Choosing a GDPR-compliant video conferencing platform in 2026 means more than ticking a box on a vendor checklist. With GDPR fines exceeding €6.2 billion since 2018 and the European Data Protection Board (EDPB) launching a coordinated enforcement action on transparency obligations this year, organisations need video tools that are built for privacy from the ground up – not retrofitted with an "EU region" setting on US cloud infrastructure.
If you're a CTO, compliance officer, or developer evaluating video conferencing for your organisation, this guide breaks down exactly what GDPR requires, what to look for in a provider, and how to avoid the common traps that leave companies exposed.
The General Data Protection Regulation (GDPR) has been in force since May 2018, but enforcement is getting sharper every year. Let's look at why this matters specifically for video conferencing right now.
Video calls process a surprisingly large amount of personal data. Names, email addresses, IP addresses, facial images, voice recordings, chat messages, shared documents: all of this falls under GDPR's scope. And it's not just about hackers or large-scale breaches. A misrouted meeting invite, an accidental recording, or an uninvited participant who gets into a call are each an unauthorised disclosure of, or access to, personal data, which is how Article 4(12) defines a personal data breach, with the notification and documentation obligations that follow from it.
Here's what's changed recently:
The key GDPR articles that apply to video conferencing are:
This is where things get interesting – and where many organisations get tripped up. A vendor saying "we're GDPR-compliant" isn't enough. Here's what to actually look for.
There's a crucial difference between "hosted in the EU" and "hosted on EU infrastructure owned and operated by a European company." Many providers offer an "EU region" option on Amazon Web Services, Google Cloud, or Microsoft Azure. The data physically sits in an EU data centre, sure. But the company that owns and operates those servers is a US corporation, and it is subject to the US CLOUD Act.
The CLOUD Act lets US authorities compel a provider that is subject to US jurisdiction to produce data in its possession, custody or control regardless of where that data is stored. So even if your video call data sits in Frankfurt, if the infrastructure provider is American, that data can be within reach of a US order, and the provider may be barred from telling you about it.
What matters, therefore, is legal jurisdiction over the operator, not the location of the rack. Genuinely GDPR-compliant hosting means EU-owned infrastructure, operated by European companies, fully within EU legal jurisdiction. Two checks a practitioner should make: ask for the full sub-processor list (a European vendor that silently runs on a US hyperscaler is back to square one), and check the corporate structure, since a European company with a US subsidiary or significant US operations can itself be argued to be subject to US jurisdiction.
Not all encryption is created equal. Most video conferencing providers offer transport encryption: TLS for signalling and chat, DTLS-SRTP for audio and video. This protects data in transit between your device and the provider's servers, but the encrypted session terminates at the provider's media server, which then holds the keys. That's a good baseline, but it means the provider (or anyone who compromises or compels the provider) can access the content on those servers.
End-to-end encryption (E2EE) is a much stronger standard. With E2EE, the media is additionally encrypted with a key that only the meeting participants hold, so the server forwards ciphertext it cannot read. Not the provider, not their employees, not anyone who gains access to the servers. Two caveats a practitioner should keep in mind. First, E2EE protects content, not metadata: the server still sees who joined which meeting, when, from which IP address, and how much data flowed. Second, E2EE usually rules out server-side features that need the plaintext, such as cloud recording, live transcription or telephone dial-in, so check which features silently switch it off. GDPR Article 32 does not name E2EE; it requires measures appropriate to the risk. For organisations handling sensitive data (healthcare, legal, financial), it is hard to argue that anything less is appropriate.
When evaluating a platform, ask specifically: "Is your encryption end-to-end, or does it terminate on your media servers? Which features disable E2EE when enabled, and is it on by default or opt-in?" The answer tells you a lot about how seriously a provider takes privacy.
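To make the distinction above concrete, here is an added Python model (not code from Digital Samba or any vendor) of one media frame travelling from Alice to Bob through a provider's relay. The participant names, the message and the `Relay` class are assumptions for the illustration, and the cipher is a demo stand-in (HMAC-SHA256 in counter mode plus an HMAC tag) for what a real system would do with AES-GCM or SFrame. In transport-only mode the relay terminates the encrypted hop and handles the plaintext; in E2EE mode it forwards an inner ciphertext sealed with a group key it was never given. In both modes it still records who sent what and when, which is the metadata caveat.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 16


def _derive(key: bytes, label: bytes) -> bytes:
    """Split one 32-byte key into independent encryption and MAC subkeys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a keystream (demo stand-in for AES-GCM)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(12)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. Raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ciphertext, tag = blob[:12], blob[12:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Relay:
    """The provider's media server (hypothetical). Every participant's transport
    session (TLS / DTLS-SRTP) terminates here, so it holds the per-participant
    transport keys in both modes. `seen` is what an insider, an attacker on the
    server, or a compelled disclosure would obtain."""

    def __init__(self, transport_keys: dict[str, bytes]):
        self.transport_keys = transport_keys
        self.seen: list[tuple[str, bytes]] = []

    def forward(self, sender: str, recipient: str, frame: bytes) -> bytes:
        inner = open_sealed(self.transport_keys[sender], frame)  # transport hop ends here
        self.seen.append((sender, inner))  # metadata (who) plus whatever the inner payload is
        return seal(self.transport_keys[recipient], inner)  # re-seal for the next hop


def run_call(e2ee: bool, message: bytes = b"constructed sample: patient 4711, MRI findings") -> tuple[bytes, bool]:
    """Alice sends one frame to Bob via the relay.
    Returns (what Bob decodes, whether the relay ever handled the plaintext)."""
    transport_keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    relay = Relay(transport_keys)
    # In E2EE mode the participants agree this key among themselves (e.g. via SFrame/MLS);
    # the relay is never given it.
    group_key = secrets.token_bytes(32)

    payload = seal(group_key, message) if e2ee else message
    frame = seal(transport_keys["alice"], payload)
    delivered = relay.forward("alice", "bob", frame)
    received = open_sealed(transport_keys["bob"], delivered)
    if e2ee:
        received = open_sealed(group_key, received)

    relay_saw_plaintext = any(message in inner for _, inner in relay.seen)
    return received, relay_saw_plaintext


if __name__ == "__main__":
    for mode in (False, True):
        got, leaked = run_call(e2ee=mode)
        print(f"e2ee={mode}: Bob received {got!r}; relay saw plaintext: {leaked}")
```

Running it shows Bob receives the same content in both modes, but only in E2EE mode does `relay.seen` hold nothing but ciphertext. Note what it still holds: the sender identity and the payload size for every frame, which is why E2EE alone does not settle the data-minimisation and metadata questions discussed below.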
GDPR's data minimisation principle (Article 5(1)(c)) requires that you collect only the personal data that's strictly necessary. In a video conferencing context, this means asking: does the platform track user behaviour? Does it collect analytics about meeting habits? Does it retain metadata after the call ends?
Some platforms monetise usage data or use it for product improvement without clear consent. A truly privacy-first platform collects only what's needed to deliver the service – and nothing more.
Your video platform needs to support the rights GDPR gives to individuals:
This means your platform should have clear consent flows, easy data export, and straightforward deletion processes.
This is one of the areas where organisations most commonly slip up. Recording a video conference creates a persistent record of personal data – faces, voices, names, and potentially sensitive discussions.
You need a lawful basis for recording. In most cases this means getting consent from every participant before the recording starts. A consent checkbox in the meeting lobby or a verbal acknowledgement at the beginning of the call can work, but it must meet Article 7: freely given, specific, informed and as easy to withdraw as it was to give, not a buried "by joining, you agree" clause. Be careful in employer-employee or other unequal settings, where regulators take the view that consent is rarely freely given; there you will likely need a different lawful basis and, for routine recording, a data protection impact assessment.
Participants who don't consent should have the option to leave the meeting or participate without being recorded, where technically feasible.
Once you've recorded a meeting, GDPR Articles 5 and 32 kick in with full force:
If a participant exercises their right to erasure under Article 17, you need to be able to act on it. This can get complicated with recordings: deleting one person from a group recording isn't straightforward. Some platforms offer redaction tools that can remove a specific individual from a recording. If yours doesn't, you may need to delete the entire recording. The right is not absolute, though: Article 17(3) lets you keep a recording you are legally obliged to retain or that you need for legal claims, and you should document that reasoning when you rely on it.
The bottom line: think carefully before you record. Only record when there's a genuine business need, inform everyone, and have a clear retention and deletion process.
Screen sharing introduces a specific risk that's easy to overlook: inadvertent data exposure. A notification pops up from a personal app, an open browser tab reveals confidential information, or a document preview shows client names. All of this can constitute a personal data disclosure under GDPR.
Best practices for screen sharing:
Live streaming adds another dimension. Unlike a private video call, a live stream reaches a broader audience, potentially outside the EU. Your GDPR obligations as controller do not shrink with the audience's geography, and they run in both directions: the people who appear on stream (speakers, Q&A participants, anyone whose name shows in chat) need clear notices about what is being processed and, where applicable, a consent mechanism, and the viewers themselves are data subjects whose registration details, chat messages and viewing metadata you are processing too.
Let's look at the reality of GDPR compliance across widely used video conferencing platforms. This isn't about bashing competitors – it's about helping you make an informed decision.
Zoom has significantly improved its security since the "Zoombombing" incidents of 2020. It now offers end-to-end encryption, although as an option that must be enabled and that disables server-side features such as cloud recording and live transcription, plus EU data residency for paid plans and a Data Processing Agreement. However, Zoom is a US company, and its infrastructure relies on US cloud providers. For organisations in regulated industries, this leaves a residual risk around the CLOUD Act and FISA Section 702.
Teams is deeply integrated into the Microsoft 365 ecosystem, which is convenient but comes with baggage. In 2022, Germany's Data Protection Conference (DSK) concluded that proof of GDPR-compliant use of Microsoft 365 could not be provided, citing insufficient transparency around how Microsoft processes personal data for its own purposes; Microsoft disputed the findings at the time. Microsoft has since taken steps to address the concerns, including EU Data Boundary commitments and updates to its data processing addendum, but it remains a US company processing vast amounts of data globally.
Google Meet encrypts data in transit and at rest, and Google offers a DPA for Workspace customers. However, Google's business model is fundamentally built around data. While Google states it doesn't use Workspace data for advertising, the company's overall data practices face ongoing regulatory scrutiny in Europe.
Jitsi Meet is an open-source option that can be self-hosted, which gives you full control over data. German data protection authorities have recommended it as a GDPR-compliant option. The trade-off: you become responsible for hosting, patching, monitoring and the Article 32 security measures yourself, which requires significant technical expertise and ongoing effort.
Digital Samba is built and hosted entirely in Europe, on genuinely EU-owned infrastructure – no US hyperscaler dependencies. With true end-to-end encryption, anonymised user IDs, token-based security, and a strict no-tracking policy, it's designed for GDPR compliance by default, not as a configuration option. More on this below.
We should be transparent about who we are and why we built Digital Samba the way we did.
Digital Samba is a European video conferencing platform founded in 2003 in Barcelona. We've been focused exclusively on video conferencing for over 20 years – since before Zoom or Teams existed. We're bootstrapped (no venture capital, no investors pushing for aggressive data monetisation).
Here's what makes our approach to GDPR compliance different:
We don't use "EU region" options from US cloud giants. Our infrastructure runs on servers owned and operated by European companies, within the EU. Your data stays under EU legal jurisdiction – full stop. No CLOUD Act exposure, no legal grey areas around transatlantic data access.
Our E2EE implementation means that only the meeting participants can access the content of their calls. We can't see it. Our engineers can't access it. Nobody can – except the people in the room. This is particularly important for organisations in healthcare, legal services, financial services, and public sector contexts where confidentiality isn't just preferred, it's required by law.
We don't track your users. We only store data that you choose to upload or share (like presentation files), and that data stays private and under your control. We don't analyse it, monetise it, or use it for any purpose beyond delivering your meeting. When you delete a room, all associated data is permanently deleted.
Our platform includes anonymised user IDs (minimising personal data exposure), token-based authentication (preventing unauthorised access), SOC 1-aligned security processes, and role-based access controls for recordings and room management. These aren't premium add-ons – they're built into every tier of the product.
We've been building video conferencing technology for over two decades. We've outlasted multiple generations of competitors, weathered the COVID surge without compromising on privacy, and maintained our infrastructure independently. When you choose a vendor for a critical service like video conferencing, stability matters. We're not going anywhere.
Choose Digital Samba for GDPR-compliant video conferencing integration. Your data's safety is our priority. Sign up for free or schedule a demo with us today!
Use this checklist when evaluating your current video conferencing setup or choosing a new provider:
Platform selection:
Consent and rights:
Security and recordings:
Organisational measures:
Ready to switch to genuinely GDPR-compliant video conferencing? Sign up for free and get 10,000 participation minutes, or schedule a demo with our team to see how Digital Samba can work for your organisation.