
Alex Neamtu

Posted on • Originally published at sendrec.eu

GDPR-Compliant Screen Recording: What You Actually Need to Know

You need to record your screen for a team update, a bug report, or an onboarding walkthrough. You open Loom, hit record, and share the link. Simple.

But if you're in the EU, that recording just left European jurisdiction. The video file, the metadata, the viewer analytics — all sitting on US servers, processed by a US company, subject to US law. And if the recording captures a customer's name, an email thread, a Slack conversation, or a support ticket — you just exported personal data without thinking about it.

Most teams don't think about this. They should.

What GDPR actually requires for screen recordings

Screen recordings aren't exempt from GDPR just because they're internal tools. Under the regulation, a screen recording is personal data processing if it captures any identifiable information — names, email addresses, profile pictures, IP addresses, customer data visible on screen, or even the voice of the person narrating.

Three requirements matter most:

1. Lawful basis for processing. You need a legal reason to record. For internal team communication, legitimate interest usually applies: you have a genuine business reason (async communication, documentation) and the recording is proportionate. Article 6(1)(f) still expects you to weigh that interest against the rights of the people who appear in the recording and to be able to show that you did. For recordings that capture third-party data (customer screens, support tickets), the analysis gets stricter.

2. Data residency and transfers. GDPR Chapter V restricts transfers of personal data outside the EU/EEA. If your screen recording tool stores videos on US servers, that's an international data transfer. The EU-US Data Privacy Framework (DPF) provides one legal mechanism, but it's been challenged before: Privacy Shield was struck down by the CJEU in Schrems II (2020), and the DPF faces similar legal challenges. Keeping the data in the EU, with nobody outside the EU able to reach it (remote access from a third country counts as a transfer too), takes the transfer question off the table.

3. Data processor obligations. Your screen recording tool is a data processor under GDPR Article 28. That means you need a Data Processing Agreement (DPA) with the provider, and the provider must implement appropriate technical and organizational measures. You're responsible for verifying this — "we're GDPR compliant" on a pricing page isn't enough.

Where popular screen recording tools fall short

Most screen recording tools are built for the US market and treat GDPR as a checkbox rather than an architecture decision.

US-hosted infrastructure. Loom, Vidyard, and most competitors run on AWS US regions or Google Cloud US. Your video data crosses the Atlantic. They rely on the EU-US Data Privacy Framework or Standard Contractual Clauses to make this legal, but these mechanisms add legal complexity and create ongoing compliance risk. If the DPF is invalidated (as Privacy Shield was), you're exposed.

No self-hosting option. You can't run Loom on your own infrastructure. Your data lives on their servers, managed by their team, subject to their retention policies. For regulated industries (healthcare, finance, legal), this is often a non-starter.

Opaque data processing. Many tools collect telemetry, analytics, and usage data beyond what's needed for the core service. Reading a 40-page privacy policy to understand what's collected and where it goes isn't practical — but it's what GDPR compliance actually requires.

No data residency guarantee. Even tools that offer "EU data residency" sometimes route data through US services for processing, CDN delivery, or analytics. The video might be stored in Frankfurt, but the thumbnail generation, transcription, or analytics pipeline might run through Virginia.

The simplest path to compliance: keep data in the EU

The cleanest way to handle GDPR and screen recordings is to never send the data outside the EU in the first place. No international transfer means no transfer mechanism needed. No reliance on the DPF. No supplementary measures assessment. No risk of a future court ruling pulling the rug out.

This requires a tool that:

  • Stores video files on EU servers — not just the primary storage, but all processing (thumbnails, transcription, analytics)
  • Runs its application servers in the EU — API requests, authentication, metadata all handled in-region
  • Doesn't route through US cloud services — no AWS CloudFront, no Google Analytics, no US-based CDN in the delivery path
  • Supports self-hosting — for teams that need full control, the option to run everything on their own infrastructure

A checklist for evaluating screen recording tools

Before adopting a screen recording tool for your EU-based team, verify:

Data storage:

  • Where are video files physically stored? Which data center, which country?
  • Where are backups stored?
  • Where does processing happen (thumbnail generation, transcription, encoding)?

Infrastructure:

  • Who is the cloud provider? Where are their servers?
  • Does any data pass through non-EU infrastructure, even transiently?
  • What CDN is used for video delivery? Where are the edge nodes?

Legal:

  • Is a DPA available? Have you signed it?
  • What lawful basis does the tool use for processing your data?
  • What happens to your data if you cancel? Deletion timeline?

Control:

  • Can you export your data?
  • Can you self-host for full control?
  • Can you set retention policies?

Third-party sub-processors:

  • Who has access to your data?
  • Where are sub-processors located?
  • Are you notified when sub-processors change?

Most teams skip this evaluation because the popular tools feel safe. But "everyone uses Loom" isn't a lawful basis under GDPR. Your Data Protection Officer won't accept it.

How we handle this at SendRec

SendRec is built from the ground up for EU data residency. Not as an add-on, not as an opt-in region selector — as the default architecture.

EU-only infrastructure. The application server, database, and object storage all run on Hetzner in Helsinki. Video files never leave the EU. Thumbnail generation, transcription (via whisper.cpp), and analytics all happen on the same EU server.

No US cloud in the data path. No AWS, no Google Cloud, and no Cloudflare proxy in front of the server. Cloudflare is used for DNS only (records set to DNS-only, no proxying), so it answers name lookups but never sees HTTP traffic or video bytes; the A record points straight at the EU server rather than at a Cloudflare proxy address, which anyone can confirm with a DNS lookup. Video delivery uses presigned S3 URLs from EU-hosted MinIO. No US CDN edge nodes.

Self-hostable. SendRec is open source (AGPL-3.0) and ships as a single Docker image. Run it on your own infrastructure with docker compose up. You control the server, the database, the storage. Zero dependency on us.

Minimal data collection. View analytics store a hash of IP + user agent rather than the raw values: enough to count unique viewers without keeping an IP log. One caveat worth knowing when you evaluate any tool that does this: an unkeyed hash of a 32-bit IPv4 address and a user-agent string can be brute-forced by whoever holds the hashes, because the input space is small enough to enumerate, so under GDPR such an identifier is pseudonymised personal data rather than anonymous. The usual fix is a keyed hash whose secret is kept away from the analytics store and rotated regularly. No telemetry, no usage tracking, no third-party analytics. The only external service is Listmonk (self-hosted) for transactional emails.

Browser-native recording. Screen recordings happen entirely in the browser using the standard getDisplayMedia API. The video data goes directly from the browser to the EU storage server via presigned upload URLs. The application server never touches video bytes.

GDPR compliance isn't just about where data is stored

Data residency is necessary but not sufficient. Real GDPR compliance also means:

  • Purpose limitation — only processing data for its intended purpose (async video communication, not ad targeting or behavioral profiling)
  • Data minimization — collecting only what's needed (we don't require personal information from viewers)
  • Storage limitation — video owners can delete recordings at any time, and deleted files are purged from storage
  • Right of access and erasure — users can export or delete their data

These aren't features you bolt on. They're architectural decisions that need to be made from the start. Retrofitting a US-built SaaS product for GDPR compliance is fundamentally different from building for it from day one.

The bottom line

If your team is in the EU and records screens that capture any personal data — customer names, email threads, Slack messages, support tickets — your screen recording tool is processing personal data under GDPR. The regulation applies whether you've thought about it or not.

The path of least resistance is a tool that keeps data in the EU by default. No transfer impact assessments, no reliance on legal frameworks that might be invalidated, no compliance theater.

SendRec is open source, self-hostable, and EU-hosted. Try it at app.sendrec.eu or run it on your own infrastructure — the self-hosting guide takes about ten minutes.
