Effective date: 01 March 2026
Last updated: 01 March 2026
This Data Processing Agreement (“DPA”) forms part of and is an integral appendix to the Evenda platform Organizer Agreement and governs the processing of personal data that ZURKA CE BITI DOO carries out on behalf of the Organizer when using the Evenda SaaS platform.
This DPA is entered into between:
ZURKA CE BITI DOO
PIB: 114432064
MB: 22023195
Beograd, Kraljice Natalije 11, Serbia
Email: [email protected]
(“Evenda” or “Processor”)
and
the person who registers an organizer account, accepts this DPA, or uses the Evenda platform as an event organizer
(“Organizer” or “Controller”).
If the parties have concluded a separate written data processing agreement, it takes precedence over this DPA for matters expressly covered by it.
1.1. This DPA applies only where Evenda processes personal data on behalf of and under the instructions of the Organizer in connection with use of the Evenda platform.
1.2. This DPA does not apply where Evenda acts as an independent controller of personal data, including without limitation:
1.3. This DPA governs only processing performed by Evenda as Processor. All other matters relating to use of the platform are governed by the Organizer Agreement and other applicable Evenda documents.
For the purposes of this DPA, the following terms apply:
Controller — the Organizer who determines the purposes of processing and essential parameters of personal data processing through the Evenda platform.
Processor — Evenda, which processes personal data on behalf of the Controller.
Applicable data protection law — applicable personal data protection law, including the GDPR where it applies, and other mandatory rules governing the relevant processing.
Personal Data — any information relating to an identified or identifiable natural person.
Data Subject — the natural person to whom Personal Data relates.
Sub-processor — any processor engaged by Evenda that processes Personal Data on behalf of the Organizer in connection with Evenda’s services.
Personal data breach — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
If a term is used in this DPA and is defined in Applicable data protection law, it is interpreted in accordance with that law.
3.1. The subject matter of this DPA is Evenda’s processing of Personal Data on behalf of the Organizer when providing Evenda platform SaaS functionality.
3.2. Processing begins when Evenda starts processing Personal Data on behalf of the Organizer and continues for the period of use of the relevant platform features and for any period of retention, deletion, return, or other completion of processing in accordance with this DPA and Applicable data protection law.
3.3. Depending on the platform features used, the nature of processing may include:
3.4. The purposes of processing are determined by the Organizer and may include:
3.5. Categories of Data Subjects, categories of Personal Data, and a description of processing are set out in Appendix 1 to this DPA.
4.1. The Organizer acts as Controller in respect of Personal Data that it uploads, collects, structures, or otherwise processes through the Evenda platform in connection with its events, orders, tickets, registrations, and communications with buyers and participants.
4.2. Evenda acts as Processor only to the extent that it processes such Personal Data on behalf of and under the documented instructions of the Organizer.
4.3. The Organizer confirms that it independently determines the purposes of processing and essential parameters of processing, including:
5.1. Evenda processes Personal Data only on the basis of the Organizer’s documented instructions, unless Applicable data protection law requires otherwise.
5.2. This DPA, the Organizer Agreement, Organizer account settings, selected platform functionality, event configuration, forms, fields, access rights, and other Organizer actions in the Evenda interface are treated as documented instructions of the Controller.
5.3. The Organizer may issue reasonable additional written instructions where they:
5.4. If Evenda considers that an Organizer instruction violates Applicable data protection law, Evenda may notify the Organizer and suspend execution of that instruction until clarifications or a lawful basis are provided.
The Organizer undertakes and warrants that:
6.1. it has a lawful basis for processing Personal Data and for instructing Evenda to process such data;
6.2. it provides appropriate information to Data Subjects where required by law;
6.3. it independently determines what Personal Data is collected through the platform and does not instruct Evenda to process data unlawfully;
6.4. it does not use the Evenda platform to process special categories of personal data, criminal offence data, or other sensitive data unless such processing is lawful, necessary, and properly regulated;
6.5. it is responsible for the lawfulness of its events, forms, fields, descriptions, notifications, communication scenarios, its team’s access rights, and other settings affecting Personal Data processing;
6.6. it is responsible for handling buyers’ and participants’ requests to the extent it acts as Controller.
Evenda undertakes to:
7.1. process Personal Data only in accordance with the Organizer’s documented instructions;
7.2. not use Personal Data for its own purposes incompatible with the Processor role;
7.3. ensure that persons authorised to process Personal Data are bound by confidentiality obligations or an appropriate statutory duty of confidentiality;
7.4. implement appropriate technical and organisational security measures in accordance with Section 10 of this DPA and Applicable data protection law;
7.5. comply with the Sub-processor engagement terms set out in Section 8;
7.6. assist the Organizer, as far as reasonably possible, in fulfilling its obligations to respond to Data Subject requests;
7.7. assist the Organizer, as far as reasonably possible, in fulfilling its obligations regarding security, breach notification, data protection impact assessment, and prior consultation with a supervisory authority where required by law;
7.8. at the end of processing, delete or return Personal Data as provided in this DPA, unless retention is required by law;
7.9. provide the Organizer with information necessary to demonstrate compliance with this DPA and cooperate with audits as provided in this DPA.
8.1. The Organizer grants Evenda general written authorisation to engage Sub-processors to provide Evenda’s services.
8.2. Evenda will maintain an up-to-date list of Sub-processors and, on request, provide it to the Organizer or publish it in a place accessible to the Organizer on the website or in the account area.
8.3. Where Evenda intends to add a new Sub-processor or replace an existing one, Evenda will notify the Organizer in advance by reasonable means if the change is material for Personal Data processing.
8.4. The Organizer may raise a reasoned objection to a new Sub-processor within a reasonable time after notification if it has documented grounds to believe the change creates a material risk of breach of Applicable data protection law.
8.5. If the parties cannot reasonably resolve such objection, Evenda may discontinue the relevant part of processing or propose that the Organizer stop using the affected functionality.
8.6. Evenda will enter into a written agreement with each Sub-processor imposing data protection obligations not materially lower than those under this DPA, insofar as they apply to the services provided.
8.7. Evenda remains liable for the actions of its Sub-processors within the limits set by Applicable data protection law and the parties’ agreements.
9.1. Evenda does not carry out international transfers of Personal Data outside the applicable jurisdiction without an appropriate legal basis where such a basis is required by Applicable data protection law.
9.2. If providing Evenda’s services or using Sub-processors requires international transfer of Personal Data, Evenda will apply an appropriate transfer mechanism, including where applicable:
9.3. On reasonable request from the Organizer, Evenda provides general information about transfer mechanisms used, where such transfers occur.
10.1. Taking into account the state of the art, implementation costs, nature, scope, context, and purposes of processing, and the risks to individuals’ rights and freedoms, Evenda implements appropriate technical and organisational security measures.
10.2. Such measures may include, where applicable:
10.3. The Organizer acknowledges that no method of transmission or storage can guarantee absolute security.
10.4. The Organizer is also responsible for security on its side, including:
11.1. Given the nature of processing, Evenda provides the Organizer with reasonable assistance, as far as possible, in fulfilling its obligations to respond to Data Subject requests.
11.2. If Evenda receives a Data Subject request relating to processing for which the Organizer is Controller, Evenda may:
11.3. Unless required by law, Evenda is not obliged to substantively respond to such a request on the Organizer’s behalf without the Organizer’s instructions.
12.1. Given the nature of processing and information available to Evenda, Evenda provides the Organizer with reasonable assistance in complying with obligations relating to:
12.2. If required assistance goes beyond standard functionality and ordinary Evenda support, the parties may separately agree timing, format, and reasonable remuneration for such assistance where permitted by law.
13.1. Evenda notifies the Organizer without undue delay after becoming aware of a confirmed personal data breach affecting Personal Data that Evenda processes on behalf of the Organizer.
13.2. That notification shall, to the extent possible at the time it is sent, include:
13.3. Evenda may provide information in phases if the full detail is not available at the time of the first notification.
13.4. The Organizer independently determines whether notification to a supervisory authority or Data Subjects is required, unless otherwise provided by applicable law.
14.1. On reasonable written request from the Organizer, Evenda provides information necessary to demonstrate compliance with this DPA.
14.2. The Organizer may audit compliance with this DPA no more than once per calendar year, unless more frequent audit is required:
14.3. To the maximum extent possible, audits shall be conducted in a way that minimises burden on Evenda and security risks, for example:
14.4. On-site audits are permitted only if:
14.5. The Organizer bears its own audit costs unless the parties agree otherwise.
15.1. On termination of the relevant processing or on reasonable request from the Organizer, Evenda shall, at the Organizer’s choice:
15.2. If return in a reasonable format is technically impossible within standard platform functionality, Evenda may provide data in a commonly used format available in the service or delete it in accordance with standard procedures.
15.3. Evenda may retain Personal Data after processing ends to the extent required:
16.1. Evenda ensures that persons authorised to process Personal Data are properly instructed and bound by confidentiality obligations.
16.2. Evenda does not disclose Personal Data to third parties except where:
17.1. Evenda maintains measures, policies, and processes reasonably necessary to comply with its obligations as Processor.
17.2. On reasonable request from the Organizer, Evenda provides information available to it sufficient to confirm that it fulfils its Processor obligations under this DPA.
18.1. Unless expressly provided otherwise in this DPA, liability of the parties is governed by the Organizer Agreement.
18.2. Nothing in this DPA excludes or limits either party’s liability that cannot be excluded or limited under Applicable data protection law.
19.1. In case of conflict between this DPA and the Organizer Agreement, the provisions of this DPA prevail with respect to Evenda’s processing of Personal Data on behalf of the Organizer.
19.2. In case of conflict between this DPA and a separate written data protection agreement signed by the parties, that separate agreement prevails for matters expressly covered by it.
20.1. Evenda may amend this DPA from time to time where necessary to:
20.2. The current version of the DPA is published on the website. If changes are material, Evenda will endeavour to notify the Organizer by reasonable means, for example via the website, email, or account area.
20.3. Continued use of Evenda after a new version takes effect constitutes acceptance of the updated DPA, unless prohibited by Applicable data protection law.
21.1. This DPA is governed by and construed in accordance with the laws of the Republic of Serbia, unless Applicable data protection law requires otherwise.
21.2. Any dispute, disagreement, or claim arising out of or in connection with this DPA shall be subject to the competent courts in Belgrade, Republic of Serbia, unless mandatory provisions of applicable law provide otherwise.
If you have questions about this DPA, you can contact us:
ZURKA CE BITI DOO
PIB: 114432064
MB: 22023195
Beograd, Kraljice Natalije 11, Serbia
[email protected]
1. Subject matter of processing
Processing of Personal Data by Evenda on behalf of the Organizer in connection with use of the Evenda platform to publish events, manage orders, tickets, registrations, attendees, and communications related to the Organizer’s events.
2. Duration of processing
For the period during which the Organizer uses the relevant Evenda platform features and thereafter for the period necessary for return, deletion, backup retention, legal compliance, and protection of Evenda’s or the Organizer’s rights, to the extent permitted by Applicable data protection law.
3. Nature of processing
Collecting, recording, storing, organizing, structuring, viewing, using, transmitting, providing access, deleting, destroying and other actions necessary to provide Evenda services.
4. Purposes of processing
5. Categories of Data Subjects
Depending on the platform configuration and the Organizer’s actions:
6. Categories of Personal Data
Depending on the Organizer settings and the functions used:
7. Special categories of data
Unless otherwise expressly agreed by the parties in writing, Evenda does not undertake to process special categories of personal data on behalf of the Organizer. The Organizer must not use the platform for such processing without a lawful basis and sufficient protective measures.
8. Processing operations
Providing hosting, interfaces, storage, administration, search, structuring, export, sending service notifications and other operations necessary for the functioning of the Evenda platform in accordance with the Organizer’s instructions.