PREAMBLE:
1. Considering the service agreement (“Master Agreement”), the Controller (Client) uses the services of the Processor (Provider);
2. Considering that the Provider acts as a Processor and the Client as a Controller, the Processor has access to personal data belonging to the Controller;
3. This Agreement is an integral part of the Service Agreement;
4. This Agreement takes into account the data protection principles laid down in Regulation (EU) 2016/679, applicable from May 25, 2018 (“GDPR”), especially the requirements governing the collection, processing, and use of personal data by the Processor on behalf of the Controller.
The parties have agreed to conclude this Annex with the following provisions:
1. Definitions
“Service Agreement” or “Master Agreement” | This is the agreement between Fx Studio Software SRL and its clients (users of the “Zen Agenda” app), under which the latter benefit from a technical solution for managing online or SMS appointments. The agreement can be concluded physically by both parties signing it, or electronically by accepting the Terms and Conditions within the “Zen Agenda” app. |
“Controller” | means the entity that determines the purposes and means of processing personal data. |
“Data Subject” | means any identified or identifiable individual to whom the personal data refers. |
“GDPR” | means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC. |
“Personal data” | means any information relating to an identified or identifiable natural person. |
“Processing” | means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
“Processor” | means the entity that processes personal data on behalf of the Controller. |
“Special categories of personal data” | refers to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data for uniquely identifying a person, health data, or data concerning a person’s sex life or sexual orientation. |
“Sub-processor” | means any person appointed by or on behalf of the Processor to process personal data. |
“Supervisory Authority” | means the National Supervisory Authority for Personal Data Processing or any other authority assigned data protection responsibilities under the GDPR. |
2. PURPOSE OF THE AGREEMENT
2.1. The purpose of this Agreement is the data processing activity to be carried out by the Processor in relation to the Service Agreement.
2.2. The Processor shall process Personal Data only on behalf of the Controller and for the purposes set out in this Annex, except where legally required to process Personal Data for its own purposes. In such cases, the Processor shall inform the Controller of the legal requirement prior to processing, unless the law prohibits such notification for reasons of public interest.
2.3. Any collection, processing, or use of Personal Data, including correction, deletion, blocking, and transfer of personal data, shall be subject to the Controller’s instructions, unless otherwise specified in this Agreement.
2.4. The provisions of this Agreement take precedence over those in the Master Agreement regarding the collection, processing, and use of personal data by the Processor on behalf of the Controller. Any existing provisions in the Master Agreement concerning data processing by the Processor shall be replaced by the terms of this Agreement as of its effective date.
2.5. The Personal Data required for processing activities and the group of individuals whose data are processed, as well as details related to the collection and processing of data, are specified below.
2.6. The parties understand that the Personal Data processed by the Processor on behalf of the Controller remain the property of the Controller and the data subjects, and that processing operations do not involve any transfer of ownership of the data.
3. DURATION OF THE AGREEMENT
3.1. This Agreement enters into force on the date the user logs into the application, with its acceptance being a prerequisite for using the application, and remains in effect until the termination of the Service Agreement.
4. PROCESSING ACTIVITY BY THE PROCESSOR
- Address
- Age
- Citizenship
- Personal ID number
- Position within the company
- Authentication data (PIN/password)
- Authentication data (username)
- Credit/debit card details
- Client’s financial data
- Date of birth
- Education
- Email address
- Employee identification number
- Employee financial data
- Fax number
- First and/or last name
- Gender
- Geolocation data
- IBAN
- Image
- IP address
- Job title
- Marital status
- Copies of personal documents
- Phone number(s) (contact)
- Place of birth
- Results of data collection for profiling
- Series and number of ID card, passport and/or driver’s license
- Signature (handwritten, electronic copies of signature)
- Social media accounts (Facebook, LinkedIn, Instagram, Yahoo, etc.)
- Vehicle registration number
- Web cookies
- Appointments for consultations/meetings
4.2. Data Subjects whose Personal Data will be processed by the Processor:
- Individual clients;
- Representatives or contact persons of corporate clients;
- Employees of the clients;
- Clients of the clients;
- Representatives/agents/contact persons of business partners;
- Website visitors;
- Other data subjects ….. (please specify)
4.3. The purposes of Processing are as follows:
- Conclusion and execution of the service agreement;
- Technical support for application usage;
- Invoicing and payments.
5. OBLIGATIONS
5.1. Processing. The Processor shall process the Personal Data covered by this Agreement only at the Controller’s request. Under this Agreement, the Processor is not entitled to collect, process, or use Personal Data for its own purposes.
5.2. Confidentiality. The Processor shall ensure that its staff involved in the Processing of Personal Data has been informed of the confidential nature of such data, has received appropriate training regarding their responsibilities, and has signed written confidentiality agreements.
5.3. Security measures. The Processor agrees and guarantees that it has implemented appropriate security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and all other unlawful forms of Processing. These measures ensure a security level appropriate to the risks involved and to the nature of the data to be protected, considering the current state of technology and the cost of implementation. The Processor shall implement and maintain technical and organizational measures to adequately protect the Controller’s personal data in accordance with legal provisions and ensure compliance with these measures.
5.4. Data Protection Impact Assessment and Prior Consultation. The Processor shall assist the Controller, upon request, in ensuring compliance with the Controller’s obligation to conduct a data protection impact assessment pursuant to Article 35 GDPR by providing relevant information required for the processing purpose. If necessary, the Processor shall also assist in the prior consultation procedure with the supervisory authority under Article 36 GDPR.
5.5. Requests from the Data Subject. Within a maximum of 4 (four) business days of receipt, the Processor shall inform the Controller of any request received from a Data Subject to exercise their rights under the GDPR. The Processor shall not respond to any such request without the Controller’s prior approval. Upon request, the Processor shall provide reasonable assistance in fulfilling such Data Subject requests. However, the Controller remains solely responsible for informing data subjects and ensuring the respect of their rights under the General Data Protection Regulation.
5.6. Supervisory Authority. Any inspection, request for information, or other action by the Supervisory Authority regarding Personal Data shall be brought to the Controller’s attention by the Processor within no more than 10 (ten) business days.
5.7. Records of processing activities. The Processor shall create, maintain, and continuously update a record of processing activities in accordance with Article 30 of the GDPR.
5.8. Location of processing. The Processor undertakes that the Processing shall not take place outside the European Economic Area, unless such transfer is legitimate under the GDPR or other applicable regulations.
5.9. Sub-processors. The Processor may subcontract its obligations under this Agreement to any Sub-processor or third party without requiring any prior consent or formalities from the Controller.
6. TERMINATION OF THIS AGREEMENT AND ITS CONSEQUENCES
6.1. This Agreement shall terminate as follows:
(a) By written notice with immediate effect from the Controller, without court intervention or any prior formalities, if the Processor breaches any of the obligations set forth in this Agreement or any requirements imposed by national or European data protection laws. The notice becomes effective 10 days from the date of its communication.
(b) Upon termination of the Service Agreement, regardless of the reason.
6.2. Termination of this Agreement and/or the Master Agreement, regardless of the reason, shall result in the return of all Personal Data by the Processor to the Controller, as well as the deletion of all such data by the Processor to the extent permitted by law. Any data stored on mobile storage devices shall be physically deleted before disposing of such devices. The Processor shall be responsible for ensuring that no personal data belonging to the Controller is transferred to third parties and that data stored on hardware systems to be repurposed is permanently deleted before being transferred to any third party.
7. INDEMNIFICATION
7.1. If either Party suffers any damage as a result of the other Party’s breach of this Agreement, regardless of fault, the injured Party is entitled to full compensation for all losses, including all costs and expenses, and to pursue all available remedies to be placed in the position it would have been in had the breach not occurred.
7.2. For the purpose of this Agreement, “Damages” means any and all compensations, fines, fees, penalties, investments, and current or future expenses incurred by one Party as a result of the other Party’s breach of this Agreement.
8. FINAL PROVISIONS
8.1. This Agreement shall be read in conjunction with the Service Agreement. In case of conflict, this Agreement shall prevail.
8.2. Any amendment to this Agreement shall be made in writing through an addendum signed by both Parties.
8.3. Any notice given by one Party to the other must be sent by registered letter with acknowledgment of receipt to the addresses specified in the Master Agreement.
8.4. This Agreement is governed by the laws of Romania. The Parties shall attempt to resolve any dispute amicably. If an amicable solution is not possible, the dispute shall be settled by the competent Romanian courts in accordance with the law.
Last Update: 27.01.2025