GDPR: Video telephony in times of COVID-19

Use of solutions for video conferencing

On March 27, 2020, the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW) published a statement on the use of remote communication tools (e.g. video telephony) from a data protection perspective.

The statement contains only a few specific points. Essentially, it recommends using a solution on your own servers ("on-premises"). A number of software products are mentioned as possible solutions, although these have not been conclusively checked for legal compliance. The LfDI BW also refers to an overview of conferencing solutions on Wikipedia.

The recommendation to use on-premises solutions rests on the fact that, for any solution running on third-party servers, it is impossible, or possible only with great effort, to ensure that the third party does not record metadata and other data in breach of the GDPR. Such recordings would require a separate legal basis and transparent data protection information, which are often difficult to find or to design, respectively. However, even with on-premises solutions, it must be ensured that no evaluations are carried out that violate data protection regulations.

Obtaining consent is often not an option here, because consent must be given by the data subject. If person A has a conversation with person B via video call and talks about person C, person C would therefore have to give their consent. However, it is unrealistic to talk during a call only about people who have previously given their consent.

In addition to the GDPR, other legal norms must also be considered. For example, a punishable violation of Section 201 StGB ("breach of confidentiality of the word") may occur, as may a violation of professional secrecy under Section 203 StGB in the case of persons subject to professional secrecy such as doctors, pharmacists, tax consultants and social workers. Breaches of the professional codes of conduct of the respective professional groups, e.g. the professional code of conduct for doctors, may also come into consideration, as each of these contains its own confidentiality obligations. To avoid these other breaches, additional measures should be taken, completely independently of the GDPR, e.g. the conclusion of special confidentiality agreements.

Date: 30. Mar 2020