Agreement on Commissioned Data Processing




– hereinafter referred to as
„Data Controller“


OL Munkaidő Kft.



– hereinafter referred to as
„Data Processor“


In the „Agreement (…………)” as of […] (hereinafter referred to as “Main Contract”) Data Processor undertakes to provide the following services for Data Controller. The Main Contract regulates the general contractual relationship between the Parties and the services to be provided by the Data Processor in detail.


The services to be provided by the Data Processor according to the Main Contract (hereinafter referred to as “Services”) require the processing of personal data on behalf of the Data Controller (hereinafter referred to as “Data Processing”). Thereby, ECE acts as Data Controller and (…) as the company performing the Data Processing on instruction of the Data Controller (hereinafter referred to as “Data Processor”).

This Agreement, being an Annex to the Main Contract, stipulates the data protection obligations of the Parties regarding the Data Processing. If there are any inconsistencies between the provisions of this Agreement and those of the Main Contract the provisions of this Agreement in relation to the processing of personal data shall prevail.


In order to ensure suitable measures regarding the protection of privacy and of personal data of the concerned persons the parties hereby mutually agree and covenant to be bound by the terms and conditions of this Agreement and its attached Annexes as follows:


1. Subject Matter and Duration of the commission

Subject Matter

The subject matter of the commission is derived from the [e. g. Service Agreement]……. as of …..…day………month……..year to which is made reference here (hereinafter referred to as „Service Agreement“).

The subject matter of the data processing commission is the performance of the following tasks by the Data Processor:

Softwvare processing worktime and labor datas.


Duration of the commission


The commission is for an indefinite period and may be terminated by either party giving ………………. notice to……………. The right to terminate the commission without notice is unaffected by the above.

2. Substantiation of the content of the assignment

Scope and Purpose of the intended collection, processing and use of data

Scope and purpose of the collection, processingby the Data Processor on behalf of the Data Controller are described in detail in the Service Agreement as of contract day.


Nature of Data

The subject matter of the collection, processing and / or use of the personal data covers the following types / categories of data (list / description of the categories of data):

Person master data (such as name, address, date of birth, National Insurance Number, Tax Number, Mother’s name)

Employment relationship datas

Worktime datas

Legal status information datas

Work schedule datas

Contact details (such as phone, email)

Work Contract master data (contractual relation)

Billing and payment data

Planning and management data

Hereinafter referred to as: „Data“

Concerned persons

Persons affected by the processing of their Data within the scope of this commission are (list / description of the concerned categories of persons):




3. Technical and organizational measures

(1)    Data Processor undertakes to document the technical and organizational measures required according to Art. 32 General Data Protection Regulation (“GDPR”) prior to the start of the Processing and to present it to the Data Controller for review purposes. Provided the Data Controller approves the concrete technical and organizational measures the Data Processing may start, subject to other requirements under this Agreement. The presented technical and organizational measures become component part of this Agreement and are attached as Annex 1. The Data Processor undertakes to implement and adhere to these measures during the term of this Agreement.


(2)    In case an examination / audit of the measures by the Data Controller or a statutory or technical amendment requires an adjustment of the measures, Data Controller shall promptly implement and prove this adjustment. Annex 1 shall be updated accordingly.


(3)    The technical and organizational measures shall constantly be updated to reflect the technical state-of-the-art, whereby the security level of the updated measures shall not fall below the originally determined level. Substantial amendments affecting the integrity, confidentiality or availability of the Data shall be reported to and coordinated with the Data Controller in advance within a reasonable period of time; substantial amendments shall be documented, reported to the Data Controller and attached to this Agreement as Annex 1. Measures which would imply only slight technical or organizational amendments and which would not affect the integrity, confidentiality and availability of data in a negative way, may be implemented by the Data Processor without consultation of the Data Controller.


4. Protection of the concerned persons’ rights

(1)     Data Processor shall correct, delete or restrict the Data being processed on behalf of the Data Controller only in accordance with the Data Controller’s instructions. If the Data Processor is directly requested by a concerned person to correct or delete his Data, Data Processor will forward this request immediately to the Data Controller.

(2)      Data Processor shall co-operate with Data Controller where a person concerned exercises his or her rights under the applicable data protection law; this comprises in particular the assistance regarding responses to requests in connection with the protection of concerned persons’ rights by means of proper technical and organizational measures.

5.  Controls and other obligations of the Data Processor

The Data Processor ensures compliance with the following obligations:

(1)      Written appointment of a Data Protection Officer where prescribed by law. The contact details must be supplied to the Data Controller to enable direct contact to be made. The Data Controller shall promptly by notified about a replacement of the Data Protection Officer.

(2)      All persons being able to access personal Data of the Data Controller within the scope of the commission shall be obligated to keep confidentiality and shall be instructed regarding the particular data protection obligations resulting from this commission as well as the existing commitment to instructions and purpose of Data Processing. The Data Processor shall on request present the respective declarations of commitment to the Data Controller.



(3)      Data Processor shall grant to the data protection supervisory authorities competent the possibility to conduct audits to the same extent as would apply to an audit of the Data Controller. Assistance of the Data Controller regarding controls and requests by the supervisory authorities.



(4)      Immediate information of the Data Controller about controls and measures of the data protection supervisory authority. This also applies if the competent authority investigates at the Data Processor’s premises according to Art. 57, 58 GDPR.



(5)    Appropriate assistance of the Data Controller if the Processing is subject to a privacy impact assessment according to Art. At its own cost the data manager can request the data processor to carry out an impact assessment. 35 GDPR respectively a prior consultation of the competent data protection supervisory authority according to Art. 36 GDPR becomes necessary.

(6)      The presentation of details required according to Art 30 sec. 2 GDPR.




6. Subcontracting

(1)      Data Processor shall not subcontract any of his contractual obligations under this Agreement without the prior written consent of the Data Controller. In such case the Data Processor shall set out the contractual agreements with the subcontractor(s) in such a way that they reflect the data protection provisions agreed between Data Controller and Data Processor in this Agreement and the requirements of the GDPR. A further subcontracting by the subcontractor is only permitted after prior written consent of the Data Controller.

(2)      The Data Processor shall carefully select the subcontractor and ensure prior to the assignment that the subcontractor is able to observe the Agreement concluded between the Data Controller and the Data Processor. In particular, the Data Processor shall control in advance and regularly that the subcontractor has implemented the technical and organizational measures for the protection of personal data according to Art. 32 GDPR.


(3)      Any monitoring- and instruction rights of the Data Controller shall be incorporated into the agreement with the subcontractor. This also includes the Data Controller’s right to obtain information from the Data Processor, upon written request, on the substance of the agreement and the implementation of the data protection obligations within the sub-contractual relationship, where necessary by inspecting the relevant contract documents or by presentation of appropriate certificates by independent auditors.

(4)      If the subcontractor is situated in a country outside the European Union (“EU”) or the European Economic Area (“EEA”), sec. 7 of the Agreement applies.

(5)      The Data Processor remains fully liable for the subcontractors assigned by him.

7. Transfer to third countries


The processing of Data by the Data Processor is limited to the area of the EU and the EEA. The transfer of Data to a recipient with registered seat outside the EEA by the Data Processor shall only be admissible if compliant with the requirements of Art. 44 et seq. GDPR and is subject to a separate prior written approval of the Data Controller. In particular, Data Processor shall ensure that Data Controller may conclude the Standard Contractual Clauses with the recipient of the Data (cf. e. g. the decision of the European Commission of February 5, 2010 published in the Official Journal of the European Union L39/5, C (2010) 593).


8. Control rights of the Data Controller

(1)   In consultation with the Data Processor, Data Controller may carry out controls whether the processing by the Data Processor is performed in compliance with this Agreement and the obligations according to Art. 28 GDPR or may engage an auditor to do so. He has the right to make sure by such controls that the Data Processor adheres to the Agreement during the course of the Data Processor’s business operations.


(2)   Furthermore, Data Processor undertakes to provide the Data Controller with the necessary information proving the adherence to the obligations of this Agreement respectively of Art. 28 GDPR and to make available the corresponding evidence. This also comprises the provision of evidence regarding the implementation of technical and organizational measures. Thereby, the Data Controller may as an alternative request the Data Processor to present updated evidence according to Art. 42 et. seq. GDPR regarding the adherence to the technical and organizational measures prior to the start of the Data Processing and then periodically at reasonable intervals.



9. Notifications of infringements by the Data Processor

(1)   Data Processor shall promptly notify the Data Controller about any violations of regulations regarding the protection of the Data Controller’s Data (in particular the GDPR) or regarding the provisions of this Agreement caused by him, his employees or any subcontractors employed by him or if there is a corresponding suspicion.


(2)   Data Processor shall document such incidents, clear them up promptly and provide for relief. He shall keep the Data Controller informed about the process until the matter is remedied.

(3)   In case the infringement would result in a risk for the rights and freedom of the persons concerned according to Art. 34 GDPR Data Processor shall assist Data Controller comprehensively regarding the clarification of the incident and regarding a corresponding notification of the data protection supervisory authority or the person concerned.

10. Instruction right of the Data Controller

(1)   The Data may only be processed under the terms of the contractual agreements and the instructions issued by the Data Controller. Under the terms of the commission as described in this Agreement Data Controller retains a general right of instruction regarding nature, scope and method of the Data Processing, which he may substantiate by individual instructions. Amendments to the subject matter of the processing and to the process shall be mutually agreed and documented. Data Processor may only pass on information to third parties or concerned persons with the prior written consent of the Data Controller.

(2)   Oral instructions require a prompt written confirmation or a confirmation by email (in text form) by the Data Controller. Data Processor shall not use the Data for other purposes and in particular is not permitted to transfer them to third parties. Copies or duplicates shall not be produced without knowledge of the Data Controller. This does not apply to security backups where these are required to assure a proper data processing as well as Data required to comply with statutory retention obligations.

(3)   Data Processor shall promptly notify Data Controller if he believes that any instruction would result in a violation of Data Protection provisions. Data Processor may suspend the execution of the instruction until it is confirmed or changed in writing by the authorized person of the Data Controller

(4)   Data Processor shall document the instructions.

11. Deletion of data and return of data carriers

(1)   Upon completion of the contractual work or earlier on instruction of the Data Controller – not later than upon termination of the Service Agreement – Data Processor shall either return to the Data Controller all documents that have come to his possession, any processing- or use results as well as data files in connection with the contractual relationship or delete them in compliance with the applicable data protection law with the prior consent of the Data Controller. The same applies for testing and degraded material. The log of the deletion shall be presented on request. At its own cost the data manager can request the data processor to carry out an impact assessment.


(2)   Documentation that serve to prove proper data processing in accordance with the commission shall be retained by the Data Processor according to the relevant retention period beyond the term of the Agreement and shall only be used for this purpose. To his relief he may hand them over to the Data Controller upon termination of the Agreement.

12. Liability

(1)   Data Processor remains fully liable to the Data Controller for all damages negligently caused by him, his employees or any person commissioned by him during the performance of the contractual services.

(2)   Data Controller and Data Processor are fully liable for the compensation of damages sustained by a concerned person due to data processing being inadmissible or incorrect according to the relevant legal data protection provisions within the scope of the contractual relationship as far as they are not relieved from liability according to Art. 82 sec. 3 GDPR. If the concerned person has asserted a claim against the Data Controller due to the compensation of damages, the Data Controller is entitled – according to the provisions of Art. 82 GDPR – to make a recourse against the Data Processor. The same applies for the Data Processor if claims are asserted against him by a concerned person.


13.  Miscellaneous, written form, severability clause, jurisdiction


Data Processor shall collateralize to the Data Controller the data carriers with files containing Data of the Data Controllers. These data carriers shall be specially marked.

(3)   If the Data Controller’s property is endangered in the possession of the Data Processor by third parties’ measures (such as impoundment or seizure), by an insolvency or composition proceeding or by other incidents Data Processor shall promptly notify Data Controller.


(4)    Any changes and supplements or abrogation of this Agreement must be in writing. This also applies for the amendment of this written-form-clause.



(5)        The validity of this Agreement shall not be affected by the ineffectiveness of individual provisions or regulatory gaps. A legally ineffective provision or regulatory gap shall be replaced by a legally effective provision which conforms as closely as possible to purpose of the invalid provision or the remaining provisions of this Agreement.


(5)        All disputes arising from the Agreement or related to the Agreement or its validity shall be subject to the exclusive jurisdiction of either the Central District Court of Buda.

For …………………….




……………, this …………………..







Information regarding the drafting of an Annex 1 to the Agreement according to Art. 28 GDPR (example):


Technical and organizational measures of the Data Processor

Suitable technical and organizational measures shall comply with the requirements of Art. 32 GPDR. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.


Dependent on the respective order processing the observance of the following measures may serve such compliance:

  • Pseudonymization

Processing of Personal Data in a way that this data may no longer be associated with a specific concerned person without utilization of further information, as far as such additional information is stored separately and is subject to technical and organizational measures itself which ensure that the Personal Data are not assigned to an identified or identifiable natural person.




  • Encryption

The Data may be encrypted according to the latest technology.


  • Access control to premises and facilities


An unauthorized access to premises etc. shall be prevented (in the physical sense)


Technical and organizational measures to control access to premises, in particular for the legitimation of authorized persons.



  • Examples: Access control systems ID reader, magnetic card, chip card; keys / issue of keys; door locking (electric door openers etc.); security staff, doormen; surveillance facilities; alarm system; video / TV monitor.




  • Access control to systems


Denying access to processing facilities, by means of which the Data Processing is performed, for unauthorized persons.


Technical (ID/password security) and organizational (user master data) measures for user identification and authentication:


  • Example: Password procedures (special characters, minimum length, regular change of password); automatic blocking (e. g. password or timeout); creation of one master record per user.




  • Storage control

Preventing of unauthorized entry of Personal Data as well as unauthorized access, change or deletion of stored Persona Data






Demand-oriented definition of the authorization concept, technical and organizational measures regarding the identification and authentication of the user.




  • Examples: Password procedures (special characters, minimum length, regular change of password); automatic blocking (e.g. password or timeout); implementation of differentiated authorizations (e. g. profiles or roles divided into write, read, change, delete).





  • User control

Preventing of use of automated processing systems by unauthorized persons by means of data transfer facilities.




Implementation of an authorization concept respectively of access rights and their monitoring and logging.




  • Examples: Implementation of differentiated authorizations (profiles, roles, transactions and objects); password procedures; recording of accesses through the system.



  • Access control to data

Ensuring that the persons who are authorized to use an automated processing system are only able to access the Personal Data within the scope of their access permission.




Demand-oriented definition of the authorization concept and of the access rights as well as their monitoring and logging.



  • Examples: Differentiated authorizations (profiles, roles, transactions and objects); reports; information regarding access, change, deletion.




  • Transmission control

Ensuring that it can be verified and determined where Personal Data was or can be transmitted or made available by means of data transfer facilities. Aspects of the transfer of Personal Data are to be regulated: Electronic transmission, control of transfer.





Technical and organizational measures regarding the transfer and transmission and the subsequent verification.



  • Examples: encryption / tunneling (VPN = Virtual Private Network); electronic signature, logging / audit trails; password protection.



  • Control of data carriers

Preventing of unauthorized reading, copying, changing or deleting of data carriers.



Technical and organizational measures (password protection) regarding the storage on and the use of data carriers (manually or electronically)




  • Examples: Encryption of data carriers by passwords; separate notification of the password to the recipient.



  • Transport control

Ensuring that the confidentiality and integrity of the Data is protected upon transfer of Personal Data and transport of the data carriers.



Technical and organizational measures for the transport of data carriers as well as for the transfer and transmission of Data. Subsequent verification of the correct recipient.


  • Examples: Encryption, tunneling (VPN = Virtual Private Network); electronic signature; audit trails; logging of the dispatch; password protection of the data carriers; separate notification of the password to the recipient; confirmation of the receipt by the recipient; transport security respectively secure transport of the data carriers by a courier.



  • Input control

Ensuring that a subsequent verification and determination is possible as to which Personal Data have been entered into automated processing systems or changed when and by whom.



Technical and organizational measures for subsequent verification if data have been entered, changed or removed (deleted) and by whom.




  • Example: Logging and reporting systems.


  • Control of commissioned processing

Ensuring that Personal Data that is processed on behalf of the Data Controller shall only be processed according to the instructions of the Data Controller.

Technical and organizational measures to segregate the responsibilities between the Data Controller and the Data Processor.

  • Examples: Unambiguous wording of the Agreement; formal commissioning (request form); criteria for the selection of the Data Processor; monitoring of the contract execution.




  • Availability control

The data have to be protected against destruction or loss.


Technical measures to assure data security (physically / logically).


  • Examples: backup procedures, mirroring of hard drives, such as RAID-technology; uninterruptable power supply (UPS); remote storage, anti-virus systems / firewalls; disaster recovery plan.



  • Control of data separation

Ensuring the possibility of separate processing of Data which have been collected for different purposes.


Measures to provide for separate processing (storage, change, deletion, transmission) of data for different purposes:




  • Examples: „Internal client“ / limitation of use; segregation of functions, e. g. production, quality assurance, training and test environment.
  • Recoverability

Ensuring, that installed systems can be restored in the event of a failure.


Measures providing a prompt recoverability of Personal Data and access to it; data backups.


  • Example: Implementation of a process-oriented disaster recovery plan, backup procedures.



  • Reliability

Ensuring that all functions of the system are available and occurring malfunctions are reported.


Procedures for the regular control of the effectiveness of the technical and organizational measures and control of the functionalities of the systems; organizational measures regarding the reporting of failures.

  • Examples: Penetration tests of the entire IT environment; implementation of measures for the protection of the systems against hacker attacks, viruses etc.; assuring of the scalability of systems; auditing of the systems, implementation of a process-oriented reporting and troubleshooting procedure.





  • Data Integrity

Ensuring that stored Personal Data cannot be damaged by malfunctions of the system.


Measures to ensure that data during the processing or transmission cannot be removed or changed by unauthorized persons and that data are correct, reliable and consistent.




Examples: Encryption; regular control of the Data; implementation of measures for the protection against hacker attacks, viruses, etc.; implementation of authorization concepts; audit trails.