You may have already read our articles on how to get started with Video In Person, how to customize it or which features are relevant for your use cases. If not, you can review them here: 

However, you may be wondering what about GDPR (General Data Protection Regulation) compliancy for video calling and recording? An important part to consider with any Saas platform you use. 

For 36% of CX leaders, one of their top 3 priorities in 2021 was ‘upgrading customer data privacy tools and compliance processes’ – according to Genesys’ State of CX report

When offering video calls in B2C settings, it is your responsibility to ensure that the video calling technology and the processes comply with the EU’s GDPR regulations. The biggest challenge here is that not all solutions automatically offer the right features and configurations.  

How do you make sure that the video call technology you use meets GDPR compliance? 

And how do you safely secure any pictures, video recordings or documents processed during a video call? 

First, what is GDPR?

‘General Data Protection Regulation’, or ‘GDPR’ is a set of laws on data privacy and security introduced by the EU in 2018. General Data Protection Regulation protects the personal data of European citizens and give them more control over how their data is collected, processed, accessed, shared and stored online. 

Personal data is any personally identifiable information (PII), or information that can directly or indirectly identify an individual. For example, a name, address, email address or gender, but also biometric data shown on an image, video stream or recording. 

Importantly, is that GDPR not only applies to organizations within the European Union, but also to entities cooperating with European organizations throughout the world. Due to that, a business located in the United States but serving customers in the EU (even if it’s just one!) also needs to comply with GDPR. 

GDPR (General Data Protection Regulation)

Why is GDPR compliance important for video calls with B2C customers? 

Regarding video calling with B2C customers, GDPR is a major compliance law you need to consider and comply with.  

So how does GDPR compliance matter to video calling? 

To protect the data privacy of end customers, the EU data protection law highlights 3 main roles: 

  • Data subject: a person whose data is collected 
  • Data controller: an entity that processes personal data. In the case of video calling for B2C that’s your organization. 
  • Data processor: the entity that is hired by an enterprise to process data on their behalf, e.g., a vendor of a video solution, say Video In Person. 

When using video solutions to engage with customers, the technology vendor (say Video In Person) is considered a ‘Data processor’ under GDPR’s legal terms. The technology vendor processes the personal data of your customers on your behalf – like their name, email address, and other biometric information. 

And one key criteria for GDPR compliance is that you, as a ‘data controlling’ entity, are responsible for ensuring that the Data processor handles your customer’s personal data securely. It is therefore always a good idea to discuss the topic with your technology vendor before using their solution. 

There are 5 more GDPR regulations that apply to video calling with customers. Generally, these can be split into 2 categories. 

  1. GDPR compliancy for video calls themselves (in-transit data) 
  1. GDPR compliancy for recordings and other documentation (in-rest data) 

Let’s take a further look at each. 

1. GDPR compliance for video calls themselves (in-transit data) 

1.1 Work with GDPR-compliant vendors 

As mentioned, the technology vendor processes your customer’s personal information. Under GDPR they are ‘Data Processors’ . According to Article 28, it requires you to only use the service of a data processor that is GDPR-compliant as well. 

What does this mean for your video calls with customers? 

  • Make sure to have a DPA (Data Processing Agreement) in place with your vendor. 
  • A DPA verifies the scope and purpose of processing 

1.2 Check if your vendor processes personal data securely 

In GDPR Article 13 it simply states that for hosting videocalls you have to notify all participants that you will process their personal data within the context of video meetings. Article 5 relates data security and that you check and guarantee that the vendor processes that personal data in a ‘lawful, fair and transparent manner’. 

What this means for your video calls with customers. 

  • Check that the video call technology allows you to ask customers for consent to process their personal data before the video call starts, for example in the email invitation – or in a check-mark message if you’re having an ad-hoc video session. 
  • Check if your vendor process data using end-to-end encryption. This applies to both video connections itself (in-transit data) as well as data that is being stored, like a recording or picture. 
  • If possible, work with an EU-based vendor that specializes in video calling technology for B2C situations. Preferably one able to offer security at an enterprise level
  • Perform a security assessment of how your vendor documents and protects data privacy of video call participants. A great indication of their expertise in security is the ISO27001 certificate

2. GDPR compliance for video recordings and other documentation (in-rest data) 

Depending on the service you offer via video calling, other compliancy regulations – such as MiFID II for discussing financial transactions online – may require you to document customer meetings.  

So, if you’re recording video calls with customers, how do you store recordings in a GDPR-compliant manner?  

The GDPR basics are the same as for having a video call (processing in-transit data). But to there are some additional factors to abide by: 

  • store recordings securely, and no longer than absolutely necessary. 
  • provide customers and employees the right to access and erase the recording with their personally identifiable data 
  • restrict access to recording data, e.g., through different user roles offered via configurable video call technology 

2.1 Ask a Customer’s Legal Consent for recording 

There should be legal grounds for recording a video call, such as compliancy with legislation that applies to your industry. Example, remotely conducted safety inspections need to have video recording as proof. 

What this means for your video calls with customers. 

  • Check with your legal department that you meet all criteria, before recording in video calls 
  • If you are unsure, always ask your customer if you can record. In case of training purposes under Article 6 you always need to ask for consent. 
  • If switching your text-based chat to a videochat, always mention before recording that you will record. 

2.2 Allow customers to access or delete their personal data 

In line with Article 15 and 17, Data subject rights, you have to comply by giving customers the Right to Access their personal data such as recordings. You have 30 days to give them access. Article 17 Right to Erasure, means you need to permanently delete their data. 

What this means for your video calls with customers. 

  • How long you store recordings, pictures and documents should be in compliance with your privacy statement, GDPR or other regulations. 
  • Use a video calling technology solution which allows you to configure how long you store data. Either via a fixed retention period for all video calls, or different periods of time depending on your legal needs. You can review Security and Storage features for Video In Person:

2.3 Securely store recordings, pictures and other files from video calls 

Under Article 32, both your organization and the video call vendor need to implement technical measures to protect data privacy during video calls. You should always verify that your vendor provides the right security capabilities to prevent personal data from leaks, hackers or ‘Zoom bombing’ by third parties. 

What this means for your video calls with customers. 

  • Once you have generated a recording, taken a picture of document (in-rest data), ensure it is securely stored with end-to-end encryption. 
  • Ensure your files and data are stored within a location within the borders of the EU, and for no longer than necessary. 
  • GDPR requires you to restrict access to data, meaning only necessary users should have access. 
  • Ensure files are stored somewhere they cannot be downloaded onto personal devices. 

Learn more about video call configurations for compliance? 

Schedule a free consultation session with one of our Security Experts. Make sure you feel comfortable knowing a solution like Video In Person meets your security requirements. 

    We will only use your details to contact you about potential cooperation both now and in the future. All details about personal data protection can be found in the Privacy Policy.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Nick van Xanten

    Related posts