1. Definitions
1.1.
In addition to the terms defined elsewhere in this Agreement and the Main Agreement, for all the purposes of the subject matter hereof, the terms included in Annex 1 (the “Definitions”) herein shall have the meanings set forth therein.
1.2.
The Parties mutually agree and understand that for the purposes of this Agreement, all the definitions of the European Data Protection Laws are adopted.
2. Your responsibilities
2.1.
In line with the provisions of this DPA and Main Agreement, You are responsible to comply as Data Controller with all requirements applicable to your operations under applicable Data Protection Laws, for the Processing of Personal Data.
2.2.
You agree and acknowledge that, without prejudice to the generality of the below, You are responsible for: (i) the accuracy, quality and legality of the Personal Data provided by You to the Company for the purposes of the Services, as well as the means and methods by which they were acquired; (ii) compliance with all transparency and lawfulness requirements necessary under applicable Data Protection Laws, including European Data Protection Laws; (iii) the collection and use of Personal Data, including obtaining the necessary consents and authorisations, in particular for use by the User for marketing purposes; (iv) ensuring that You have the right to transfer Personal Data to us, or to provide us with access to it, for Processing in accordance with the terms of this DPA and the Main Agreement; (v) ensuring that You comply with any legislation applicable to You, including, among others, Data Protection Laws, for any email or other content created, sent or otherwise managed through our Services.
2.3.
You hereby confirm and agree to inform the Company promptly and without any undue delay in the event that You cannot comply with Your obligations hereunder, and specifically under applicable Data Protection Laws.
2.4.
You hereby acknowledge and understand that the provisions of this document, any relevant provision of the Main Agreement and any additional written request in Your capacity as Data Subject shall constitute the complete and final Instructions from You as Data Controller for the purposes of this DPA, for and in relation to the Processing of Your Personal Data.
2.5.
You hereby acknowledge, understand and agree that any additional Instruction outside the scope of this document shall require Your prior written request.
3. Responsibilities of the Company
3.1.
The Company shall only Process Personal Data for the purpose described in this DPA and in line with Annex 2 herein (the “Details of Processing”) or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by the Data Protection Laws, including but not limited to European Data Protection Laws and other applicable laws and regulations relevant to the Parties.
3.2.
The Company is not responsible for compliance with applicable data protection laws that apply solely to You and/or Your industry and are not legally applicable to the operations of SimplyBook.me Ltd.
3.3.
The Company shall notify You immediately and without any undue delay, to the extent permitted by law, where the latter is deemed unable to Process Personal Data in accordance with the provisions of this DPA and due to legal requirements of applicable laws and/or regulations.
Security
3.4.
By considering the state of art, the costs of implementing and the nature, scope, context and purposes of Processing of Personal Data pursuant to the provisions of this DPA, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the Company shall implement and maintain appropriate technical and organisational measures to ensure the appropriate level of security to that risk, as per provisions of Annex 3 herein (collectively the “Security Measures”).
3.5.
The Company shall ensure that the Security Measures form part of its implemented Information Security Management System (the “ISMS”), in line with the ISO/IEC 27001:2013 standard and issued certificate by an accredited certifying body.
3.6.
Notwithstanding any provision to the contrary, the Company may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures and/or comply with relevant laws and legal obligations.
Confidentiality
3.7.
The Company hereby ensures that any worker or appointed person authorised to Process Personal Data for and on our behalf is subject to appropriate confidentiality obligations, contractual and statutory obligations with respect to that Personal Data.
Personal Data Breaches
3.8.
The Company hereby agrees to notify You promptly and without undue delay once becoming aware of any Personal Data Breach, following the provisions of applicable Data Protection Laws and where necessary provide You with information as it becomes known or reasonably requested by You.
3.9.
The Company hereby undertakes to promptly provide You with all reasonable assistance necessary to enable the notification of relevant Personal Data Breaches to the competent authorities and/or affected Data Subjects, in accordance with applicable Data Protection Laws and upon written request.
Deletion or Return of Personal Data
3.10.
SimplyBook.me hereby agrees to delete or return to You all Personal Data relating to the Main Agreement and this DPA, including but not limited to copies of Personal Data which was Processed for the purpose of this DPA, on termination or expiration of Services, in line with the relevant provisions of the Main Agreement.
3.11.
The requirement herein shall be exercised pursuant to any applicable law which may require to retain some or all Personal Data, subject to additional security measures such as isolation and protection from further Processing.
4. Data Subject Requests
4.1.
You hereby acknowledge, agree and accept that the Company will provide You with controls in the Software through which You can retrieve, correct, delete or restrict Personal Data in order to assist You in connection with the requirements of Data Protection Laws.
4.2.
The Company may, upon Your written request, provide reasonable assistance in responding to any Data Subject Request or requests from Data Protection Authorities relating to the Processing of Personal Data under this DPA, subject to any reimbursement deemed necessary.
4.2.
You assume full, exclusive and sole responsibility for responding to Data Subject request(s) or other communication concerning the Processing of Personal Data of the person(s) identified as Your client which may be addressed to the Company, subject to prompt notification of such request by us to You.
5. Sub-processors
5.1.
You hereby acknowledge, agree, accept and authorise the appointment of the Sub-Processors for the Process of Personal Data pursuant to this DPA and Main Agreement included in Annex 4 herein, the Sub-Processors’ List.
5.2.
The Company hereby ensures that, where a Sub-Processor is appointed, the relevant legal agreement concluded between them shall include adequate data protection terms subject to the appropriate Data Protection Laws and shall impose at least the same level of protection of Personal Data as the provisions of this DPA and, where deemed necessary, shall include the latest version of the Standard Contractual Clauses published by the European Commission.
5.2.
SimplyBook.me shall remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.
6. Data transfers
6.1.
You hereby acknowledge, consent and authorise the Company, subject to the provisions herein, to perform the Data Transfers necessary for internal and external business operations to third parties identified as Sub-Processors herein, which may be located outside the EU and/or the EEA.
6.2.
Pursuant to clause 6.1. above, both Parties hereby confirm and agree that any Data Transfer shall be carried out solely for the purposes of the Main Agreement, this DPA and any additional written Instruction communicated by You to the Company, solely for the subject matter thereof.
6.3.
The Parties hereby mutually agree that pursuant to clause 6 herein, the Company shall perform any and all Data Transfers subject to the provisions of Chapter 5 (Articles 44-50) of the GDPR and always in compliance with the requirements of applicable Data Protection Laws for the duration of this DPA and the Main Agreement.
6.4.
Pursuant to clause 6.3 above, the Company shall not perform any Transfer of European Data to any country or recipient not recognised as providing an adequate level of protection for Personal Data, in accordance with the provisions of European Data Protection Laws, unless measures are first taken to ensure that the transfer complies with applicable European Data Protection Laws.
Adequate Level of Protection
6.5.
Pursuant to clause 6.4 above, the Company shall not authorise any Data Transfer to a country that is not recognised as providing an adequate level of protection via:
6.5.1.
a valid Adequate Decision issued by the European Commission, subject to Article 45 of the GDPR and as this may be illustrated at the official website of the European Commission (Adequacy Decisions);
6.5.2.
approved and authorised Binding Corporate Rules, subject to Article 47 of the GDPR;
6.5.3.
conclusion and reliance on approved Standard Contractual Clauses, subject to relevant European Data Protection Laws and as per the official website of the European Commission (Standard Contractual Clauses (SCC)).
6.6.
The Parties hereby acknowledge and agree that SimplyBook.me shall not rely on the EU-US Privacy Shield and related principles for the purposes of transferring Personal Data and ensure appropriate measures are taken to comply with applicable Data Protection Laws as may be amended from time to time.
7. Standard Contractual Clauses for the Parties
7.1.
The Parties hereby conclude the Standard Contractual Clauses, as per Annex 5 solely for the purposes of the Main Agreement and the provision of the Services which form part of this DPA, as may be amended to reflect any changes to the European Data Protection Laws.
7.2.
The Parties hereby mutually understand and agree that the Company undertakes the rights and obligations of the Data Importer and subsequently other Party, the rights and obligations of the Data Exporter, as defined in the Standard Contractual Clauses and/or the UK IDTA, and those shall come into effect on the later of either Party becoming a party to them and the commencement of the relevant data transfer.
7.3.
The Parties hereby agree that where European Data fall under the application of the UK GDPR, the UK IDTA shall be incorporated and form part of this Agreement as included in Annex 6 herein.
7.4.
The Parties hereby mutually agree that where the Standard Contractual Clauses or the UK IDTA are applicable and there is a conflict with any provision of this DPA, the Standard Contractual Clauses or the UK IDTA accordingly, will prevail to the extent of such conflict for the subject matter.
8. Additional provisions
European Data
8.1.
This part of the DPA applies to European Data for the purposes of the Main Agreement.
8.2.
The Parties hereby agree that when Processing European Data in accordance with the Instructions, You are the Controller of European Data and SimplyBook.me Ltd is the Processor.
8.3.
SimplyBook.me reserves the right to inform You where Instructions infringe European Data Protection Laws, as and when applicable, without undue delay.
8.2.
SimplyBook.me will make any necessary changes to Annex 4 regarding the appointed Sub-Processors and give you the opportunity to be notified via email in which case You have the opportunity to object to the engagement on reasonable grounds relating to this DPA and within 30 (thirty) days after such notification.
8.5.
The Company shall, to the extent that the required information is reasonably available and you do not otherwise have access to the required information; provide reasonable assistance to You with any Data Protection Impact Assessments (“DPIA”), and prior consultations with Supervisory Authorities or other competent Data Privacy Authorities to the extent required by European Data Protection Laws.
8.6.
SimplyBook.me shall make all information reasonably necessary to demonstrate compliance with provisions herein, available to You and may allow for audits including but not limited to inspections.
8.7.
The Data Processor has appointed a Data Protection Officer (“DPO”) in line with the European Data Protection Laws and can be contacted for the purposes of this DPA and Main Agreement via email: dpo@simplybook.me.
Other Data
8.8.
This part of the DPA applies to Personal Data other than European Data, under the provisions of applicable Data Protection Laws.
8.9.
The Parties agree that SimplyBook.me Ltd shall Process such Personal Data strictly in accordance with applicable Data Protection Laws and solely for the purposes of providing the Services under the provisions of the Main Agreement.
8.10.
The Parties shall enter into any additional agreements required by law for the purpose of complying with the applicable Data Protection Laws.
9. Parties to the DPA
9.1.
By signing the Main Agreement, You as a User of the System enter into this DPA on behalf of Yourself and where applicable and to the extent permitted by law and applicable Data Protection Laws, in the name and on behalf of Your Permitted Affiliates, establishing a separate DPA between us and each such Permitted Affiliate subject to the Agreement and provisions herein.
9.2.
You hereby agree and acknowledge that each Permitted Affiliate agrees to be bound by the obligations of this DPA and as applicable to the Main Agreement.
9.3.
You hereby agree and acknowledge that to the extent permitted by law, for the purposes of this DPA and except as otherwise provided herein, “User”, “You” and “Your” will include You and such Permitted Affiliates.
9.4.
The legal entity agreeing to this DPA as User represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
10. General provisions
10.1.
This DPA will remain in force from the Effective Date and until the Data Controller or Data Processor terminates the Main Agreement, in line with applicable provisions and pursuant to provisions which shall remain valid irrespective of termination of the DPA and/or the Main Agreement.
10.2.
This DPA may be terminated by either party with a 30 (thirty) days written notice, pursuant to the provisions of the Main Agreement and by cancelling the system in system settings.
10.3.
Notwithstanding anything else to the contrary in this DPA and Main Agreement, SimplyBook.me reserves the right to make any updates and amendments to this DPA subject to any additional terms herein.
10.5.
If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
10.5.
Neither party may, without the prior written consent of the other party assign, transfer, charge, license or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.
10.6.
The Parties and Permitted Affiliates' liability arising out of or related to this DPA in whole whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Main Agreement.
10.7.
The Parties hereby agree and accept the choice of the jurisdiction indicated in the Main Agreement in respect of this DPA.
ANNEX 1: DEFINITIONS
“Data Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws”: means all applicable worldwide legislation relating to data protection and privacy which applies to the respective Party in the role of Processing Personal Data in question under the Agreement, including without limitation: (1) the European Data Protection Laws; (2) the California Consumer Privacy Act of 2018 (“CCPA”); (3) the data protection and privacy laws of Australia and Singapore; (4) and other; in each case as amended, repealed, consolidated or replaced from time to time.
“Data Subject”: means the individual to whom Personal Data relates.
“Data Processor”: means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.
"Europe": means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
“European Data”: means Personal Data that is subject to the protection of European Data Protection Laws, defined below.
"European Data Protection Laws": means data protection laws applicable in Europe, including:
(1) Regulation 2016/679 - the EU General Data Protection Regulation ("GDPR");
(2) Directive 2002/58/EC - the Directive on privacy and electronic communications;
(3) applicable national implementations of 1 and 2 points above;
(4) any applicable national legislation that replaces or converts in domestic law the GDPR;
(5) the Data Protection Act 2018 of the United Kingdom (the “UK GDPR”) in each case, as may be amended, superseded or replaced.
“EU-US Privacy Shield”: the self-certification program operated by the U.S. Department of Commerce and approved by the European Commission, as may be amended, superseded or replaced.
“Instructions”: any written, documented instructions issued by the Data Controller to the Data Processor, and directing the same to perform a specific or general action with regard to Personal Data, including, but not limited to, depersonalizing, blocking, deletion, making available.
"Permitted Affiliates": shall include any of Your Affiliates that is permitted to obtain the Services on your behalf, pursuant to the Main Agreement, but have not signed their own separate agreement with us and are not users and qualify as a Controller of Personal Data Processed by us, and can be subject to European Data Protection Laws.
“Personal Data”: means any information relating to an identified or identifiable individual where such information is contained within the Account (as defined in the Main Agreement) and is protected as other personal information or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach”: shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Services but does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Processing”: shall mean any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data and the terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Services”: shall have the same meaning as in the Main Agreement.
“Standard Contractual Clauses”: means the standard contractual clauses for Data Processors approved pursuant to the European Commission’s relevant decision and as included in Annex 5 herein which forms part of the Agreement and as may be amended, superseded or replaced.
“Sub-Processor”: means any Data Processor engaged by us to assist fulfilling our obligations with respect to the provision of the Services under the Main Agreement and may include third parties, excluding any employee or consultant of SimplyBook.me Ltd.
ANNEX 2: DETAILS OF PROCESSING
Nature and Purposes of the Process: the Company will Process Personal Data as required for the purposes of providing the SimplyMeet.me Online Solution as per the provisions of the Main Agreement and as may further be specified in additional documentation which forms part of the Main Agreement and DPA.
Duration of the Processing: subject to any provisions contained herein specifying otherwise, Processing of Personal Data shall occur for the duration of the Main Agreement, unless otherwise agreed in writing.
Categories of Data Subjects: pursuant to the provisions of the Main Agreement, Data Subjects shall include any type of User’s clients and therefore may vary by the system usage from the Data Controller.
Categories of Personal Data: pursuant to the provisions of the Main Agreement, categories of Personal Data may vary in accordance with the usage of the System and may cover the below:
Usage Data: company information, IP address, geographical location, browser type and version, operating system, referred source, length of visit, and page views and website navigation paths, as well as information about the timing, frequency and pattern of your system use.
Account Data: name, contact email address, profile photo, bio, other details to your profile information displayed in your SimplyMeet.me Account.
Query Data: name, contact email address, other details you include in the communication means.
Financial data: such as your name, surname, contact details and transaction details which may contain personal data.
Other data which you may include in the Account.
Special Categories of Personal Data (where applicable): N/A
Processing Operations: include the standardised internal processes in which system users’ data are continuously or systematically collected, stored and used for the provision of the Services, in line with the Main Agreement.
ANNEX 3: SECURITY MEASURES
1. This Annex 3: Security Measures forms part of the DPA and all capitalised terms, not otherwise defined herein, shall have the same meaning set forth in the Main Agreement.
2. The measures herein form part of the ISMS which shall be maintained in accordance with best practices and standards.
A. ACCESS CONTROL AND MANAGEMENT
The Company has taken appropriate measures to prevent unauthorised access to the System, network, applications and eventually Personal Data such as: (a) implementation and maintenance of Access Control Policies and Procedures as part of the internal Information Security Management System (“ISMS”); (b) following of access rules based on the “need-to-know” and “least privilege”; (c) restriction principles for direct access to databases.
B. ENCRYPTION
The Company shall use appropriate encryption technologies to protect Personal Data and where applicable for data in transit (for all communications, between end-users and server).
C. INFORMATION CLASSIFICATION AND HANDLING
The Company shall have in place an appropriate Record of Processing Operations, an Asset Handling Procedure and an Acceptable Use Policy all of which ensure that all information, including Personal Data are classified in accordance with its criticality and sensitivity to unauthorised access, disclosure or modification.
D. HUMAN RESOURCES SECURITY
The Company has taken reasonable measures to ensure that its employees and contractors, which have access to Personal Data are aware of and adhere to the security and privacy policies and procedures.
The measures include: (a) background verification checks, such as criminal records checking for all employees and contractors with access to Personal Data; (b) conclusion of Non-Disclosure and Confidentiality Agreement and Data Processing Agreement for all employees and contractors; (c) participation in training and awareness programs by employees and contractors, focused on the protection of personal data, privacy and security.
E. OPERATIONAL SECURITY
The Company is committed to ensuring correct and secure facilities for the Processing of Personal Data by: (i) controlling the changes to the processing systems and facilities by implementing and maintaining procedures in line with the internal Change Management Policy;
(ii) performing regular back-ups and tests of back-ups, by implementing and maintaining procedures in line with the internal Back-Up Policy; (iii) maintaining event logging with records of user activities, exceptions, errors and information security events; (iv) ensuring clock synchronisation for all relevant Information Processing Systems.
F. NETWORK SECURITY
The Company has implemented a Firewall Protection, an Intrusion Detection System and is regularly monitoring the Network Activity.
G. SECURE DEVELOPMENT
The Company performs software development and relevant support processes according to adopted secure system engineering principles such as: Security by design; Security testing shall be performed for any changes or new developments; Development/testing/production environments shall be separated.
H. SUPPLIER ASSESSMENTS
The Company performs regular assessments of supplier services and acknowledges the responsibility to inform the Data Controller for any changes to the provision of Services pursuant to the Main Agreement.
I. BUSINESS CONTINUITY AND INCIDENT MANAGEMENT
The Company ensures a consistent approach to the management of privacy and security incidents, including communication on security breaches and weaknesses via: (a) the Business Continuity and Incident Management Procedures which is documented and tested regularly; and (b) the Personal Data Breach Notification Procedure which is documented and tested regularly.
J. INTERNAL SECURITY AUDITS
The Company performs regular assessments of the risks to Personal Data and reviews the effectiveness of the implemented security policies and procedures.
ANNEX 4: LIST OF SUB-PROCESSORS
Read this Annex 4 in conjunction with Clause 5 and other applicable provisions of the DPA.
Party | Purpose of Processing/Service | Location
Apply by default
Linode | Email server | UK
Google Cloud | Hosting service provider | Germany (EU)
Google captcha | Bot defence | Google global
Live Agent | Chat service provider | Slovakia (EU)
Google Analytics | Statistics and Analytics | USA
Optional - applicable when used, integrated (as per https://help.simplymeet.me/index.php/Integrations as amended) to Account or opt-in.
PandaDoc | system we use for electronic signatures (optional - applied when in use).
Google Meet / Hangout | integration which automates your clients' booking by generating a unique video meeting link for every meeting.
Zapier connector | integration in order to connect the Account with apps available.
Microsoft 365/Teams | integration for generating a unique video meeting link for meetings.
Zoom Integration | as per above.
Whereby | as per above.
SMS gateway integration of Twilio and Nexmo/Vonage.
Facebook Pixel | integration by which you can collect data to track conversion from advertising to Facebook etc.
Okta integration | integration which enables SSO authentication to your SimplyMeet.me account, allowing fast and simple login for your team members.
ANNEX 5: STANDARD CONTRACTUAL CLAUSES
1. The latest version of the Standard Contractual Clauses available on the official website of the European Commission here is implemented and followed for the subject matter.
2. These Standard Contractual Clauses (“SCC”) form part of this Agreement, to the extent applicable to the Parties in accordance with the European Data Protection Laws.
3. For the purposes of this Agreement and the contractual relationship of the Parties, Module Two: Transfer Controller to Processor is adopted.
Get the full signed version of our DPA - this will contain the full version of the latest SCC - here.
Version: 3.0
Last update: 02/04/2025
Effective date: 03/04/2025
Previous version available here