Companies, authorities and other organizations cannot readily use widespread videoconferencing systems such as Microsoft Teams, Skype, Zoom, Google Meet, GoToMeeting and Cisco Webex, even in times of the coronavirus pandemic. In guidance published on Friday, the federal and state data protection officers recommend that services of US providers be "carefully examined" before use.
Adequate protection of personal data
"The largest and best-known providers of videoconferencing products have their headquarters in the US and process the data there", notes the Data Protection Conference (DSK) in its handout. Since the European Court of Justice (ECJ) recently declared the transatlantic "Privacy Shield" invalid, however, this instrument is no longer available to ensure adequate protection of personal data in the USA.
Anyone who relies on the alternative standard contractual clauses for data export must "before starting the transfer, analyze the legal situation in the third country with regard to access by authorities and legal remedies for the persons affected", the supervisors state. Where deficits are identified, "additional measures are required"; if necessary, the transfer must not take place.
According to the DSK, further analyses are still needed before it can make "concrete statements", in light of the ECJ case law, on which additional safeguards may have to be taken. The particular caution also applies if the contracting party is a European subsidiary of a US company, or when European providers for their part transfer personal data to the USA.
Green light for open source software
Previously, the leading systems from overseas had already failed a short test by Berlin's data protection commissioner, Maja Smoltczyk. The examiner did, on the other hand, give a green light to commercially provided instances of the open source software Jitsi Meet, such as the service from Netways or secure video conferencing.de. She also rated the Tixeo Cloud, BigBlueButton instances from Werk21 and the messenger Wire the same way.
It is best to operate conference services oneself, for example with open source software, the DSK now points out. Those responsible would then, however, also have to "provide sufficient technical and personnel capacity for operation and maintenance and take appropriate technical and organizational measures to protect the data". This will be challenging for smaller institutions.
Service providers and "ready-made" online services
Where operation by an external service provider is an option, the analysis states that it must be observed "that the software used or participants are to be examined for data outflows to the manufacturer and third parties". This concerns diagnostic and telemetry data. Such "calling home" must "be prevented, unless there is a legal basis for this purpose".
Informed and voluntary consent often doubtful
Anyone who wants to hold a video conference must, according to the paper, generally first determine the extent to which they are authorized to carry out the associated processing of a variety of personal data. They have "in particular, to observe the principle of data minimization". If the choice falls on the tool of an external provider, "the data protection relationship with it must be clarified" in advance.
Under the General Data Protection Regulation (GDPR), the possible legal bases for using a video conferencing service include, alongside "legitimate interest", informed and voluntary consent. Especially in a professional or school context, voluntariness is "often doubtful", the DSK states. This applies above all when indispensable information is "provided in the context of a video conference".
The home office problem – transmission of image or sound
Where employees participate from their home office, according to the document, the problem arises that, without the employees' consent, other participants may gain "no insights into their privacy by image or sound". The employer must therefore provide neutral backgrounds. An "unfavorable camera orientation, taking the devices into unsuitable areas or areas used by third parties, the unplanned visual and/or acoustic appearance of third parties in the video conference and similar ‘mishaps’ are to be avoided".
Over 25 pages, the data protection officers set out many more points to be complied with, such as adequate IT security. At the time the paper was written, end-to-end encrypted solutions that meet these requirements and enable video conferences for a larger number of participants "even when the endpoints they use have only a small or varying bandwidth and computing power available" were "not yet on the market". Therefore, transport encryption is currently sufficient to meet the statutory requirements, provided that an adequate level of protection is ensured by compensating measures.
"Only authorized persons should have access to a video conference and its data", write the authors. Where there are high risks to the rights and freedoms of the participants, "at least two-factor authentication according to the state of the art" must take place.