
Zoom and SURF partnership delivers enhanced data privacy solutions for EU customers

Zoom’s efforts to ensure a secure digital environment for customers and users of the platform.


Updated on May 06, 2024

Published on April 18, 2024

Lynn Haaland
Chief Privacy Officer

Zoom is proud to announce that we have reached the next milestone for our enterprise and education customers in the Netherlands and all of the EEA. Over the last few years, we have worked with SURF, the collaborative organization for IT in Dutch higher education and research, to adapt and update our policies.

The major news: Zoom has implemented important data privacy measures and met its commitments, as agreed upon in 2022.

"Working with SURF really helped refine and validate our policies and features around data localization capabilities in Europe - and that is now open to all our enterprise and education customers", Lynn Haaland, Chief Privacy Officer at Zoom said.

“SURF is known internationally for its robust approach to working with tech companies, which is why we are so delighted to earn their trust. We believe it shows Zoom’s continued commitment to Zoom customers across the EEA,” Lynn added. 

As a result of the Data Protection Impact Assessment (DPIA), Zoom has made significant progress in aligning with EU privacy standards. Most notably, Zoom has taken a proactive approach to privacy by design and privacy by default. This includes measures such as:

  • Increased the amount of personal data processed exclusively in the EU: While Dutch entities were the initial scope of the cooperation, we are happy to announce that all of our enterprise and education customers in the EEA are able to benefit from these changes.
  • Easy-to-use tools for data subject requests: Through a new portal introduced in 2023, admins can now request access to personal data with a self-service tool. By the end of 2024, end users will be able to file a data subject access request (DSAR) directly. The response to a DSAR is provided in a clearer format, with a description of each file and in an order the user can understand. With this intuitive, self-service tool, Zoom not only increases user control over their data but also promotes transparency and accountability.
  • Clarity around data retention and processing: By providing clear visibility into data retention periods, the company has prioritized transparency. Zoom enables users to better understand how their data is managed and protected by streamlining this information.
  • Specification regarding the role of Zoom and its sub-processors: By defining processing activities in Zoom’s Data Processing Agreement (DPA), Zoom clarified its role as either data processor or data controller. Zoom requires its sub-processors, and the sub-processors of its sub-processors, to comply with the contractual obligations in accordance with the customer DPA, including the Standard Contractual Clauses (SCCs) for any onward and international transfer.

In addition, there have been updates in a number of key areas, including:

  • Transparency around diagnostic data: Zoom has increased transparency around how diagnostic data is processed, ensuring that only required telemetry gets collected by default. This is in line with the principle of privacy by design. Privacy considerations are built into the product development process from the beginning.
  • EU support services: Zoom has established a dedicated support team within Europe, allowing customers who opt-in to receive direct technical support. All support information will be processed within the EEA by local employees during normal business hours.

These initiatives underscore Zoom’s commitment to responsible data management and its proactive efforts in line with EU privacy regulations. By embracing the principles of privacy by design and privacy by default, Zoom is not only strengthening trust but also setting a commendable standard for privacy practices in the digital age. Through ongoing enhancements and collaborative initiatives, such as its partnership with SURF, Zoom continues to prioritize privacy and security, ensuring that customers can confidently engage with its platform while their data remains protected.

Other measures that were assessed concern Child Sexual Abuse Material (CSAM). Zoom implemented measures for reporting CSAM to the National Center for Missing & Exploited Children (NCMEC) in the US that enable a secured transfer, reporting only exact matches and only after human review. To further improve compliance with the ePrivacy Directive, Zoom has refined its parameters for sending commercial communications from admins and end users to account commercial contacts.

Our ongoing commitment to privacy

Zoom has demonstrated a proactive approach to adhering to the privacy standards and practices outlined in the GDPR. 

 “We are proud of the changes our collaboration with Zoom has produced. With this result, in which privacy is paramount, Zoom is taking a big step that will benefit the entire EEA,” said Jet de Ranitz, CEO and chair of SURF’s board of directors. 

Our commitment to European standards and practices has not gone unnoticed. In 2023, we collected several certifications and attestations from regulators and independent organizations. All of them are documented in our Trust Center, including BSI C5 and gpaNRW in Germany, and the ENS in Spain. In addition, together with other vendors, we helped create the new German DIN SPEC 27008, specifically covering the minimum security requirements of video communications solutions. 

“Transparency matters — especially in today’s modern tech landscape. These initiatives are designed to equip you with insights and options, so you get to decide where your data goes and how it’s used. And as a result, you get the transparency you need to build a trusted relationship with Zoom as a technology provider,” said Lynn Haaland.   

While we reached a huge milestone for Zoom customers in the EEA, our journey is not over. On the contrary, Zoom is constantly working to improve the platform, committed to building the trust our customers put in us. Significant work has been done regarding the transfer of personal data to third countries, improvement of transparency for diagnostic data, and simplifying data subject requests. In the first half of 2024, we will release a Diagnostic Data Viewer for Telemetry Data; in the second half of the same year, we will develop solutions for Enterprise and Education customers to have direct access to data and privacy tools.

For more information about the implemented practices and further recommendations for Zoom, please access the DPIA through this link. To learn more about our ongoing commitment to EU-based customers, read our articles about How Zoom delivers on its privacy commitment in Europe or explore our Trust Center.
