Privacy policy of G DATA Business Software

In the following, we would like to inform you about which personal data G DATA processes and for what purposes. We will also inform you about other important details under data protection law, for example about your rights.
With G DATA Antivirus Business / Client Security Business / Endpoint Protection Business / Managed Endpoint Security / Mobile Device Management (hereinafter: "G DATA Business Software"), we offer you protection against viruses, Trojans, phishing and other malware. G DATA Business Software comprises several components in which we process personal data.

1. Responsible body and data protection officer

The controller for the data processing described below within the meaning of data protection regulations is the:

G DATA CyberDefense AG
Königsallee 178 a
44799 Bochum
Germany

E-mail: info@remove-this.gdata.de
You can also send further questions about data protection by e-mail to: dsgvo@remove-this.gdata.de

Data protection officer
Our data protection officer is:
Ali Chakari
Bitkom Servicegesellschaft mbH
Albrechtstrasse 10
10117 Berlin
Germany

You can send inquiries to the following e-mail address: datenschutz@remove-this.bitkom-consult.de

2. General information on data processing

a) Scope of the processing of personal data

We only process personal data of our users insofar as this is necessary to provide our service or to use our software.

b) Legal basis for the processing of personal data

G DATA processes personal data exclusively on the basis of the General Data Protection Regulation.

  1. Insofar as we obtain your consent for the processing of personal data, Art. 6 para. 1 sentence 1 lit. a GDPR serves as the legal basis.
  2. When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 sentence 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the initiation of a contract (pre-contractual measures).
  3. Insofar as the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 sentence 1 lit. c GDPR serves as the legal basis.
  4. If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 sentence 1 lit. f GDPR serves as the legal basis for the processing.

c) No automated decision-making

Automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements, does not take place within the scope of the data processing described.

3. Purposes and legal bases of data processing

a) Registration in the G DATA Business Software

To activate your trial version, we will ask you for your name and e-mail address during the registration process. You can also voluntarily enter your address. If you activate a paid license, this information will be linked to your registration number. You can also voluntarily enter the name of the dealer from whom you obtained the license. We use this data to activate your license and to ensure the proper licensing of our application.
This data is processed for the fulfillment of our contract or pre-contractual measures with you regarding the use of the respective G DATA Business Software in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

b) Malware detection

G DATA Business Software performs malware detection in various modules (e.g. Malware Scan, Bank Guard, Exploit Protection) to identify malware, detect suspicious application behavior and improve our detection techniques. In the event that G DATA Business Software identifies a malware find, we process unique identifiers for each device and application installation (e.g. unique identifiers of application installations, operating system used or malware finds and your IP address) as well as checksums of the files identified by our application as potentially malicious and their file path. We also use this data for statistical evaluation of malware found and its spread and to improve our analysis methods.
This data is processed to fulfill our contract with you for the use of the respective G DATA Business Software in accordance with Art. 6 Para. 1 S.1. lit. b GDPR. Our statistical evaluation of the processing takes place on the basis of your consent given in advance in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future. To do so, you can activate the corresponding opt-out option in the G DATA Business Software settings.

c) Updates to the G DATA Business Software

G DATA Business Software performs regular signature updates to maintain malware protection. We process your IP address and the information you provided during registration to check your license status.
This data is processed to fulfill our contract with you for the use of the respective G DATA Business Software in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

d) Web protection / web content control (optional module)

If you activate the "Web protection" or "Web content control" module, G DATA Business Software sends URLs accessed from your device to our server. We process this data to provide you with an assessment of the security of the URL accessed. In addition, we categorize URLs called up in order to prevent them from being called up according to your administrator's specifications. During the connection between our server and the requesting computer, the IP address of the requesting computer must be known. The IP address is not stored. In the event that a website is blocked, we use the IP address to calculate the country from which the request originated. The IP address is then discarded and it is no longer possible to identify the originator of the entry from the available data. We continue to use this data for statistical evaluation of harmful websites and their spread and to improve our analysis methods.
This data is processed to fulfill our contract with you for the use of the respective G DATA Business Software in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.  Our statistical analysis is based on our legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR for [name interest].

e) Spam filter (optional module)

If you activate the "Spam filter" module, G DATA Business Software processes incoming e-mails to analyze them for spam. We work together with our technology partner Data443 for this purpose. In order to compare and classify incoming e-mails with known spam messages, we transmit corresponding hash values to Data443 for e-mail components such as body, sender, recipient or subject.
This data is processed to fulfill our contract with you for the use of the respective G DATA Business Software in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

f) iOS Mobile Device Management

G DATA Business Software allows you to manage mobile iOS devices via the G DATA ActionCenter. To register or connect your device to the G DATA ActionCenter, we process unique device identifiers and the data you provided during registration. Apple Push Notification Service is used to communicate with the iOS device to assign the configured profile. After assigning an iOS device to a ManagementServer, certain device information is available, such as the phone number and IMEI.
This data is processed to fulfill our contract with you for the use of G DATA Business Software in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

g) Android Mobile Device Management

G DATA Android Device Management and the G DATA Endpoint Security app allow you to manage mobile Android devices centrally via a web service. G DATA Endpoint Security uses Google Firebase Cloud Messaging (FCM) to perform emergency actions on the Android device remotely via G DATA Android Device Management. When an emergency action is triggered, a unique device identifier is processed via Google FCM. When the "Locate device" action is triggered, the location data of the Android device is also retrieved. The location determination function provided by the Android operating system is used for this. The location data is only retrieved when the "Locate device" action is used and is not tracked.
As part of G DATA Android Device Management, it is also possible for administrators to make settings for the possible uses of Android apps. This gives administrators a complete overview of all apps installed on the devices they manage.
This data is processed to fulfill our contract with you for the use of the respective G DATA Business Software in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

h) Newsletter and advertising

If you give your consent, we will use your contact details (name, email address) to conduct surveys and marketing campaigns, including to send you our newsletter and information about product updates. We also carry out analyses by individually measuring, storing and evaluating opening rates and click rates in recipient profiles for the purpose of tailoring future communications to your interests.
All details on the marketing measures we carry out can be found in the privacy policy of our website.

i) Anonymized further processing for product improvement

As part of our software, we use telemetry and log data to continuously improve the performance of our products and optimize your user experience. This data is anonymized and aggregated to protect personal information. Further processing of your telemetry and log data allows us to gain insights into the usage patterns of our software and identify potential problems or opportunities for improvement. This allows us to develop targeted updates and feature enhancements to increase your satisfaction with our products. We will only use your telemetry and log data for internal analysis purposes and will not share it with third parties unless required by law or expressly authorized by you.
The further processing of your telemetry and log data serves our legitimate interest (pursuant to Art. 6 para. 1 lit. f GDPR) in the provision and improvement of a high-quality and reliable software solution. Please note that you have the right to object to the collection and processing of your telemetry and log data at any time.

4. Recipients or categories of recipients of the data

G DATA transfers your personal data to the following recipients or categories of recipients:

Data443 Risk Mitigation Inc.

4000 Sancar Way,

Suite 400, Research Triangle Park,

27709 North Carolina, USA

If your personal data is transferred to G DATA service providers, this is done on the basis of contracts for order processing in accordance with Art. 28 GDPR.

G DATA does not sell personal data.

5. Third country transfer

Third countries are all countries outside the European Economic Area (EEA). The European Economic Area includes all countries of the European Union as well as the countries of the so-called European Free Trade Association. These are Norway, Iceland and Liechtenstein.

A third country transfer takes place for the spam filter option:

Data443 Risk Mitigation Inc.

4000 Sancar Way,

Suite 400, Research Triangle Park,

27709 North Carolina, USA

G DATA transfers personal data to third countries outside the EEA on the basis of an adequacy decision by the European Commission. If there is no adequacy decision of the European Commission for the respective third country, the transfer to a third country is based on appropriate safeguards within the meaning of Art. 46 (2) GDPR. Copies of these guarantees can be requested from us at the above address.

6. Storage duration of your data

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which we as the controller are subject.

We store your registration and user data for the entire term of your license and delete it no later than three months after the end of your license.

With the spam filter option, personal data is deleted after 90 days.

We delete further contract and tax-relevant data in accordance with the statutory requirements of 10 years from the calendar year in which the license ends.

We anonymize your telemetry and log data at the time of collection and process it as described.

7. Your rights as a data subject

With regard to the data processing listed here, you are entitled to various data subject rights that are regulated in the GDPR.


Right to information (Art. 15 GDPR) - You have the right to request information from us about your stored personal data. On request, we will provide you with a copy of the data that is the subject of the processing.

Right to rectification (Art. 16 GDPR) - You can request that we rectify inaccurate personal data.

Right to erasure (Art. 17 GDPR) - You have the right to request that we erase your personal data. Among other things, we are obliged to erase your personal data if it is no longer necessary for the purposes for which it was collected or otherwise processed, if you have withdrawn your consent or if the data has been processed unlawfully.

Right to restriction (Art. 18 GDPR) - Under certain conditions, you have the right to demand that we restrict processing. This includes if you dispute the accuracy of your personal data and we must verify your objection. In this case, your data may not be further processed by us, with the exception of storage, until the question of accuracy has been clarified.

Right to data portability (Art. 20 GDPR) - You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, provided that the data processing is based on your consent or a contract.

Right to withdraw consent at any time (Art. 7 GDPR) - If the data processing by us is based on your consent, you have the right to withdraw your consent at any time. The legality of the processing carried out on the basis of the consent until the revocation remains unaffected by the revocation.

Right to object at any time (Art. 21 GDPR) - If the processing of your data by us is based on the performance of a task carried out in the public interest or in the exercise of official authority (Art. 6 para. 1 sentence 1 lit. e GDPR) or if the data processing is based on legitimate interests on our part, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. We will then stop the processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests in stopping the processing.

You can object to the processing of your personal data for direct marketing purposes at any time without restriction.

Right to lodge a complaint (Art. 77 GDPR) - You also have the right to lodge a complaint with a data protection supervisory authority. You can contact the data protection supervisory authority of your usual place of residence or our company headquarters. The address of the supervisory authority responsible for us is

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia

Kavalleriestrasse 2 - 4

40213 Düsseldorf

8. Final provisions

G Data reserves the right to amend this Privacy Policy at any time to ensure that it always complies with current legal requirements or to implement changes to the services in the Privacy Policy, e.g. when introducing new services or changes to the G DATA Business Software.

Status of the privacy policy: August 2024.