NORDUnet Zoom: GDPR and Privacy Facts
The use of video conferencing and teaching via Zoom has grown as a result of the COVID lockdown and the increased need for remote teaching and learning. Many people are concerned about GDPR and privacy issues when using the video service, and NORDUnet receives numerous inquiries on this subject. To address this matter, we have listed privacy-related facts pertaining to the Zoom service, including an outline of what NORDUnet has done to be in compliance with GDPR and European privacy directives.
The following facts apply to Zoom provided by NORDUnet:
• Service Delivery: Colleges and universities in the Nordic countries that use Zoom have this service operated by NORDUnet. The service is provided by the national NREN in each country.
• GDPR compliance: Zoom operated by NORDUnet is fully GDPR compliant and in accordance with other European privacy directives. This is secured through the individual contracts entered into and the chain of Data Processing and sub-processing agreements: University -> NREN -> NORDUnet -> Zoom -> sub-providers.
• User account data: Data from users of NORDUnet's Zoom service is not stored with Zoom in the United States. The account data is stored in Zoom datacentres in Europe.
We use dedicated servers installed in Copenhagen, Denmark; Stockholm, Sweden; Helsinki, Finland; and Oslo, Norway, for all meetings and meeting data.
• Logging in: All organizations that use Zoom provided by NORDUnet decide for themselves which login solution their users should use. Most use the national identity federation login (SWAMID, FEIDE, HAKA and WAYF), or the local institution's Single Sign-On (SSO) solution directly.
• Personal information: Personal information about users of NORDUnet's Zoom service is processed within the EU in accordance with the applicable data processing agreement. This applies to personal information necessary for using the service, such as first name, last name, email address, role, etc. This information is typically released by the home institution through SAML attributes, using the national identity federation. No credit card details, telephone numbers or other similar information is stored in the Zoom instance provided by NORDUnet. (See the section above on the storing of personal data.)
• Zoom public service: Zoom in the US provides a so-called "public" service. Zoom from NORDUnet is not part of this public service. NORDUnet provides a private Zoom service, regulated by a separate agreement.
• Zoom local administrators: All organizations that use Zoom provided by NORDUnet have one or more local institution administrators. As with other ICT services, local Zoom administrators have a higher degree of access and use of control tools than ordinary users. Such access is necessary to maintain good quality of service and to help individual users if they need assistance.
• Public Cloud recording: Zoom operated by NORDUnet does not contractually provide for the option to have meetings recorded with Zoom in the United States, the so-called cloud recording. Local Zoom administrators have been instructed to disable this option for all of their users.
If your license type is set to "Licensed" and you start a cloud recording, this is covered neither by a contract nor by the mentioned GDPR regime for the NORDUnet service.
• Local recording: NORDUnet's Zoom service allows for local recording. If a meeting is recorded, participants in the meeting are automatically notified with a symbol in the video window and in the attendee list. The local institution administrator can set up Zoom so that all attendees must approve any recordings. The local administrator can also control whether other participants can record the meeting.
• Safe meetings: Zoom offers a number of mechanisms for creating safe meetings, for example waiting rooms and the possibility for meeting hosts to password-protect the meeting. Meeting hosts can also “lock” meetings, so that no one but the invited participants can participate; this also applies to administrators. No one can use meeting rooms created by other users without permission.
• Encryption: All video and audio traffic and data are by default encrypted to and from the meeting servers. Real end-to-end encryption is only achievable directly between two meeting participants.
• Data overview