Hamburg’s data protection agency (DPA) states that using Zoom violates GDPR

The German state’s data protection agency (DPA) warns that the use of the videoconferencing platform Zoom violates the European Union’s GDPR.

The German state’s data protection agency (DPA) warns that the Senate Chancellory’s use of the popular videoconferencing tool violates the European Union’s General Data Protection Regulation (GDPR). The DPA is concerned by the transfer of user data to the U.S. for processing.

“The DPA’s concern follows a landmark ruling (Schrems II) by Europe’s top court last summer which invalidated a flagship data transfer arrangement between the EU and the U.S. (Privacy Shield), finding U.S. surveillance law to be incompatible with EU privacy rights.” states Yahoo News.

Multiple European DPA agencies are investigating how U.S.-based digital services manage data of EU citizens and if they transfer data to the U.S. for processing purposes.

In the Hamburg case, the DPA issued a public warning because the body was not able to respond to the privacy concerns raised by EU privacy watchdogs.

The German agency states that the use of Zoom by the public body violated the EU GDPR.

“The documents submitted by the Senate Chancellery on the use of Zoom show that [GDPR] standards are not being adhered to.”

According to DPA, the Senate Chancellory failed to stop using the videoconferencing tool and to demonstrate compliance usage of the communication platform. The DPA is going to issue a formal warning, under Article 58 (2) (a) of the GDPR.

“Public bodies are particularly bound to comply with the law. It is therefore more than regrettable that such a formal step had to be taken. At the [Senate Chancellery of the Free and Hanseatic City of Hamburg], all employees have access to a tried and tested video conference tool that is unproblematic with regard to third-country transmission. As the central service provider, Dataport also provides additional video conference systems in its own data centers. These are used successfully in other regions such as Schleswig-Holstein. It is therefore incomprehensible why the Senate Chancellery insists on an additional and legally highly problematic system.” states Ulrich Kühn, the acting Hamburg commissioner for data protection and freedom of information.

Kühn recommends the use of an alternative platform, such as the one provided by the German company Dataport, which is used by several state, regional and local government bodies.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]