Data Processing Agreement (DPA)
Last Updated: 20th March 2026
This Data Processing Agreement ("DPA") is made part of the EuroVOX Terms and Conditions between:
Controller: Member.
Processor: European Broadcasting Union ("EBU").
Together referred to as the "Parties."
1. Purpose of the DPA
This DPA governs the processing of Personal Information by the Processor on behalf of the Controller in connection with the use of EBU's EuroVOX platform, its AI-powered translation services, and any integrated third-party processing tools.
2. Processing Activities
Subject Matter: Processing of Member-provided inputs and generated outputs as part of the EuroVOX services.
Duration: For the term of the Member's engagement with EBU Services.
Nature and Purpose: Processing of personal data for transcription, translation, dubbing, real-time captioning, and synthetic media generation tasks.
Type of Data: Personal Information submitted through Member inputs, including audio recordings, textual data, and voice synthesis recordings.
Categories of Data Subjects: Identified or identifiable individuals whose personal data is included in the Member's inputs.
3. Processor Obligations
The Processor shall:
Process personal data only on documented instructions from the Controller, including as outlined in the Terms and Conditions or this DPA.
Implement appropriate technical and organizational measures to protect personal data, ensuring a level of security in compliance with GDPR Article 32.
Ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
Not engage sub-processors to process the Controller's personal data other than those appearing on the approved sub-processor list and selected or accepted by the Controller in accordance with Section 5 of this DPA.
Inform the Controller of any data breaches within 72 hours and assist with breach reporting and mitigation efforts.
Assist the Controller in responding to data subject rights requests, including erasure, access, rectification, or objection to processing, in compliance with GDPR Articles 12 to 23.
Assist the Controller with performing data protection impact assessments if required by applicable privacy laws (Privacy Laws).
Upon termination of services, delete all personal data as instructed by the Controller unless retention is required by law. Where the Controller requires an export of personal data, such request should be made prior to termination.
4. Controller Obligations
The Controller shall:
Ensure it has obtained all necessary consents and legal grounds to submit personal data to the Processor.
Inform data subjects about the processing activities and their rights as required by GDPR.
Provide instructions to the Processor that comply with applicable data protection laws.
Notify the Processor of changes in processing instructions that affect compliance with Privacy Laws.
5. Sub-Processors
The Processor maintains a list of approved sub-processors, each of which has been assessed against minimum governance standards (including, without limitation, prohibitions on using input data for model training and requirements for GDPR-compliant data handling). This list is publicly available at https://www.eurovox.io/subprocessors.html and is updated when sub-processors are added or removed.
The Controller may either accept the full list of approved sub-processors or, with the assistance of the Processor, designate a subset of approved sub-processors for use in connection with their services. The Controller's acceptance of this DPA constitutes general written authorisation under GDPR Article 28(2) for the Processor to engage the approved sub-processors, subject to the notification right below.
The Processor shall notify the Controller's designated contact (as specified in the applicable Service Order) by email of any intended addition to or replacement of sub-processors no less than 7 calendar days before the change takes effect. The Controller may object to any such change in writing within that 7-calendar-day period. Where the Controller objects and the Parties cannot reach agreement, either Party may terminate the affected services on written notice without penalty.
The Processor shall ensure that all approved sub-processors are bound by data protection obligations equivalent to those set out in this DPA.
6. Cross-Border Data Transfers
Any transfer of personal data outside of the EEA or Switzerland will be subject to appropriate safeguards, such as Standard Contractual Clauses, in accordance with GDPR Article 46.
If applicable, Processor shall ensure sub-processors comply with these safeguards.
7. Data Security Measures
The Processor shall implement measures including but not limited to:
Encryption of personal data during transmission and storage.
Regular auditing and risk assessments of systems handling personal data.
Limiting physical and logical access to personal data.
Adequate backup and recovery procedures.
8. Data Breach Notification
In the event of a data breach, the Processor will notify the Controller within 72 hours of becoming aware of the breach and:
Provide sufficient detail regarding the incident.
Assist the Controller in complying with its obligations under GDPR to notify applicable regulators and affected data subjects.
9. Audit Rights
The Controller may conduct audits, no more than once per calendar year, to verify compliance with this DPA. Audit costs shall be borne by the Controller.
10. Term and Termination
This DPA remains in effect for the duration of services provided under the Terms and Conditions. Upon termination of services, the Processor will delete or return all personal data per the Controller's instructions.
11. Liability
The liability provisions of the Terms and Conditions apply to this DPA. Parties shall indemnify each other for penalties or damages resulting from non-compliance with applicable data protection laws, to the extent it relates to their respective roles.
12. Governing Law
This DPA shall be governed by the laws of Switzerland, and disputes shall be exclusively resolved in the courts of Geneva, Switzerland as set out in the Terms and Conditions.