Data Processing Agreement
Last updated:June 14, 2021
- Validity and Scope of Application
- Indication of the Competent Data Protection Supervisory Authority; Data Protection Officer
- Subject of Contract
- Responsibility and Right of Instructions
- Type of Data processed, Group of Data Subjects
- Protective Measurements of the Processor
- Information and Cooperation Obligations of ANYDESK
- Control Rights of the Controller
- Use of Subcontractors
- Requests and Rights of Data Subjects
- Extraordinary Right of Termination
- Data Deletion
- Final Provisions
1. Validity and Scope of Application
1.1 In case, personal data is being processed on behalf of the Customer as the controller within the meaning of Article 4 (7) of the German Data Protection Regulation (GDPR) while using the contractual services of ANYDESK, the Parties agree in accordance with Section 12.4 of the General Terms and Conditions (lit. A) on the following Agreement on the Processing of Personal Data (DPA) accordingly to Article 28 (3) of the GDPR. This agreement is subject to the following provisions, which take precedence over the General Terms and Conditions (lit. A), which otherwise apply.
2.1 Pursuant to Article 4 (7) of the GDPR, the Controller is the body which alone or jointly with other controllers determines the purposes and means of the processing of personal data.
2.2 Pursuant to Article 4 (8) of the GDPR, the Processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller.
2.3 Pursuant to Article 4 (1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.4 Personal data requiring special protection are personal data pursuant to
Art. 9 GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and offences or related security measures, and genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR and data on the sex life or sexual orientation of a natural person.
2.5 Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, in accordance with
Article 4 (2) GDPR.
2.6 Pursuant to Article 4 (21) GDPR, the supervisory authority shall be an independent state body established by a Member State pursuant to Article 51 GDPR.
3. Indication of the Competent Data Protection Supervisory Authority; Data Protection Officer
3.1 The competent supervisory authority for ANYDESK (hereinafter also "Processor") is the State Commissioner for Data Protection of Baden-Württemberg ( https://www.baden-wuerttemberg.datenschutz.de ).
3.2 The Customer (hereinafter also "Controller") and ANYDESK and, if applicable, their representatives shall cooperate with the supervisory authority in the performance of their duties upon request.
3.3 The data protection officer of ANYDESK is activeMind AG, Potsdamer Straße 3, DE-80802 München to be contacted via firstname.lastname@example.org .
4. Subject of Contract
4.1 ANYDESK grants the Controller the use of the AnyDesk remote maintenance software in accordance with the General Terms and Conditions (lit. A; "Main Contract"). In doing so, ANYDESK obtains access to personal data (hereinafter also referred to as "Data") and processes them exclusively on behalf of and according to the instructions of the Controller. The scope and purpose of the data processing by ANYDESK as a processor are set out in the main contract (lit. A, section 2.2). However, the Controller is responsible for assessing the permissibility of the data processing.
4.2 ANYDESK reserves the right to anonymise or aggregate the data so that it is no longer possible to identify individual data subjects and to use it in this form for the purposes of demand-oriented design, further development and optimisation as well as the provision of the services agreed in accordance with the main contract. The parties agree that anonymised data or data aggregated in accordance with the above provision shall no longer be deemed data within the meaning of this agreement.
4.3 ANYDESK may process and use the data for its own purposes on its own responsibility within the scope of what is permissible under data protection law if this is permitted by a statutory permission provision or a declaration of consent by the data subject. This contract does not apply to such data processing.
4.4 The provisions of these terms and conditions shall apply to all activities related to the Main Contract in which ANYDESK and its employees or persons authorised by ANYDESK come into contact with personal data originating from or collected for the data controller.
4.5 The term of this Agreement shall be governed by the term of the Main Contract, unless the following provisions impose further obligations or rights of termination.
4.6 The processing of data by ANYDESK outside the territory of the Federal Republic of Germany, a member state of the European Union or a contracting state of the EEA Agreement shall only take place under the conditions of Chapter 5 Art. 44 et seq. GDPR.
5. Responsibility and Right of Instructions
5.1 The Controller is solely responsible for the lawfulness of the processing of the data as well as for the protection of the rights of the data subjects in relation to each other.
5.2 ANYDESK may only collect, process or use data, including in the case of the use of anonymised data, within the framework of the main contract and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organisation. If ANYDESK is required to carry out further processing by the law of the European Union or the Member States to which it is subject, it shall notify the Controller of such legal requirements prior to the processing.
5.3 The instructions of the Controller shall initially be determined by these Supplementary Conditions and may thereafter be amended, supplemented or replaced by the Controller in writing or in text form by individual instructions (individual instructions). The Controller is entitled to issue corresponding instructions at any time. This includes, in particular, instructions with regard to the correction, deletion and blocking of data, provided that no justified contractual interests or statutory provisions prevent this.
5.4 The person authorised to issue instructions to the customer as the Controller is determined by the information provided by the customer during the registration process or the current information in the customer account (https://my.anydesk.com) . In the event of a change or long-term prevention of the named persons, the successor or representative must be named to ANYDESK in text form without delay.
5.5 All instructions issued must be documented by both ANYDESK and the Controller. Instructions that go beyond the performance agreed in the main contract are treated as a request for a change in performance.
5.6 If ANYDESK is of the opinion that an instruction of the Controller violates data protection regulations, ANYDESK must inform the Controller of this without delay. ANYDESK is entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. ANYDESK may refuse to carry out an obviously unlawful instruction.
5.7 ANYDESK does not acquire any rights to the data and, for the duration of the Main Contract, is obliged to surrender any stored data in a form that can be read and further processed by the Controller at any time upon first request. Rights of retention with regard to the data and the associated data carriers are excluded.
6. Type of Data processed, Group of Data Subjects
6.1 In the course of the performance of the Main Contract, ANYDESK shall, to the extent necessary, have access to the following personal data, among others, which shall be processed:
(i) inventory data (names, addresses, gender, company, location),
(ii) payment data (bank details, invoices, payment history),
(iii) contact data (e-mail, telephone numbers),
(iv) contract and customer account data (subject matter of contract, type of licence, term, customer category, customer ID, licence key, login data),
(v) AnyDesk software usage data (IP addresses, login data, AnyDesk version, country, MAC addresses, network ID, computer name, user name, operating system type and version, RAM/CPU/GPU information, screen resolution, hashed hardware serial number, installation time, AnyDesk IDs of AnyDesk session participants, start/end time and duration of AnyDesk software sessions, access times, time and duration of the respective remote data connection (session), transferred data volumes, online status of the client, licence keys of the session participants)
6.2 The following categories of persons are affected by the Processing:
(i) customers, business partners, interested parties, users of the software
7. Protective Measurements of the Processor
7.1 ANYDESK is obliged to comply with the statutory provisions on data protection and not to disclose information obtained from the area of responsibility to third parties or expose it to their access. Documents and data must be secured against access by unauthorised persons, taking into account the state of the art.
7.2 ANYDESK shall organise the internal organisation in its area of responsibility in such a way that it meets the special requirements of data protection. ANYDESK shall take all necessary technical and organisational measures for the adequate protection of data pursuant to Art. 32 GDPR, taking into account the legal requirements pursuant to Art. 5 (1) lit. f) and (2) GDPR, i.e., at least the measures listed in Annex 1 , which are to be documented and include the following:
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on an ongoing basis;
(iii) the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident;
(iv) a procedure for periodic review, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure the security of the processing.
ANYDESK reserves the right to change the security measures taken, while ensuring that the contractually agreed level of protection is not undercut.
7.3 Persons employed in data processing by ANYDESK are prohibited from collecting, processing or using personal data without authorisation. ANYDESK shall oblige all persons entrusted by it with the processing and performance of this contract (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 (3) lit. b) GDPR) and ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after the termination of this contract or the employment relationship between the employee and ANYDESK. Evidence of the obligations must be provided to the Controller in an appropriate manner upon request.
8. Information and Cooperation Obligations of ANYDESK
8.1 In the event of disruptions, suspected data protection violations or violations of contractual obligations of ANYDESK, suspected security-related incidents or other irregularities in the processing of personal data by ANYDESK, by persons employed by ANYDESK under the contract or by third parties, ANYDESK shall immediately inform the Controller in writing or text form. The same applies to audits of ANYDESK by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
(i) a description of the nature of the personal data breach, including, to the extent possible, the categories and number of data subjects concerned, the categories concerned and the number of personal data records concerned;
(ii) a description of the measures taken or proposed by ANYDESK to address the breach and, where appropriate, measures to mitigate its possible adverse effects.
ANYDESK shall furthermore, in the event, immediately take the necessary measures to secure the data and mitigate any possible adverse effects of the data subjects, inform the Controller thereof and request further instructions.
8.2 ANYDESK shall be obliged to provide the Controller with information at any time insofar as the data is affected by a breach pursuant to Section 8.1.
8.3 Should the data at ANYDESK be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, ANYDESK shall inform the Controller thereof without delay, unless it is prohibited from doing so by court or administrative order. In this context, ANYDESK shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Controller.
8.4 ANYDESK must inform the Controller without delay of any significant changes to the security measures pursuant to Section 7.1.
8.5 The Controller shall be informed immediately of any change in the person of the company data protection officer.
8.6 ANYDESK shall keep a register of all categories of processing activities carried out on behalf of the Controller, which shall contain all information pursuant to
Article 30 (2) of the GDPR. The directory shall be made available to the Controller upon request.
8.7 ANYDESK shall cooperate to a reasonable extent in the creation of the procedure directory by the Controller. It shall provide the data required in each case to the Controller in an appropriate manner.
9. Control Rights of the Controller
9.1 The Controller shall satisfy itself of ANYDESK's technical and organisational measures prior to the commencement of data processing and thereafter on a regular basis. For this purpose, it may, for example, obtain information from ANYDESK, obtain existing certificates from experts, certifications pursuant to Article 42 of the GDPR or internal audits, or inspect ANYDESK's technical and organisational measures itself personally or have them inspected by a competent third party after timely coordination during normal business hours, provided that the third party is not in a competitive relationship with ANYDESK. The Controller will only carry out inspections to the extent necessary and will not disproportionately disrupt ANYDESK's operations in the process.
9.2 ANYDESK undertakes to provide the Controller with all information and evidence required to carry out a check of the technical and organisational measures within a reasonable period of time at the latter's verbal or written request.
9.3 The Controller shall document the results of the inspection and notify ANYDESK thereof. In the event of errors or irregularities discovered by the responsible party, he must inform ANYDESK immediately. If facts are ascertained during the inspection whose future avoidance requires changes to the ordered procedure, the Controller shall inform ANYDESK of the necessary procedural changes without delay.
9.4 ANYDESK shall provide the Controller with a comprehensive and up-to-date data protection and security concept for the commissioned processing as well as on persons authorised to access it at the latter's request.
9.5 ANYDESK shall provide the Controller with evidence of the obligation of the employees pursuant to Section 7.3 upon request.
9.6 In the event of subcontracted data processing (i.e. the Customer is already a processor of a third party; ANYDESK as a subcontractor), the Controller undertakes to also directly grant the third party the control rights described above.
10. Use of Subcontractors
10.1 The contractually agreed services of the Main Contract shall be performed with the involvement of the subcontractors listed in Annex 2 .
10.2 Within the scope of its contractual obligations, ANYDESK is authorised to establish further subcontracting relationships with subcontractors ("subcontractor relationship"). ANYDESK shall inform the Controller of this in advance in text form, giving the Controller the opportunity to object to such changes in individual cases. An objection may only be raised by the Controller for good cause to be proven to ANYDESK. If the Controller does not object in text form within 14 days after receipt of the notification, his/her right to object to the corresponding assignment expires. If the Controller raises an objection, ANYDESK is entitled to extraordinarily terminate the Main Contract as well as this Data Processing Agreement with a notice period of two weeks to the end of the month, irrespective of the termination provision under clause 16.2 of the General Terms and Conditions. In this case, the Customer shall be reimbursed pro rata temporis for the term of the contract; the Customer shall have no further claims in this respect.
10.3 ANYDESK is obliged to carefully select subcontractors according to their suitability and reliability and, when engaging subcontractors, must oblige them in accordance with the provisions of this Agreement and, in doing so, ensure that the Controller can also exercise its rights under this agreement (in particular its audit and inspection rights) directly against the subcontractors. The contract with the subcontractor must be in writing, which may also be in an electronic format
(Art. 28 (4) and (9) GDPR).
10.4 If subcontractors in a third country are to be involved, ANYDESK must ensure that the legal requirements for this pursuant to Art. 44 et seq. DSGVO are present. Insofar as there is no decision in accordance with Art. 45 (3) DSGVO with regard to a third country, data processing by the subcontractor shall only take place insofar as an appropriate level of data protection is ensured by suitable guarantees. An adequate level of protection of the transferred data is ensured by the conclusion of the Standard Contractual Clauses (specified by the European Commission) as well as corresponding organisational and technical measures. Compliance with the Standard Contractual Clauses and the organisational and technical measures will be reviewed regularly. Upon request, ANYDESK will provide the responsible party with evidence of the conclusion of the aforementioned agreements with its subcontractors.
10.5 A subcontractor relationship within the meaning of these provisions does not exist if ANYDESK commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunication services without any specific reference to services that ANYDESK provides for the Controller and guarding services. Maintenance and testing services constitute subcontractor relationships subject to approval insofar as they are provided for IT systems that are also used in connection with the provision of services for the responsible party.
11. Requests and Rights of Data Subjects
11.1 Where possible, ANYDESK supports the Controller with suitable technical and organisational measures in fulfilling its obligations under Articles 12-22 of the GDPR and Articles 32 and 36 of the GDPR.
11.2 If a data subject asserts rights, such as the right to information, correction or deletion with regard to his or her data, directly against ANYDESK, ANYDESK shall not react independently, but shall immediately refer the data subject to the Controller and await the latter's instructions.
12.1 The Controller and ANYDESK shall be liable to data subjects in accordance with the provision set out in Article 82 GDPR.
12.2 Within the internal relationship of the parties the exclusions and limitations of liability according to the Main Contract shall apply, unless expressly agreed otherwise. As far as third parties assert claims against ANDESK which have their cause in a culpable breach of this contract or of one of the Controller's obligations as a Controller, the Controller shall indemnify ANYDESK from such claims upon first request.
12.3 The Controller also undertakes to indemnify ANYDESK against any fines imposed on ANYDESK to the extent that the Controller bears a share of the responsibility for the infringement sanctioned by the fine.
13. Extraordinary Right of Termination
13.1 Either party may terminate the Main Contract in whole or in part without notice if the other party fails to comply with its obligations under this contract, violates provisions of the GDPR intentionally or with gross negligence or if ANYDESK cannot or does not want to carry out an instruction of the responsible party.
13.2 In the event of simple breaches - i.e. breaches that are neither intentional nor grossly negligent - one Party shall set a reasonable deadline for the other party to remedy the breach.
14. Data Deletion
14.1 ANYDESK will delete the data after termination of the main contract, unless ANYDESK is legally obliged to continue storing the data.
14.2 Documentation that serves as evidence of the orderly and proper dissemination of the data may be retained by ANYDESK for evidentiary purposes even after the end of the main contract.
The remuneration for the processing of personal data under this agreement is, unless expressly agreed otherwise, included in the remuneration for the services provided under the Main Contract.
16. Final Provisions
16.1 Should the references to statutory provisions in this agreement change during the term of the agreement, these references shall also apply to the respective successor provisions.
16.2 ANYDESK is entitled to amend this agreement. ANYDESK shall inform the Controller of the planned amendment at least 30 days before it takes effect. The amendment shall become part of the agreement unless the Controller objects within 30 days after receipt of the amendment notice. If the Controller objects to the change, this agreement shall continue to exist under the existing conditions. The establishment of further subcontracting relationships with subcontractors shall not be deemed to be an amendment in the aforementioned sense.
16.3 If, on the other hand, individual provisions of this agreement are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
16.4 This agreement shall be governed exclusively by the laws of the Federal Republic of Germany.
16.5 The exclusive place of jurisdiction for all disputes arising from this Agreement shall be ANYDESK's place Headquarter in Stuttgart, provided that the Controller is a merchant (Kaufmann) or a legal entity under public law or has no general place of jurisdiction in the territory of the Federal Republic of Germany. ANYDESK is also entitled to sue at any other place of jurisdiction provided by law.
Annex 1 – Technical and Organisational Measures