Secure video integration for companies

Associations, public institutions and companies are increasingly using videos for their information and communication offerings. This makes websites more interesting and appealing to visitors. But there are a few things to consider if the integration of videos is to be GDPR-compliant.

The direct integration of videos from commercial video platforms such as YouTube or Vimeo is quick and easy by simply copying the code, but from the perspective of the General Data Protection Regulation (GDPR), entails some obligations for the responsible website operators and increases the liability risk.

Why can the direct integration of videos be a problem from the perspective of the GDPR?

When videos are integrated directly, data is transferred as soon as the player is loaded, which often happens at the same time as the page is accessed. When interacting with the player, further data transfers take place, including personal data of website visitors such as IP addresses, which are transmitted to platform operators and, if applicable, third-party providers.

The operator of the website is legally responsible for these data transfers and therefore needs - as with any other form of data processing - a legal basis for this and information about the integration of the videos in the data protection policy. In the case of commercial video platform operators from non-EU countries, it should also be noted that a legal basis is required not only for the transfer of the data itself, but also for the transfer of data to third countries, i.e. all countries that are not part of the European Economic Area (EEA).

Consent for videos

There are two ways to obtain legally valid consent to the transfer of data to third countries: obtaining transparent consent via the cookie consent banner and obtaining consent directly when viewing the video with a preview text.

However, consent to the transfer of data to third countries using a cookie banner is often neither transparent nor legal. As a result, the embedded player is loaded as soon as the website is set up and the data transfer to third countries starts invisibly and without influence for the user. Regardless, both solutions often result in a high bounce rate, which does not promote the purpose of including a video.

The GDPR does not hinder, but leads to new solutions that do not require consent to transfer to third countries, are legally compliant and protect the privacy of website visitors. Such embedding within the meaning of the GDPR is easily possible. There are two options:

• Using a privacy-compliant solution that instantly loads the player and plays the content. All that is required is an order data agreement with a European video SaaS provider, which guarantees data security.
• Installing a script for your own website's content management system, even if this is the more cumbersome way. It first shows the user what happens to the user data when the video is loaded. This script should be used before every video. Care should be taken to ensure that neither the video player nor any form of analytics are loaded in the background, unless the user has consented.

What are the advantages of a European video SaaS provider's service compared to a commercial non-EU video platform?

Using YouTube, Vimeo, etc. as a marketing tool is definitely useful and legitimate. However, using a professional EU video platform to manage and play videos on your own website can avoid various problems:

• GDPR: the time-consuming process of obtaining transparent, data protection-compliant consent
• Monetization: uncontrolled placement of third-party advertising by YouTube and its parent company Google
• Loss of autonomy: Usage rights conditions give YouTube control over content & playback
• Brand integrity: Post video recommendations from YouTube can have a negative impact on brand identity
• User outflow: Links to YouTube videos distract users from their own website.

How does 3Q ensure privacy-compliant video management?

The main requirement is a purely European infrastructure. 3Q operates with a “privacy-first” approach and completely dispenses with third-party service providers in the entire ecosystem. European data centers form the operational basis and are operated by the company's own content delivery network (CDN) without the involvement of non-EU sub-service providers.

3Q customers benefit from a modern software-as-a-service solution that seamlessly integrates software and infrastructure.