What makes a video tool GDPR-compliant?
A therapy session involves especially sensitive data (Art. 9 GDPR). What matters isn’t the tool’s name, but whether it meets a few clear requirements. This list lets you assess any tool in two minutes:
- A data processing agreement (DPA) under Art. 28 GDPR with the provider.
- Data processed in the EU/EEA — with no uncontrolled transfer to third countries.
- No recording by default; recordings only on purpose and with consent.
- No AI that listens to, transcribes, or trains on session content.
- Encrypted transmission (state of the art, e.g. AES-256).
- No account and no download for clients — data minimisation and a low barrier.
This is orientation, not legal advice — when in doubt, your data protection officer or a specialist lawyer can help.
Is Zoom enough for therapy sessions?
Zoom can run compliantly — but not without effort. On the right plans, Zoom offers a data processing agreement and options for EU data processing. You have to choose them actively, disable recording and the AI assistant, and be able to show everything is set up correctly. In other words: the tools are there, but the responsibility for plan, configuration, and documentation is yours.
The same is broadly true of Microsoft Teams and Google Meet. All three are solid general-purpose tools that can be set up compliantly. The effort — and the risk of missing a setting — is the price of tools that weren’t built specifically for health data.
How do common video tools compare?
The overview below places common tools along the four most important criteria. “Yes” doesn’t always mean “automatic” — it often depends on the plan and the right setting.
| Tool | DPA available | Data in the EU | No recording by default | No account for clients |
|---|---|---|---|---|
| Zoom | Yes, plan-dependent | Configurable | Yes — but AI assistant available | App recommended, browser possible |
| Microsoft Teams | Yes (via Microsoft) | EU Data Boundary | Configurable | Account/app often required |
| Google Meet | Yes (Workspace) | Plan/config-dependent | Yes | Guests by link, host account needed |
| WhatsApp / FaceTime | No | No/unclear | Yes | App/device needed |
| Jitsi (self-hosted) | n/a (your responsibility) | Yes, if EU-hosted | Yes | No account needed |
| Specialised tools (e.g. Kaufmann Health) | Included | EU-hosted | Off by default | No account needed |
As of June 2026. Plans, features, and configurations change — always check the provider’s current documentation before use. WhatsApp and FaceTime are listed for orientation but aren’t recommended for professional health data.
What to look for when choosing
- Request and file the DPA — before you use the tool with real clients.
- Check server location/data processing: EU/EEA, or a valid legal basis.
- Disable recording and AI/transcription features (or pick a tool that doesn’t have them).
- Test the client experience: one click in the browser, no account, no download?
- Name the provider and the processing in your practice’s privacy notice.
How does Kaufmann Health solve this?
Kaufmann Health is one of several options that meet these criteria by default. The video solution is built into the practice software: it runs on EU-hosted infrastructure, records nothing by default, applies no AI to session content, and clients join in one click in the browser — no account. We provide a data processing agreement, so you don’t have to source one yourself.
If your current tool meets the criteria above and you’re happy with it, there’s no need to change. And if you’d like to have this handled in one place, you can take a look at our GDPR-compliant video solution.
