RECORDING VIDEO CONFERENCES –a practical function, but also GDPR-compliant?

For many people, they are now part of everyday business life: video conferencing. A practical feature here is the recording function. In this way, what has been discussed can be looked up without any problems or those who are not present can be picked up. As with everything to do with the processing of personal data and metadata, however, some regulations of the GDPR must be observed. But what are they exactly?

Purpose of data processing

Before any recording takes place, the purpose and nature of the data processing must be clearly defined. It should be noted that the purpose of the recording is not necessarily the same as the purpose of the video conference. Each processing must be examined separately.

Legal basis of data processing

In data protection law, the legal principle of “prohibition with reservation of permission” applies: processing of personal data is only lawful if a legal basis according to Art. 6 GDPR legitimizes this processing.

Although processing on the basis of a legitimate interest can be considered to legitimize recording, this is negated by a balancing of interests: recording is in fact a major intrusion into the privacy of all parties involved. For this reason, obtaining consent is the appropriate legal basis for legitimization.

In addition, Section 26 of the BDSG must be observed in employment relationships, which imposes special requirements for the processing of employee data.


The General Data Protection Regulation sets high requirements for the effectiveness of consent:

Obligation to inform

Participants shall be informed about the data processing and about their data subject rights. The BDSG stipulates that employees must be informed in text form about the purpose of the data processing and about their right of revocation (cf. Section 26 (2) sentence 4 BDSG).

What else must the responsible person pay attention to?

One difficulty of using videoconferencing services is data transfers to the US. Therefore, the GDPR requirements for the transfer of personal data to third countries must also be met.

In order to correctly inform about all processing operations, the event “video conference” has to be included in the list of processing activities according to Art. 30 GDPR. In addition, it is an obligation of data controllers to check whether a data protection impact assessment needs to be carried out in accordance with Art. 35 GDPR.

A note at the end

One point that almost always applies when processing data is the principle of data minimization. Only topics that are necessary for the conference should be discussed within the call.

Your personal contact

Matthias SchulzSenior Sales Manager

You might also be interested in these articles

Passgenaue Erweiterung der Beratung
CLARIUS.LEGAL AG expands its consulting services in data protection, IT security and occupational safety.
Learn more
Attack through mobile storage media
Learn more