Recording Internal Virtual Work Meetings
Due to the global events of the last few years, virtual meetings have become part of our everyday reality, and has certainly changed our way or working. However, the use of virtual meetings has raised concerns from a privacy perspective, and how such use can comply with requirements under the General Data Protection Regulation (GDPR), national implementation of the ePrivacy Directive, or other applicable data protection law. In this article, our focus will be on requirements under the GDPR.
Regardless of what pros and cons one might argue for the use of virtual meetings, we can say with certainty that such a tool has been broadly normalised. It is almost difficult to imagine nowadays that there would not be an option to attend a meeting via applications such as Teams or Zoom. But with a more frequent use of video and audio transmission, questions have been raised about an individual’s privacy in such a context, and whether companies are using these tools in way and for purposes that comply with applicable data protection laws.
One purpose that is often discussed is the intention of companies and organisations to record certain virtual meetings held by their employees.
“Since virtual meetings undoubtably involve processing of personal data, such as a person’s name, voice, image, opinion, etc., there are several things that must be considered before the action of recording a meeting can take place”.
Ashton Papaioannou
An example can be to establish a legal basis for such processing under the GDPR. A recording may carry personal data both in the meta-information (age or sex, etc) or in its content (meaning of the spoken words). A person’s voice and facial image are inherently biometric personal data under the GDPR and can be highly sensitive in nature, which sets out further requirements for security and an assessment of possible consequences for the data subjects.
A starting point might be to determine why a specific virtual meeting should be recorded, since different purposes could point to different legal bases. Furthermore, the why must be detailed enough so that one can assess what personal data is necessary to collect and what is not. Necessity requires that processing should be a reasonable and proportionate method of achieving a given purpose. This should take into account the principle of data minimisation, and the avoidance of processing personal data when there are more proportionate and less intrusive ways to achieve the same goal. Such less intrusive ways could be taking meeting minutes or transcribing the conversation from the virtual work meeting.
“Finding recording convenient, potentially useful or just standard practice does not automatically mean that the recording is considered necessary under the GDPR”
Ashton Papaioannou
Consent from employees – valid, or not really?
Such as with all processing of personal data, the legal basis is a fundamental part of what determines whether processing is lawful or not. One of said legal bases is consent, which is often seen to be relied upon for processing of personal data in relation to recording virtual meetings at the workplace. Perhaps you have seen a small pop-up window when entering a virtual meeting stating that the meeting is being recorded and by participating in the meeting, you are consenting to the recording and thus the processing of your personal data.
Consent has several pre-requisites in order to be considered as valid; it must be freely given, specific, informed, and unambiguous. Furthermore, it must be as easy to give consent as it is to withdraw it. Additionally, a data subject must be able to refuse consent without any consequences. In the context of the employee-employer relationship, we have clear guidelines[1] explaining that employees are seldom able to “freely give, refuse or revoke”[2] consent due to the power imbalance of the relationship where the employee finds him- or herself in a position of dependency.
Therefore, imagine you enter a meeting and get that pop-up stating that the meeting is being recorded, and you consent to this. However in reality, you do not. Not only would an individual in such a situation feel compelled to “consent” to such processing of personal data, but the consequence of refusing consent would be that the individual probably being unable to participate in the meeting, thereby violating the pre-requisites of valid consent. Consequently, relying on consent for processing of employees’ personal data it not recommended.
Legitimate interest – a matter of balance
The use of legitimate interest as a legal basis for processing personal data is considered by many to be very flexible. Businesses often make use of this legal basis as it offers the possibility to present an argument for why a business might have a compelling and legitimate reason to processes certain personal data. Moreover, it also requires businesses to specifically consider the interests and rights of the data subject, and to ensure that appropriate safeguards and protection are in place.
The fundamental element of legitimate interest as a legal basis is that the business must be able to demonstrate that its interest outweighs data subjects’ rights and freedoms, including the right to privacy. This balancing test is referred to as a Legitimate interest Assessment (LIA) that must be conducted when relying on this legal basis for processing of personal data.
In the context of recording virtual meetings, a starting point may be to ask the question “why do we want to record this virtual meeting?”. The answer to this question will help determine whether legitimate interest is the appropriate legal basis, or not. Some common answers to this question are that a company wants to be able to reuse information from a virtual meeting at a later time, for instance for training purposes, or for employees who perhaps could not attend the meeting to be able to take part of useful information from said meeting. This reasoning needs to be argued and documented in a LIA to show that the company indeed has a compelling and legitimate interest to process such personal data. It should consider, among other things, what kinds of personal data it is collecting by recording a virtual meeting, how its reasoning for doing so outweighs the rights and freedoms of data subjects, or that there is no other less intrusive way to achieve the same purpose. In line with the principle of data minimisation, even when the processing may seem necessary, businesses should ensure that the amount of personal data processed, and the extent of the processing, is the minimum amount needed to achieve the purpose (the why). Perhaps, the whole meeting does not have to be recorded.
Further obligations – information and risk
In addition to conducting a LIA, a company must also ensure that (i) data subjects are properly informed about the processing of personal data in relation to recording virtual meetings, usually through a privacy notice as well as when a virtual work meeting is taking place (at the time of collecting the data), (ii) the lifecycle management of the actual recordings considering data protection by design and by default, perhaps from a more strategic and sustainable perspective, (iii) how long to retain the recordings, and (iv) that any risks associated with such processing of personal data are considered. Usually this is achieved by conducting a Data Protection Impact Assessment (DPIA), which aims to identify these risks and consequences and addresses how they can be mitigated or lowered. The starting point for this assessment is to map out the personal data processing in question, which allows to identify any possible risk-increasing factors by answering certain pre-DPIA questions. Also, a data subject has a number of rights under the GDPR, e.g. the right to request access to personal data, that must be considered in relation to such processing of personal data, and how a company may have to comply with such requests.
Finally, as with any processing of personal data, this type of processing must be found/registered in your Register of Processing Activities (RoPA) as described and required under GDPR.
Practical recommendations
- Consent as a legal basis for processing employees’ personal data is generally not considered as valid, apart from certain exceptional circumstances. Avoid if possible.
- Determine why you would want to record a virtual meeting. This will help build a compelling argument for determining the appropriate legal basis for such processing of personal data. Furthermore, it will also help understand whether it is legitimate interest, or a different legal basis, that should be used for this specific processing of personal data.
- Conduct an assessment to decide whether the processing is necessary. Necessity entails that the processing should be a reasonable and proportionate method of achieving a given purpose, taking into account the principle of data minimisation and that personal data should not be processed where there is a more reasonable, proportionate, and less intrusive way to achieve a goal.
- If you have determined that legitimate interest is the appropriate legal basis and that the processing is necessary, conduct a LIA to strike a balance between the business’s interest and the rights and freedoms of the data subject.
- Additionally, if any risk-increasing factors have been identified, you might also be required to conduct a DPIA.
- Finally, update your RoPA appropriately.
If you have questions regarding any of the topics discussed, or want to learn more about GPDR compliance please contact:
We are your data privacy partner, providing hands-on solutions to ensure sustainable privacy at the core of your business. For more information on sustainable privacy and GDPR please visit our designated privacy site: On Top of Privacy.
[1] Guidelines issued by the Article 29 Working Party, which later became today’s European Data Protection Board (EDPB), which is the highest authority of the EU on privacy and data protection matters.
[2] Opinion 2/2017 on data processing at work, Adopted on 8 June 2017, p. 4.