TOS – Real VNC

I only started reading the RealVNC ToS – and wow. I was only at 2.3 when I saw this: 2.3 You are only permitted to use the Software for educational and non-commercial purposes.

who knew?

And then this…

Where is this Data Agreement of which they speak? I pasted the DATA PROCESSING AGREEMENT AT THE END…

10.1 If REALVNC acts as a processor of your personal data in accordance with applicable data protection law the terms of the Data Processing Agreement which is hereby incorporated by reference shall apply. In the event of a direct conflict between this Agreement and the Data Processing Agreement, the Data Processing Agreement will govern.

Gets a little more dark as you read the Data Processing agreement!

2.1 Customer will share Data with RealVNC and hereby appoints RealVNC as a Processor to Process the Data in connection with the provision of the Services (the “Permitted Purpose”).

I will? No. I will not!

14.8 Categories of personal data transferred: first name, last name, User Principal Name (UPN) (only if SSO is in use), country, phone number (if provided), email address, computer name (hostname), team name, device name, screenshots taken during the connection (only if enabled), labels, IP address, Mac addresses, product usage data and chat transcripts.

But why do you need to collect this data?!

While there were sections stating RealVNC would protect privacy laws, the mere fact they are collecting data such as usage and transcripts is a bit disconcerting as there was not full transparency of this when using the free version on Raspberry Pi OS or previously Raspbian.

Try another remote desktop app.

Again… if the product is free, you are the product.

Word Count: 5445 words

Average wpm: 240

Estimated read time: 22 minutes

REALvnc tos

VNC CONNECT END USER LICENSE AGREEMENT
IN ORDER TO RETAIN THE SERVICES (AS DEFINED BELOW) OF REALVNC, YOU
MUST FIRST ACCEPT THE TERMS AND CONDITIONS OF THIS AGREEMENT. BY
USING ALL OR ANY PORTION OF THE SOFTWARE YOU ACCEPT ALL THE TERMS
AND CONDITIONS OF THIS AGREEMENT. YOU AGREE THAT THIS AGREEMENT IS
ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU. IF
YOU DO NOT AGREE THEN DO NOT USE ANY PART OF THE SOFTWARE. BY
INSTALLING ANY UPDATED VERSION OF THE SOFTWARE WHICH MAY BE MADE
AVAILABLE, YOU ACCEPT THAT THE TERMS OF THIS AGREEMENT APPLY TO SUCH
UPDATED SOFTWARE. REALVNC LIMITED (“REALVNC”) MAY MODIFY THESE TERMS
AND CONDITIONS AT ANY TIME. BY INSTALLING ANY UPDATED VERSION OF THE
SOFTWARE WHICH MAY BE MADE AVAILABLE, YOU ACCEPT THAT THE MODIFIED
TERMS OF THIS AGREEMENT APPLY TO SUCH UPDATED SOFTWARE.
1 Definitions
In this Agreement:
“Desktop” means a graphical user interface, whether accessible via a console
attached to the Raspberry Pi Host, via the Software, or by any similar means.
“License Key” means a code obtained from RealVNC which enables the Software to
be used.
“Raspberry Pi Host” means the Raspberry Pi computer on which the Software is run.
“Raspberry Pi License Key” means the License Key that is automatically provided to
users of a Raspberry Pi Host running Raspbian August 2016, enabling enhanced
functionality as described on the Website.
“Raspbian” means the Raspberry Pi Foundation’s official supported operating system.
“Raspbian August 2016” means the August 2016 version Raspbian.
“Raspbian Repositories” means the software package repositories that are
maintained by the Raspberry Pi Foundation and made available for Raspbian.
“Server Software” means VNC Server Version 6.0 or later of the programs available
from the Website or Raspbian Repositories, including documentation, updates,
modified versions and copies of the Server Software.
“Services” means the support services set out in clause 5.
“Software” means the Server Software and/or the Viewer Software.
“Subscription” means a subscription purchased for or by you and/or obtained from
RealVNC that enables the Software.
“Viewer Software” means VNC Viewer Version 6.0 or later of the programs available
from the Website or Raspbian Repositories, including documentation, updates,
modified versions and copies of the Viewer Software.
“Website” means https://www.realvnc.com and associated web applications.
2 Raspberry Pi License
2.1 In consideration of you agreeing to comply with the terms of this Agreement,
RealVNC grants you a perpetual, non-exclusive, worldwide, royalty-free, nontransferable
(except as otherwise stated herein), non-sublicensable license (the
“License”) to use the pre-installed Software and Raspberry Pi License Key on no
more than 10 Desktops.
2.2 If the Software is used with a Subscription, the licence to use the Software will
instead be granted on the terms of the End User License Agreement for VNC
Connect, available on the Website.
2.3 You are only permitted to use the Software for educational and non-commercial
purposes.
2.4 Notwithstanding 2.3, should you require the Software for commercial or corporate
applications of any kind, you shall first purchase a commercial software license,
which shall be governed by separate licensing terms and conditions.
2.5 Except as expressly stated in this Agreement, RealVNC provides the Software “as
is” and makes no representations or warranties of any kind in relation to the
Software.
2.6 The Raspberry Pi License Key (as defined above) is available only on Raspbian
August 2016 or later.
2.7 You may make as many copies of the Server Software as you require and use the
Server Software on your Raspberry Pi Host. You are expressly prohibited from
transferring or distributing the Server Software in any format, in whole or in part, for
sale, for commercial use, or for any unlawful purpose.
2.8 You may not rent, lease or otherwise transfer the Software or allow it to be copied
except as expressly permitted under this Agreement. Unless permitted by law, you
may not modify, reverse engineer, decompile or disassemble the Software or use
any of the confidential information of RealVNC contained in or derived from the
Software to develop or market any software which is substantially similar in its
function or expression to any part of the Software.
2.9 You must treat the source code of the Software as RealVNC’s confidential
information in accordance with the provisions of clause 4
2.10 During the term of this Agreement and as long as you comply with the terms of this
Agreement, RealVNC, on behalf of itself, its subsidiaries and any licensors, hereby
grants to you a non-exclusive, worldwide, non-transferable, non-sublicensable
license to use the Viewer Software for your personal use or for the internal use of
your business or organisation. You are expressly prohibited from transferring or
distributing the Viewer Software in any format, in whole or in part, for sale, for
commercial use, or for any unlawful purpose.
2.11 The Viewer Software is only warranted and supported to the extent it is used in
conjunction with a licensed copy of the Server Software or of any other RealVNC
Server product explicitly stated to qualify for use with the Viewer Software.
2.12 You are expressly prohibited from sub-licensing the licences granted to you
pursuant to clauses 2.1 and 2.10.
3 Intellectual Property Rights
The Software, its structure and algorithms, and the information provided with the
Software or available on the Website or Raspbian Repositories are protected by
copyright and other intellectual property laws, and all intellectual property rights in
them belong to RealVNC or are licensed to it. You may not reproduce, publish,
transmit, modify, create derivative works from, or publicly display the Software or
any part of it. Copying or storing or using the Software other than as permitted in
this Agreement is expressly prohibited unless you obtain prior written permission
from RealVNC.
4 Confidentiality
Unless as may be required by law you shall keep confidential all information
supplied by RealVNC which is marked or asserted as confidential at the time of its
disclosure, and shall not without the prior written consent of RealVNC use, make
copies, or disclose to any third party the confidential information for any purpose
whatsoever except for the purposes permitted or set out under this Agreement and
only to the extent necessary for those purposes.
5 Support Services
5.1 In consideration of you agreeing to comply with the terms of this Agreement, during
the terms of this Agreement and as long as you comply with the terms of this
Agreement, RealVNC will provide the following Services to you in relation to the
Software in accordance with the terms and conditions of this Agreement:
5.1.1 provided that you promptly notify RealVNC of any material defect in the Software
(including, but not limited to, any corrupt download), RealVNC shall, subject to
clause 5.2, use its reasonable endeavours to rectify the reported problem and
provide a corrected version as soon as reasonably practicable after being so
notified; and
5.1.2 updates or improvements to the Software published by RealVNC shall be made
available on the Website or Raspbian Repositories.
5.2 The Services do not include the correction of any defects due to:-
5.2.1 any combination or inclusion of the Software with or in any computer program,
equipment or devices not on the approved list on the Website;
5.2.2 you not giving RealVNC a sufficiently detailed description of the defect to enable
RealVNC to identify the defect and to perform the Services; or
5.2.3 any improper or unauthorised use or operation of the Software.
5.3 If a defect cannot be resolved in a reasonable time your sole and exclusive remedy
will be for RealVNC to, at its sole option replace the Software.
5.4 The Services shall continue from the date of activation of the Software until
terminated in accordance with clause 9.
6 Limited Warranty
6.1 RealVNC warrants to the original licensee that the Software will perform
substantially in accordance with any documentation provided for it for 90 days from
the date of activation of the Software (the “Warranty Period”) when used on
Raspberry Pi Hosts meeting the minimum hardware and software requirements
specified on the Website.
6.2 If the Software does not perform according to the above warranty, then you must
make a warranty claim in writing to RealVNC and your exclusive remedy will be for
RealVNC to, at its sole option, replace the Software.
6.3 This limited warranty set out in clause 6.1 applies only if any problem is reported in
writing to RealVNC during the above Warranty Period. It is void if the failure of the
Software is the result of accident, abuse, misapplication or inappropriate use of the
Software or use with Raspbery Pi Hosts not meeting the minimum hardware and
software requirements specified on the Website.
7 Limitation on Liability
7.1 Except for the express warranties given in this agreement, to the extent permitted by
law, RealVNC disclaims all warranties conditions or representations on the software
and/or services, either express or implied, including but not limited to the implied
warranties of merchantability, non-infringement of third party rights and fitness for
particular purpose.
7.2 To the extent permitted by law RealVNC shall not be liable for any direct,
consequential indirect or incidental loss, costs or damages whatsoever including lost
profits or savings arising from the services, the use of the software, reliance on the
data produced or inability to use the software, or RealVNC’s negligence (including
loss or damage to your (or any other person’s) data or computer programs) even if
RealVNC has been advised of the possibility of such damages. RealVNC’s liability
under or in connection with this agreement shall be limited to the amount paid for
the software, if any.
7.3 Nothing in this agreement limits liability for death or personal injury arising from a
party’s negligence or from fraudulent misrepresentation on the part of a party.
8 Export Control
8.1 The United States and other countries control the export of Software and
information. You are responsible for compliance with the laws of your local
jurisdiction regarding the import, export or re-export of the Software, and agree to
comply with such restrictions and not to export or re-export the Software where this
is prohibited. By downloading the Software, you are agreeing that you are not a
person or entity to which such export is prohibited. RealVNC is a Limited company
in England and Wales.
9 Term and Termination
9.1 This License shall continue in force unless and until it is terminated by RealVNC by
e-mail notice to you, if it reasonably believes that you have breached a material term
of this Agreement.
9.2 In the case above, you must delete and destroy all copies of the Software in your
possession and control and overwrite any electronic memory or storage locations
containing the Software.
10 Data Protection
10.1 If REALVNC acts as a processor of your personal data in accordance with applicable
data protection law the terms of the Data Processing Agreement which is hereby incorporated
by reference shall apply. In the event of a direct conflict between this Agreement and the Data
Processing Agreement, the Data Processing Agreement will govern.
11 General Terms
11.1 The construction, validity and performance of this Agreement shall be governed in
all respects by English law, and the parties agree to submit to the non-exclusive
jurisdiction of the English courts.
11.2 If any provision of this Agreement is found to be invalid by any court having
competent jurisdiction, the invalidity of such provision shall not affect the validity of
the remaining provisions of this Agreement, which shall remain in full force and
effect.
11.3 Despite anything else contained in this Agreement, neither party will be liable for any
delay in performing its obligations under this Agreement if that delay is caused by
circumstances beyond its reasonable control (including, without limitation, any delay
caused by an act or omission of the other party) and the party affected will be
entitled to a reasonable extension of time for the performance of its obligations.
11.4 No waiver of any term of this Agreement shall be deemed a further or continuing
waiver of such term or any other term.
11.5 You may not assign, subcontract, sublicense or otherwise transfer any of your rights
or obligations under this Agreement.
11.6 RealVNC may assign all or part of the benefits or all or part of its obligations under
this Agreement to any affiliated company.
11.7 This Agreement constitutes the entire Agreement between you and RealVNC in
relation to the provision of the Software or the Services.
Version 4.0-raspi November 2021

Data Processing Agreement (DPA)

This DPA is between RealVNC Limited incorporated and registered in England and Wales with company number 04446945 whose registered office is at 50-60 Station Road, Cambridge, CB1 2JH, United Kingdom (“RealVNC“) and the customer identified in the relevant agreement for Services (the “Customer“).

Agreed Terms

1.  INTERPRETATION

1.1 The following definitions and rules of interpretation apply in this DPA:

1.1.1 “business”, “consumer”, “controller“, “processor“, “data subject“, “personal data“, “personal information”, processing” (“process“), “service provider” and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law;

1.1.2 “Applicable Data Protection Law” shall mean: all applicable privacy and data protection laws, including the EU General Data Protection Regulation (Regulation 2016/679), the UK GDPR; the Data Protection Act 2018 and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), and the California Consumer Privacy Act of 2018 and its implementing regulations (collectively CCPA), and other United States federal or state privacy, data security, and data breach notification laws and regulations as adopted, further amended, replaced or updated from time to time;

1.1.3 “Data” means Personal Data, Personal Information or any functional equivalent of these terms relevant under any Applicable Data Protection Law which RealVNC is Processing in connection with the provision of the Services, as described in the Schedule to this DPA;

1.1.4 “Services” means the Data Processing RealVNC is to carry out on behalf of the Customer in connection with any end user license agreement in place between the parties;

1.1.5 “Standard Contractual Clauses” means as applicable (a) the standard contractual clauses available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR (“EU SCCs“); and (b) the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office under S119A(1) of the Data Protection Act available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf effective from 21 March 2022 (“UK Addendum“);

1.1.6 “Territory of Adequate Protection” means a country (or sector) within the European Economic Area or UK and/or in respect of which any positive adequacy decision (under Article 45 of the GDPR or UK GDPR) is issued;

1.1.7 “UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018;

1.1.8 Clause, Schedule and paragraph headings shall not affect the interpretation of this DPA;

1.1.9 the Schedules form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules;

1.1.10 if there is any conflict between the terms of this DPA and the agreement to which it relates the terms of this DPA shall prevail. If there is any conflict between the terms of Schedule 1 and the DPA or agreement to which it relates the terms of Schedule 1 shall prevail; and

1.1.11 any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.

2. Customer’s Responsibilities in relation to the data

2.1 Customer will share Data with RealVNC and hereby appoints RealVNC as a Processor to Process the Data in connection with the provision of the Services (the “Permitted Purpose”).

2.2 Customer:

2.2.1 warrants, represents and undertakes that RealVNC’s use of the Data for the Permitted Purpose will comply with Applicable Data Protection Law;

2.2.2 shall obtain all necessary consents or satisfy another lawful ground for processing; and

2.2.3 shall provide privacy notices to its customers (as required by Applicable Data Protection Law),

such that Customer can share the Data with RealVNC for the Permitted Purpose and that RealVNC can perform the Services in accordance with Applicable Data Protection Law.

2.3.            Customer shall not provide to RealVNC or otherwise cause RealVNC to create, receive, transmit or maintain “protected health information” subject to the U.S. Health Insurance Portability and Accountability Act’s Privacy, Security and Breach Notification  Rules (45 C.F.R. Parts, 160, 164) (“HIPAA Rules”) without previously having entered into a separate business associate agreement with RealVNC that satisfies the requirements of the HIPAA Rules.

3 RealVNC’s Responsibility in relation to the data

3.1 RealVNC shall:

3.1.1 process the Data only for the Permitted Purpose and in accordance with the Customer’s written and lawful instructions as issued from time to time, unless required to do so by law to which RealVNC is subject. In such circumstances, RealVNC shall inform the Customer of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest;

3.1.2 ensure that any person it authorises to process the Data is subject to a statutory or contractual obligation of confidentiality;

3.1.3 implement technical and organisational measures to protect the Data from accidental or unlawful destruction, and loss, alteration, unauthorised disclosure, or unauthorized acquisition or access (a “Security Incident“);

3.1.4 if it becomes aware of a confirmed Security Incident, inform Customer without undue delay and provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under Applicable Data Protection Law;

3.1.5 not transfer the Data outside of the European Economic Area (“EEA“) or UK unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law;

3.1.6 notify the Customer as soon as reasonably practicable if it receives a request from a Data Subject to exercise their right under the Applicable Data Protection Law in relation to the Data;

3.1.7 provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to:

3.1.7.1 comply with its responsibilities in connection with Applicable Data Protection Law, including but not limited to compliance with relevant security, breach notification, impact assessment and prior consultation obligations;

3.1.7.2 respond to any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law. RealVNC must not disclose the Data to any Data Subject other than at the Customer’s request or instruction, as provided for in this DPA or as required by law; and

3.1.7.3 respond to any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to RealVNC, RealVNC shall promptly inform the Customer, providing full details of the request.

3.2 To the extent Customer is acting as a Business and RealVNC is acting as a Service Provider for purposes of the CCPA, RealVNC shall not retain, use or disclose any Personal Information received from Customer for any commercial or other purpose except for the specific purpose of performing the Services as specified in the DPA unless otherwise permitted by the CCPA. RealVNC will comply with the obligations of a Service Provider under the CCPA, to the extent applicable, including deleting Personal Information at the direction of Customer in response to a verifiable Consumer request.

3.3 To the extent Customer is subject to the Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 CMR 17.00), and Data that RealVNC processes on Customer’s behalf constitutes Personal Information under those regulations, RealVNC will implement appropriate security measures to protect such Personal Information consistent with 201 CMR 17.00.

4 Subcontracting

4.1 Customer consents to RealVNC engaging the third party subprocessors listed on RealVNC’s website at https://help.realvnc.com/hc/en-us/articles/360014324617-Sub-processors in connection with the Permitted Purpose, provided that:

4.1.1 RealVNC notifies the Customer with details of any change in such subprocessor at least 14 days prior to any such change, giving the Customer a chance to object to such proposed change, provided such objection is based on reasonable grounds of data protection. Customer acknowledges that to receive such notifications, it must subscribe to receive them on RealVNC’s subprocessor webpage at the link set out in clause 4.1;

4.1.2 RealVNC imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and

4.1.3 RealVNC remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor.

5 International transfers

5.1 The provisions of Schedule 1 shall apply to the extent RealVNC provides Services based outside of a Territory of Adequate Protection, and no alternative protection mechanism  is being relied on by the parties.

5.2 If RealVNC uses a subprocessor based outside of a Territory of Adequate Protection, then RealVNC shall enter into module three (processor to processor) or another module of the Standard Contractual Clauses with the relevant subprocessor as appropriate. RealVNC will make the executed Standard Contractual Clauses available to the Customer on request.

5.3 Customer acknowledges that to ensure the relevant Services comply with Applicable Data Protection Law, RealVNC may use the complete range of protection measures available under Applicable Data Protection Law to protect any international transfers of the Data.

6 Deletion / return of Data

Upon termination or expiry of this DPA, RealVNC shall (at Customer’s election) destroy or return to Customer all Data in its possession or control.  This requirement shall not apply to the extent that RealVNC is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which RealVNC shall securely isolate and protect from any further Processing except to the extent required by law until deletion is possible.

7 Audit

Upon 30 days’ written notice, the Customer or Customer’s auditor may, not more than once per calendar year audit RealVNC’s compliance with this DPA. The parties shall agree the scope and duration of the audit before the audit. Any audit shall be at the Customer’s cost.

8 Liability

8.1 Nothing in this DPA shall limit any liability which cannot be limited by law.

8.2 Subject to clause 8.1, RealVNC shall not be liable, whether in contract, tort or otherwise, for any indirect, consequential or special losses relating to or in connection with this DPA.

8.3 Subject to clauses 8.1. and 8.2, RealVNC’s total liability, whether in contract, tort or otherwise, for any losses or damages relating to or in connection with this DPA shall be £500,000.

9 Complaints

If the Customer receives a complaint, notice or communication which relates directly or indirectly to the Processing of Data by RealVNC or to RealVNC’s compliance with the Applicable Data Protection Law, it shall as soon as reasonably practicable notify RealVNC and shall provide RealVNC with reasonable co-operation and assistance in relation to any such compliant, notice or communication.

10 ASSIGNMENT

This DPA is personal to the parties and neither party shall assign, transfer, mortgage, charge, subcontract, declare a trust of or deal in any other manner with any of its rights and obligations under this DPA without the prior written consent of the other (which is not to be unreasonably withheld or delayed).

11 ENTIRE AGREEMENT

11.1 This DPA constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

11.2 Each party acknowledges that in entering into this DPA it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this DPA. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this DPA.

12 SEVERANCE

If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this DPA.

13 THIRD-PARTY RIGHTS

Except as expressly provided elsewhere in this DPA, a person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this DPA. This does not affect any right or remedy of a third party which exists, or is available, apart from that Act, and the consent of any third party shall not be required to vary this DPA.

14 GOVERNING LAW AND jurisdiction

14.1 Subject to Schedule 1, this DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England.

14.2 Subject to Schedule 1, each party irrevocably agrees that the courts of England shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

SCHEDULE 1 – STANDARD CONTRACTUAL CLAUSES

The parties agree that the Standard Contractual Clauses are incorporated into this DPA by reference, as if they had been set out in full, and are populated as follows. Unless expressly stated below, any optional clauses contained within the Standard Contractual Clauses shall not apply. The Supplementary Clauses shall apply.

As applicable, the following Modules of the Standard Contractual Clauses shall apply where Personal Data is transferred to a country based outside of a Territory of Adequate Protection, and no alternative protection mechanism is being relied on by the parties:

a) CONTROLLER -> PROCESSOR (Module Two of the EU SCCs) if the Customer, acting as a Controller, is making a restricted transfer of Personal Data subject to the GDPR and/or UK GDPR to RealVNC, acting as a Processor; and/or

b) PROCESSOR -> CONTROLLER (Module Four of the EU SCCs) if the RealVNC acting as a Processor, makes a restricted transfer of Personal Data subject to the GDPR and/or UK GDPR to the Customer, acting as a Controller.

Governing Law and Jurisdiction: For the purposes of Clauses 17 and 18, Section IV of Module Two of the EU SCCs, the parties agree the governing law and jurisdiction shall be Ireland. For the purposes of Clauses 17 and 18, Section IV of Module Four of the EU SCCs and the UK Addendum, the Parties agree that the laws and courts of England and Wales will apply.

Sub-Processors: For the purposes of Clause 9, Section II of Module Two of the EU SCCs, the parties agree that option 2: general written authorization shall apply and the data importer shall notify the data exporter of any changes in accordance with clause 4 of the DPA.

Competent Supervisory Authority: In respect of the EU SCCs, the competent supervisory authority shall be determined in accordance with Clause 11, Section II of Module Two of the EU SCCs. In respect of the UK Addendum, the competent supervisory shall be read as Information Commissioner.  

UK Addendum

Start Date

The UK Addendum is effective from 21 March 2022.  

1. Table 1: Parties

Exporter and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.

Importer and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.

2. Table 2: Selected SCCs, Modules and Clauses

Module Two of the EU SCCs and/or Module Four of the EU SCCs, as detailed above.

3. Table 3: Appendix Information

As set out in Annex 1 and Annex 2 of the of the Standard Contractual Clauses below.

4. Table 4: Ending this Addendum when the Approved Addendum Changes

In the event the Information Commissioner’s Office issues a revised Approved Addendum, in accordance with Section ‎18 of the UK Addendum which as a direct result of such changes has a substantial, disproportionate and demonstrable increase in: (a) the data importer’s direct costs of performing its obligations under the Addendum; and/or (b) the data importer’s risk under the Addendum, the data importer may terminate this UK Addendum on reasonable written notice to the data exporter in accordance with Table 4 and paragraph 19 of the UK Addendum.

Annex 1 to the Standard Contractual Clauses

The Parties

14.3 For Module Two of the EU SCCs the exporter is: the Customer whose details are set out in the agreement for Services.

14.4 For Module Two of the EU SCCs the importer is: RealVNC whose details are set out in the agreement for Services.

14.5 For Module Four of the EU SCCs the exporter is: Real VNC whose details are set out in the agreement for Services.

14.6 For Module Four of the EU SCCs the importer is: the Customer

Description of Data Processing

14.7 Categories of data subjects: employees of the customer and employees of clients of the customer.

14.8 Categories of personal data transferred: first name, last name, User Principal Name (UPN) (only if SSO is in use), country, phone number (if provided), email address, computer name (hostname), team name, device name, screenshots taken during the connection (only if enabled), labels, IP address, Mac addresses, product usage data and chat transcripts.

14.9 Sensitive data transferred:

14.10 Frequency of the transfer:

14.11 Nature of the processing: Provide VNC Connect services to customers utilising RealVNC Cloud services (address book synchronisation, cloud brokered connections, RealVNC On-Demand Assist (formerly known as Instant Support). As part of providing the VNC Connect service, RealVNC may need to analyse service log files to assist in problem diagnosis In order to provide insights into customer product usage to inform future development, aggregated queries may be run against product usage data periodically.

14.12 Purpose of the processing: to provide the Services as set out in the DPA.

14.13 Duration of the processing: for the duration of this DPA.

14.14 Sub-Processor Transfers: as set out at https://help.realvnc.com/hc/en-us/articles/360014324617-Sub-processors.

14.15 Technical and Organisational Measures: Restriction of access to buildings, data centres and server rooms as necessary, adequate locks on all doors, monitoring of unauthorised access, written procedures for employees, contractors and visitors covering confidentiality and security of information, restricting access to systems depending on the sensitivity/criticality of such systems, use of password protection where such functionality is available, maintaining records of the access granted to which individuals, ensuring prompt deployment of updates, bug-fixes and security patches for all systems.

Supplementary Clauses

Erasure and deletion: For the purposes of Clause 8.5, Section II of Module Two of the Standard Contractual Clauses the data importer shall delete the Personal Data in accordance with clause 6 of this DPA. For the purposes of Clause 8.1(d), Section II of Module Four of the Standard Contractual Clauses, the data exporter shall delete the Personal Data in accordance with clause 7 of this DPA.  

Audit: The parties acknowledge that the data importer complies with its obligations under Clause 8.9, Section II of Module Two of the Standard Contractual Clauses by complying with clause 7 of this DPA and exercising its contractual audit rights it has agreed with its Sub-Processors.

Transfer impact assessment: The data exporter acknowledges a transfer impact assessment has been made available by the data importer which the data exporter accepts as sufficient to fulfil the data importer’s obligations pursuant to Clause 14(c) and 14(a) of the Standard Contractual Clauses.

For the purposes of Clause 14(c), 15.1(b) and 15.2, Section III of Module Two of the Standard Contractual Clauses, the parties agree that “best efforts” and the obligations of the data importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

https://help.realvnc.com/hc/en-us/articles/5438412949405-Data-Processing-Agreement-DPA#annex-1-to-the-standard-contractual-clauses-0-16

Similar Posts