GDPR Compliance in Video Meetings: What You Need To Know
Choosing a GDPR-compliant video conferencing platform in 2026 means more than ticking a box on a vendor checklist. With cumulative GDPR fines now past €7 billion since 2018 and the European Data Protection Board (EDPB) running a coordinated enforcement action on transparency obligations this year, organisations need video tools that are built for privacy from the ground up, not retrofitted with an "EU region" setting on US cloud infrastructure.
If you're a CTO, compliance officer, or developer evaluating video conferencing for your organisation, this guide breaks down exactly what GDPR requires, what to look for in a provider, and how to avoid the common traps that leave companies exposed.
Table of Contents
- Understanding GDPR in video conferencing
- What makes a video conferencing platform truly GDPR-compliant?
- GDPR requirements for video conference recordings
- Screen sharing and live streaming under GDPR
- How popular video platforms compare on GDPR compliance
- How Digital Samba ensures GDPR compliance by design
- GDPR video conferencing checklist for 2026
- Frequently asked questions
GDPR
GDPR, a comprehensive framework enacted by the European Union (EU), is designed to protect the privacy and personal information of individuals.
What does GDPR mean for video conferencing in 2026?
The General Data Protection Regulation (GDPR) has been in force since May 2018, but enforcement is getting sharper every year. Let's look at why this matters specifically for video conferencing right now.
Video calls process a surprisingly large amount of personal data. Names, email addresses, IP addresses, facial images, voice recordings, chat messages, shared documents – all of this falls under GDPR's scope. And it's not just about hackers or data breaches. A misrouted meeting invite, an accidental recording, or an unauthorised participant can all trigger compliance obligations.
Here's what's changed recently:
- Fines are accelerating. Total GDPR penalties have surpassed €7 billion across more than 2,500 documented cases since 2018, according to the DLA Piper GDPR Fines Survey. In 2025 alone, regulators imposed approximately €1.2 billion in fines, matching the previous year and confirming that enforcement shows no signs of slowing down.
- Transparency is the 2026 focus. The EDPB selected transparency and information obligations (Articles 12–14) as the focus of its 2026 Coordinated Enforcement Framework, with 25 Data Protection Authorities participating across Europe. If your video platform can't clearly explain what data it collects and why, you're in the spotlight.
- The EU AI Act adds new layers. Video conferencing platforms increasingly use AI features – noise cancellation, background blur, transcription, and smart summaries. The EU AI Act, which entered into force in August 2024 and is phasing in through 2026 and 2027, creates additional obligations for platforms that deploy AI to process personal data. Where those features feed into decisions about individuals (for example, screening or scoring participants from a transcript), GDPR's rules on automated decision-making (Article 22) apply as well.
- Cross-border transfers remain risky. The EU-US Data Privacy Framework (DPF), effective since July 2023, provides a mechanism for transatlantic data transfers. But concerns persist about conflicts between US surveillance laws (FISA Section 702) and GDPR requirements. The European Commission's Digital Omnibus proposal, announced in late 2025, aims to simplify parts of GDPR and ePrivacy – but the outcome isn't settled yet.
The key GDPR articles that apply to video conferencing are:
- Article 5 – Data must be processed lawfully, fairly, and transparently, collected for specific purposes, limited to what is necessary, and kept only as long as necessary.
- Article 25 – Data protection by design and by default. Your video platform must implement data protection measures from the ground up, and the most privacy-protective settings must be the defaults, not an afterthought.
- Article 28 – If your video provider processes data on your behalf, you need a Data Processing Agreement (DPA) in place that sets out what the processor may do with the data, which sub-processors it uses, and what security obligations it carries.
- Article 32 – Appropriate technical and organisational security measures are required. The article names pseudonymisation and encryption explicitly; this is where encryption, access controls, and secure storage come in.
- Articles 44–49 – Rules governing international data transfers. If your video data leaves the EU, you need a lawful transfer mechanism: an adequacy decision (such as the EU-US Data Privacy Framework), Standard Contractual Clauses backed by a transfer impact assessment, or Binding Corporate Rules.
What makes a video conferencing platform truly GDPR-compliant?
This is where things get interesting – and where many organisations get tripped up. A vendor saying "we're GDPR-compliant" isn't enough. Here's what to actually look for.
Data hosting location matters more than you think
There's a crucial difference between "hosted in the EU" and "hosted on EU infrastructure owned by a European company." Many providers offer an "EU region" option on Amazon Web Services, Google Cloud, or Microsoft Azure. The data physically sits in an EU data centre, sure. But the company that owns and operates those servers is a US corporation, subject to the US CLOUD Act.
The CLOUD Act lets US law enforcement, with a warrant or similar legal process, compel providers subject to US jurisdiction to produce data in their possession, custody or control, regardless of where it is stored. So even if your video call data sits in Frankfurt, a US-owned infrastructure provider could be ordered to hand it over under US law. The same reasoning applies to a US-headquartered video vendor that merely rents EU data centre space.
Genuinely GDPR-compliant hosting means EU-owned infrastructure, operated by European companies, fully within EU legal jurisdiction. The practical check is to ask which legal entity operates the servers and who holds the encryption keys, not just which city the racks are in.
End-to-end encryption vs. transport encryption
Not all encryption is created equal. Most video conferencing providers offer transport encryption: TLS for signalling and chat, and DTLS-SRTP for WebRTC media. That protects each hop between your device and the provider's servers, and it's a necessary baseline. But the provider's media server decrypts every stream in order to route it to the other participants, so the provider (its employees, a compromised server, or an authority that compels it) can access the content.
End-to-end encryption (E2EE) is a much stronger standard. With E2EE, media is encrypted on the sender's device with keys shared only among the participants, and the provider's servers forward it as opaque data they cannot decrypt. Not the provider, not their employees, not anyone who gains access to the servers. The trade-off is that server-side features which need the content (cloud recording, live transcription, phone dial-in) either stop working in E2EE mode or require the keys, which breaks the guarantee. For organisations handling sensitive data – healthcare, legal, financial – E2EE isn't optional. It's essential.
When evaluating a platform, ask specifically: "Is your encryption end-to-end, or just transport-level?" Then ask how participant keys are exchanged, whether the provider can ever obtain them, and which features are unavailable in E2EE mode. The answers tell you a lot about how seriously a provider takes privacy.
Data minimisation and no-tracking policies
GDPR's data minimisation principle (Article 5(1)(c)) requires that you collect only the personal data that's strictly necessary. In a video conferencing context, this means asking: does the platform track user behaviour? Does it collect analytics about meeting habits? Does it retain metadata after the call ends?
Some platforms monetise usage data or use it for product improvement without clear consent. A truly privacy-first platform collects only what's needed to deliver the service – and nothing more.
Consent management and user rights
Your video platform needs to support the rights GDPR gives to individuals:
- Right to be informed (Articles 13–14) – Participants should know what data is being collected, by whom and why, before a call begins.
- Right to access (Article 15) – Data subjects can request a copy of their personal data.
- Right to rectification (Article 16) – Inaccurate personal data must be corrected on request.
- Right to erasure (Article 17) – The famous "right to be forgotten." If a participant asks you to delete their data, your platform needs to make that possible.
- Right to object (Article 21) – Users can object to certain types of data processing, including recordings.
This means your platform should have clear consent flows, easy data export, and straightforward correction and deletion processes, and you should know how long each of them takes, since you must normally respond to a request within one month.
GDPR requirements for video conference recordings
This is one of the areas where organisations most commonly slip up. Recording a video conference creates a persistent record of personal data – faces, voices, names, and potentially sensitive discussions.
Before you hit record
You need a lawful basis for recording. In most cases this means consent from every participant before the recording starts. Consent must be freely given, specific, informed and demonstrable (Article 7), so log who consented and when rather than assuming it. A consent prompt in the meeting lobby or a verbal acknowledgement at the beginning of the call (captured in the recording itself or in the minutes) can work, but it needs to be genuine consent, not a buried "by joining, you agree" clause. Where consent would not be freely given (for example, an employer recording a staff meeting), you need a different lawful basis, such as a documented legitimate interest.
Participants who don't consent should have the option to leave the meeting or participate without being recorded, where technically feasible.
Storing recordings securely
Once you've recorded a meeting, GDPR Articles 5 and 32 kick in with full force:
- Access control – Only authorised personnel should be able to view recordings. This typically means the meeting organiser and designated roles like the Data Protection Officer. Don't store recordings in shared drives where anyone can stumble across them.
- Encryption at rest – Recordings should be encrypted in storage, not just during transmission.
- EU data residency – Recordings should be stored within the EU, on infrastructure that's subject to EU law.
- Retention policies – Don't keep recordings forever. Define how long you need them, and delete them automatically when that period expires. GDPR requires that personal data not be kept longer than necessary.
- Audit trails – Maintain logs of who accessed a recording and when. If a regulator asks, you need to demonstrate accountability.
Handling deletion requests
If a participant exercises their right to erasure under Article 17, you need to be able to act on it. This can get complicated with recordings: deleting one person from a group recording isn't straightforward. Some platforms offer redaction tools that can remove a specific individual from a recording. If yours doesn't, you may need to delete the entire recording. The right isn't absolute (Article 17(3)): if you must keep the recording to meet a legal obligation or to defend a legal claim, document that reason and tell the requester.
The bottom line: think carefully before you record. Only record when there's a genuine business need, inform everyone, and have a clear retention and deletion process.
Screen sharing and live streaming under GDPR
Screen sharing introduces a specific risk that's easy to overlook: inadvertent data exposure. A notification pops up from a personal app, an open browser tab reveals confidential information, or a document preview shows client names. All of this can constitute a personal data disclosure under GDPR.
Best practices for screen sharing:
- Close unnecessary applications and browser tabs before sharing your screen.
- Use the "share a specific window" option rather than sharing your entire desktop.
- Disable notification pop-ups during the meeting.
- If recording while screen sharing, be extra cautious – everything on screen becomes part of the recording.
Live streaming adds another dimension. Unlike a private video call, a live stream reaches a broader audience, potentially outside the EU. If you're streaming an event that includes personal data (participant names, Q&A interactions, chat messages), you need to ensure GDPR compliance for every viewer. This includes clear notices about what data is being processed and, where applicable, consent mechanisms for participants who appear on stream.
How popular video platforms compare on GDPR compliance
Let's look at the reality of GDPR compliance across widely used video conferencing platforms. This isn't about bashing competitors – it's about helping you make an informed decision.
Zoom
Zoom has significantly improved its security since the "Zoombombing" incidents of 2020. It now offers end-to-end encryption (as an option that must be enabled), EU data residency for paid plans, and a Data Processing Agreement. However, Zoom is a US company, and its infrastructure relies on US cloud providers. For organisations in regulated industries, this creates a residual risk around the CLOUD Act and FISA Section 702.
Microsoft Teams
Teams is deeply integrated into the Microsoft 365 ecosystem, which is convenient but comes with baggage. In 2022, Germany's Data Protection Conference (DSK) concluded that proof of GDPR-compliant use of Microsoft 365 could not be provided, citing insufficient transparency around how Microsoft processes personal data for its own purposes. Microsoft has since taken steps to address concerns, including EU data boundary commitments and updates to its data processing addendum, but it remains a US company processing vast amounts of data globally. Microsoft disputed the DSK's findings at the time.
Google Meet
Google Meet encrypts data in transit and at rest, and Google offers a DPA for Workspace customers. However, Google's business model is fundamentally built around data. While Google states it doesn't use Workspace data for advertising, the company's overall data practices face ongoing regulatory scrutiny in Europe.
Jitsi Meet
An open-source option that can be self-hosted, which gives you full control over data. German data protection authorities have recommended Jitsi as a GDPR-compliant option. The trade-off: you're responsible for hosting, maintenance, and security – which requires significant technical expertise.
Digital Samba
Digital Samba is built and hosted entirely in Europe, on genuinely EU-owned infrastructure – no US hyperscaler dependencies. With true end-to-end encryption, anonymised user IDs, token-based security, and a strict no-tracking policy, it's designed for GDPR compliance by default, not as a configuration option. More on this below.
How Digital Samba ensures GDPR compliance by design
We should be transparent about who we are and why we built Digital Samba the way we did.
Digital Samba is a European video conferencing platform founded in 2003 in Barcelona. We've been focused exclusively on video conferencing for over 20 years – since before Zoom or Teams existed. We're bootstrapped (no venture capital, no investors pushing for aggressive data monetisation).
Here's what makes our approach to GDPR compliance different:
Genuinely European hosting
We don't use "EU region" options from US cloud giants. Our infrastructure runs on servers owned and operated by European companies, within the EU. Your data stays under EU legal jurisdiction – full stop. No CLOUD Act exposure, no legal grey areas around transatlantic data access.
End-to-end encryption that actually works
Our E2EE implementation means that only the meeting participants can access the content of their calls. We can't see it. Our engineers can't access it. Nobody can – except the people in the room. This is particularly important for organisations in healthcare, legal services, financial services, and public sector contexts where confidentiality isn't just preferred, it's required by law.
No tracking, no data monetisation
We don't track your users. We only store data that you choose to upload or share (like presentation files), and that data stays private and under your control. We don't analyse it, monetise it, or use it for any purpose beyond delivering your meeting. When you delete a room, all associated data is permanently deleted.
Privacy-first architecture
Our platform includes anonymised user IDs (minimising personal data exposure), token-based authentication (preventing unauthorised access), SOC 1-aligned security processes, and role-based access controls for recordings and room management. These aren't premium add-ons – they're built into every tier of the product.
A track record you can rely on
We've been building video conferencing technology for over two decades. We've outlasted multiple generations of competitors, weathered the COVID surge without compromising on privacy, and maintained our infrastructure independently. When you choose a vendor for a critical service like video conferencing, stability matters. We're not going anywhere.
Choose Digital Samba for GDPR-compliant video conferencing integration. Your data's safety is our priority. Sign up for free or schedule a demo with us today!
GDPR video conferencing checklist for 2026
Use this checklist when evaluating your current video conferencing setup or choosing a new provider:
Platform selection:
- Does the platform host data within the EU on EU-owned infrastructure?
- Does it offer true end-to-end encryption (not just transport encryption)?
- Is a Data Processing Agreement (DPA) available and up to date?
- Does the provider have a clear, transparent privacy policy?
- Is the platform privacy by design – or are privacy features optional add-ons?
Consent and rights:
- Can you inform participants about data processing before meetings begin?
- Does the platform support consent mechanisms for recordings?
- Can participants exercise their right to access, correct, or delete their data?
- Can you honour erasure requests for recordings?
Security and recordings:
- Are recordings encrypted at rest and in transit?
- Is access to recordings restricted by role-based permissions?
- Do you have defined retention policies for recordings?
- Are audit trails maintained for recording access?
Organisational measures:
- Have you trained employees on GDPR obligations during video calls?
- Do you include privacy policy links in meeting invitations?
- Do you regularly review your video conferencing setup for compliance?
- Have you documented your lawful basis for processing video call data?
Frequently asked questions
Does GDPR apply to video conferencing?
Yes. Any video conferencing session that processes personal data falls under GDPR if your organisation is established in the EU, or if you offer services to, or monitor the behaviour of, people in the EU (Article 3). That data includes names, email addresses, IP addresses, facial images, voice recordings, chat messages, and shared files. It doesn't matter where your company is based.
What are the GDPR requirements for recording video meetings?
In most cases you need consent from all participants before recording, and you must be able to demonstrate it. Recordings must be stored securely with restricted access, encrypted at rest, and kept only as long as necessary. Participants have the right to request access to or deletion of their recorded data. You should also maintain audit trails showing who accessed recordings and when.
Is Zoom GDPR-compliant?
Zoom offers GDPR compliance features, including a DPA, optional end-to-end encryption, and EU data residency for paid plans. However, as a US company, Zoom is subject to US laws like the CLOUD Act, which may conflict with GDPR requirements. For organisations in regulated industries or those handling particularly sensitive data, this creates a residual compliance risk that should be carefully assessed.
What security measures does GDPR require for video conferencing?
GDPR Article 32 requires "appropriate technical and organisational measures"; it names encryption and pseudonymisation explicitly but does not prescribe a particular technology. For video conferencing, this typically means end-to-end encryption, secure authentication, access controls (waiting rooms, meeting passwords), encrypted storage for recordings, EU data residency, and regular security audits. The platform should implement privacy by design, meaning these protections are built in by default, not optional settings.
Does GDPR apply to live streaming?
Yes. If a live stream captures or processes personal data (participant names, faces, voices, chat interactions), GDPR applies. This is particularly important because live streams typically reach a wider audience. You need to inform participants that the session will be streamed, obtain consent where required, and ensure that your streaming setup complies with the data transfer rules in Articles 44–49 if viewers or the streaming infrastructure are outside the EU.
Does GDPR apply to video messages?
Video messages containing personal data are subject to the same GDPR principles as live video calls. Ensure that messages are encrypted in transit and at rest, that access is restricted to authorised recipients, and that you have a process for deleting messages upon request. Choose a platform that minimises data collection and doesn't retain video message content longer than necessary.
Ready to switch to genuinely GDPR-compliant video conferencing? Sign up for free and get 10,000 participation minutes, or schedule a demo with our team to see how Digital Samba can work for your organisation.