For the data processing activities described in the respective Annex 1 of this agreement, where TeamViewer acts as the Customer’s Processor, the parties agree to the following provisions on the commissioned processing of personal data, which shall supplement the TeamViewer End User License Agreement (EULA) (Data Processing Agreement, “DPA“) until further notice.
The DPA does not apply if the Customer is a natural person using the Software or the Services in the course of a purely personal or family activity (cf. Art. 2(2)(c) EU General Data Protection Regulation, “GDPR“).
The provisions of this DPA and the EULA concluded at the same time complement each other and exist side by side. In the event of any contradictions in the area of data protection, the DPA shall take precedence over the provisions of the EULA.
The obligations of TeamViewer shall arise from this DPA and the applicable laws. The applicable laws shall in particular include the Federal Data Protection Act (“FDPA”) and the GDPR.
To the extent this DPA is applicable, TeamViewer shall only process personal data within the scope of this DPA and on documented instructions of the Customer, which are mutually agreed upon by the parties in the EULA and especially defined by the Product functionality, unless TeamViewer is required to do so by Union or the member state law to which TeamViewer is subject; in such a case TeamViewer shall inform the Customer of that legal requirement before processing, unless the respective law prohibits such information on important grounds of public interest. The Customer can give additional written instructions as far as this is necessary to comply with the applicable data protection law. The documentation on issued instructions shall be kept by the Customer for the term of the DPA.
TeamViewer shall ensure that the persons authorized to process the personal data have committed themselves to confidentiality unless they are subject to an appropriate legal obligation of secrecy.
TeamViewer shall, taking into account the nature of the processing, assist the Customer as far as this is possible by appropriate technical and organizational measures in the fulfillment of requests to exercise the rights of affected data subjects as referred in Chapter III of the GDPR. Should a data subject contact TeamViewer directly to exercise the data subject’s rights regarding the data processed on behalf of the Customer (as far as identifiable), TeamViewer shall immediately forward such request to the Customer. The Customer shall remunerate TeamViewer an hourly rate of 70 Euros for the effort resulting from such assistance, if and as far as permitted by applicable data protection laws.
Taking into account the type of processing and the information available to TeamViewer, TeamViewer shall support the Customer with appropriate technical and organizational measures to comply with the obligations mentioned in Article 32-36 GDPR, especially with regard to the security of the processing, the notification of personal data breach, the data protection impact assessment as well as the consultation with supervisory authorities. The Customer shall remunerate TeamViewer an hourly rate of 70 Euros for the effort resulting from such assistance, if and as far as permitted by applicable data protection laws.
TeamViewer will provide the Customer with the information necessary to maintain the records of processing activities.
At the choice of the Customer, TeamViewer shall delete or return the personal data that is processed on behalf of the Customer, if and to the extent that the law of the European Union or a member state to which TeamViewer is subject does not provide for an obligation to store the data.
TeamViewer shall provide the customer with all information necessary to demonstrate compliance with the obligations resulting from Sections 2 and 3 of this DPA. TeamViewer will also provide certificates of regular audits by recognized auditors or other qualified third parties, if required.
If and insofar there are objectively justified indications of a violation of this DPA or of data protection regulations by TeamViewer, TeamViewer will enable and contribute to additional audits, including inspections, which are carried out by the Customer or by a qualified auditor appointed by the Customer. When conducting the inspection, the Customer will not disrupt TeamViewer’s operations in a disproportionate manner.
TeamViewer shall inform the Customer immediately if TeamViewer is of the opinion that the execution of an instruction could lead to a violation of the applicable data protection law. TeamViewer is entitled to suspend the execution of the relevant instruction until it is confirmed in writing or changed by the Customer after the review.
If TeamViewer detects violations of the applicable data protection law, this DPA, or instructions of the Customer regarding the commissioned processing of personal data, TeamViewer shall inform the Customer immediately.
TeamViewer has appointed Ms. Hauser as external data protection officer, who can be reached at privacy@teamviewer.com, or at TeamViewer Germany GmbH, for the attention of the Data Protection Officer, Bahnhofsplatz 2, 73033 Göppingen, Deutschland.
TeamViewer will generally only transfer personal data processed within the scope of this DPA to a country outside the EU or the European Economic Area (EEA) for which no adequacy decision of the EU Commission in the sense of Art. 45 para. 3 GDPR exists (“unsafe third country”), provided that:
Furthermore, TeamViewer shall be entitled to utilize Subprocessors in a third country to process personal data, insofar the requirements of Art. 44 GDPR are met.
TeamViewer utilizes the services of a number of another processors (hereinafter, “Subprocessors”). The list of Subprocessors used by TeamViewer for each of the TeamViewer products can be found under the following link as Annex 3. By concluding the DPA, the Customer agrees to the engagement of the Subprocessors that are included in Annex 3 at the time of concluding the DPA for the relevant TeamViewer Product.
If TeamViewer wishes to commission further or other Subprocessors to provide the contractually agreed services (e.g., hosting), such Subprocessors have to be selected with the required care and due diligence. TeamViewer shall notify the Customer at least 15 days in advance about the appointment of any new Subprocessors. The Customer has the right to object to the engagement of the Subprocessor by stating objectively comprehensible reasons. If no objection is raised within this period, the new Subprocessor notified accordingly shall be deemed approved. If, in the event of an objection within the deadline, no solution can be reached, either party is entitled to terminate the DPA with a notice period of two (2) weeks. When the termination of the DPA becomes effective, the EULA shall also be considered terminated. Reference is made to section B.5.5 (Consequences of termination) of the EULA.
Subprocessors in third countries may only be engaged if the special requirements of Art. 44 et seq. GDPR are fulfilled.
TeamViewer is generally entitled to amend the provisions of this DPA. TeamViewer will inform the Customer about the planned change and the content of the new DPA at least twenty-eight (28) days before such changes become effective. The change is considered approved if the Customer does not object to TeamViewer within fifteen (15) days after receipt of this information. If the Customer objects to the change, the DPA continues under the existing conditions.
Reference is made to Art. 82 of the GDPR.
For the rest, it is agreed that the regulations on limitation of liability from the corresponding license agreement shall apply.
Version as of January 1st, 2021.