Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
TeamViewer is a remote access, remote support, and online collaboration platform developed by TeamViewer SE (Germany). It enables screen sharing, file transfer, and remote device management via encrypted peer to peer connections. The platform processes connection metadata, device identifiers, and session data, requiring GDPR compliance measures including a Data Processing Agreement and careful configuration of logging and access controls.
TeamViewer is a remote access, remote support, and online collaboration platform developed by TeamViewer SE, headquartered in Göppingen, Germany. It enables users to remotely control computers and mobile devices, share screens, transfer files, conduct online meetings, and manage IoT devices. TeamViewer uses encrypted peer to peer connections with 256 bit AES encryption and RSA 4096 key exchange. The platform is widely used by IT departments for help desk support, managed services providers for client device management, and organisations for remote work enablement.
TeamViewer collects connection metadata including IP addresses, TeamViewer IDs, device names, operating system versions, connection timestamps, and session durations. The web management console uses cookies for authentication and session management. When session recording is enabled, the full screen content of remote sessions is captured. File transfer logs record filenames, sizes, and transfer directions. The TeamViewer website and web portal set analytics and marketing cookies from domains including teamviewer.com and login.teamviewer.com. The desktop client itself operates primarily through direct encrypted connections without browser cookies.
TeamViewer presents unique GDPR challenges due to the nature of remote access software. During a remote session, the support technician can potentially view all content on the remote screen, including personal data, emails, documents, and browser content. TeamViewer SE acts as a data processor for connection infrastructure and provides a DPA incorporating SCCs. The company is headquartered in Germany and maintains its primary infrastructure in EU data centers. TeamViewer holds ISO 27001, SOC 2 Type II, and HIPAA certifications. However, organisations must implement appropriate access controls, session policies, and employee notification procedures to ensure lawful processing during remote support sessions.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Remote support sessions initiated by employees within an organisation typically rely on contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)) as the legal basis, particularly when support is part of the employment relationship. However, employees should be informed that their screen may be viewed during sessions. When TeamViewer is used for customer support, explicit consent from the end user is recommended before initiating the remote connection. The TeamViewer web portal and website set analytics cookies that require consent under the ePrivacy Directive. Session recording features require specific legal basis and employee notification in most EU jurisdictions.
TeamViewer SE is an EU based company with primary data centers in Germany, Austria, and the Netherlands. However, TeamViewer''s global routing infrastructure means that connection metadata may transit through servers in the US and Asia Pacific. For enterprise customers, EU routing preferences can be configured to minimise non EU data flows. TeamViewer provides a DPA with SCCs covering any transfers outside the EEA. The actual content of remote sessions (screen data, file transfers) is transmitted via end to end encrypted P2P connections, meaning TeamViewer cannot access the session content even though it facilitates the connection.
To ensure GDPR compliance with TeamViewer, organisations should take the following steps. First, execute the TeamViewer DPA available in the management console or via their legal team. Second, implement a clear internal policy on remote access usage, including when session recording is permitted. Third, inform employees that their screens may be accessed during support sessions and document this in your privacy notice. Fourth, configure access controls to limit which technicians can connect to which devices. Fifth, enable connection logging and audit trails in the management console. Sixth, disable session recording unless specifically required and legally justified. Seventh, configure EU routing preferences for enterprise deployments. Eighth, deploy cookie consent on any website embedding TeamViewer chat or support widgets. Finally, include TeamViewer in your DPIA if remote access to devices containing sensitive personal data is part of your operations.
Websites using TeamViewer must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for TeamViewer deployments, particularly when used for remote access to devices containing sensitive personal data, unattended access to servers or workstations, IT support involving access to employee screens and files, or large scale deployment across an organisation. Key risks include potential access to all data visible on the remote screen, session recording capabilities, file transfer logging, connection metadata (IP addresses, device names, user identifiers), and the broad access privileges inherent to remote control software.
Sample consent text
This site uses TeamViewer services for remote support that may process connection data including your IP address and device information on TeamViewer servers located in the EU and potentially routed through global infrastructure. By initiating a remote support session, you consent to this data processing. You can end the session at any time to stop data collection.
Third-party domains contacted
www.teamviewer.comlogin.teamviewer.comweb.teamviewer.comget.teamviewer.comapi.teamviewer.comrouter.teamviewer.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| tv_session | functionality | Session | Maintains the authenticated session for the TeamViewer web management console. |
| tv_csrf_token | security | Session | CSRF protection token for management console actions and account settings changes. |
| tv_auth_persistent | authentication | 30 days | Persistent authentication cookie enabling the Remember me functionality for the web management console. |
| _ga | analytics | 2 years | Google Analytics cookie tracking visitor behaviour on the TeamViewer website and web portal. |
| _gid | analytics | 24 hours | Google Analytics cookie distinguishing unique visitors to the TeamViewer website within a 24 hour period. |
| tv_cookie_consent | functionality | 1 year | Stores the visitor cookie consent preference for the TeamViewer website and web portal. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
The TeamViewer desktop client does not set browser cookies as it operates through direct encrypted P2P connections. However, the TeamViewer web management console and website set cookies including session authentication tokens, CSRF protection cookies, analytics cookies (Google Analytics based), and marketing cookies for advertising attribution. Domains setting cookies include teamviewer.com, login.teamviewer.com, and web.teamviewer.com.
For the desktop client used in internal IT support, consent is generally not required as legitimate interest or contract performance applies. However, when using TeamViewer for external customer support, explicit consent from the end user is recommended before initiating the remote connection. The web portal and website require cookie consent under the ePrivacy Directive for analytics and marketing cookies. Session recording always requires specific legal basis and employee notification.
Internal IT support sessions typically rely on contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)). Connection logging for security and audit purposes is covered by legitimate interest. Session recording requires specific justification, often consent or a documented legitimate interest with employee notification. Customer facing remote support should be based on consent. Web portal analytics cookies require consent under ePrivacy rules.
TeamViewer SE is headquartered in Germany with primary data centers in the EU (Germany, Austria, Netherlands). However, TeamViewer's global routing infrastructure means connection metadata may transit through US and Asia Pacific servers. Enterprise customers can configure EU routing preferences to minimise non EU data flows. TeamViewer provides a DPA with SCCs covering international transfers. Session content itself is transmitted via end to end encrypted P2P connections that TeamViewer cannot access.
A DPIA is recommended for TeamViewer deployments, particularly when the tool provides access to devices containing sensitive personal data, when unattended access is configured on servers or workstations, when session recording is enabled, or when deployed at scale across an organisation. The key risk is that remote access inherently grants potential visibility into all data on the target device, making the privacy impact proportional to the sensitivity of data accessible on managed endpoints.
Execute the TeamViewer DPA via the management console. Create an internal remote access policy defining when and how TeamViewer may be used. Inform employees their screens may be accessed during support. Configure role based access controls limiting which technicians can reach which devices. Enable connection logging and audit trails. Disable session recording unless legally justified. Configure EU routing for enterprise deployments. Deploy cookie consent for web portal embeds. Include TeamViewer in your DPIA.
Alternatives include RustDesk (open source, self hosted remote desktop), Apache Guacamole (open source clientless remote desktop gateway), AnyDesk (German based alternative with EU data centers), Meshcentral (open source self hosted remote management), and Remmina (open source Linux remote desktop client). For organisations prioritising data sovereignty, self hosted solutions like RustDesk or Meshcentral eliminate reliance on third party routing infrastructure entirely.
If you embed TeamViewer support widgets or quick support links on your website, document the cookies set by teamviewer.com and login.teamviewer.com domains. Specify the authentication, analytics, and marketing cookies deposited. Describe the connection metadata collected during remote sessions (IP addresses, device names, timestamps). Reference TeamViewer's role as data processor and the DPA with SCCs. Provide instructions for users to manage consent and end remote sessions at any time.