Zoom AI Companion GDPR Compliance for German Businesses

Is Zoom AI Companion GDPR compliant in Germany?

Zoom AI Companion can be deployed in a GDPR-compliant way in Germany, but only if your company accepts Zoom's DPA, verifies EU data residency for the AI features you enable, sets a lawful basis for employee and participant data, and handles works-council co-determination where monitoring risks exist.

  • Zoom can be configured compliantly, but AI Companion needs a stricter review than core video meetings.
  • The key 2026 checks are the DPA version, AI inference location, and the exact scope of EU data residency.
  • Frankfurt hosting alone is not enough if AI processing, support access, or external transfers still fall outside your approved setup.

Yes, Zoom AI Companion can be used in a GDPR-compliant way in Germany, but only with additional legal and technical checks beyond standard Zoom meetings. For most German businesses, the decisive points are whether you have accepted Zoom’s current DPA, whether AI Companion stays within your approved data-flow design, whether the EU data residency add-on actually covers the AI features you want, and whether works-council co-determination is required before employee rollout. Our AI tools compliance overview covers other enterprise AI tools assessed for use in Germany.

Short answer: Is Zoom AI Companion GDPR compliant in Germany?

The short answer is yes, conditionally. Zoom’s core conferencing product and Zoom AI Companion are not the same compliance question. A company may have a defensible Zoom setup for video meetings while still needing a separate approval process for AI meeting summaries, smart recordings, transcripts, and chat assistance.

For German companies, the fastest decision test is:

  • Contract layer: accept Zoom’s DPA and confirm the current version in your vendor file
  • Transfer layer: check whether your selected data residency setup also covers the AI feature you plan to enable
  • Employment layer: assess §26 BDSG and §87(1) No. 6 BetrVG before enabling AI Companion for employees
  • Meeting layer: ensure participants are informed when AI summaries, transcripts, or smart recording functions are active

If one of those layers is unresolved, the safer conclusion is not “Zoom is non-compliant,” but rather “AI Companion is not yet approved for this use case.”

What German businesses should verify in 2026

As of May 22, 2026, three product-specific checks matter most for German buyers and privacy teams:

  1. Which DPA version is on file? Zoom’s public Global Data Processing Addendum was updated in November 2024. Your procurement file should record the accepted version, date, account entity, and any negotiated addenda.
  2. Where does AI Companion processing happen for your setup? Zoom’s AI Companion privacy and security whitepaper, updated on August 26, 2025, states that Zoom AI Companion may use Zoom-hosted models and, depending on feature and configuration, third-party model providers. That makes the inference location and transfer design a live review point, not a box you can assume from core Zoom hosting alone.
  3. What does EU data residency actually cover? Zoom’s April 2026 EU infrastructure fact sheet says eligible EU-hosted customers can use AI Companion with in-region processing and a Zoom-hosted Models Only option, but you still need to confirm the scope for your plan, activated features, support paths, and cross-region meeting scenarios.

This is why the right legal answer for many organisations is not “Is Zoom compliant?” but “Is our intended Zoom AI Companion configuration compliant?”

Zoom’s Data Processing Agreement (DPA)

Zoom’s DPA is the contractual starting point for any German business that wants to use Zoom for employee or customer data. It is not enough on its own, but without it the rest of the analysis usually stops.

For practical review purposes, confirm that your file covers:

  • Article 28 GDPR processor terms
  • Standard Contractual Clauses (SCCs) for restricted transfers
  • Sub-processor change management
  • Security and confidentiality obligations
  • Deletion, return, audit, and assistance obligations

This DPA review matters even more for AI Companion because summaries, transcripts, smart recordings, and AI chat functions can process richer meeting content than standard call metadata.

What Zoom’s DPA includes:

  • Controller-processor relationship, with Zoom acting as processor for customer data
  • Standard Contractual Clauses (SCCs) covering transfers of personal data outside the EEA
  • Data security and confidentiality obligations (GDPR Art. 32)
  • Sub-processor management with prior notice of changes
  • Rights to conduct audits and inspections
  • Obligations to assist with data subject rights requests
  • Data deletion and return commitments at contract termination

How to access Zoom’s DPA:

Zoom’s Global Data Processing Addendum is available through Zoom’s legal documentation and admin flows. Enterprise contracts may also contain negotiated addenda. For German procurement files, keep a copy of the accepted DPA version, the acceptance date, and any deviations from Zoom’s standard terms.

For a detailed guide to reviewing AI tool DPAs, see our data processing agreement guidance.

Zoom AI Companion and GDPR

Zoom AI Companion is Zoom’s suite of AI-powered features, including:

  • AI Meeting Summaries: Automatically generated summaries of meeting content and decisions
  • Smart Recording: AI-generated chapters, transcripts, and highlights from recorded meetings
  • AI Companion Chat: AI-assisted responses and suggestions in Zoom Chat
  • AI Notes: Real-time note suggestions during live meetings

Each of these features processes personal data — the content of meetings, names and voices of participants, written chat, and conversation metadata. This creates specific GDPR obligations that extend significantly beyond standard video conferencing compliance.

What data does Zoom AI Companion process?

Zoom AI Companion processes the following categories of personal data:

  • Meeting audio and video content — transcribed for summaries and smart recordings
  • Chat messages — accessed by the AI Companion for context-aware responses
  • Participant identifiers — names, email addresses, associated with AI outputs
  • Behavioural metadata — attendance patterns, participation data used by AI features

Depending on what participants discuss, meeting audio and transcripts may indirectly reveal health information, trade union membership, political opinions, or other special category data under GDPR Art. 9. This creates a heightened compliance obligation even when AI Companion is used for ordinary business meetings.

Before enabling Zoom AI Companion, your organisation must identify a valid legal basis under GDPR Art. 6:

Legitimate interest (Art. 6(1)(f)): Often applied for internal productivity tools, but requires a balancing test against employees’ and participants’ privacy rights. For German companies, processing employee data on the basis of legitimate interest must also satisfy §26 BDSG (Federal Data Protection Act).

Contract performance (Art. 6(1)(b)): Generally not suitable as the primary basis for AI meeting recording or employee monitoring.

Consent (Art. 6(1)(a)): Valid for processing data from external meeting participants, but difficult to use for employee data due to the inherent power imbalance. Consent that an employer collects from employees may not be freely given and may therefore be invalid under GDPR.

German companies should assess the appropriate legal basis for each AI Companion feature separately, and for each category of data subject (employees versus external participants).

Opt-in and opt-out configuration

Zoom AI Companion features are configurable at account, group, or user level through the Zoom Admin Console:

  • Account-level control: Administrators can enable or disable AI Companion features globally before any user activates them
  • Meeting host control: Hosts can toggle specific AI features per meeting
  • Participant notification: Zoom displays an AI Companion indicator when features are active — participants are notified automatically

For GDPR compliance, verify that participant notification is enabled and that employees receive clear information about when AI features are processing their speech and contributions. For AI transcription compliance under GDPR, our dedicated guide explains the obligations triggered by automatic transcription of meetings.

Data Residency: Where Does Zoom Store Your Data?

By default, Zoom routes data through its global infrastructure, which includes US-based data centres. For German businesses, this creates transfer obligations under GDPR Chapter V (international data transfers).

EU Data Residency option:

Zoom offers an EU Data Residency configuration for enterprise customers. With this enabled:

  • Data at rest is stored in European data centres, including Frankfurt
  • Real-time meeting data is routed through EU infrastructure
  • SCCs in Zoom’s DPA cover any residual transfers outside the EEA

Important limitations to verify:

  • EU Data Residency is typically an add-on feature for enterprise accounts — not included in standard licences
  • Not all data types may fall within the residency scope — review exactly which data categories are covered
  • AI model inference for Zoom AI Companion features may involve cloud-based processing that operates differently from at-rest data residency
  • Support access from non-EU Zoom personnel may create residual transfer exposure under your DPA

In practice, this means Frankfurt hosting alone is not a complete AI Companion answer. Your privacy team should ask Zoom or your reseller to confirm, in writing, whether the AI features you intend to enable remain within your approved residency and model-processing scope.

German companies in regulated sectors — financial services, healthcare, or legal — should verify the full residency scope before treating the EU Data Residency option as a complete transfer solution.

Zoom GDPR Risk Checklist for German Businesses

Work through this checklist before or during your Zoom deployment:

DPA and legal framework:

  • Accept Zoom’s Data Processing Addendum through your account admin portal
  • Verify the DPA version and effective date in writing
  • Confirm Zoom’s role as processor (not controller) for meeting content
  • Review SCCs for US-based data transfers
  • Add Zoom to your data processing register (Verzeichnis der Verarbeitungstätigkeiten)

AI Companion specific:

  • Decide at account level whether Zoom AI Companion is enabled for your organisation
  • Establish the legal basis for AI Companion under GDPR Art. 6 (and §26 BDSG for employee data)
  • Configure participant notification — confirm the AI indicator is displayed in meetings
  • Assess whether a Data Protection Impact Assessment (DPIA) is required under GDPR Art. 35
  • Document your AI Companion configuration decisions with written rationale

Data residency:

  • Determine whether the EU Data Residency add-on is required for your compliance posture
  • Verify which specific data types are covered by EU residency configuration
  • Review AI model inference locations for AI Companion features with your Zoom account manager

Works council (Betriebsrat):

  • Assess whether Zoom AI Companion triggers co-determination rights under §87 BetrVG
  • If applicable, initiate works council consultation before enabling AI Companion for employees
  • Document the outcome and any agreed works agreement (Betriebsvereinbarung)

Employee communication:

  • Update employee privacy notices to cover Zoom AI Companion data processing
  • Train employees on when AI features are active and how to identify them
  • Establish an internal policy on acceptable use and storage of AI Companion outputs

Works Council Requirements in Germany

German companies with a works council (Betriebsrat) must assess whether Zoom AI Companion triggers co-determination rights under §87(1) No. 6 BetrVG — which covers the introduction and use of technical equipment designed to monitor employee behaviour or performance.

AI meeting summaries, smart recordings, and participation analytics can constitute monitoring under this provision, even if that is not their primary purpose. The critical legal question is whether the tool creates the possibility of monitoring — not whether management actually intends to use it that way.

Practical implications:

  • Consult your Betriebsrat before enabling AI Companion features for employees
  • A works agreement (Betriebsvereinbarung) covering Zoom AI Companion is the most defensible approach
  • The works agreement should specify: which features are enabled, how outputs are stored and accessed, who can review AI-generated summaries, and how long data is retained
  • Failing to engage the Betriebsrat may give employees grounds to demand deactivation of the features

For the full framework governing AI employee monitoring compliance in Germany, our dedicated guide covers BetrVG co-determination requirements for AI tools in the workplace.

How to Sign Zoom’s DPA as a German Company

Follow these steps to execute Zoom’s Data Processing Addendum:

  1. Log in to your Zoom account portal as account administrator at zoom.us
  2. Navigate to Privacy settings — typically under Account Management → Privacy
  3. Locate the Data Processing Addendum — for enterprise accounts this may be pre-accepted or require explicit opt-in
  4. Review the DPA carefully, including the SCCs and sub-processor annex, before accepting
  5. Accept the DPA through the portal, or request a countersigned addendum from your Zoom account manager for enterprise-level agreements
  6. Document the acceptance — record who accepted, when, and which account configuration was in place
  7. Update your vendor register — add Zoom as a data processor in your GDPR Records of Processing Activities with reference to the accepted DPA

Enterprise customers with specific residency or security requirements can negotiate bespoke DPA terms through Zoom’s enterprise sales team.

How Compound Law Helps

  • DPA review and gap analysis for your specific Zoom deployment
  • Legal basis assessment for Zoom AI Companion under GDPR Art. 6 and §26 BDSG
  • Works council coordination and Betriebsvereinbarung drafting
  • Data Protection Impact Assessment (DPIA) support for AI Companion features
  • Internal Zoom AI usage policy development
  • Comparison with Microsoft Teams Copilot and Notion AI for enterprise AI tool selection

Frequently Asked Questions

Is Zoom AI Companion GDPR compliant?

Zoom AI Companion can be used in a GDPR-compliant way, but compliance depends on your configuration, legal basis, and organisational measures — not on the tool itself. You must accept Zoom’s DPA, establish a valid legal basis for AI processing of employee and participant data, enable participant notification, and engage your works council where required. The tool is not automatically compliant simply because Zoom provides a DPA.

Does Zoom store data in Germany?

Zoom offers an EU Data Residency option that includes storage in European data centres, including Frankfurt. This is an enterprise add-on feature and is not enabled by default. AI Companion features may involve additional processing infrastructure beyond at-rest data storage — verify the full scope of data residency for AI features specifically in your DPA and account configuration.

Is Frankfurt hosting alone enough for Zoom AI Companion?

No. Frankfurt or EU hosting helps, but it does not answer every GDPR question for AI Companion. German businesses still need to verify model inference scope, support access, cross-border transfers, retention settings, participant transparency, and the intended internal use of summaries or transcripts.

Do external meeting participants require additional Zoom AI Companion steps?

Usually yes. External participants are not covered by your employee policies, so meeting notices, host controls, legal basis analysis, and the decision to activate transcripts, summaries, or smart recording features should be assessed separately for mixed internal-external meetings.

Does Zoom AI Companion require works council approval in Germany?

It often requires at least a formal co-determination assessment and, in many companies, a works agreement before rollout. If AI Companion features can make employee behaviour, participation, or performance visible, §87(1) No. 6 BetrVG may apply even when monitoring is not the employer’s stated purpose.

Can German companies use Zoom AI Companion under DSGVO?

Yes, German companies can use Zoom AI Companion under DSGVO with appropriate preparation: an executed DPA, a documented legal basis under Art. 6 DSGVO (and §26 BDSG for employee data), works council engagement where co-determination applies, and the correct technical configuration for participant notification. Companies without a works council have more organisational flexibility but must still address the GDPR and BDSG requirements.

What is Zoom’s DPA and where do I find it?

Zoom’s Data Processing Addendum is the contractual agreement under which Zoom processes personal data as a processor on behalf of your organisation. It covers GDPR Article 28 obligations, including Standard Contractual Clauses for international data transfers. It is accessible through your Zoom account admin portal under Privacy settings, or through Zoom’s legal documentation. Enterprise customers can request a countersigned version through their account manager.

Do I need a DPIA for Zoom AI Companion?

A Data Protection Impact Assessment (DPIA) may be required if Zoom AI Companion involves systematic monitoring of employees, large-scale processing of sensitive data, or high-risk automated outputs. German companies should assess DPIA necessity under GDPR Art. 35, considering especially the monitoring dimension of AI meeting summaries and smart recording features. When the analysis is borderline, conducting a DPIA is the more defensible approach.
