Secure video integration for corporates

Associations, public institutions and companies are increasingly using videos for their information and communication offerings. This makes websites more interesting and appealing to visitors. However, there are a few things to bear in mind if videos are to be integrated in compliance with the GDPR.

Although it is quick and easy to embed videos directly from commercial video platforms such as YouTube or Vimeo by simply copying the code, this entails a number of obligations for the responsible website operator from the perspective of the General Data Protection Regulation (GDPR) and increases the liability risk.

Why can the direct embedding of videos pose a problem from a GDPR perspective?

If videos are integrated directly, data is already transmitted when the player is loaded, which often happens at the same time as the page is accessed. When interacting with the player, further data is transmitted, including personal data of website visitors such as IP addresses, which are transmitted to the platform operators and, if applicable, third-party providers.

The website operator is legally responsible for these data transfers and therefore requires - as with any other form of data processing - a legal basis for this as well as information about the integration of the videos in the data protection information. In the case of commercial video platform operators from non-EU countries, it should also be noted that a legal basis is required not only for the transfer of the data itself, but also for the transfer of the data to third countries, i.e. all countries that are not part of the European Economic Area (EEA).

Consent for videos

Two ways of obtaining legally valid consent for the transfer of data to third countries have become established: obtaining transparent consent via the cookie consent banner and obtaining consent directly when calling up the video with a preview text.

However, consent for the transfer of data to third countries via a cookie banner is often neither transparent nor legal. As a result, the embedded player is loaded as soon as the website is opened and the transfer of data to third countries is thus started invisibly and uninfluenceably for the user. Irrespective of this, both solutions often lead to a high bounce rate, which does not further the purpose of embedding a video.

The GDPR does not hinder, but rather leads to new solutions that do not require consent for third country transfer, are legally compliant and protect the privacy of website visitors. Such embedding within the meaning of the GDPR is easily possible. There are two options:

• The use of a data protection-compliant solution that loads the player immediately and plays the content. This only requires an order data agreement with a European video SaaS provider, which guarantees data security.

• Installing a script for the content management system of your own website, even if this is the more complicated way. It first shows the user what happens to the user data when the video is loaded. This script should be placed before every video. Care should be taken to ensure that neither the video player nor any form of analytics are loaded in the background, unless the user has given their consent.

What advantages does the service of a European video SaaS provider offer compared to a commercial non-EU video platform?

The use of YouTube, Vimeo etc. as a marketing tool is perfectly sensible and legitimate. However, various problems can be avoided by using a professional EU video platform to manage and display videos on your own website:

• GDPR: the time-consuming process of obtaining transparent, data protection-compliant consent

• Monetisation: uncontrolled placement of third-party advertising by YouTube and its parent company Google

• Loss of autonomy: Terms of use grant YouTube control over content & playout

• Brand integrity: post video recommendations from YouTube can have a negative impact on brand identity

• User drain: Links to YouTube videos distract users from your own website.

How does 3Q ensure data protection-compliant video management?

The key requirement is the purely European infrastructure. 3Q operates with a "privacy-first" approach and completely dispenses with third-country service providers in the entire ecosystem. European data centres form the operational basis and are operated by the company's own Content Delivery Network (CDN) without the involvement of non-EU sub-service providers.

3Q customers benefit from a modern software-as-a-service solution in which software and infrastructure are seamlessly integrated.