Customer Portal +86 17621470504

This Data Processing Agreement only applies to new customers as of October 10, 2025. If you are existing customer, please click here to view your Data Processing Agreement.

Data Processing Agreement

Last updated: October 10, 2025

Download PDF

Preamble

1. Scope of application / terms

2. Responsibility and authority of the controller / protective measures of the processor

3. Legal obligations of the controller

4. Legal obligations of the processor

5. Technical and organizational measures

6. Control rights of the controller

7. Notification of breaches by the processor

8. Sub-processors

9. Deletion and return of data

10. Liability

11. Final provisions

Annex 1: Purpose, type and scope of data processing; type of data and categories of data subjects

Annex 2: Technical and organizational measures pursuant to art. 32 GDPR:

This data processing agreement ("DPA") is entered into between the customer named in the agreement for the provision of ANYDESK services ("Services") ("Controller" or "Customer") and AnyDesk Software GmbH, Türlenstraße 2, 70191 Stuttgart, Germany ("Processor" or "ANYDESK"), both also referred to as "Party" or both jointly as "Parties".

Preamble

ANYDESK offers a remote desktop software solution ("Software") that optionally provides a comprehensive range of additional functions. ANYDESK not only enables remote maintenance and access but also provides an integrated communication platform that allows users to chat with each other and exchange files in real time. ANYDESK also offers the option of setting up a customer account. In this customer account, users have the option of entering additional data. The customer account also enables the user account to be activated for the AnyDesk Academy.

The Parties have entered into an agreement for the provision and use of the Software ("Main Agreement"). As part of the provision of the services under the Main Agreement, it is necessary for the Processor to handle personal data for which the Controller is legally responsible under applicable data protection laws, including the rights and obligations arising from this data processing in accordance with the requirements of the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - GDPR), the German Federal Data Protection Act (BDSG), the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended, and its implementing regulations (CCPA), and all other applicable U.S. federal and state consumer privacy laws and regulations (collectively, Applicable Data Protection Laws), the Parties agree on the following provisions:

  1. Scope of application / terms

    1. This DPA applies to the processing of all personal data (hereinafter also referred to as "Data," with the meaning given to “personal data”, “personal information” or similar such terms as defined under Applicable Data Protection Laws) processed by the Processor on behalf of the Controller for the provision of the Services. The scope, nature and purpose of processing are determined by the Main Agreement and are listed in Annex 1 (Purpose, nature and scope of data processing; type of data and categories of data subjects) to this DPA.

    2. Unless otherwise stipulated in this DPA, the term and termination provisions of the Main Agreement shall apply to the term and termination of this DPA. Termination of the Main Agreement shall automatically lead to termination of this DPA. An isolated termination of this DPA is excluded.

    3. Unless otherwise specified in this DPA, the definitions of the Main Agreement shall also apply to this DPA.

  2. Responsibility and authority of the controller / protective measures of the processor

    1. The Parties shall be responsible for compliance with the provisions of Applicable Data Protection Laws. The Controller may instruct the Processor at any time to release, correct, adjust, delete and restrict the Data processed within the scope of this DPA.

    2. The Parties acknowledge and agree that with regard to the processing of Data, Customer is the Controller while ANYDESK is the Processor. The Processor shall not process Data other than on the Controller’s documented instructions unless processing is required by Applicable Data Protection Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Data Protection Laws, inform the Controller of that legal requirement before the relevant data processing. The Controller refers to the natural or legal person, public authority, agency or any other body that alone or jointly with others determines the purposes and means of the processing of Data. The Processor is the party which processes Data on behalf of the Controller, and to the extent applicable, shall include “service provider” and “contractor” as the terms are defined under Applicable Data Protection Laws.

    3. In order to ensure the protection of the rights of identified or identifiable natural person to whom the Data relates ("Data Subjects"), the Processor shall provide appropriate support to the Controller, in particular by ensuring appropriate technical and organizational measures. If a Data Subject contacts the Processor directly to assert rights, the Processor shall forward this request to the Controller without undue delay.

    4. If the Processor is of the opinion that an instruction violates Applicable Data Protection Laws, the Processor shall inform the Controller without undue delay. The Processor shall be entitled to suspend the execution of the instruction in question until the instruction is confirmed or amended by the Controller.

    5. The Processor may only process Data in accordance with the instructions of the Controller, unless the Processor is obliged to process Data differently under the law of the Union or the Member State or other applicable jurisdictions to which the Processor is subject (e.g. investigations by law enforcement or state security authorities); in such a case, the Processor must inform the Controller of these legal requirements prior to processing, unless the law in question prohibits such information for reasons of important public interest (Art. 28 para. 3 sentence 2 lit. a GDPR). The Controller's instructions are in principle conclusively regulated and documented in the provisions of this DPA. Individual instructions that deviate from the provisions of this DPA or impose additional requirements require the consent of the Processor and must be documented. Any additional costs incurred by the Processor as a result shall be borne by the Controller.

    6. The person authorized to issue instructions on behalf of the Controller is determined by the information provided by the Controller during the registration process or the current information in the customer account (https://my.anydesk.com). In the event of a change or long-term absence of the named persons, the successor or representative must be named to the Processor without undue delay in text form.

    7. Changes to the object of processing shall be jointly agreed and documented. The Processor will not retain, use, or disclose any Data for any purpose other than providing the Services set out in the Main Agreement, or as otherwise permitted by Applicable Data Protection Laws. In no event shall the Processor process Data for its own purposes or those of any third parties. In particular, the Processor shall not be entitled to pass this Data on to third parties. The Processor shall not be entitled to copy or duplicate the Data without the knowledge of the Controller.

    8. The Controller is solely responsible for its records of processing activities (Art. 30 para. 1 GDPR). At the request of the Controller, the Processor shall provide the Controller with information for the record of processing activities. The Processor shall also keep a record of all categories of processing activities carried out on behalf of the Controller in accordance with Art. 30 para. 2 GDPR.

    9. Processing shall generally take place within the European Union (EU) / the European Economic Area (EEA). Insofar as processing within the scope of this DPA takes place outside the territory of the EU/EEA, the Parties shall ensure that the special requirements of Art. 44 et seq. GDPR are fulfilled.

    10. The Processor is obliged to inform the natural persons under its authority who have access to the Data of the duty of confidentiality and ensures that they only process the Data in accordance with the instructions of the Controller.

  3. Legal obligations of the controller

    1. The Controller shall be solely responsible for the lawfulness of the Data processing and for safeguarding the rights of the Data Subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of Data in accordance with this DPA, the Controller shall indemnify the Processor against all such claims upon first request.

    2. The Controller shall be responsible for providing the Processor with the Data necessary for the provision of the Services under the Main Agreement in a timely manner and shall be responsible for the quality of the Data. The Controller shall inform the Processor without undue delay and completely if during the examination of the Processor’s results it finds errors or irregularities with regard to Applicable Data Protection Laws or its instructions.

    3. Upon request, the Controller shall provide the Processor with the information specified in Art. 30 para. 2 GDPR, insofar as it is not available to the Processor itself.

    4. If the Processor is obliged to provide information to a governmental body or person when processing Data or to cooperate with these bodies in any other way in order to fulfil the requirements set out in Applicable Data Protection Laws, the Controller is obliged to support the Processor in providing this information and in fulfilling other cooperation obligations upon first request.

  4. Legal obligations of the processor

    1. The Processor shall ensure that the persons authorized to process the Data are bound by confidentiality or are subject to an appropriate legal obligation of secrecy.

    2. The Parties shall support each other in proving and documenting their accountability with regard to the principles of proper data processing, including the implementation of the necessary technical and organizational measures as required under Applicable Data Protection Laws, including Art. 5 para. 2, Art. 24 para. 1 of the GDPR. If required, the Processor shall provide the Controller with the relevant information.

    3. Where required by law, the Processor shall appoint a data protection officer who shall carry out his/her activities in accordance with the statutory provisions. The contact details of the data protection officer shall be communicated to the Controller for the purpose of direct contact.

    4. The Processor shall inform the Controller without undue delay of any audits and measures taken by the supervisory authorities or if a supervisory authority requests, investigates or otherwise makes enquiries to the Processor.

    5. The Processor shall promptly inform the Controller if it determines that it can no longer meet its obligations in this Section 4. Upon such notification, the Controller shall have the right to take reasonable actions to stop and remediate the Processor’s unauthorized use of Data processed on behalf of the Controller.

  5. Technical and organizational measures

    1. The Parties agree on the specific technical and organizational security measures set out in Annex 2 ("Technical and organizational measures pursuant to Art. 32 GDPR") to this DPA. Annex 2 forms an integral part of this DPA.

    2. Technical and organizational measures are subject to technical progress. In this respect, the Processor shall be permitted to take alternative but appropriate measures in accordance with the provisions of Applicable Data Protection Laws and this DPA. Significant changes to such measures shall be documented.

    3. At the request of the Controller, the Processor shall demonstrate compliance with the technical and organizational measures specified in Annex 2 to the Controller by providing suitable evidence in accordance with the requirements.

  6. Control rights of the controller

    1. The Controller is entitled to regularly verify compliance with the provisions of this DPA, in particular the implementation of and compliance with the technical and organizational measures pursuant to Section 5 of this DPA ("Inspection"). For this purpose, the Controller may, for example, obtain information from the Processor, obtain existing certificates from experts, certifications or internal audits. The Processor undertakes to inform the Controller without undue delay of any form of revocation or significant change to the aforementioned evidence. In addition, the Controller shall be entitled to inspect the Processor's technical and organizational measures personally or have them inspected by a competent third party during normal business hours, without disrupting the course of business and in strict compliance with the Processor's business and trade secrets.

    2. The Controller shall inform the Processor in good time (generally two weeks in advance) of all circumstances associated with the performance of the Inspection. The Controller shall only carry out Inspections to the extent necessary (generally one Inspection per calendar year) and shall take appropriate account of the Processor's business operations. The Parties shall agree on the timing and manner of Inspection in good time. Further inspections shall be conducted after prior consultation with the Processor and shall generally be subject to reimbursement of the associated costs by the Controller.

    3. If the Controller commissions a competent third party to carry out the Inspection, the Controller shall obligate the third party in writing in the same way as it obligates itself to the Processor in accordance with this Section 6 of this DPA. In addition, the Controller shall obligate the third party to secrecy and confidentiality, unless the third party is subject to a professional duty of confidentiality. At the request of the Processor, the Controller shall submit the obligation agreements with the third party to the Processor without undue delay. The Controller may not commission a competitor, i.e. a third party who is in a direct competitive relationship with the Processor, to carry out the Inspection.

    4. The Controller shall document the results of the Inspection and inform the Processor accordingly. In the event of errors or irregularities detected by the Controller, the Controller shall inform the Processor without undue delay. Where the Inspection reveals circumstances requiring adjustments to existing procedures in order to prevent recurrence, the Controller shall inform the Processor of the necessary procedural changes without undue delay.

  7. Notification of breaches by the processor

    The Processor shall without undue delay inform the Controller in the event of serious disruption to its operations, suspected breaches and breaches of this DPA and Applicable Data Protection Laws or other irregularities in the processing of the Controller's Data. This applies in particular with regard to the reporting obligation pursuant to Art. 33 para. 2 GDPR and to the corresponding obligations of the Controller pursuant to Art. 33 and Art. 34 GDPR (reporting obligations in the event of data breaches). The Processor shall ensure that it provides appropriate support to the Controller in fulfilling its obligations under Art. 33 and 34 GDPR, where necessary. The Processor may only carry out the notifications pursuant to Art. 33 or 34 GDPR for the Controller following prior instructions in accordance with Section 2 of this DPA.

  8. Sub-processors

    1. The current sub-processors engaged for the performance of this DPA and agreed between the Parties are specified in detail on https://trust.anydesk.com/subprocessors.

    2. Should the Processor wish to entrust further sub-processors with the processing of Data, it shall inform the Controller of this in advance and grant the Controller the right to object to the engagement of the respective sub-processor concerned within 14 days, whereby the Controller may only object due to a legitimate reason. If this period elapses without objection, the proposed sub-processors shall be deemed approved. Should the Controller raise a justified objection to the new sub-processor within the notification period, the Parties shall cooperate in good faith to find an alternative solution. If the Parties cannot agree on a mutually acceptable alternative, the Processor shall be entitled to terminate the Main Agreement and this DPA with two weeks' notice to the end of the month. In this case, the Controller shall be reimbursed pro rata temporis for the remuneration relating to the term of the Main Agreement. The Controller shall have no further claims in this context.

    3. For the purpose of this provision, sub-processing services are not considered to be services that the Processor purchases from third parties as ancillary services in support of the performance under this DPA, for example telecommunications services.

    4. If the Processor commissions sub-processors, it shall ensure that its contractual agreements with the sub-processor guarantee a level of data protection that corresponds to the level agreed between the Controller and the Processor and that all contractual and legal requirements are complied with; this shall apply, in particular, with regard to the use of appropriate technical and organizational measures to ensure an adequate level of security of the data processing.

    5. Subject to compliance with the requirements of Section 2.9 of this DPA, the provisions of this Section 8 of this DPA shall also apply if another Processor in a third country is involved.

  9. Deletion and return of data

    1. If data carriers and data records are made available, they remain the property of the Controller.

    2. After termination of the contractually agreed Services or earlier at the request of the Controller, but at the latest upon termination of this DPA, the Processor shall return to the Controller all documents, processing and usage results and data records (as well as copies or reproductions thereof) which have come into its possession and which are connected with the contractual relationship, or destroy them in accordance with Applicable Data Protection Laws if not otherwise instructed by the Controller. The same applies to test and rejected material. A deletion protocol shall be submitted to the Controller upon its request.

    3. The Processor may retain documentation that serves as proof of data processing in accordance with this DPA and the Applicable Data Protection Laws, subject to the respective retention periods, until the termination of this DPA (and thereafter, if applicable). For the Data stored in accordance with sentence 1, the obligations under Section 9.2 of this DPA shall also apply after the expiry of the retention period.

    4. The Processor is obliged to treat the Data it has become aware of in connection with the Main Agreement confidentially, even after the end of the Main Agreement.

    5. A right of retention is excluded.

  10. Liability

    1. The exclusions and limitations of liability provided for in the Main Agreement shall apply to the Processor's liability under this DPA. As far as third parties assert claims against the Processor which are caused by the Controller’s culpable breach of this DPA or one of its obligations relating to it as the controller, the Controller shall upon first request indemnify and hold the Processor harmless from these claims.

    2. The Processor shall also be liable to the Controller for any breaches committed by sub-processors engaged by the Processor.

    3. The Controller undertakes to indemnify the Processor upon first request against all possible fines imposed on the Processor that correspond to the Controller's share of the infringement sanctioned by the fine.

  11. Final provisions

    1. This DPA is subject to the laws of the Federal Republic of Germany.

    2. The place of jurisdiction for all disputes arising from or in connection with this DPA is Stuttgart.

    3. Should any provisions of this DPA be invalid or unenforceable, the validity of the remaining provisions shall not be affected.

    4. This DPA has been originally drafted in English language.

Annex 1: Purpose, type and scope of data processing; type of data and categories of data subjects

Purpose of the processing

  • Ensuring a problem-free connection setup.

  • Ensuring the smooth use of our software and evaluating system security and stability.

  • Enabling uncomplicated communication between the users of the software.

  • Provision of an optional customer account for a personalized user experience. Your data is managed securely to provide you with a transparent and user-friendly service.

  • Provision of training content via the ANYDESK Academy.

  • Furthermore, the processed data can be used to create certificates as proof of successful participation in ANYDESK training courses.
Type of processing Collection, storage, retrieval, consultation, disclosure by transmission, restriction, erasure or destruction of data.
Types or category of data

The type of data processed depends on the type of use and the configurations made by the Controller and the users.

As a rule, ANYDESK processes the following types of data:

  • Access data: ANYDESK requires information to establish a connection between the user and the computer (login data).

  • Device information and session information: IP addresses, AnyDesk version, country, MAC addresses, network ID, computer name, user name, type and version of operating system, information on RAM/CPU/GPU, screen resolution, hashed hardware serial number, installation time, AnyDesk IDs of AnyDesk session participants, start/end time and duration of AnyDesk sessions, access times, time and duration of the respective remote data connection (session), online status of the client, license key (of session participants), session recordings.

  • Screen content and file transfer information: The software transfers the screen content of the other end device to enable the user to control it remotely. File transfers can also take place. ANYDESK has no access to the content of the file. The transfer is encrypted.

  • Chat history of the session: ANYDESK does not save a history of chat messages from and to the client.

  • Customer support: ANYDESK processes data for customer support and for the provision of technical support.

  • When using the my.anydesk I and II customer account: access data, connection data, contract/license information, information about the AnyDesk clients (client ID, alias, client version, login information, status, license ID), user data (status, e-mail; optional: first name, last name, date of birth; for integrations: First name, last name, time zone, case ID, case description), invoices, means of payment, address book data, user roles.

Optionally, it is possible to import employee lists from authentication software (e.g. Active Directory). First and last name, email address, roles and groups are processed to enable efficient use of the service.

The responsibility for which data is entered in ANYDESK or transmitted via ANYDESK lies with the respective user of the software. It is recommended that users handle their data responsibly and ensure that their actions comply with the applicable data protection regulations.

Categories of persons affected by the processing of their data

  • Users of the software, customers, interested parties and, if applicable, their users

  • Connection partners (third parties)

Purpose of the processing

  • Ensuring a problem-free connection setup.

  • Ensuring the smooth use of our software and evaluating system security and stability.

  • Enabling uncomplicated communication between the users of the software.

  • Provision of an optional customer account for a personalized user experience. Your data is managed securely to provide you with a transparent and user-friendly service.

  • Provision of training content via the ANYDESK Academy.

  • Furthermore, the processed data can be used to create certificates as proof of successful participation in ANYDESK training courses.

Type of processing

Collection, storage, retrieval, consultation, disclosure by transmission, restriction, erasure or destruction of data.

Types or category of data

The type of data processed depends on the type of use and the configurations made by the Controller and the users.

As a rule, ANYDESK processes the following types of data:

  • Access data: ANYDESK requires information to establish a connection between the user and the computer (login data).

  • Device information and session information: IP addresses, AnyDesk version, country, MAC addresses, network ID, computer name, user name, type and version of operating system, information on RAM/CPU/GPU, screen resolution, hashed hardware serial number, installation time, AnyDesk IDs of AnyDesk session participants, start/end time and duration of AnyDesk sessions, access times, time and duration of the respective remote data connection (session), online status of the client, license key (of session participants), session recordings.

  • Screen content and file transfer information: The software transfers the screen content of the other end device to enable the user to control it remotely. File transfers can also take place. ANYDESK has no access to the content of the file. The transfer is encrypted.

  • Chat history of the session: ANYDESK does not save a history of chat messages from and to the client.

  • Customer support: ANYDESK processes data for customer support and for the provision of technical support.

  • When using the my.anydesk I and II customer account: access data, connection data, contract/license information, information about the AnyDesk clients (client ID, alias, client version, login information, status, license ID), user data (status, e-mail; optional: first name, last name, date of birth; for integrations: First name, last name, time zone, case ID, case description), invoices, means of payment, address book data, user roles.

Optionally, it is possible to import employee lists from authentication software (e.g. Active Directory). First and last name, email address, roles and groups are processed to enable efficient use of the service.

The responsibility for which data is entered in ANYDESK or transmitted via ANYDESK lies with the respective user of the software. It is recommended that users handle their data responsibly and ensure that their actions comply with the applicable data protection regulations.

Categories of persons affected by the processing of their data

  • Users of the software, customers, interested parties and, if applicable, their users

  • Connection partners (third parties)

Annex 2: Technical and organizational measures pursuant to art. 32 GDPR:

Call for action

Legal requirement

 Implementation in practice
Entry Control

Denying unauthorised persons access to data processing systems

The company building is guarded by a security service. All entrances to the building are under video surveillance. The main entrance is manned by a gatekeeper. All side entrances can only be opened via chip cards. The main entrance doors to the building are firmly locked outside operating hours. Third parties have no access to the premises. Building and office doors are alarmed. Visitors are received by the doorman and their registration is checked. An electronic locking system with different authorisation levels ensures that employees can only enter rooms for which they have been specifically authorised, in addition to the general areas. Server rooms can only be entered by authorised staff with chip cards. Entrances to rooms with increased security requirements are accessible via chip cards and special authorisations and are electronically recorded and monitored.
Access Control

Preventing the use of data processing equipment by unauthorised persons

All staff computers have virus protection. To gain access to data processing systems, staff must identify themselves with at least user ID & password. Screens are automatically locked after a short period of inactivity. Each staff member has their own user account with individual access rights. The number of login attempts is logged and after exceeding the maximum number of incorrect login attempts, the user account is locked. Unlocking is only possible by an administrator after authentication of the employee. After unlocking, the user is prompted to enter a personal password. Mobile work for employees is secured by VPN. All end devices and data carriers are encrypted, if possible. The company networks are secured by firewalls. The network segments are separated by a firewall. The firewall settings are checked regularly. A policy on the departure of employees (revocation of rights) and a password policy have been adopted.
Admission Control

Ensuring the use of a DP system and the stored data according to the authorisation

All access options and user roles are recorded in authorisation concepts and regulated analogously. All employees are bound to data secrecy. Certificates are issued for authentication and accesses are logged. In addition, protocols are used that include transport encryption.

Transfer Control/Transmission Control

Data may only be transferred to authorised recipients

Transport encryption is used. Data records are identified by IDs rather than by plain names or other personal data. The principle of data minimisation is observed. A standardised process for destroying data media in a data protection- compliant manner is followed.

Plausibility check/Transaction control

Ensuring traceability of (intentional and unintentional) data manipulations

 Plausibility checks are carried out.

Order Control/ Contract Conformity Control

Ensuring the processing of data on behalf of the client in accordance with instructions

In order to protect personal data, contractors are carefully selected with regard to technical and organisational measures and corresponding order processing contracts are concluded. The company's own technical and organisational measures are reviewed on a regular basis. An external data protection officer is provided.
Availability Control

Securing data against accidental destruction or loss

Availability, rapid recoverability and protection against losses are ensured by uninterruptible power supply (UPS) with surge protection, RAID solutions and daily backups. All offices and server rooms are equipped with fire and smoke detection systems. An analysis of the server room situation has been carried out, server rooms are air- conditioned. Regular updates are carried out on all systems.

Data Segregation Control/Client Separation Control

Ensuring the separation of data collected for different purposes

Development/test and productive environments are separated from each other and data processing systems are separated from each other for specific purposes. Only those personal data are collected that are necessary for the respective purpose. During the development process of new software, it is already ensured that it is realised in a data protection-friendly manner.

Procedures for regular review, Assessment and evaluation of effectiveness

Responsibilities for data privacy and information security are defined. A DPO has been appointed. Regular internal controls of the security measures take place in the PDCA cycle. Management is regularly informed about the status of data privacy and information security as well as possible risks and consequences due to missing measures. In the event of a negative outcome of the aforementioned review, the security measures are adjusted, renewed and implemented on a risk-related basis.

Call for action

Entry Control

Legal requirement

Denying unauthorised persons access to data processing systems

Implementation in practice

The company building is guarded by a security service. All entrances to the building are under video surveillance. The main entrance is manned by a gatekeeper. All side entrances can only be opened via chip cards. The main entrance doors to the building are firmly locked outside operating hours. Third parties have no access to the premises. Building and office doors are alarmed. Visitors are received by the doorman and their registration is checked. An electronic locking system with different authorisation levels ensures that employees can only enter rooms for which they have been specifically authorised, in addition to the general areas. Server rooms can only be entered by authorised staff with chip cards. Entrances to rooms with increased security requirements are accessible via chip cards and special authorisations and are electronically recorded and monitored.

Call for action

Access Control

Legal requirement

Preventing the use of data processing equipment by unauthorised persons

Implementation in practice

All staff computers have virus protection. To gain access to data processing systems, staff must identify themselves with at least user ID & password. Screens are automatically locked after a short period of inactivity. Each staff member has their own user account with individual access rights. The number of login attempts is logged and after exceeding the maximum number of incorrect login attempts, the user account is locked. Unlocking is only possible by an administrator after authentication of the employee. After unlocking, the user is prompted to enter a personal password. Mobile work for employees is secured by VPN. All end devices and data carriers are encrypted, if possible. The company networks are secured by firewalls. The network segments are separated by a firewall. The firewall settings are checked regularly. A policy on the departure of employees (revocation of rights) and a password policy have been adopted.

Call for action

Admission Control

Legal requirement

Ensuring the use of a DP system and the stored data according to the authorisation

Implementation in practice

All access options and user roles are recorded in authorisation concepts and regulated analogously. All employees are bound to data secrecy. Certificates are issued for authentication and accesses are logged. In addition, protocols are used that include transport encryption.

Call for action

Transfer Control/Transmission Control

Legal requirement

Data may only be transferred to authorised recipients

Implementation in practice

Transport encryption is used. Data records are identified by IDs rather than by plain names or other personal data. The principle of data minimisation is observed. A standardised process for destroying data media in a data protection- compliant manner is followed.

Call for action

Plausibility check/Transaction control

Legal requirement

Ensuring traceability of (intentional and unintentional) data manipulations

Implementation in practice

Plausibility checks are carried out.

Call for action

Order Control/ Contract Conformity Control

Legal requirement

Ensuring the processing of data on behalf of the client in accordance with instructions

Implementation in practice

In order to protect personal data, contractors are carefully selected with regard to technical and organisational measures and corresponding order processing contracts are concluded. The company's own technical and organisational measures are reviewed on a regular basis. An external data protection officer is provided.

Call for action

Availability Control

Legal requirement

Securing data against accidental destruction or loss

Implementation in practice

Availability, rapid recoverability and protection against losses are ensured by uninterruptible power supply (UPS) with surge protection, RAID solutions and daily backups. All offices and server rooms are equipped with fire and smoke detection systems. An analysis of the server room situation has been carried out, server rooms are air- conditioned. Regular updates are carried out on all systems.

Call for action

Data Segregation Control/Client Separation Control

Legal requirement

Ensuring the separation of data collected for different purposes

Implementation in practice

Development/test and productive environments are separated from each other and data processing systems are separated from each other for specific purposes. Only those personal data are collected that are necessary for the respective purpose. During the development process of new software, it is already ensured that it is realised in a data protection-friendly manner.

Call for action

Procedures for regular review, Assessment and evaluation of effectiveness

Legal requirement

-

Implementation in practice

Responsibilities for data privacy and information security are defined. A DPO has been appointed. Regular internal controls of the security measures take place in the PDCA cycle. Management is regularly informed about the status of data privacy and information security as well as possible risks and consequences due to missing measures. In the event of a negative outcome of the aforementioned review, the security measures are adjusted, renewed and implemented on a risk-related basis.