Zoom AI Companion GDPR Compliance for German Businesses

Yes, Zoom offers a GDPR-compliant configuration for German businesses, including an EU Data Processing Addendum (DPA) and EU data residency options through its Frankfurt data center. However, Zoom AI Companion — the AI feature set that generates meeting summaries, smart recordings, and AI-assisted chat — requires additional review and configuration before use under GDPR. The AI Companion processes personal data about meeting participants and employees, creating compliance obligations that go well beyond Zoom’s core video conferencing setup. Our AI tools compliance overview covers other enterprise AI tools assessed for use in Germany.

Is Zoom GDPR Compliant?

Zoom Video Communications offers a configurable GDPR compliance posture for enterprise customers. The key components are:

  • Data Processing Addendum (DPA): Zoom provides a DPA compliant with GDPR Article 28, incorporating Standard Contractual Clauses (SCCs) for international data transfers.
  • EU Data Residency: Zoom offers an EU data residency option for accounts configured to process and store data in European data centers, including Frankfurt.
  • Sub-processor list: Zoom publishes and maintains a list of sub-processors with change-notification obligations.

However, GDPR compliance is not a product feature — it is determined by how your organisation deploys and governs Zoom. Simply purchasing a Zoom Business or Enterprise licence does not automatically make your use GDPR-compliant. You must execute the DPA, configure data residency, and establish a valid legal basis for processing under GDPR Art. 6.

Zoom’s Data Processing Agreement (DPA)

Zoom’s DPA is available to all business and enterprise customers. It covers the full scope of GDPR Art. 28 requirements.

What Zoom’s DPA includes:

  • Controller-processor relationship, with Zoom acting as processor for customer data
  • Standard Contractual Clauses (SCCs) covering transfers of personal data outside the EEA
  • Data security and confidentiality obligations (GDPR Art. 32)
  • Sub-processor management with prior notice of changes
  • Rights to conduct audits and inspections
  • Obligations to assist with data subject rights requests
  • Data deletion and return commitments at contract termination

How to access Zoom’s DPA:

Zoom’s Global Data Processing Addendum is available through Zoom’s Privacy and Legal pages. For accounts with EU data residency configured, the DPA is accepted through the account admin portal. Enterprise contracts may include negotiated addenda with adjusted terms.

For a detailed guide to reviewing AI tool DPAs, see our data processing agreement guidance.

Zoom AI Companion and GDPR

Zoom AI Companion is Zoom’s suite of AI-powered features, including:

  • AI Meeting Summaries: Automatically generated summaries of meeting content and decisions
  • Smart Recording: AI-generated chapters, transcripts, and highlights from recorded meetings
  • AI Companion Chat: AI-assisted responses and suggestions in Zoom Chat
  • AI Notes: Real-time note suggestions during live meetings

Each of these features processes personal data — the content of meetings, names and voices of participants, written chat, and conversation metadata. This creates specific GDPR obligations that extend significantly beyond standard video conferencing compliance.

What data does Zoom AI Companion process?

Zoom AI Companion processes the following categories of personal data:

  • Meeting audio and video content — transcribed for summaries and smart recordings
  • Chat messages — accessed by the AI Companion for context-aware responses
  • Participant identifiers — names and email addresses associated with AI outputs
  • Behavioural metadata — attendance patterns and participation data used by AI features

Depending on what participants discuss, meeting audio and transcripts may indirectly reveal health information, trade union membership, political opinions, or other special category data under GDPR Art. 9. This creates a heightened compliance obligation even when AI Companion is used for ordinary business meetings.

Before enabling Zoom AI Companion, your organisation must identify a valid legal basis under GDPR Art. 6:

Legitimate interest (Art. 6(1)(f)): Often applied for internal productivity tools, but requires a balancing test against employees’ and participants’ privacy rights. For German companies, processing employee data on the basis of legitimate interest must also satisfy §26 BDSG (Federal Data Protection Act).

Contract performance (Art. 6(1)(b)): Generally not suitable as the primary basis for AI meeting recording or employee monitoring.

Consent (Art. 6(1)(a)): Valid for processing data from external meeting participants, but difficult to use for employee data due to the inherent power imbalance. Consent collected by an employer from its employees may not be freely given and may therefore be invalid under GDPR.

German companies should assess the appropriate legal basis for each AI Companion feature separately, and for each category of data subject (employees versus external participants).

Opt-in and opt-out configuration

Zoom AI Companion features are configurable at account, group, or user level through the Zoom Admin Console:

  • Account-level control: Administrators can enable or disable AI Companion features globally before any user activates them
  • Meeting host control: Hosts can toggle specific AI features per meeting
  • Participant notification: Zoom displays an AI Companion indicator when features are active — participants are notified automatically

For GDPR compliance, verify that participant notification is enabled and that employees receive clear information about when AI features are processing their speech and contributions. Our dedicated guide on AI transcription compliance under GDPR explains the obligations triggered by automatic transcription of meetings.

Data Residency: Where Does Zoom Store Your Data?

By default, Zoom routes data through its global infrastructure, which includes US-based data centres. For German businesses, this creates transfer obligations under GDPR Chapter V (international data transfers).

EU Data Residency option:

Zoom offers an EU Data Residency configuration for enterprise customers. With this enabled:

  • Data at rest is stored in European data centres, including Frankfurt
  • Real-time meeting data is routed through EU infrastructure
  • SCCs in Zoom’s DPA cover any residual transfers outside the EEA

Important limitations to verify:

  • EU Data Residency is typically an add-on feature for enterprise accounts — not included in standard licences
  • Not all data types may fall within the residency scope — review exactly which data categories are covered
  • AI model inference for Zoom AI Companion features may involve cloud-based processing that operates differently from at-rest data residency
  • Support access from non-EU Zoom personnel may create residual transfer exposure under your DPA

German companies in regulated sectors — financial services, healthcare, or legal — should verify the full residency scope before treating the EU Data Residency option as a complete transfer solution.

Zoom GDPR Risk Checklist for German Businesses

Work through this checklist before or during your Zoom deployment:

DPA and legal framework:

  • Accept Zoom’s Data Processing Addendum through your account admin portal
  • Verify the DPA version and effective date in writing
  • Confirm Zoom’s role as processor (not controller) for meeting content
  • Review SCCs for US-based data transfers
  • Add Zoom to your data processing register (Verzeichnis der Verarbeitungstätigkeiten)

AI Companion specific:

  • Decide at account level whether Zoom AI Companion is enabled for your organisation
  • Establish the legal basis for AI Companion under GDPR Art. 6 (and §26 BDSG for employee data)
  • Configure participant notification — confirm the AI indicator is displayed in meetings
  • Assess whether a Data Protection Impact Assessment (DPIA) is required under GDPR Art. 35
  • Document your AI Companion configuration decisions with written rationale

Data residency:

  • Determine whether the EU Data Residency add-on is required for your compliance posture
  • Verify which specific data types are covered by EU residency configuration
  • Review AI model inference locations for AI Companion features with your Zoom account manager

Works council (Betriebsrat):

  • Assess whether Zoom AI Companion triggers co-determination rights under §87 BetrVG
  • If applicable, initiate works council consultation before enabling AI Companion for employees
  • Document the outcome and any agreed works agreement (Betriebsvereinbarung)

Employee communication:

  • Update employee privacy notices to cover Zoom AI Companion data processing
  • Train employees on when AI features are active and how to identify them
  • Establish an internal policy on acceptable use and storage of AI Companion outputs

Works Council Requirements in Germany

German companies with a works council (Betriebsrat) must assess whether Zoom AI Companion triggers co-determination rights under §87(1) No. 6 BetrVG — which covers the introduction and use of technical equipment designed to monitor employee behaviour or performance.

AI meeting summaries, smart recordings, and participation analytics can constitute monitoring under this provision, even if that is not their primary purpose. The critical legal question is whether the tool creates the possibility of monitoring — not whether management actually intends to use it that way.

Practical implications:

  • Consult your Betriebsrat before enabling AI Companion features for employees
  • A works agreement (Betriebsvereinbarung) covering Zoom AI Companion is the most defensible approach
  • The works agreement should specify: which features are enabled, how outputs are stored and accessed, who can review AI-generated summaries, and how long data is retained
  • Failing to engage the Betriebsrat may give employees grounds to demand deactivation of the features

Our dedicated guide to AI employee monitoring compliance in Germany covers the full framework, including BetrVG co-determination requirements for AI tools in the workplace.

How to Sign Zoom’s DPA as a German Company

Follow these steps to execute Zoom’s Data Processing Addendum:

  1. Log in to your Zoom account portal as account administrator at zoom.us
  2. Navigate to Privacy settings — typically under Account Management → Privacy
  3. Locate the Data Processing Addendum — for enterprise accounts this may be pre-accepted or require explicit opt-in
  4. Review the DPA carefully, including the SCCs and sub-processor annex, before accepting
  5. Accept the DPA through the portal, or request a countersigned addendum from your Zoom account manager for enterprise-level agreements
  6. Document the acceptance — record who accepted, when, and which account configuration was in place
  7. Update your vendor register — add Zoom as a data processor in your GDPR Records of Processing Activities with reference to the accepted DPA

Enterprise customers with specific residency or security requirements can negotiate bespoke DPA terms through Zoom’s enterprise sales team.

How Compound Law Helps

  • DPA review and gap analysis for your specific Zoom deployment
  • Legal basis assessment for Zoom AI Companion under GDPR Art. 6 and §26 BDSG
  • Works council coordination and Betriebsvereinbarung drafting
  • Data Protection Impact Assessment (DPIA) support for AI Companion features
  • Internal Zoom AI usage policy development
  • Comparison with Microsoft Teams Copilot and Notion AI for enterprise AI tool selection

Frequently Asked Questions

Is Zoom AI Companion GDPR compliant?

Zoom AI Companion can be used in a GDPR-compliant way, but compliance depends on your configuration, legal basis, and organisational measures — not on the tool itself. You must accept Zoom’s DPA, establish a valid legal basis for AI processing of employee and participant data, enable participant notification, and engage your works council where required. The tool is not automatically compliant simply because Zoom provides a DPA.

Does Zoom store data in Germany?

Zoom offers an EU Data Residency option that includes storage in European data centres, including Frankfurt. This is an enterprise add-on feature and is not enabled by default. AI Companion features may involve additional processing infrastructure beyond at-rest data storage — verify the full scope of data residency for AI features specifically in your DPA and account configuration.

Can German companies use Zoom AI Companion under DSGVO?

Yes, German companies can use Zoom AI Companion under DSGVO with appropriate preparation: an executed DPA, a documented legal basis under Art. 6 DSGVO (and §26 BDSG for employee data), works council engagement where co-determination applies, and the correct technical configuration for participant notification. Companies without a works council have more organisational flexibility but must still address the GDPR and BDSG requirements.

What is Zoom’s DPA and where do I find it?

Zoom’s Data Processing Addendum is the contractual agreement under which Zoom processes personal data as a processor on behalf of your organisation. It covers GDPR Article 28 obligations, including Standard Contractual Clauses for international data transfers. It is accessible through your Zoom account admin portal under Privacy settings, or through Zoom’s legal documentation. Enterprise customers can request a countersigned version through their account manager.

Do I need a DPIA for Zoom AI Companion?

A Data Protection Impact Assessment (DPIA) may be required if Zoom AI Companion involves systematic monitoring of employees, large-scale processing of sensitive data, or high-risk automated outputs. German companies should assess DPIA necessity under GDPR Art. 35, considering especially the monitoring dimension of AI meeting summaries and smart recording features. When the analysis is borderline, conducting a DPIA is the more defensible approach.
