Zoom and the European Union’s General Data Protection Regulation (GDPR)
Updated: May 3, 2023
Zoom’s mission is to deliver happiness through frictionless video communications, and we understand that such happiness requires privacy and security. That’s why we strive to protect and secure our customers’ communications to the highest levels, such as the data privacy obligations in the European Economic Area (“EEA”) – primarily the General Data Protection Regulation (the “GDPR”).
Zoom applauds the GDPR as an opportunity to build a stronger data protection foundation for the benefit of all. Zoom acknowledges that our customers (data controllers) need to ensure that Zoom (the data processor) implements technical and organizational measures in a manner that aligns with the GDPR’s compliance obligations. Zoom is here to help and support our customers in their role as data controllers.
The following key facts reflect Zoom’s commitment to data protection practices.
Contractual GDPR commitments for all Zoom customers
The GDPR requires that data controllers (such as organizations and developers using Zoom’s services) only use data processors (such as Zoom) that process personal data on the data controller’s behalf and provide adequate guarantees to meet specific requirements of the GDPR. Zoom provides these commitments to all our customers by incorporating Zoom’s Data Processing Addendum into the Zoom Terms of Service.
Zoom’s contractual commitments relevant to the GDPR:
- Zoom strives to be transparent and commits to using personal data only as stated in our agreement about delivering our services or as otherwise instructed by our customers.
- Zoom maintains appropriate technical and organizational security measures to protect the personal data we process.
- Zoom assists customers in fulfilling their obligations when data subjects exercise the rights attached to the personal data processed using our services (such as requests for information, access, rectification, and deletion).
International data transfer support
In July 2020, the Court of Justice of the European Union (the “CJEU”) ruled on case C-311/18 (commonly referred to as the “Schrems II decision”) concerning the validity of data transfers outside the EEA. The Schrems II decision stemmed from a complaint made by an Austrian data subject, Maximillian Schrems, concerning transfers of his personal data to the United States and the potential for U.S. governmental agencies to access his data.
In the Schrems II decision, the CJEU held that the EU-U.S. Privacy Shield framework no longer provided a lawful means to transfer personal data from the EEA to the United States.
But importantly, the CJEU also held that the European Commission’s Standard Contractual Clauses (or “SCCs”) — which form the basis of Zoom’s international transfers — remain a lawful mechanism for transferring personal data from the EEA to non-EEA countries.
Following this decision, the European Commission published new SCCs in June 2021. Zoom has incorporated the new SCCs into applicable agreements following the transition periods specified by the European Commission (i.e., by 27 September 2021 for new contracts and by 27 December 2022 for existing contracts). Please see our Customer FAQs on the new SCCs for further information.
New requirement: “Know-Your-Transfer”
The Schrems II decision also introduced a new requirement. Before transferring personal data to a country outside the EEA not considered as ensuring an adequate level of protection, data exporters must assess whether the SCCs adequately ensure that the personal data remains protected in the recipient country to a degree “essentially equivalent” with EU data protection rules.
In other words, before relying on the SCCs, the data exporter and data importer are now expected to assess whether the laws and practices in the country receiving the data may undermine the level of protection otherwise provided. To support our customers with this assessment, we’ve prepared Data Transfer Impact Assessments for the following products:
Zoom Meetings/Webinar/Chat Data Transfer Impact Assessment
Zoom Phone Data Transfer Impact Assessment
Zoom Contact Center Data Transfer Impact Assessment
Strong specific measures to ensure European data protection
Zoom is committed to maintaining a high level of security:
- Zoom leverages a range of encryption technologies to protect data in transit and at rest.
- Zoom utilizes security measures to support the ongoing confidentiality, integrity, availability, and resilience of our processing systems and services.
- Zoom takes measures to facilitate the restoration of availability and access to our processing systems and services promptly in the event of a physical or technical incident.
- Zoom implements a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to support the security of the data we process.
Specifically, the security measures Zoom uses to enable the security of communications sent over and stored on Zoom’s platform include the following:
- Optional End-to-End Encryption for Meetings: Users may choose to enable end-to-end encryption for Zoom Meetings. This provides a high level of security since no third party — including Zoom — has access to the meeting’s private keys.
- Default Encryption: The connection between a given device and Zoom is encrypted by default, using a mixture of TLS 1.2+ (Transport Layer Security), Advanced Encryption Standard 256-bit AES GCM encryption, and SRTP (Secure Real-time Transport Protocol). The precise methods used depend on whether a user leverages the Zoom client, a web browser, a third-party device or service, or the Zoom Phone product. For further information, please see our encryption whitepaper.
- Protections against unauthorized meeting participants: Zoom has implemented numerous safeguards and controls to prohibit unauthorized participants from joining meetings:
- Eleven digit unique meeting IDs
- Complex passwords
- Waiting Rooms with the ability to automatically admit participants from your domain name or another selected domain
- Lock Meeting feature that can prevent anyone from joining the meeting
- Ability to remove participants
- Authentication profiles that only allow entry to registered users, or restrict to specific email domains
- At-Risk Meeting Notifier tool can scan posts on public social media sites and other public online resources for Zoom Meeting links
- Selective meeting invitations: The host can selectively invite participants via email, IM, or SMS. This provides greater control over the distribution of the meeting access information. The host can also create the meeting to only allow members from a certain email domain to join.
- In-meeting security: During the meeting, Zoom delivers real-time, rich-media content securely to each participant within a Zoom Meeting. All content shared with the participants in a meeting is only a representation of the original data. This content is encoded and optimized for sharing using a secured implementation.
- Host controls: Meeting host controls can enable/disable participants from content sharing, chat, and renaming themselves.
- Reporting: Report a user feature enables the meeting host to flag problematic behavior.
- In-product security controls: Security controls with a dedicated Security icon on the main interface.
- Role-based user security: The following pre-meeting security capabilities are available to the meeting host:
- Secure log-in using standard username and password or SAML single sign-on
- Start a secured meeting with a passcode
- Schedule a secured meeting with a passcode
- Robocall prevention: Users can prevent robocalling with rate limiting, and reCAPTCHA (requires human intervention) enabled across all platforms.
Choices for data processing and storage
Zoom understands that our customers may wish to have choices about the data centers that process and store certain data.
Data in transit and processing: Zoom routes customer data in transit through its global network of collocated data centers and public cloud data centers (including Amazon Web Services (“AWS”) data centers). The Zoom services are designed to work so that information entering the Zoom ecosystem is routed through the data center nearest the user sending or receiving the data.
Account owners and admins on paid accounts can, at the account, group, or user level, opt in or out of specific Zoom data centers that will be used for the processing of participants’ real-time meeting and webinar video, audio, and shared content during the hosting of meetings and webinars. The data centers in the country supporting the region where an account was provisioned will be locked as an opt-in for processing. Zoom data center choices only apply when an account is hosting a meeting or webinar. When an account hosting a meeting or webinar has opted out of any data center(s), all participants’ real-time meeting and webinar video, audio, and shared content data will only be processed by an opted-in Zoom data center. However, Zoom may route through traffic between data centers using industry standard network routing protocols while traversing Zoom private network connections (i.e., edge-routing). Additional details can be found in this Help Article.
Data storage: Customers may choose the data storage location for some of their Customer Content. Customer Content is information provided by a customer through use of the Zoom service including all data a customer chooses to record or share during a meeting or webinar, including for example cloud recordings, meeting transcripts, chat transcripts (in-meeting & persistent), and files that are exchanged during a meeting or in the persistent chat channel.
Customer Content is stored in the US by default. Customers on paid accounts may choose the storage location for some of their Customer Content for their account. Only Account holders, account administrators, or those with the customer account profile privilege will be able to change this setting. Additional details can be found in this Help Article. Please note that Customer Content, Account Data, and Diagnostic Data are still stored in the U.S.
Strict protocols for responding to governmental requests for information
Zoom is committed to protecting our customers and users’ privacy and only produces user data to governments in response to valid and lawful requests, in accordance with our Government Requests Guide and relevant legal policies.
In all geographic areas:
- Government requests must be issued under applicable laws and regulations and through official channels, including requiring a signed official document or an email request sent from a government entity’s official email address.
- Each request must be explicit, not overly broad, and have a valid legal basis. We will reject or challenge requests that do not meet these requirements.
- We will apply additional scrutiny to certain government requests for user information based on our principles and interest in promoting successful collaboration worldwide.
If a request is too vague, Zoom will challenge the validity of the request to minimize the spectrum of information submitted.
Zoom typically notifies users of governmental requests for information, including a copy of the request received unless we are legally prohibited from notifying the user. Requests for exceptions to user notification must include a description of the exigent circumstances or notification’s potential adverse result.
- Transparency Reports: Zoom published its first report on the number of requests received from U.S. and international authorities in December 2020 (Government Request Transparency Report). We aim for each transparency report to improve on the previous one. Our most recent Transparency Report is available here. Additional Transparency Reports will be made available in the Zoom Trust Center.
- In-Product Notifications: Zoom is continuously updating to integrate feature-specific privacy notifications into the Zoom experience to help users understand, in context, who may be able to see and share the content and information they share on Zoom. For example, if a user wants to know who can see the messages they send in Zoom’s chat feature, they can go to “Who can see your messages?” to see who can access the messages they send to everyone, as well as the private messages they send.
Zoom designs its services with GDPR requirements at the forefront
Zoom is committed to making every effort to build product features that align with GDPR requirements and foster protection of the personal data processed through our services. For more information about our data practices, please see our Privacy Statement, or you can send an email to email@example.com if you have any GDPR-specific questions.