Last Updated: February 2026
Many organisations in the Nordic research and education sector have questions about GDPR, data privacy, and how Zoom services operated by NORDUnet handle personal information — especially when using on-premise or hybrid meeting solutions.
Below are the key facts about how these services work, what data is processed where, and how GDPR and other European data protection requirements are addressed.
1. Service Delivery & GDPR Compliance
- Operational Model: Zoom services provided to Nordic institutions are operated on-premise by NORDUnet and respective national NRENs.
- GDPR Compliance: The service is delivered under a GDPR-compliant framework through a chain of Data Processing and Sub-processing Agreements (University organisation → NREN → NORDUnet → Zoom → any sub-processors). Each participating organisation remains responsible for their own GDPR risk assessment.
- European Data Protection: Zoom commits to GDPR-aligned technical and organisational measures and provides contractual commitments in their Data Processing Addendum. (Zoom)
2. Where Your Data Is Stored
- Data Residency: User account data and meeting metadata for on-premise Zoom services are stored in Zoom data centres in Europe (Germany and France as of March 2026), not in the US.
- Meeting Media: For standard on-premise Zoom, meeting media (audio, video, shares) is routed through dedicated servers in Copenhagen, Stockholm.
3. Identity Management & Personal Information
- Authentication: Organisations choose their own identity provider (e.g., national identity federations such as SWAMID, FEIDE, HAKA/WAYF or local SSO).
- Personal Data Processed: Names, email addresses, and roles supplied via SAML attributes are used for authentication and service operation. No credit card or telephone data is stored in the on-premise Zoom environment.
4. On-Premise Recording & Data Handling
- Local Recording: Hosts and administrators can enable recording; meeting participants are notified when a recording occurs.
- On-Prem Cloud Recording: Cloud Recording data is initially processed within the Nordic zones and then transferred to designated on-premise media services such as Kaltura or Panopto.
- Cloud Recording Disabled by Default: Unless specifically enabled and contractually covered, cloud recordings are not permitted under the NORDUnet on-premise contract.
5. Secure Meetings & Encryption
- Meeting Security: Waiting rooms, passwords, and meeting locks help control participation.
- Encryption: All meeting traffic (audio/video/data) is encrypted in transit by default. Real End-to-End Encryption (E2EE) is also available, with functional limits per Zoom’s documentation.
6. Zoom Meetings Hybrid — What It Is
NORDUnet Zoom Meetings Hybrid (ZMH) is an add-on module that lets organisations keep media flows inside the Nordic NREN networks and environment more than in the classic cloud-hosted model. (Zoom)
How It Works
- Local Media Routing: Internal participants’ media can be routed locally via an on-premises Zoom Node (Hybrid Multimedia Router) rather than every endpoint independently reaching the public cloud. (Zoom)
-
Hybrid vs. Private Modes:
- Hybrid Mode: Internal media is routed locally; one consolidated connection flows to the Zoom Cloud for external participants. (Zoom)
- Private Mode: Both signalling and media can be kept inside your network, with no media traversal to the Zoom Cloud if configured accordingly — useful for highly confidential meetings. (library.zoom.com)
- External Users: External participants can still join via Zoom Cloud services when desired, with media bridged appropriately. (Zoom)
- Benefits:
7. Third-Party Zoom Apps & GDPR
- Marketplace or third-party Zoom Apps are not GDPR compliant by default and must be evaluated individually by organisations activating them.
8. Your Responsibility & Risk Assessment
Even with GDPR-compliant infrastructure and agreements in place:
- Each organisation must conduct its own GDPR risk assessment for its use cases.
- Ensure configurations (recording permissions, SSO attributes, app activations) align with your privacy policies.
9. Where to Find More Information
- Zoom GDPR commitments and data protection overview: Zoom’s Trust & GDPR documentation. (Zoom)
- Zoom Meetings Hybrid deployment & requirements: Zoom Support articles. (Zoom)
- Compliance certifications relevant to Zoom services: ISO 27001, ISO 27701, SOC reports. (Zoom)
Comments
0 comments
Article is closed for comments.