Zoom Video Communications: Collaboration with leading Dutch research and education association enhances Zoom’s data privacy protections

Today, we are pleased to announce the release of a Data Protection Impact Assessment (DPIA) on Zoom’s meeting, webinar and chat services published by SURF.

On behalf of its members, SURF negotiates with major software vendors to obtain and assess compliance of their tools with European privacy and security standards and documents its findings in a DPIA. This gives SURF members freedom of choice when purchasing software such as video conferencing tools.

A DPIA published by SURF represents an important benchmark for technology providers – accurately tracking current data protection performance and risk analysis, as well as identifying opportunities for improving practices.

Zoom is grateful to SURF for its cooperation in the preparation of this DPIA. In addition to supporting Zoom’s efforts to continue to improve its approach to data privacy, the DPIA reflects Zoom’s respect for European data protection policies and principles. Zoom is committed to expanding its engagement with European businesses, governments and citizens.

What is a DPIA?

A DPIA is a detailed technical and legal examination of a company’s data collection and use practices to determine compliance with European Union (EU) data protection laws, in particular the General Data Protection Regulation (GDPR). A DPIA analyzes how a business processes personal data, identifies the risks associated with that processing, and provides measures to mitigate those risks.

During the DPIA assessment process, Zoom clarified its data collection and use practices and provided evidence to demonstrate those practices. SURF assessed Zoom’s current capabilities and made recommendations in the DPIA to improve practices, all with the aim of strengthening data protection for European citizens.

Ratings are posted below this ad.

Key actions from the DPIA

SURF and Zoom have agreed to several actions as part of their collaboration on the DPIA. These include:

  • Develop new privacy features:
    • Data localization solutions: EU Zoom customers have privacy concerns regarding the processing of personal data in the United States and prefer that all personal data be processed in the EU. Zoom has committed, in consultation with SURF, to making this largely possible by the end of this year. Any exceptions will be agreed and documented.
    • EU assistance services: Zoom will establish a separate EU support desk by mid-2022 to support EU accounts during EU business hours. If an EU account requires support outside of these hours or has an escalation that requires support outside of the EU, Zoom will only provide such support if the customer explicitly consents, with each support ticket.
    • Data Subject Access Requests (DSARs): Zoom will improve customers’ ability to respond to DSARs with two self-service tools for enterprise and education account administrators.
    • Communication Preference Center: Zoom will develop a marketing preferences self-service tool for all account holders by the end of 2022.
  • Improved transparency and documentation:
    • Privacy sheet: Zoom has improved its public documentation on its processing of personal data with the publication of a privacy sheet that will be regularly updated.
    • Data Transfer Impact Assessment (DTIA) Update: Zoom has produced a new DTIA based on the format created by Swiss lawyer David Rosenthal. The DTIA shows that the risks to the privacy of people using Zoom are negligible.
    • Clarify Zoom roles and responsibilities: Zoom has agreed that it is appropriate to reclassify itself as a processor for all personal data, except for a limited list of situations in which education and enterprise customers (controllers) authorize Zoom to “continue” the processing of certain personal data as an independent data controller. This also applies to personal data that Zoom collects through its publicly accessible website.
  • Improved Zoom data protection practices:
    • Retention of personal data: Zoom has clarified and minimized its practices for storing the personal data of its customers.
    • Privacy by design and by default: Zoom will implement more robust and aggressive privacy-by-design and privacy-by-default processes throughout its product development lifecycle.
    • Employee training: Zoom is rolling out new training for its employees to ensure they always consider privacy protections while delivering happiness.
  • Measure our progress: Together with SURF, Zoom has documented opportunities for improving data protection and a roadmap to achieve these goals. SURF and Zoom will discuss progress on a bi-weekly schedule.

A new horizon for data privacy

Zoom says the cooperation between SURF and Zoom – both on the DPIA and in the future – will help Zoom benchmark and evolve its privacy and data protection strategies.

As the DPIA notes, “With Zoom’s many improvement measures, and the new DPA with a limiting list of specific purposes, Zoom customers should be able to rely on contractual safeguards and privacy controls to prevent personal data from being processed beyond these permitted purposes.”


To learn more about Zoom’s privacy and security, explore the Trust Center.

Andrew B. Reiter