Blizz Data Processing Agreement
For the data processing activities described in Annex 1 of this agreement for which TeamViewer acts as the Customer’s data processor, the parties, until further notice, agree on the following regulations concerning commissioned (data) processing, which shall supplement the End User License Agreement (EULA) (the “DPA”). The DPA shall not apply if Customer is a natural person using the Software or Services in the course of a purely personal or household activity (cf. Art 2, sec. (2)(c) General Data Protection Regulation).
2. Rights and obligations of TeamViewer
- 2.1. Compliance with Applicable Laws . The obligations of TeamViewer shall arise from this DPA and the applicable laws. The applicable laws shall particularly include the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”) and the General Data Protection Regulation (“GDPR”).
- 2.2. Processing on Instructions Only. To the extent this DPA is applicable, TeamViewer shall only process personal data within the scope of this DPA and on documented instructions from the Customer mutually agreed by the parties in the EULA. Customer may issue additional instructions to the extent required in order to comply with the applicable data protection laws.
- 2.3. Obligation of Conﬁdentiality TeamViewer shall ensure that the persons authorized to process personal data have committed themselves to conﬁdentiality, unless they are subject to a statutory obligation of conﬁdentiality.
- 2.4 Security Measures Pursuant to Art. 32 GDPR
- 2.4.1. Principle.. TeamViewer declares that it will implement the necessary measures for the security of processing according to Art. 32 of the GDPR (collectively, the “Security Measures”).
- 2.4.2. Scope. For the concrete commissioned processing, a level of security appropriate to the risk for the rights and freedoms of the natural persons who are the subject of the processing shall be guaranteed. In this regard, the protection objectives of Art. 32(1) of the GDPR, especially the conﬁdentiality, integrity, availability and resilience of the processing systems and services in terms of the nature, scope, context and purposes of the processing shall be taken into account in such a way that any risks shall be mitigated permanently through appropriate security measures.
- 2.4.3. Security Measures. The selected Security Measures are described in detail in the documentation of the Security Measures. Please contact us to receive a copy of such documentation.
- 2.4.4. Procedure for Reviewing. The documentation of the Security Measures also describes the procedures for regularly reviewing, assessing and evaluating the eﬀectiveness of the then-current Security Measures.
- 2.4.5. Changes. The Security Measures are subject to technical progress and further developments. TeamViewer shall be permitted in principle to implement alternative adequate measures. The level of security may thereby not fall below the level existing prior to this DPA on the basis of the Security Measures already implemented or to be implemented.
- 2.5. Engagement of Additional Processors. The obligations of TeamViewer when engaging additional processors (“Subprocessors”) are regulated in clause 3.
- 2.6. Assistance with Safeguarding the Rights of Data Subjects. TeamViewer shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulﬁlling the Customer’s obligations to respond to rights to rectiﬁcation, deletion or blocking according to the BDSG or requests for exercising the data subject’s rights laid down in Chapter III of the GDPR. If a data subject should directly contact TeamViewer for the purposes of exercising the data subject’s rights with regard to data processed on behalf of Customer, TeamViewer shall forward this request to the Customer without delay. All costs incurred insofar shall be borne by the Customer and shall be refunded at an hourly rate of 70 Euro to the extent permissible under applicable data protection law.
- 2.7. Assistance with Ensuring Compliance with Art. 32 – 36 GDPR. Taking into account the nature of processing and the information available to TeamViewer, TeamViewer shall assist the Customer by appropriate technical and organizational measures in ensuring compliance with the obligations pursuant to Art. 32 – 36 GDPR, in particular with respect to the security of the processing, data protection impact assessments, and consultation of supervisory authorities. All costs incurred insofar shall be borne by the Customer and shall be refunded at an hourly rate of 70 Euro to the extent permissible under applicable data protection law.TeamViewer shall provide the Customer with the information required for the preparation of the list of processing operations.
- 2.8. Deletion and Return at the End of Processing. At the choice of the Customer, TeamViewer shall delete or return the personal data that is the object of the commissioned data processing, unless the law of the European Union or a Member State to which TeamViewer is subject requires storage of the personal data.
- 2.9 Information to Demonstrate Compliance with Data Protection Obligations and Inspections. TeamViewer shall make available to the Customer all information necessary to demonstrate compliance with the obligations resulting from clauses 2 and 3. In the event of any failure to provide such information or audit reports, TeamViewer will make available certiﬁcates of regular audits by a recognized auditor or other competent third parties. TeamViewer allows for and contributes to additional audits, including inspections, conducted by the Customer or another auditor mandated by the Customer; the costs for such additional audits shall be borne by the Customer except in case TeamViewer’s certiﬁcate gives substantial rise to concerns of non-compliance.
- 2.10. Obligation to Notify Doubts About Instructions. TeamViewer shall immediately inform the Customer if, in its opinion, the execution of an instruction could infringe any applicable data protection laws.
- 2.11. Obligation to Notify Breaches. If TeamViewer detects any breaches of applicable data protection laws, this DPA, or instructions of the Customer relating to the data processing, TeamViewer shall notify the Customer without undue delay.
- 2.12. Designation of a Data Protection Oﬃcer. TeamViewer appointed Mrs. Hauser as external data protection officer, who can be reached at [email protected] or at intersoft consulting services AG, DSB TeamViewer, Dürener Str. 189, 50931 Cologne.
- 2.13. Disclosure or Publication of Appropriate or Suitable Safeguards for Transfers to a Third Country. TeamViewer agrees to disclose or publish information on the appropriate or suitable safeguards that have been used to make a transfer to a third country to the extent that this is required under Art. 13(1) f) or 14(1) f) of the GDPR in order to inform the data subject.
- 3.1. Subprocessors Engaged Upon Conclusion of the DPA. TeamViewer has engaged a number of Subprocessors, a list of which can be found under the following link:
- 3.2. Additional Subprocessors. If TeamViewer would like to engage additional or diﬀerent Subprocessors to render the contractually agreed services, such Subprocessors shall be selected using the due care required by law. TeamViewer shall give the Customer prior notice of the appointment of any new Subprocessors 15 days in advance. The Customer may object against the instruction of the new Subprocessors on reasonable grounds. In case an understanding cannot be reached, TeamViewer is entitled to terminate the Agreement with 2 weeks’ notice.
- 3.3. Obligations of Subprocessors.
- 3.3.1. Structuring Contracts According to the Requirements of the Agreement. TeamViewer shall structure the contracts with Subprocessors in such a way that they comply with the requirements of the applicable data protection laws and this DPA.
- 3.3.2. Engagement of Additional or Diﬀerent Subprocessors. TeamViewer shall obligate any Subprocessors to commit in particular to refraining from engaging any additional or other Subprocessors to process personal data without complying with sec. 3.2.
- 3.3.3. Checking Safeguards of Subprocessors. TeamViewer will examine whether suﬃcient safeguards will be provided to implement appropriate technical and organizational measures in such a way that the applicable data protection laws and this DPA are complied with.
Annex 1: Details of the Data Processing
The general object of the data processing is described in the EULA.
The duration of the data processing shall correspond to the term of the EULA.
- Nature and Purpose of the Processing.
TeamViewer shall process personal data as the Customer’s data processor for the purpose of enabling the use of the Software and Services provided under the EULA according to documented instructions on behalf of the Customer.
- Type of Personal Data..
The following types of personal data shall be processed by TeamViewer as data processor:
- 4.1. Content data transferred in the use of the Software and Services, for example the data in connection with chat functionality (including the files exchanged through the chat).
- 4.2. Data in connection with meeting scheduling and outlook integration as well as contacts.
- 4.3. Connection data stored on the user’s device (logfiles, connection-txt-files).
- 4.4. Data contained in conference recordings stored on the user’s device.
- 4.5. User account information as summarized in the following table:
|Profile Picture (optional)
- 4.6. Company profile administration and management data.
- Categories of Data Subjects. The following categories of data subjects are aﬀected by the processing:
- 5.1. The Customer (to the extent the personal data of the Customer as set out under clause 4. is processed) and Customer’s users as applicable.
- 5.2. The Customer’s/the Customer’s users’ connection partners.
- 5.3. Third parties whose personal data is being shared by the Customer/the Customer’s users in a communication connection.