AGREEMENT ON JOINT DATA CONTROL

Preamble

Following a selection process and pursuant to that process, in accordance with Customer’s manpower requirements, MŰISZ assigns its selected member (hereinafter: Member) to Customer with a view to Member performing work in person for Customer. For the purposes of selecting the Member to be assigned to Customer, and for the preparation and implementation of the performance of work by selected Member, personal data will be processed.

Purpose and nature of the data control

The purpose of joint data control as per this Agreement is to ensure that any and all personal data supplied and communicated to the Parties to the Agreement for the purposes of work to be performed by Member is used in an appropriate manner.
MŰISZ proposes to Customer Members it recruited and selected with a view to assigning them as workers to Customer. In this context, MŰISZ transmits to Customer the proposed Members’ personal data captured and controlled by MŰISZ, as contained in table 1. Customer selects a Member to work for Customer from the ranks of workers thus proposed to Customer.
In certain cases, it is Customer that will select in advance the person it wishes to employ and transmits their personal data as contained in table 1 to MŰISZ, who will then recruit the selected person to become a Member.

Member is to be employed in accordance with the terms and conditions of the service contract between the Contracting Parties, with regard to which the relevant personal data will also be processed.

While working for Customer, Member is effectively employed by Customer within Customer’s own work organisation, with Customer taking care of any and all tasks related to occupational safety and rest periods, including the registration thereof, as well as any and all instructions given to Member.
It is MŰISZ that provides for the basic conditions of employment and concludes the underlying contract with Member, including carrying out the related administrative tasks, as well as arranges for Member's income to be determined and paid.

The interconnected tasks of selection and employment ensure Customer and MŰISZ’s common objective: namely, to enable the Member to work under the terms and conditions they provide.
Pursuant to Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter: GDPR): “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”.

Contracting Parties set out the division of responsibilities between them with a view to the fulfilment of obligations pursuant to the GDPR – in particular, in relation to the exercising of Member’s as data subject’s rights (hereinafter data subject is referred to as ‘Member’) and the supply of information to Member – in this present Agreement, in a clear and transparent manner.

Contracting Parties shall strive, at all stages of the data processing, to process personal data only to the minimal extent necessary for their purpose and to comply with the principles and provisions of the GDPR in their data processing activities.
Contracting Parties also agree to process Member’s data in accordance with their own respective Privacy Notice documents and any other documents.

The scope of jointly controlled personal data, legal grounds

Table 1

Jointly controlled data	Legal grounds for data processing by the joint controllers
e-mail address, family name and given names, date of birth, telephone number, sex, curriculum vitae, educational background, professional experience, areas of interest, hobbies, languages spoken, skills, agreed number of working hours per week, agreed shifts, Facebook profile, Viber contact details, Messenger contact details, family name and given names, unique identifier assigned by the Data Controller, date of birth, place of birth, permanent address, mailing address, mother’s name, nationality, dual nationality, personal identification document No., data on the student identity card, social security identifier (TAJ), tax identifier, bank account number, telephone number, educational background (institutions), wage and tax data, data in the residence permit (for non-Hungarian nationals), data in the health booklet, data in the fit-for-work document	Pursuant to Article 6 (1)(f) of the GDPR, legitimate interests of the Data Controllers. It is the Data Controllers’ legitimate interest to be capable of employing the Member. (A Balancing test has been made as part of this Agreement.)

Jointly controlled data

Legal grounds for data processing by the joint controllers

e-mail address, family name and given names, date of birth, telephone number, sex, curriculum vitae, educational background, professional experience, areas of interest, hobbies, languages spoken, skills, agreed number of working hours per week, agreed shifts, Facebook profile, Viber contact details, Messenger contact details, family name and given names, unique identifier assigned by the Data Controller, date of birth, place of birth, permanent address, mailing address, mother’s name, nationality, dual nationality, personal identification document No., data on the student identity card, social security identifier (TAJ), tax identifier, bank account number, telephone number, educational background (institutions), wage and tax data, data in the residence permit (for non-Hungarian nationals), data in the health booklet, data in the fit-for-work document

Pursuant to Article 6 (1)(f) of the GDPR, legitimate interests of the Data Controllers.

It is the Data Controllers’ legitimate interest to be capable of employing the Member. (A Balancing test has been made as part of this Agreement.)

Information

Customer and MŰISZ are obliged to inform the Member in advance, before Member’s membership is established and before entering into a contract with Member, about the transmission of their data, the scope of data transmitted, the legal grounds for and the purpose and duration of the data processing, the recipient of the data transmission, and the rights Member can exercise. Furthermore, Contracting Parties shall obtain the Member’s consent in a verifiable form.

Use of data processors

By signing this present Agreement, Contracting Parties authorize each other to mutually involve data processors in the processing of Member’s personal data.
For such data processors’ activities Contracting Parties shall be answerable to each other as if they themselves performed the processing of data.

Data transmission to third countries

Contracting Parties agree that any data processed hereunder shall not be transmitted to any third country outside of the European Union (except for the United States of America).

Data security

Contracting Parties shall ensure the security of personal data covered by this Agreement. They agree to implement such technical and organisational measures and set out such rules of procedures (updating existing ones as necessary) as may be required to ensure that personal data processed in any way is protected and to prevent the destruction, unauthorised use, alteration, potential loss of or damage to, as well as inaccessibility due to changes in the technology used of, any and all such data.

Personal data breach

Contracting Parties agree to promptly notify each other of any personal data breach; at least of the time the breach occurred, the nature of the breach, the number of data subjects and personal data concerned, the categories of data concerned, the (likely) consequences of the breach and any measures taken, or planned to be taken, to remedy the breach.
In the event of a personal data breach, Contracting Parties are required to cooperate in regard of the management of the breach in order to eliminate or mitigate the consequences thereof.

Rights and obligations

Contracting Parties are required to cooperate with each other at all times and help each other as appropriate without delay.

Exercising the Member’s rights

Member may exercise Member’s rights as set out in Articles 15-22 of the GDPR in relation to and vis-a-vis each one of the Contracting Parties, irrespectively of the terms of this Agreement.

Responsibility

Contracting Parties are jointly responsible for their joint processing of personal data, and they are severally responsible for data processing activities of their own.
Contracting Parties are jointly and severally responsible towards the Member.

Confidentiality

Any part of this Agreement that is not required to be disclosed under the Agreement is confidential. Contracting Parties shall be bound to maintain secrecy without any limitation in time.

Miscellaneous provisions

Any issues not regulated in this Agreement shall be governed by the provisions of applicable legal regulations.

BALANCING TEST

(part of the Agreement on joint data control)

Based on Article 6 (1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR)

With respect to data jointly controlled in connection with the employment of school cooperative members

I. Data Controllers

Customer (hereinafter: Customer) and MŰISZ (hereinafter: MŰISZ) (hereinafter together: Data Controllers).

II. Subject matter of the Balancing test

Subject matter of the Balancing test

To establish the legitimacy of joint processing by Customer and MŰISZ of the personal data of MŰISZ members (as defined under section III).

III. The purpose of data processing, Data Subject

Purpose of data processing	The purpose of personal data processing is the selection of MŰISZ members for employment by Customer, and the preparation and implementation of such employment by Customer.
Data Subject(s)	MŰISZ members (hereinafter: Member).

IV. Legitimate interest of the Data Controllers

Is the data processing necessary for the purposes of the legitimate interests pursued by the Data Controllers or third parties?	The data processing is necessary for the purposes of the legitimate interests pursued by the Data Controllers. Third parties do not have any legitimate interest in the processing.
What are the legitimate interests of the Data Controllers?	The Data Controllers’ legitimate interests include using the Member’s personal data to complete the documents necessary for Member’s selection and employment (i.e., Membership Agreement, case-by-case agreements) and using Member’s data for the purposes of registration and administration during the course of Member’s employment.
What kinds of data are processed by the Data Controllers?	The data processed by the Data Controllers include: e-mail address, family name and given names, date of birth, telephone number, sex, curriculum vitae, educational background, professional experience, areas of interest, hobbies, languages spoken, skills, agreed number of working hours per week, agreed shifts, Facebook profile, Viber contact details, Messenger contact details, unique identifier assigned by the Data Controller, permanent address, mailing address, mother’s name, nationality, dual nationality, personal identification document number, data on the student identity card, social security identifier (TAJ), tax identifier, bank account number, wage and tax data, data in the residence permit (for non-Hungarian nationals), data in the health booklet, and data in the fit-for-work document.
What are the legal grounds for data processing?	Article 6 (1)(f) of the GDPR: legitimate interest of the Data Controllers.
What is the duration of data processing?	Five (5) years from the last day of the calendar year in which a tax return, data report, or other report with respect to any tax payable by the Member has to be filed, or – in the absence of such a tax return, data report, or other report – tax is due to be paid.

V. Necessity of data processing

Is the data processing necessary for the Data Controllers?	The data processing is necessary because the Data Controllers must share with each other personal data of the Member during the course of their joint employment of the Member in legal as well as practical terms. During the course of Member’s employment with Customer, Member is in fact employed by Customer within Customer’s own work organisation; it is Customer that determines the rules pertaining to occupational safety and rest periods, including the registration thereof, as well as any and all instructions given to the Member. MŰISZ takes care of the basic conditions for employment: i.e., it is MŰISZ that makes a contract with the Member, performs the related administrative tasks, and determines and pays out the Member’s wages.
Is the data processing necessary for the Member?	The data processing is necessary because this is how the Member can get into contact with the Data Controllers and be selected for potential future employment.
Can the purpose of data processing be achieved in any other way?	It cannot, because employment of the Member can only be implemented in a certain specific legal and practical framework, where both of the Data Controllers must know the personal data in order to carry out their respective tasks.
Can the purpose of data processing as specified above be achieved with less data being processed by the Data Controllers?	It cannot. The Data Controllers capture and process only such personal data as are necessary for employment of the Member.

VI. Proportionality test

Is the Member aware of and expect the processing of their personal data by the Data Controllers?	The Member is aware of the Data Controllers processing Member’s personal data for the purposes of Member’s employment. Members disclose their data themselves, on a voluntary basis.
What is the relationship between MŰISZ and the Member?	MŰISZ takes care of the basic conditions for Member’s employment. It is MŰISZ that makes a contract with the Member, performs the related administrative tasks, and determines and pays out the Member’s wages.
What is the relationship between Customer and the Member?	During the course of their employment by Customer, Member is in fact employed by Customer within Customer’s own work organisation; it is Customer that determines the rules pertaining to occupational safety and rest periods, including the registration thereof, as well as any and all instructions given to the Member.
Does the data processing potentially infringe on the Member’s rights?	Only if the Member’s personal data are processed unlawfully; otherwise it cannot.
Does non-processing of the data do any harm to the Data Controllers?	Yes, because in the absence of data processing the Data Controllers cannot employ the Member.
Does non-processing of the data do any harm to the Member?	Yes, because in the absence of data processing the Data Controllers cannot employ the Member.
Does either the Member or the Data Controller side have a dominant position with respect to the other party?	Neither of them has a dominant position over the other fundamentally; any inequality between the two sides is a natural consequence of the employer/employee relationship.
Do the Data Controllers process any special categories of personal data?	The Data Controllers do process special categories of data.
How do the Data Controllers obtain the Member’s personal data?	Directly from the Member.
Does the Member have control over the processing of their personal data?	Yes, the Member is entitled to Data Subject rights as specified in the GDPR.

Evaluation

Based on the above, Data Controllers have arrived at the following conclusions about the aforementioned purpose of data processing:

Data Controllers process personal data that is voluntarily disclosed to them by the Member. The disclosure of personal data serves both the Data Controllers’ and the Member’s interests, as otherwise employment would be prevented.

Data Controllers must jointly process the personal data because of the legal and practical connections between their respective tasks.

Data Controllers process the personal data in pursuance of the principles of necessity, purpose limitation and data minimisation. Member is entitled to exercise their rights, bestowed on them by the GDPR, during the processing of their data.

Considering the above, the processing of personal data is in the Data Controllers’ legitimate interest because the processing of such data is necessary for the employment; for the same reason, their interests overlap with those of the Member. Member’s personal data are only used for the purposes of, and to the extent necessary for, the employment, and the Data Subject’s rights are fully observed during the course of processing. Data processing as described above only limits the Member’s rights to their personal data proportionally.

Download in PDF