This activity provides a brief analysis of GDPR compliance for two popular video conferencing platforms: Microsoft Teams and Jitsi Meet. Read it and take notes.

Microsoft Teams

  1. Data Security and Access Control
    Teams offers data encryption in transit and at rest (TLS and BitLocker), including end-to-end encryption for one-to-one calls. Tools such as DLP (Data Loss Prevention), sensitivity labeling, multi-factor authentication, and audit logs are available.
  2. Data Subject Rights and Data Governance
    Teams enables the fulfillment of GDPR rights such as access, correction, deletion, and data portability through the Microsoft Privacy Dashboard. Data subject requests (DSRs) can be processed within the legal deadline (1 month).
  3. Data Retention Policies and Location
    Administrators can set data retention policies. Microsoft allows storage within the EU (Dublin, Amsterdam, Frankfurt, Paris), and uses Standard Contractual Clauses (SCCs) and the Data Privacy Framework for transfers outside the EU.
  4. Compliance and Certifications
    Teams includes mechanisms to support GDPR requirements and tools like Microsoft Purview Compliance Manager. Microsoft holds ISO 27001, ISO 27018, and SSAE18 SOC 1/2 certifications.

Conclusion: Microsoft Teams offers tools for GDPR compliance, but requires active administration and carries US jurisdictional risks.

Jitsi Meet

  1. Privacy and architecture
    Jitsi was designed according to the principle of privacy by design: rooms are ephemeral and no user account is needed, which reduces data collection.
  2. Encryption and secure settings
    Jitsi uses DTLS‑SRTP for encryption and supports end‑to‑end encryption. Self-hosting enables control of logging and data retention policy.
  3. Transparency and the benefits of open source
    Jitsi is an open source solution, which enables independent security assessments and system modification.
  4. The public instance of meet.jit.si has certain limitations
    The public version of meet.jit.si uses Google Analytics and is hosted in AWS, which raises concerns about GDPR compliance. It temporarily stores chat, recordings and livestream data as part of its functionality. For that reason, Jitsi Meet implemented on the HEI server is fully compliant with the GDPR.
  5. Examples of implementation
    The Hochschule Niederrhein example shows a self-installed Jitsi instance with GDPR-hardened settings: no tracking, room passwords, and log deletion after 7 days.

Conclusion: Independently installed Jitsi Meet on HEI's server infrastructure enables high GDPR compliance, while the public instance of meet.jit.si carries certain privacy risks.

IMPORTANT: This activity is mandatory!
