
Purpose of data processing
Before any recording takes place, the purpose and nature of the data processing must be clearly defined. It should be noted that the purpose of the recording is not necessarily the same as the purpose of the video conference. Each processing must be examined separately.
Legal basis of data processing
In data protection law, the legal principle of “prohibition with reservation of permission” applies: processing of personal data is only lawful if a legal basis according to Art. 6 GDPR legitimizes this processing.
Although processing on the basis of a legitimate interest can be considered to legitimize recording, this is negated by a balancing of interests: recording is in fact a major intrusion into the privacy of all parties involved. For this reason, obtaining consent is the appropriate legal basis for legitimization.
In addition, Section 26 of the BDSG must be observed in employment relationships, which imposes special requirements for the processing of employee data.
Consent
The General Data Protection Regulation sets high requirements for the effectiveness of consent:
- The declaration of consent should be formulated clearly and understandably.
- The data subjects must be informed about who is the data controller, what data is processed for what purpose and that there is a right of withdrawal.
- Consent must be given voluntarily. This means that the data subject must have a real choice regarding the recording. In professional contexts, this voluntariness may be doubtful due to the dependency of the employed person (cf. Section 26 (2) sentence 1 BDSG). Therefore, it is important to offer alternatives to the participants if they do not agree with the recording.
- The GDPR does not provide for a specific form for consent. However, the controller is obliged to be able to prove that effective consent has been obtained.
Obligation to inform
Participants shall be informed about the data processing and about their data subject rights. The BDSG stipulates that employees must be informed in text form about the purpose of the data processing and about their right of revocation (cf. Section 26 (2) sentence 4 BDSG).
What else must the responsible person pay attention to?
One difficulty of using videoconferencing services is data transfers to the US. Therefore, the GDPR requirements for the transfer of personal data to third countries must also be met.
In order to correctly inform about all processing operations, the event “video conference” has to be included in the list of processing activities according to Art. 30 GDPR. In addition, it is an obligation of data controllers to check whether a data protection impact assessment needs to be carried out in accordance with Art. 35 GDPR.
A note at the end
One point that almost always applies when processing data is the principle of data minimization. Only topics that are necessary for the conference should be discussed within the call.
