Hi community,
We are currently assessing the privacy implications of using Loom within our internal workflows — particularly for cross-functional collaboration (e.g., onboarding, product updates, training) involving team members across different jurisdictions (EU, US, APAC) and Clients.
Given that:
Loom captures video, audio, and transcriptions, which can include images and voices of individuals;
In some EU member states and under certain data protection authorities’ interpretations, biometric identifiers such as facial images and voice recordings may qualify as special categories of data under Article 9(1) GDPR;
And considering transparency obligations (Articles 12–14 GDPR) and requirements for data protection by design;
We are seeking community insights on the following:
What would be the appropriate legal basis under Article 6 GDPR for the processing of video/audio/transcription data using Loom in a workplace setting (e.g., legitimate interest vs. consent vs. contractual necessity)?
In what circumstances could such processing be deemed to fall under Article 9 GDPR (special categories)? Have any EU data protection authorities (e.g., CNIL, AEPD, DSK) issued guidance confirming this interpretation?
If Article 9 applies, what would be a compliant exception under Article 9(2) — and would this effectively require explicit consent from data subjects (employees or collaborators)?
Are there recommended best practices for ensuring GDPR compliance when implementing asynchronous video tools like Loom (e.g., DPIA, internal policies, opt-in mechanisms)? How are companies managing Consent if that is the case?
Any experience, DPIA templates, or regulatory references would be greatly appreciated. Our goal is to maintain compliance while promoting transparent and efficient internal communication.
Thanks in advance for your insights!
Hi Julie! Please open a ticket here so that we can route this to our legal team: https://support.atlassian.com/loom/
I just did. I hope this is routed correctly; if not, you can just direct it to them. Thank you.
Side note: I am particularly interested in the consent management control aspect, in case someone has implemented a solution for that or an alternative approach.
Thanks