GDPR
PREAMBLE:
1. Considering the service provision contract ("Framework Agreement"), the Operator (Client) using the services of the Authorized Person (Provider);
2. Considering that the Provider has the status of an authorized person, and the Client has the status of an operator, the authorized person has access to personal data belonging to the Operator;
3. This Agreement is an integral part of the Service Provision Contract.
4. This Agreement takes into account the data protection principles provided by the General Data Protection Regulation No. 2016/679 applicable from May 25, 2018 ("GDPR") and, in particular, the requirements governing the collection, processing, and use of personal data by the Authorized Person on behalf of the Operator.
The Parties have agreed to conclude this Annex with the following provisions:
1. Definitions
| "Service Provision Contract" or "Framework Agreement" | Represents the Contract entered into between Fx Studio Software SRL and its clients (users of the "Zen Agenda" application) through which the latter will benefit from a technical solution for managing online appointments or via SMS. The Contract may be concluded physically, by signing by the parties or electronically, by accepting the Terms and Conditions within the "Zen Agenda" application. |
| “Operator” | means the entity that determines the purposes and means of processing personal data. |
| “Data Subject” | means any identified or identifiable person to whom the personal data refers. |
| “GDPR” | means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. |
| “Personal Data” | means any information relating to an identified or identifiable natural person. |
| “Processing” | designates any operation or set of operations performed on personal data, whether or not by automated means, such as, for example, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, erasure or destruction. |
| “Processor” | designates the entity that processes personal data on behalf of the Operator. |
| “Special Categories of Personal Data” | designates personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, processing of genetic data, biometric data for the unique identification of a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person. |
| "Authorized Representative" | means any person designated by or on behalf of the Authorizer to process personal data. |
| "Supervisory Authority" | means the National Supervisory Authority for Personal Data Processing or any other authority to which responsibilities for data protection have been assigned in accordance with GDPR. |
2. SUBJECT OF THE AGREEMENT
2.1. The subject of this Agreement consists of the processing activity to be carried out by the Authorizer in connection with the Service Provision Contract.
2.2. The Authorizer will process Personal Data only on behalf of the Operator and for the purposes set forth in this Annex, except in situations provided by law that require the Authorizer to process Personal Data for its own purposes. In this latter case, the Authorizer informs the Operator about this legal requirement prior to processing, unless the law prohibits such notification for reasons of public interest.
2.3. Any collection, processing, or use of Personal Data, including correction, deletion, blocking, and transfer of personal data, is subject to the instructions of the Operator, unless otherwise provided in this Agreement.
2.4. The provisions of this Agreement take precedence over the provisions of the Framework Contract regarding the collection, processing, and full use of personal data by the Processor on behalf of and based on the instructions of the Operator. Any existing provisions in the Framework Contract regarding the processing of Personal Data by the Processor will be replaced by the provisions of this Agreement, from the date of its entry into force.
2.5. The Personal Data necessary for carrying out the processing activities and the group of individuals whose data is processed, as well as the details related to the collection and processing of data, are specified below.
2.6. The Parties understand that the Personal Data processed by the Processor on behalf of and for the Operator remains the property of the Operator and the data subjects, and the performance of the processing operations does not involve any transfer of ownership over the data.
3. DURATION OF THE AGREEMENT
3.1. This Agreement enters into force on the date the user logs into the application, acceptance of it being a prerequisite for using the application, and will remain in force until the termination of the Service Provision Contract.
4. PROCESSING ACTIVITY BY THE PROCESSOR
4.1. The personal data that will be subject to Processing are as follows:
- Address
- Age
- Citizenship
- Personal Identification Number (CNP)
- Position within the company
- Authentication data (PIN password)
- Authentication data (username)
- Credit/debit card details
- Client's financial data
- Date of birth
- Education
- Email address
- Employee identification number
- Employee's financial data
- Fax number
- First name and/or last name
- Gender
- Geolocation data
- IBAN
- Image
- IP address
- Position
- Marital status
- Copies of personal documents
- Phone number(s) (contact)
- Place of birth
- Results of data collection for profile creation
- Series and number of identity card, passport, and/or driver's license
- Signature (handwritten, electronic copies of the signature)
- Accounts on social media platforms (Facebook, LinkedIn, Instagram, Yahoo, etc.)
- Vehicle registration number
- Web cookies
- Appointments for consultations/meetings
4.2. Data Subjects whose personal data will be subject to Processing by the Processor:
- Individual clients;
- Representatives or contact persons within corporate clients;
- Employees of clients;
- Clients of clients;
- Representatives/agents/contact persons of business partners
- Website visitors
- Other data subjects ….. (please specify)
4.3. Purposes of Processing are as follows:
- Conclusion and execution of the service contract;
- Technical support for using the application;
- Invoicing and payments.
5. OBLIGATIONS
5.1. Processing. The Processor processes the Personal Data subject to this Agreement only at the request of the Operator. Under this Agreement, the Processor is not entitled to collect, process, or use the Personal Data for its own purposes.
5.2. Confidentiality. The Processor shall ensure that its personnel involved in the Processing of Personal Data have been informed about the confidential nature of the Personal Data, that they have received adequate training regarding their responsibilities, and that they have signed written confidentiality agreements.
5.3. Security measures. The Processor agrees and guarantees that it has implemented appropriate security measures to protect the Personal Data against accidental or unlawful destruction or against loss, alteration, disclosure, or unauthorized access and against all other illegal forms of Processing, and that these measures ensure an adequate level of security relative to the risks presented by the processing and the nature of the personal data that must be protected, taking into account the current state of technology and the cost of implementing them. The Processor will implement and maintain technical and organizational measures to adequately protect the Operator's personal data in accordance with legal provisions and will ensure compliance with these measures.
5.4. Impact assessment and prior consultation. The Processor shall assist the Controller, at the latter's request, to ensure compliance with the Controller's obligation to carry out a data protection impact assessment in accordance with section 35 GDPR, by providing relevant information requested by the Controller for the purpose of processing, and subsequently, if applicable, the Processor shall assist the Controller in the prior consultation procedure with the supervisory authority in accordance with section 36 GDPR.
5.5. Requests from the Data Subject. Within a maximum of 4 (four) working days from the date of receipt, the Processor shall inform the Controller of any request from a Data Subject to exercise the rights provided by GDPR. The Processor shall not respond to a Data Subject's Request without the prior consent of the Controller. The Processor shall provide reasonable assistance, at the request of the Controller, to honor such a Request from the Data Subject. However, the Controller remains solely responsible for informing and respecting the rights of individuals conferred by the General Data Protection Regulation.
5.6. Supervisory authority. Any inspection, request for information, or any other action by the Supervisory Authority regarding Personal Data shall be communicated by the Processor to the Controller within a maximum of 10 (ten) working days.
5.7. Records of processing activities. The Processor shall create, maintain, and constantly update a current record of processing activities in accordance with Art. 30 GDPR.
5.8. Location of processing. The Processor undertakes that the Processing shall not exceed the European Economic Area, except in cases where such transfer is legitimate under GDPR or other regulations.
5.9. Sub-processors. The Processor may subcontract its obligations under this Agreement to a Sub-processor to any third party, without the need for any agreement or prior formalities from the Controller.
6. TERMINATION OF THIS AGREEMENT AND CONSEQUENCES OF TERMINATION
6.1. This agreement terminates as follows:
(a) By written notice with immediate effect from the Controller, without the intervention of a court and without fulfilling any prior formalities, in the event that the Processor breaches any of the obligations imposed under this Agreement or any of the requirements imposed by national and European legislation for the protection of personal data. The notice takes effect within 10 days from the date of its communication.
(b) By termination of the Service Contract, regardless of the cause.
6.2. The termination of this Agreement and/or the Framework Contract, regardless of the cause, shall result in the return of all Personal Data by the Processor to the Operator, as well as the deletion of all Data by the Processor to the extent permitted by law. Data stored on any type of mobile storage devices shall be physically deleted prior to the removal of such devices. The Processor shall be responsible for ensuring that none of the personal data belonging to the Operator is transmitted to third parties or that the personal data stored on hardware systems that are to be modified is permanently deleted prior to the transfer of the hardware system to such third party.
7. INDEMNIFICATION
7.1. In the event that either Party suffers any damages as a result of a breach of this Agreement by the other Party, regardless of fault, the other Party shall be entitled to full indemnification for all losses, including all costs and expenses, and to utilize all available remedies to restore it to the position it would have been in had the breach not occurred.
7.2. For the purposes of this Agreement, "Damages" means any and all damages, fines, fees, penalties, investments, and current and future expenses incurred by either Party as a result of the other Party's breach of this Agreement.
8. FINAL PROVISIONS
8.1 This Agreement shall be read together with the Service Provision Contract. In case of conflict, this Agreement shall take precedence.
8.2 Any amendment to this Agreement shall be made in writing by an additional act signed by both Parties.
8.3 Any notification addressed by one Party to the other Party shall be made by registered letter with acknowledgment of receipt at the addresses indicated in the Framework Contract.
8.4 This Agreement is governed by the applicable law in Romania. The Parties shall attempt to resolve any misunderstanding amicably. If an amicable resolution is not possible, the dispute shall be resolved by the competent Romanian courts in accordance with the law.
Last Updated: 21.02.2019