Zoom’s efforts to fulfill the agreements made with SURF to deliver an even more secure digital environment to its education customers in Europe.

Zoom improves privacy functionality for education

We are proud to announce that Zoom has reached the next milestone for enterprise and education customers in the Netherlands and all of the EEA: The long-standing close partnership with SURF has led Zoom to refine and update its privacy policy and implement key privacy and security measures. This fulfills Zoom's obligations as agreed in the published DPIA of 2022.

Zoom has been working to fulfill agreements made with SURF to deliver an even more secure digital environment to educational and business customers in Europe. Lynn Haaland, Chief Privacy Officer at Zoom, explains: "Working with SURF has really helped refine and validate our policies and features around data localization capabilities in Europe - and that is now open to all of our enterprise and educational customers. SURF is known internationally for its robust approach in working with tech companies, which is why we are so pleased to have gained SURF's trust. We believe this demonstrates Zoom's continued commitment to Zoom customers across the EEA."

As a result of the DPIA, Zoom has made significant progress in aligning with EU privacy standards. Zoom has taken a proactive approach to privacy by design and privacy by default. This includes measures such as:

  • The amount of personal data processed exclusively in the EU has been greatly increased: although Dutch customers were initially the focus of the collaboration, Zoom announces that all of its enterprise and educational customers in the EEA will benefit from these changes.
  • Easy-to-use tools for data subject requests: with the introduction of a new portal in 2023, admins can now request access to personal data using a self-service tool. By the end of 2024, end users will also be able to submit a Data Subject Access Request (DSAR) directly. The response to the DSAR is provided in a clearer format, for example with a description of each file and in an order the user can understand. With this self-service tool, Zoom not only increases users' control over their data, but also promotes transparency and accountability.
  • Increased clarity on data retention and processing: By providing clear visibility into data retention periods, the company has prioritized transparency. Zoom enables users to better understand how their data is managed and protected by streamlining this information.
  • Specification regarding the role of Zoom and its sub-processors: By defining processing activities in Zoom’s DPA, Zoom clarified its role as either data processor or data controller. Zoom requires its sub-processors, and the sub-processors of its sub-processors, to comply with the contractual obligations in accordance with the customer Data Processing Agreement (DPA) including the Standard Contractual Clauses (SCCs) for any onward and international transfer.

In addition, there have been updates in a number of key areas, including:

  • More transparency around diagnostic data: Zoom has increased transparency around how diagnostic data is processed, ensuring that only required telemetry data gets collected by default. These privacy considerations were built into the product development process from the beginning. This is in line with the principle of privacy by design.
  • EU support services: Zoom has established a dedicated support team within Europe, allowing customers who opt in to receive direct technical support. All support information will be processed within the EEA by local employees during normal business hours.

CSAM

Other measures were assessed regarding Child Sexual Abuse Material (CSAM). Measures were implemented for reporting CSAM to the National Center for Missing & Exploited Children (NCMEC) in the US, enabling a secured transfer by reporting only exact matches and only after human review.

Commercial communications

To further improve ePrivacy compliance, Zoom has refined its parameters for sending commercial communications. Administrators and end users will no longer receive commercial communications; only the commercial contact will receive these communications.

Collaboration with SURF

By setting a high standard for privacy with the use of privacy by design and privacy by default principles, Zoom demonstrates its commitment and thereby reinforces trust. Through ongoing collaboration with SURF, Zoom continues to prioritize privacy and security and ensures that users can continue to safely use the video platform.

Zoom's ongoing commitment to privacy

Zoom has demonstrated a proactive approach to adhering to the privacy standards and practices outlined in the GDPR. 

"We are proud of the changes our partnership with Zoom has produced," said Jet de Ranitz, CEO and chair of SURF's board of directors. "With this result that puts privacy first, Zoom is taking a big step that benefits the entire EEA."

Zoom's commitment to European standards and practices has not gone unnoticed. In 2023, Zoom received several certifications and attestations from regulators and independent organizations. These are all documented in the Trust Center. Here you will find, among others, BSI C5 and gpaNRW in Germany and the ENS in Spain. In addition, Zoom, along with other vendors, helped to create the new German DIN SPEC 27008, which sets out the minimum security requirements of video communication solutions.

Transparency and reliability

"Transparency matters — especially in today’s modern tech landscape," said Lynn Haaland. "These initiatives are designed to equip users with insights and options, so they get to decide where their data goes and how it’s used. As a result, users get the transparency they need to build a trusted relationship with Zoom as a technology provider."

While Zoom reached a huge milestone for their customers in the EEA, their journey is not over. They are committed to building on customer trust and are constantly working to improve the platform. Significant work has been done regarding transfer of personal data to third countries, improvement of transparency for diagnostic data, and simplifying data subject requests. As a part of the agreement with SURF, Zoom will release a Diagnostic Data Viewer for Telemetry Data for their enterprise and education customers in the first half of 2024; in the second half of the same year, they will develop solutions to have direct access to data and privacy tools.

More information

For more information about the implemented practices and further recommendations for Zoom, please access the DPIA through this link. If you want to find more information about privacy at Zoom, go to their Trust Center.