Zoom and the European Union’s General Data Protection Regulation (GDPR)

Updated: August 8, 2024

Zoom’s mission is to deliver happiness through frictionless video communications, and we understand that such happiness requires privacy and security. That’s why we strive to protect and secure our customers’ communications to the highest levels, such as the data privacy obligations in the European Economic Area (“EEA”) – primarily the General Data Protection Regulation (the “GDPR”).

Zoom applauds the GDPR as a  data protection foundation for the benefit of all, not only in Europe. Zoom supports our customers by implementing technical and organizational measures in a manner that aligns with the GDPR’s compliance obligations. Zoom is here to help our customers in their role as data controllers.

The following key facts reflect Zoom’s commitment to data protection practices. 

If you want to learn more about Zoom’s data protection practices please also have a look at Zoom’s Data Protection Impact Assessment (“DPIA”) performed in cooperation with the cooperative of Dutch education and research institutions SURF in this Blog (and the Privacy Company’s DPIA itself). 

Contractual GDPR commitments for all Zoom customers
The GDPR requires that data controllers (such as organizations and developers using Zoom’s services) only use data processors (such as Zoom) that process personal data on the data controller’s behalf and provide adequate guarantees to meet specific requirements of the GDPR. Zoom provides these commitments to all our customers by incorporating Zoom’s Data Processing Addendum into the Zoom Terms of Service.

Zoom’s contractual commitments relevant to the GDPR:

  • Zoom strives to be transparent and commits to using personal data only as stated in our agreement about delivering our services or as otherwise instructed by our customers.
  • Zoom maintains appropriate technical and organizational security measures to protect the personal data we process.
  • Zoom assists customers in fulfilling their obligations when data subjects exercise the rights attached to the personal data processed using our services (such as requests for information, access, rectification, and deletion).

International data transfer safeguards

United States of America

The GDPR contains specific rules for the transfer of personal data to countries outside the European Economic Area (EEA). In principle, personal data may only be transferred to countries outside the EEA if the country has an adequate level of protection. 

The adequacy determines whether a non-EU country's data protection measures are considered adequate to ensure a level of protection equivalent to that provided within the EU. An adequacy decision by the European Commission allows for the free flow of personal data from the EU to the third country without the need for additional safeguards. Since 10 July 2023, there is a new adequacy decision from the European Commission for participants to the EU-US Data Privacy Framework (DPF). Zoom has registered as an active participant

The Data Privacy Framework (DPF) originated as a response to the increasing concerns over data protection and privacy in the digital age. It aims to harmonize and enhance the standards for data protection, especially concerning the transfer of personal data across borders. The importance of the DPF lies in its role in facilitating international commerce and communication while ensuring the protection of individuals' privacy rights. Its relevance extends to various stakeholders, including businesses, regulators, and individuals, by establishing clear guidelines and obligations for data handling. The DPF's applicability is crucial in the context of safe data transfer, as it provides a legal framework that ensures compliance with data protection laws, thereby fostering trust and accountability in cross-border data exchanges. 

Other third countries

Personal data may be transferred from the EEA to third countries outside of the EEA using Standard Contractual Clauses (SCC, also known as EU model clauses) adopted by the European Commission. These SCC contractually ensure a high level of protection. Zoom implemented the new  SCCs in 2021 into Zoom’s standard DPA. Zoom has incorporated the new SCCs into applicable agreements following the transition periods specified by the European Commission. Please see our Customer FAQs on the new SCCs for further information. 

Data Transfer Impact Assessment
In order to help Zoom’s customers comply with additional requirements when relying on the SCC, Zoom offers the below Data Transfer Impact Assessments for various products. In accordance with common best practice, the data exporter and importer are expected to assess whether the laws and practices in the country receiving the data may undermine the level of protection otherwise provided. 

Zoom Meetings/Webinar/Team Chat Data Transfer Impact Assessment
Zoom Phone Data Transfer Impact Assessment
Zoom Contact Center Data Transfer Impact Assessment
Zoom Virtual Agent Data Transfer Impact Assessment

 

Data subject requests (DSAR)
A Data Subject Access Request (DSAR) is a mechanism provided under the General Data Protection Regulation (GDPR) that allows individuals, known as data subjects, to request access to their personal data held by organizations. Also, data subjects can request the correction of inaccurate or incomplete personal data. This ensures that any errors in the data are corrected promptly. Under certain circumstances, individuals have the right to request the deletion of their personal data (commonly referred to as the right to be forgotten). This is a fundamental right under GDPR, emphasizing transparency and control for individuals over their personal data. Zoom offers its customers a self-service tool to exercise these rights simple and easily. You can find out more about this tool on our support website

 

Data storage
Zoom offers European customers on eligible paid accounts the option to use data centers in the European Union (EU). Customers can choose data center regions, plus the automatically determined home region, for the hosting of their real-time meeting and webinar traffic. Customers may also choose to store recordings locally on their own devices or in their local data center. You can find more information on our support page. For such customers Zoom also offers the possibility to have all of their Support Data exclusively processed in the EU. If they wish to offer support outside of regular working hours in the EU, they can give specific case-by-case consent to the transfer of personal data to a helpdesk outside of the EU. 

 

Strong specific measures to ensure European data protection
Zoom is committed to maintaining a high level of security:

  • Zoom leverages a range of encryption technologies to protect customer data in transit and stored data .
  • Zoom utilizes security measures to support the ongoing confidentiality, integrity, availability, and resilience of our processing systems and services.
  • Zoom takes measures to facilitate the restoration of availability and access to our processing systems and services promptly in the event of a physical or technical incident.
  • Zoom implements a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to support the security of the data we process.

Specifically, Zoom employs various security measures to safeguard customer communications transmitted through and stored on its platform. These measures include the following:

  • Optional End-to-End Encryption for Meetings: Users may choose to enable end-to-end encryption for Zoom Meetings. End-to-end Encryption is designed to encrypt data between all meeting participants, so that no provider or system in-between can access the communications, not even Zoom.
  • Default Encryption: The connection between a given device and Zoom is encrypted by default, using a mixture of TLS 1.2+ (Transport Layer Security), Advanced Encryption Standard 256-bit AES GCM encryption, and SRTP (Secure Real-time Transport Protocol). The precise methods used depend on whether a user leverages the Zoom client, a web browser, a third-party device or service, or the Zoom Phone product. For further information, please see our encryption whitepaper.
  • Protections against unauthorized meeting participants: Zoom has implemented numerous safeguards and controls to prohibit unauthorized participants from joining meetings:
    • Eleven digit unique meeting IDs
    • Complex passwords
    • Waiting Rooms with the ability to automatically admit participants from your domain name or another selected domain
    • Lock Meeting feature that can prevent anyone from joining the meeting
    • Ability to remove participants
    • Authentication profiles that only allow entry to registered users, or restrict to specific email domains
    • At-Risk Meeting Notifier tool can scan posts on public social media sites and other public online resources for Zoom Meeting links
  • Selective meeting invitations: The host can selectively invite participants via email, IM, or SMS. This provides greater control over the distribution of the meeting access information. The host can also create the meeting to only allow members from a certain email domain to join.
  • In-meeting security: During the meeting, Zoom delivers real-time, rich-media content securely to each participant within a Zoom Meeting. All content shared with the participants in a meeting is only a representation of the original data. This content is encoded and optimized for sharing using a secured implementation.
  • Host controls: Meeting host controls can enable/disable participants from content sharing, chat, and renaming themselves.
  • Reporting: you can report participants for inappropriate behavior during meetings by selecting which participants you would like to report, include any written details, and add attachments. This report is automatically sent to the Zoom Trust and Safety team to evaluate any misuse of the platform and block a user if necessary.
  • In-product security controls: Security controls with a dedicated Security icon on the main interface.
  • Role-based user security: The following pre-meeting security capabilities are available to the meeting host:
    • Secure log-in using standard username and password or SAML single sign-on
    • Start a secured meeting with a passcode
    • Schedule a secured meeting with a passcode
  • Robocall prevention: Call screening feature to help users reduce unwanted robocalls has been implemented. Account owners and admins can enable the Call Screening feature at the account, site, group, user, common area, auto-receptionist, call queue, and shared line group. This feature is enabled and unlocked by default for the entire account.

 

Choices for data processing and storage
Zoom understands that our customers may wish to have choices about the data centers that process and store certain data.

Data in transit and processing: Zoom routes Meetings customer data in transit through its global network of collocated data centers and public cloud data centers (including Amazon Web Services (“AWS”) data centers). The Zoom Meetings services are designed to work so that information entering the Zoom ecosystem is routed through the data center nearest the user sending or receiving the data.

Account owners and admins on paid accounts can, at the account, group, or user level, opt in or out of specific Zoom data centers that will be used for the processing of participants’ real-time meeting and webinar video, audio, and shared content during the hosting of meetings and webinars. The data centers in the country supporting the region where an account was provisioned will be locked as an opt-in for processing. Zoom data center choices only apply when an account is hosting a meeting or webinar. When an account hosting a meeting or webinar has opted out of any data center(s), all participants’ real-time meeting and webinar video, audio, and shared content data will only be processed by an opted-in Zoom data center. However, Zoom may route through traffic between data centers using industry standard network routing protocols while traversing Zoom private network connections (i.e., edge-routing). Additional details can be found in this Help Article.

Data storage: Customers may choose the data storage location for certain Customer Content. Customer Content is information provided by a customer through use of the Zoom service including all data a customer chooses to record or share during a meeting or webinar, including for example cloud recordings, meeting transcripts, chat transcripts (in-meeting & persistent), and files that are exchanged during a meeting or in the persistent chat channel.

Customer Content is stored in the US by default. Customers on paid accounts may choose the storage location for some of their Customer Content for their account. Only Account holders, account administrators, or those with the customer account profile privilege will be able to change this setting. Additional details can be found in this Help Article. Please note that Customer Content, Account Data, and Diagnostic Data are still stored in the U.S.

 

Strict protocols for responding to governmental requests for information
Zoom is committed to protecting our customers and users’ privacy and only produces user data to governments in response to valid and lawful requests, in accordance with our Government Requests Guide and relevant legal policies.

In all geographic areas:

  • Government requests must be issued under applicable laws and regulations and through official channels, including requiring a signed official document or an email request sent from a government entity’s official email address.
  • Each request must be explicit, not overly broad, and have a valid legal basis. We will reject or challenge requests that do not meet these requirements.
  • We will apply additional scrutiny to certain government requests for user information based on our principles and interest in promoting successful collaboration worldwide.

If a request is too vague, Zoom will challenge the validity of the request to minimize the spectrum of information submitted.

Zoom typically notifies users of governmental requests for information, including a copy of the request received unless we are legally prohibited from notifying the user. Requests for exceptions to user notification must include a description of the exigent circumstances or notification’s potential adverse result.

 

Increased Transparency

  • Transparency Reports: Zoom published its first report on the number of requests received from U.S. and international authorities in December 2020 (Government Request Transparency Report). We aim for each transparency report to improve on the previous one. Our most recent Transparency Report is available here. Additional Transparency Reports will be made available in the Zoom Trust Center.
  • In-Product Notifications: Zoom is continuously updating to integrate feature-specific privacy notifications into the Zoom experience to help users understand, in context, who may be able to see and share the content and information they share on Zoom. For example, if a user wants to know who can see the messages they send in Zoom’s chat feature, they can go to “Who can see your messages?” to see who can access the messages they send to everyone, as well as the private messages they send.

 

Zoom designs its services with GDPR requirements at the forefront
Zoom is committed to making every effort to build product features that align with GDPR requirements and foster protection of the personal data processed through our services. For more information about our data practices, please see our Privacy Statement, or you can send an email to [email protected] if you have any GDPR-specific questions.