GDPR Articles 24, 25, 28, 29, 30, 32, and 35 make for a good read, but a natural question follows: how many readers have actually understood where these articles lead, rather than naively assuming there is not much beyond easily met legal contractual requirements and technical requirements that are already in place? Luckily, or unfortunately for the naive enterprises and C-levels, there is much more to read between the lines than what is stated in those articles. One hint: accountability, and knowing what you're doing.
This past 23rd October, the German Data Protection Conference ('DSK') issued guidance on something companies are using a lot in these times of COVID-19 lockdowns and travel restrictions: video conferences. The problem is that they were common before too, and naïveté suggests it is just business as usual.
The GDPR is very keen, among other things, on the legal basis for processing, the obligations of data controllers, and the application of adequate technical and organisational requirements. What are those?
In general, there are three possible options when operating a video conferencing system: the use of an online service in SaaS mode; the use of a platform operated by an external IT provider; and the operation of a video conferencing system by the data controller itself, on-premises.
It is worth noting that, for video conferencing, the above GDPR Articles must be fulfilled. Per se, video conferencing is personal data processing, all the more so when recordings are made and later access to them is provided. This means you had better list the activities under the Article 30 obligations, and not forget to comply with Article 35 either, by conducting a DPIA.
A platform operated by an external IT provider, for example, makes that provider a Processor, and the requirement to establish a processing contract under Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') must be fulfilled.
Among the responsibilities of employers (Controllers) when using a video conferencing system, although collective agreements may be used to regulate the processing of employee data, there is the requirement of explicit consent for the processing of sensitive personal data, which must happen in accordance with the GDPR and national law, and the rights of individuals (correction, deletion, objection, etc.) must be ensured at all times.
Moreover, the DSK guidance includes recommendations on making participants aware of their data subject rights and having a system in place to honour them, on the obligation to report data breaches, and on carrying out a Data Protection Impact Assessment, which is NOT your data privacy risk assessment for your enterprise/company.