GDPR-Compliant Screen Recording: A 2026 Guide for EU Teams
Screen recordings are easy to overlook in a GDPR audit. They get classified as "internal communication" and skipped — even though they routinely contain customer email addresses, names, dashboards with PII, and sometimes payment details visible on screen. If your team records sessions that include any of those, GDPR applies.
This guide walks through what GDPR expects from a screen recording tool and what to ask vendors before you sign.
Why screen recordings are a GDPR concern
A screen recording can include personal data in three forms:
- Visible PII: customer names, emails, addresses, support tickets — anything on screen during recording.
- Audio PII: spoken names, account details, identifying information during a voiceover.
- Derivative artifacts: if the tool runs automatic speech recognition (ASR) over the recording, that PII is now also stored as searchable transcript text.
Once a recording lives in a SaaS vendor's storage, that vendor is a processor under GDPR. Your DPA needs to cover them, and your DPIA should reflect the risk.
The five questions to ask any screen recording vendor
1. Where is recording data physically stored?
EU teams typically need EU-region storage. Ask for the specific region (Frankfurt, Dublin, Amsterdam). "We're GDPR compliant" does not answer the data residency question.
2. Who is the sub-processor for video delivery?
Most screen recording tools use a CDN to deliver videos. That CDN is a sub-processor. You need them listed in the DPA and in your processor register.
3. Can shared links expire?
GDPR's data minimization principle implies recordings shouldn't be perpetually accessible. Time-limited shareable links are a practical control — the link returns 404 after expiry, regardless of who still has the URL.
4. Can you delete a recording — and verify deletion?
A data subject access request may require deleting a recording that contains personal data. The tool needs a clear deletion workflow that propagates to backups and CDN caches, with confirmation visible to the operator.
5. What about transcripts and AI summaries?
If the tool runs transcription or AI summarization, those derivative artifacts also contain personal data. Ask: are transcripts processed by the same vendor, or shipped to a sub-processor? Are they deleted automatically when the parent recording is deleted?
How OpenKap addresses each
- EU storage: when self-hosted, you choose the region. The hosted version supports EU regions via Bunny Stream's European points of presence.
- Sub-processors: documented in the DPA — Bunny Stream for video delivery, optionally a transcription provider.
- Expiring links: every share link supports an optional expiration date, set per video.
- Deletion workflow: deleting a video removes it from storage and invalidates active share tokens.
- Transcripts: optional feature; when enabled, transcripts are deleted with the parent video.
Practical workflows for EU teams
Recording with customer data on screen
- Use a virtual desktop or scrubbed test account for the recording.
- Set an expiration of 7–14 days on the share link.
- Disable transcription for sensitive recordings via the video settings.
Recording for support or customer success
- Get consent on the call before recording.
- Mark the recording as private so the share link requires authentication.
- Apply your standard retention policy (e.g., 90 days) and rely on automatic deletion.
Recording for internal team comms
- Lower risk, but still review for PII before sharing externally.
- Use workspace-level access controls to keep recordings inside the organization.
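The workflows above rely on three server-side controls: an expiry checked when a share link is resolved (so the link returns 404 once it lapses, whoever still holds the URL), deletion that revokes any active share tokens, and a retention sweep that deletes automatically. The following is an added illustration of how those fit together, written for this guide; it is not OpenKap's code, and `VideoStore`, `Video` and their methods are hypothetical names.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Video:
    video_id: str
    created_at: datetime
    private: bool = False  # a private video needs an authenticated viewer


class VideoStore:
    """Hypothetical model (not OpenKap's code): expiring links, revoking deletion, retention sweep."""

    def __init__(self) -> None:
        self.videos: Dict[str, Video] = {}
        # token -> (video_id, expires_at); expires_at None means the operator set no expiry
        self.tokens: Dict[str, Tuple[str, Optional[datetime]]] = {}

    def share(self, video_id: str, now: datetime, ttl_days: Optional[int] = None) -> str:
        # Unguessable token; the expiry is enforced server-side when the link is resolved
        expires = now + timedelta(days=ttl_days) if ttl_days is not None else None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (video_id, expires)
        return token

    def resolve(self, token: str, now: datetime, authenticated: bool = False) -> int:
        # HTTP-style status: 404 for unknown, expired or deleted (the URL holder
        # cannot tell which), 401 for a private video without authentication
        video_id, expires = self.tokens.get(token, (None, None))
        video = self.videos.get(video_id)  # None if the token is unknown or the video was deleted
        if video is None or (expires is not None and now >= expires):
            return 404
        if video.private and not authenticated:
            return 401
        return 200

    def delete(self, video_id: str) -> None:
        # Remove the video and revoke every active share token that points at it
        self.videos.pop(video_id, None)
        for token in [t for t, (vid, _) in self.tokens.items() if vid == video_id]:
            del self.tokens[token]

    def retention_sweep(self, now: datetime, max_age_days: int) -> List[str]:
        # Automatic deletion under the retention policy; returns the ids removed
        cutoff = now - timedelta(days=max_age_days)
        stale = [v.video_id for v in self.videos.values() if v.created_at < cutoff]
        for video_id in stale:
            self.delete(video_id)
        return stale
```

A real deployment would also have to purge the object store, backups and CDN caches, which this in-memory model does not represent.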
The audit-ready checklist
- Vendor's DPA signed and on file.
- Sub-processors documented in your processor register.
- Storage region confirmed in writing.
- Retention policy configured in the tool.
- Deletion process tested with a sample recording.
- DPIA includes the screen recording tool.
- Internal policy: when teams can record, and what they shouldn't include.
A small but useful nuance
GDPR doesn't outright prohibit recordings that contain personal data — it requires you to have a lawful basis, document it, minimize what's collected, and respect data subject rights. The most common failure mode isn't recording too much; it's not knowing what was recorded six months later. A short, enforced retention policy solves more compliance problems than any tooling decision.
For deployment options, see our self-hosted screen recording guide. For external sharing controls, see sharing confidential videos with clients.