Hamburg’s data protection agency (DPA) states that using Zoom violates GDPR

The German state’s data protection agency (DPA) warns that the use of the videoconferencing platform Zoom violates the European Union’s GDPR.

The German state’s data protection agency (DPA) warns that the Senate Chancellory’s use of the popular videoconferencing tool violates the European Union’s General Data Protection Regulation (GDPR). The DPA is concerned by the transfer of user data to the U.S. for processing.

“The DPA’s concern follows a landmark ruling (Schrems II) by Europe’s top court last summer which invalidated a flagship data transfer arrangement between the EU and the U.S. (Privacy Shield), finding U.S. surveillance law to be incompatible with EU privacy rights.” states Yahoo News.

Multiple European DPA agencies are investigating how U.S.-based digital services manage data of EU citizens and if they transfer data to the U.S. for processing purposes.

In the Hamburg case, the DPA issued a public warning because the body was not able to respond to the privacy concerns raised by EU privacy watchdogs.

The German agency states that the use of Zoom by the public body violated the EU GDPR.

“The documents submitted by the Senate Chancellery on the use of Zoom show that [GDPR] standards are not being adhered to.”

According to DPA, the Senate Chancellory failed to stop using the videoconferencing tool and to demonstrate compliance usage of the communication platform. The DPA is going to issue a formal warning, under Article 58 (2) (a) of the GDPR.

“Public bodies are particularly bound to comply with the law. It is therefore more than regrettable that such a formal step had to be taken. At the [Senate Chancellery of the Free and Hanseatic City of Hamburg], all employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission. As the central service provider, Dataport also provides additional video conference systems in its own data centers. These are used successfully in other regions such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system.” states Ulrich Kühn, the acting Hamburg commissioner for data protection and freedom of information.

Kühn recommends the use of an alternative platform, such as the one provided by the German company Dataport, which is used by several state, regional and local government bodies.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.