World-class privacy

As a company headquartered in Germany, TeamViewer has data protection in its DNA.

Maintaining the strictest standards to safeguard our customers’ data

Data protection at TeamViewer is built on three pillars

Our structural framework creates a holistic view of data protection and allows us to carry into effect the given legal obligations. This enables everyone within the TeamViewer organization to abide by and work in accordance with GDPR.

World-class

Data protection and privacy

TeamViewer recognizes and takes to heart its obligations of accountability for compliance with the principles of data processing according to Art. 5 (2) GDPR.

 

To fulfil the requirements of Art. 30 GDPR, TeamViewer implemented Records of Processing Activities (RoPA). It is the central document of the data protection management system which takes into account any processing of customer, employee, contractor, and visitor data handled by TeamViewer and processed by TeamViewer or our processors.

The RoPA is actively and regularly maintained on a departmental basis and is also centrally administered by the legal department for which TeamViewer uses a data management software.

TeamViewer has implemented and follows a 2-step risk assessment process to meet the data protection risk management requirements of GDPR (Art. 35 and 36). This process includes a pre-assessment and, if necessary, a Data Protection Impact Assessment (DPIA) for each process documented in the Records of Processing Activities (RoPA).

To support our DPIA process as well as document the DPIAs conducted, TeamViewer uses a data management software.

To fulfil the requirements of Art. 15-21 GDPR, TeamViewer determined the department Customer Support to manage all incoming Data Subject Requests (DSR). TeamViewer mainly receives Data Subject Requests via web form or email at [email protected].

Requests via letter, fax, and phone are less common. In addition, TeamViewer has an established process for handling DSR by employees, which is overseen by the HR department.

TeamViewer has implemented an appropriate level of security through established Technical and Organizational Measures (TOMs) that ensure that the requirements of Art. 32 in conjunction with Art. 25 GDPR are met.

We demonstrate compliance by having adopted internal policies and implemented TOMs which meet in particular the data protection risks identified.

These measures include: Minimizing the processing of personal data in pursuance of the proportionality and necessity, pseudonymising personal data as soon as possible; transparency with regard to the functions and processing of personal data and establishing and improving security features.

TeamViewer systematically takes into account the right to data protection when developing and designing our products, services, and applications. We also implement appropriate Technical and Organizational Measures within the operations regularly.

The description of these TOMs can be found as Annex 2 to the Data Processing Agreement.

TeamViewer has established a systematic contractual framework that requires appropriate contracts to be concluded and archived. To fufill Art. 26-28 GDPR the process includes controls to ensure appropriate contracts of sufficient type and quality are entered into. This ensures data protection obligations are in place with third party suppliers, partners/resellers, and between TeamViewer Group companies.

When entrusting a processor with processing activities, TeamViewer only employs processors that provide sufficient guarantees, including for the security of processing, and implement Technical and Organizational Measures (TOMs) which will meet the requirements of GDPR and the additional requirements of TeamViewer. TeamViewer uses the above mentioned contractual framework to systematically pre-assess sub-processors. TeamViewer’s sub-processors are located within the EEA with the exception of additional features, against separate order or activation of function modules. Further details can be found in Annex 3 to the Data Processing Agreement.

Structure and framework

GDPR governance

TeamViewer has established a data protection organization within the company covering governance, policies, and procedures. There is at least one specialist responsible for the GDPR compliance of each department.

 

Handling of data protection issues is the responsibility of all employees within the TeamViewer organization, with established accountability for defined topics by the Senior Leadership Team (SLT) and the Board of Management.

On top of that, our departmental GDPR leads, with additional support from our legal department, function as first contact for our employees within each department to ensure company-wide GDPR compliance.

The TeamViewer SE and its affiliates, including TeamViewer Germany GmbH (“TeamViewer”), takes the protection of personal data very seriously. Therefore, data protection is one of our compliance focus areas as described in our Compliance Policy which sets the tone from the top for compliance with EU general data protection regulations.

“Think Privacy” demonstrates our commitment to data protection and is the overall objective when implementing new processes and products in which we handle personal data.

See our General Privacy Notice to learn more about our purposes of data processing.

TeamViewer has an established deletion concept which is overseen centrally and actively maintained on an ongoing basis at a departmental level, including retention periods and timelines to ensure a consistent approach to data deletion.

Additionally, once a year during the company-wide data deletion month all employees are requested to delete the unstructured data they keep in their systems and are responsible for.

These concerted and systematic efforts address the requirement that in terms of GDPR personal data may only be stored as long as it is required for the purpose for which it is processed (Art. 25 (2) and Art. 5 (1 lit b and e) GDPR in conjunction with recital 39 and 66).

TeamViewer has established a streamlined data breach notification process in accordance with Art. 33 and 34 GDPR. The process includes the exact and comprehensive documentation of each incident by using a standardized template.

In addition, a detailed risk assessment is done by the legal department in accordance with the risk assessment matrix provided by the body of the independent German data protection supervisory authorities of the federal and state governments (DSK Kurzpapier Nr. 18 Risiko für die Rechte und Freiheiten natürlicher Personen).

Each incident is assessed within the target time frame of 72 hours and concludes with a decision of whether the regulating authorities need to be notified. TeamViewer management is informed about all incidents and internal records are maintained.

Empowering people

Trainings and certifications

TeamViewer has designed and rolled out a structured and holistic data protection and privacy training program which focuses on enhancing awareness for GDPR and fostering a good data protection culture within the organization. All employees receive regular training on data protection and GDPR topics in person as well as via the TeamViewer internal learning management platform. We use externally generated content and also provide internally created content to ensure compressive spread and depth of training.

In addition to the general employee training program, TeamViewer has a qualification program which provides dedicated GDPR resources with the opportunity to obtain certifications in privacy and GDPR such as Certified Information Privacy Professional / Europe (CIPP/E). The certification is provided by The International Association of Privacy Professionals (IAPP).

TeamViewer has obtained the TÜVIT ‘Trusted Site Privacy’ Certification for our products TeamViewer Remote and Tensor. The certificate demonstrates that TeamViewer Remote and Tensor meet the data protection requirements of TÜV and constitutes a great way for us to demonstrate our GDPR compliance.

Do you want to report a security issue?

TeamViewer’s security team will investigate every submission in our Vulnerability Disclosure Program (VDP).