Data Processing Agreement


Electrosonic Group Companies and third parties where these terms are incorporated into the contract between Electrosonic and the third party “Third Party” - Collectively, the “Parties”.


Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures:  as defined in the Data Protection Legislation.

Data Protection Legislation: all Data protection legislation and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications). For avoidance of doubt, if this includes the provision of goods/services in countries other than the EU or UK, then the local data protection laws must be adhered to in addition to the requirements of the UK and EU GDPR to maintain a ‘privacy-first’ approach.;

UK Data Protection Legislation:  all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.


1.1 Electrosonic and the Third Party agree and acknowledge that for the purpose of the Data Protection Legislation:

a) They will allocate the responsibilities of Controller and Processor between them in respect of any processing of personal data under the Contract.

b) The Controller retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.

1.2  Both parties will comply with all applicable laws and requirements of the Data Protection Legislation. This agreement is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. In this Clause 1, Applicable Laws means (for so long as, and to the extent that they apply to the Third Party) the law of the UK, European Union, the law of any member state of the European Union, and any local data protection laws as imposed by countries outside of these stated regions where the provision of goods/services are taking place.

1.3  The parties will ensure that the processing of any personal data is undertaken with due consideration of the personal data subjects rights, and agree to define the:

  1. subject matter;
  2. nature and purpose of processing;
  3. duration of the processing;
  4. types of Personal Data;
  5. categories of Data Subject;
  6. location of the processing activities; and
  7. list of approved subcontractors.

1.4  Without prejudice to the generality of Clause 1.1, the Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Processor (and/or lawful collection of the Personal Data by the Processor on behalf of the Controller) for the duration and purposes of this agreement.

1.5 Without prejudice to the generality of Clause 1.1, the Processor shall, in relation to any Personal Data processed in connection with the performance by the Processor of its obligations under this agreement:

a)  process that Personal Data only on the documented written instructions of the Controller under Schedule 1 unless the Processor is required by Applicable Laws to otherwise process that Personal Data. Where the Processor is relying on Applicable Laws as the basis for processing Personal Data, the Processor shall promptly notify Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Processor from so notifying Controller;

b)  ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

c)  where applicable, not transfer any Personal Data from within the European Economic Area outside of the European Economic Area unless the prior written consent of Controller has been obtained and the following conditions are fulfilled:

  1. the Processor has provided appropriate safeguards in relation to the transfer;
  2. the data subject has enforceable rights and effective legal remedies; 
  3. the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
  4. the Processor complies with reasonable instructions notified to it in advance by Controller with respect to the processing of the Personal Data;

d)  assist Controller in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators in the territories where the provision of goods/services are taking place;

e)  notify Controller without undue delay on becoming aware of a Personal Data Breach, and include a description of the breach, including the categories of in-scope personal data, the approximate number of data subjects, the likely consequences, and a description of the measures taken or proposed to address and/or mitigate its possible adverse effects;

f) immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Processor will reasonably co-operate with Controller (at no additional cost), in Controllers handling of the matter, including but not limited to: assisting with any investigation; providing Controller with physical access to any facilities and operations affected (upon reasonable notice); facilitating interviews with Processor’s employees, former employees, and other involved in the matter, but not limited to, its officers/directors; and making available all relevant records, logs, files, data reporting, and other materials required to comply with all data protection legislation or as otherwise reasonably required by Controller;

g)  at the written direction of Controller, delete or return Personal Data and copies thereof to Controller on termination of the Contract unless required by Applicable Law to store the Personal Data. If any law, regulation, or government or regulatory body requires the Processor to retain any documents, materials or Personal Data that the Processor would otherwise be required to return or destroy, it will notify Controller in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends. The Processor will certify in writing to Controller that it has deleted or destroyed the Personal Data within 7 days after it completes the deletion or destruction;

h)  maintain complete and accurate records and information, and allow for audits by Controller or Controller’s designated auditor and immediately inform Controller if, in the opinion of the Processor, an instruction infringes the Data Protection Legislation;

i) notify Controller promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Processor’s performance.

1.6 Should the Processor wish to appoint any third-party processor of Personal Data under this agreement, it must request Controller’s consent. In the event that Controller grants its consent to the Processor appointing a third-party processor of Personal Data under this agreement. The Processor confirms that it has entered or will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this agreement and in either case which the Processor confirms reflect and will continue to reflect the requirements of the Data Protection Legislation. The Processor agrees to provide Controller a copy of the third-parties processing activities which should include, at the minimum the information set out in Clause 1.3. As between Controller and the Processor, the Processor shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this agreement.

1.7 Electrosonic may, at any time on not less than 30 days’ notice, revise this agreement by replacing it with any applicable controller to processor standard clauses, or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).


2.1 The Third Party shall ensure that all of its employees:

a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;

b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and

c) are aware both of the Provider's duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.


3.1 The Third Party must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to: Physical access controls, System access controls, Transmission controls, Input controls, Data backups, and Data segregation.

3.2 The Third Party must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

3.3 The Processor agrees that Controller has the sole right to determine:

a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in Controller’s discretion, including the contents and delivery method of the notice; and

b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

3.4 The Party’s will cover all reasonable expenses associated with the performance of their respective obligations under this agreement.


4.1 The Processor must, at no additional cost to Controller, take such technical and organisational measures as may be appropriate, and promptly provide such information to Controller as Controller may reasonably require, to enable Controller to comply with:

a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

b) information or assessment notices served on Controller by the Commissioner (or other relevant regulator) under the Data Protection Legislation.

4.2 The Processor must notify Controller immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

4.3 The Processor must notify Controller without undue delay if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

4.4 The Processor will give Controller, at no additional cost to Controller, its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject Access request.


5.1 This agreement will remain in full force and effect so long as:

a) the Contract remains in effect; or

b) The Processor retains any of the personal data related to the Contract in its possession or control (Term).

5.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Contract in order to protect the Personal Data will remain in full force and effect.

5.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Contract obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements.


6.1 The Third Party warrants and represents that:

a) Its employees, subcontractors, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;

b) It and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;

c) It has no reason to believe that the Data Protection Legislation prevents it from complying with the Contract; and

d) Considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing of Personal Data and the loss or damage to, the Personal Data, and ensure a level of security appropriate to:

  1. the harm that might result from such accidental, unauthorised or unlawful processing and loss or damage
  2. the nature of the Personal Data protected; and
  3. comply with all applicable data protection legislation, and its information and security policies, including the security measures clause 3.

 6.2 Controller warrants and represents that the Processors expected use of the Personal Data for the business purposes (and as specifically instructed by Controller) will comply with the Data Protection Legislation.



Last updated: December 9, 2022