Data Processing Agreement
Last updated:December 1, 2023
- 1. Validity and Scope
- 2. Definitions
- 3. Competent Data Protection Supervisory Authority; Data Protection Officer
- 4.1 Subject Matter of the Contract
- 4.2 Purpose
- 4.3 Duration
- 4.4 Type of Processing
- 5. Responsibility and Right to Issue Instructions
- 6.1 Type of Data Processed
- 6.2 Group of Affected Parties
- 7. Protective Measures of the Processor
- 8. Information and Cooperation Obligations of ANYDESK
- 9. Control Rights of the Person Responsible
- 10. Use of Subcontractors
- 11. Requests and Rights of Data Subjects
- 12. Liability
- 13. Extraordinary Right of Termination
- 14. Data Deletion
- 15. Remuneration
- 16. Final Provisions
- 17. Annexes
1. Validity and Scope
If, when using the contractual services of ANYDESK, personal data is processed on behalf of the Customer as the Controller within the meaning of Art. 4 No. 7 GDPR, the parties agree on the following data processing agreement (DPA) within the meaning of Art. 28 para. 3 GDPR in accordance with Section 14.3 of AnyDesk’s General Terms and Conditions (lit. A). This DPA is subject to the following provisions, which take precedence over the General Terms and Conditions (lit. A), which otherwise apply.
Terms used in this contract are to be understood in accordance with their definition in the EU General Data Protection Regulation. Insofar as declarations are to be made "in writing" in the following, the written form pursuant to Section 126 BGB is meant. Otherwise, declarations may also be made in another form, provided that adequate verifiability is guaranteed.
3. Competent Data Protection Supervisory Authority; Data Protection Officer
3.1 The competent supervisory authority for ANYDESK (hereinafter also referred to as "Processor") is the State Commissioner for Data Protection of Baden-Württemberg (https://www.baden-wuerttemberg.datenschutz.de).
3.2 The Customer (hereinafter also referred to as the "Controller") and ANYDESK and, where applicable, its representatives shall cooperate with the supervisory authority in the performance of its duties upon request.
3.3 The data protection officer of ANYDESK is the
Potsdamer Straße 3
4.1 Subject Matter of the Contract
ANYDESK offers a remote desktop software solution that optionally provides a comprehensive range of additional functions. ANYDESK not only enables remote maintenance and access, but also provides an integrated communication platform that allows users to chat with each other and exchange files in real time. ANYDESK also offers the option of setting up a customer account. In this customer account, users have the option of entering additional data. The customer account also enables the user account to be activated for the AnyDesk Academy.
The processing of personal data by ANYDESK is essential to provide our services effectively. The processing is necessary to:
- Ensuring a problem-free connection setup.
- Ensuring the smooth use of our software and evaluating system security and stability.
- Enabling uncomplicated communication between the users of the software.
- Provision of an optional customer account for a personalized user experience. Your data is managed securely to provide you with a transparent and user-friendly service.
- Provision of training content via the ANYDESK Academy.
Furthermore, the processed data can be used to create certificates as proof of successful participation in ANYDESK training courses.
The term of this contract is based on the term of the main contract unless the following provisions provide for additional obligations or rights of termination.
4.4 Type of Processing
The processing is as follows:
Collection, storage, retrieval, consultation, disclosure by transmission, restriction, erasure or destruction of data.
4.5 The processing of data by ANYDESK outside the territory of the Federal Republic of Germany, a member state of the European Union or a contracting state of the EEA Agreement shall only take place under the conditions of Chapter 5 Art. 44 et seq. GDPR.
5. Responsibility and Right to Issue Instructions
5.1 The Controller is solely responsible for the lawfulness of the processing of the data and for safeguarding the rights of the data subjects in relation to each other.
5.2 ANYDESK may collect, process, or use data, including in the case of the use of anonymized data, only within the scope of the main contract and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If ANYDESK is obliged by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall inform the Controller of these legal requirements prior to processing.
5.3 The Controller's instructions are initially set out in these Supplementary Terms and Conditions and may subsequently be amended, supplemented or replaced by the Controller in writing or in text form by means of individual instructions (individual instructions). The Controller is entitled to issue corresponding instructions at any time. This includes in particular, instructions with regard to the correction, deletion and blocking of data, provided there are no legitimate contractual interests or statutory provisions to the contrary.
5.4 The person authorized to issue instructions to the Customer as the person responsible is determined by the information provided by the Customer during the registration process or the current information in the customer account (https://my.anydesk.com). In the event of a change or long-term absence of the named persons, ANYDESK must be informed immediately in text form of the successor or representative.
5.5 All instructions issued must be documented by both ANYDESK and the person responsible. Instructions that go beyond the service agreed in the main contract shall be treated as a request for a change in service.
5.6 If ANYDESK is of the opinion that an instruction of the Controller violates data protection provisions, ANYDESK shall inform the Controller of this without delay. ANYDESK shall be entitled to suspend the implementation of the instruction in question until it is confirmed or amended by the Controller. ANYDESK may refuse to carry out an obviously unlawful instruction.
5.7 ANYDESK shall not acquire any rights to the data and shall be obliged to surrender any stored data in a readable and processable form for the Controller at any time upon first request for the duration of the main contract. Rights of retention in relation to the data and the associated data carriers are excluded.
6.1 Type of Data Processed
The type of data processed depends on the type of use and the configurations made by the Controller and the users.
As a rule, ANYDESK processes the following types of data:
- Access data: ANYDESK requires information to establish a connection between the user and the computer (login data).
- Device information and session information: IP addresses, AnyDesk version, country, MAC addresses, network ID, computer name, user name, type and version of operating system, information on RAM/CPU/GPU, screen resolution, hashed hardware serial number, installation time, AnyDesk IDs of AnyDesk session participants, start/end time and duration of AnyDesk sessions, access times, time and duration of the respective remote data connection (session), online status of the client, license key (of session participants), session recordings.
- Screen content and file transfer information: The software transfers the screen content of the other end device to enable the user to control it remotely. File transfers can also take place. ANYDESK has no access to the content of the file. The transfer is encrypted.
- Chat history of the session: ANYDESK does not save a history of chat messages from and to the client.
- Customer support: ANYDESK processes data for customer support and for the provision of technical support.
- When using the my.anydesk I and II customer account: access data, connection data, contract/license information, information about the AnyDesk clients (client ID, alias, client version, login information, status, license ID), user data (status, e-mail; optional: first name, last name, date of birth), invoices, means of payment, address book data, user roles.
- Optionally, it is possible to import employee lists from authentication software (e.g. Active Directory). First and last name, email address, roles and groups are processed to enable efficient use of the service.
The responsibility for which data is entered in ANYDESK or transmitted via ANYDESK lies with the respective user of the software. It is recommended that users handle their data responsibly and ensure that their actions comply with the applicable data protection regulations.
6.2 Group of Affected Parties
The following categories of persons are affected by the processing:
- Users of the software, customers, interested parties and, if applicable, their users
- Connection partners (third parties)
7. Protective Measures of the Processor
7.1 The data security measures described in Annex 1 are defined as binding. They define the minimum owed by ANYDESK.
7.2 The data security measures may be adapted in line with technical and organizational developments as long as they do not fall below the level agreed here. ANYDESK must implement any changes required to maintain information security without delay. The person responsible must be notified of any changes.
7.3 ANYDESK guarantees that the data processed on behalf of the customer will be strictly separated from other data stocks.
7.4 Copies or duplicates are not created without the knowledge of the Controller. This does not apply to technically necessary, temporary copies, provided that there is no impairment of the level of data protection agreed here.
7.5 If processing takes place in private residences, ANYDESK must ensure that a level of data protection and data security corresponding to this contract is maintained.
7.6 ANYDESK ensures a procedure for the regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing in accordance with Art. 32 para. 1 lit. d GDPR.
7.7 The persons employed by ANYDESK for data processing shall be prohibited from collecting, processing, or using personal data without authorization. ANYDESK shall obligate all persons entrusted by it with the processing and fulfillment of this contract (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 para. 3 lit. b GDPR) and ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this contract or the employment relationship between the employee and ANYDESK. Evidence of the obligations must be provided to the Controller in an appropriate manner upon request.
8. Information and Cooperation Obligations of ANYDESK
8.1 In the event of disruptions, suspected breaches of data protection or breaches of contractual obligations by ANYDESK, suspected security incidents or other irregularities in the processing of personal data by ANYDESK, by persons employed by ANYDESK within the scope of the order or by third parties, ANYDESK shall inform the Controller immediately in writing or text form. The same applies to audits of ANYDESK by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
(i) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned, the categories and number of personal data records concerned.
(ii) a description of the measures taken or proposed to be taken by ANYDESK to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.
In addition, ANYDESK shall immediately take the necessary measures to secure the data and to minimize possible adverse consequences for the data subjects, inform the Controller thereof and request further instructions.
8.2 ANYDESK is obliged to provide the Controller with information at any time if the data is affected by a breach in accordance with paragraph 1.
8.3 ANYDESK must inform the Controller immediately of any significant changes to the security measures in accordance with Section 7.1.
8.4 The Controller must be informed immediately of any change in the person of the company data protection officer.
8.5 ANYDESK shall keep a record of all categories of processing activities carried out on behalf of the Controller, which shall contain all information pursuant to Art. 30 para. 2 GDPR. The register shall be made available to the Controller upon request.
8.6 ANYDESK shall cooperate to an appropriate extent in the creation of the process directory by the Controller. It shall provide the Controller with the necessary information in an appropriate manner.
9. Control Rights of the Person Responsible
9.1 The Controller shall satisfy itself of ANYDESK's technical and organizational measures before commencing data processing and regularly thereafter. For this purpose, he may, for example, obtain information from ANYDESK, obtain existing certificates from experts, certifications pursuant to Art. 42 GDPR or internal audits. If necessary, the Controller may also check the measures in person during normal business hours or have them checked by a competent third party, provided that this third party is not in competition with ANYDESK. The Controller shall only carry out checks to the extent necessary and shall not disproportionately disrupt ANYDESK's operational processes.
9.2 Unless otherwise indicated for urgent reasons to be documented by the Controller, inspections shall take place after reasonable advance notice and during ANYDESK's business hours, and no more frequently than every 12 months. Insofar as ANYDESK provides evidence of the correct implementation of the agreed data protection obligations as provided for in this Agreement, checks shall be limited to spot checks.
9.3 ANYDESK undertakes to make available to the Controller, at the Controller's verbal or written request and within a reasonable period of time, all information and evidence required to carry out a check of the technical and organizational measures.
9.4 The person responsible shall document the inspection result and inform ANYDESK of it. In the event of errors or irregularities discovered by the person responsible, he must inform ANYDESK immediately. If facts are discovered during the inspection that require changes to the ordered process flow in order to avoid them in the future, the person responsible shall inform ANYDESK immediately of the necessary procedural changes.
9.5 In the case of subcontracted data processing (i.e. the Customer is already the Processor of a third party; ANYDESK as a subcontractor), the Controller undertakes to grant the aforementioned control rights directly to the third party.
10. Use of Subcontractors
10.1 The contractually agreed services of the main contract shall be performed with the involvement of the subcontractors listed in Annex 2.
10.2 Within the scope of its contractual obligations, ANYDESK shall be authorized to establish further subcontracting relationships with subcontractors ("subcontractor relationship"). ANYDESK shall inform the Controller of this in advance in text form, giving the Controller the opportunity to object to such changes in individual cases. An objection may only be raised by the Controller for good cause that must be demonstrated to ANYDESK. If the Controller does not raise an objection in text form within 14 days of receipt of the notification, its right of objection to the corresponding assignment shall expire. If the Controller raises an objection, ANYDESK shall be entitled to terminate the main contract and these Supplementary Terms and Conditions extraordinarily with two weeks' notice to the end of the month, notwithstanding the termination provision in Section 16.3 of the General Terms and Conditions. In this case, the Customer shall be reimbursed pro rata temporis for the remuneration relating to the term of the contract; the Customer shall have no further claims in this respect.
10.3 ANYDESK is obliged to carefully select subcontractors according to their suitability and reliability and, when engaging subcontractors, must bind them in accordance with the provisions of this Agreement and ensure that the Controller can also exercise its rights under this Agreement (in particular its inspection and control rights) directly against the subcontractors. The contract with the subcontractor must be drawn up in writing, which may also be in electronic format (Art. 28 (4) and (9) GDPR).
10.4 The commissioning of subcontractors who perform processing on behalf of us not exclusively from the territory of the EU or the EEA is only possible if the conditions set out in section 4.5 of this contract are observed. In particular, it is only permitted if and as long as the subcontractor offers appropriate data protection guarantees. ANYDESK shall provide evidence of the data protection guarantees to the Controller upon request.
10.5 A subcontractor relationship within the meaning of these provisions shall not exist if ANYDESK commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transportation and shipping services, cleaning services, telecommunications services with no specific connection to services that ANYDESK provides for the Controller, and security services. Maintenance and testing services constitute subcontractor relationships requiring approval insofar as these are provided for IT systems that are also used in connection with the provision of services for the Controller.
11. Requests and Rights of Data Subjects
11.1 Where possible, ANYDESK shall support the Controller with suitable technical and organizational measures in fulfilling its obligations under Art. 12-22 GDPR and Art. 32 - 36 GDPR.
11.2 If a data subject asserts rights directly against ANYDESK, such as the right to information, correction or deletion of their data, ANYDESK shall not respond independently, but shall refer the data subject immediately to the Controller and await the Controller's instructions.
12.1 The Controller and ANYDESK are jointly and severally liable to data subjects pursuant to Art. 82 GDPR.
12.2 Insofar as the damage was caused by the correct implementation of the commissioned service or an instruction issued by the Controller, the Controller shall indemnify ANYDESK on first demand against all third-party claims asserted against ANYDESK in connection with the commissioned processing.
12.3 ANYDESK shall only be liable to the person responsible in the event of gross negligence or intent.
13. Extraordinary Right of Termination
13.1 Both parties may terminate the main contract in whole or in part without notice if the other party fails to comply with its obligations under this contract, intentionally or grossly negligently violates provisions of the GDPR or ANYDESK is unable or unwilling to carry out an instruction of the Controller.
13.2 In the case of simple - i.e. neither intentional nor grossly negligent - breaches, one party shall set the other a reasonable deadline within which it can remedy the breach.
14. Data Deletion
14.1 Upon termination of the contractual relationship or at any time at the request of the Controller, ANYDESK shall either destroy the data processed on behalf of the Controller or hand it over to the Controller and then destroy it. All existing copies of the data shall also be destroyed.
14.2 ANYDESK may retain documentation that serves as proof of the orderly and proper dissemination of the data even after the end of the main contract for evidentiary purposes.
The remuneration is conclusively regulated in the main contract. There is no separate remuneration or reimbursement of costs under this contract.
16. Final Provisions
16.1 Should the references to statutory provisions referenced in this contract change during the term of the contract, these references shall also apply to the respective successor provisions.
16.2 Should the data at ANYDESK be jeopardized by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, ANYDESK shall inform the Controller thereof without delay, unless it is prohibited from doing so by court or official order. In this context, ANYDESK shall immediately inform all competent bodies that the Controller has exclusive decision-making authority over the data.
16.3 This agreement shall be governed exclusively by the laws of the Federal Republic of Germany.
16.4 The exclusive place of jurisdiction for all disputes arising from this contract shall be the registered office of ANYDESK in Stuttgart, provided that the party responsible is a merchant or a legal entity under public law or has no general place of jurisdiction in the territory of the Federal Republic of Germany. ANYDESK shall also be entitled to take legal action at any other place of jurisdiction provided for by law.
16.5 Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.