Privacy statement for public procurement procedures
Privacy statement for processing of personal data within the implementation of the public procurement procedures organised by the BEREC Office
The processing of personal data by the BEREC Office for the purpose of implementing procurement procedures is subject to Regulation (EC) No. 45/2001 ('the Regulation'). In accordance with Article 11 of the Regulation, the BEREC Office supplies the following information:
The Management Committee of the BEREC Office and the Administrative Manager are the controllers of those processing operations. The controller in practice is the Head of Administration & Finance for procurement procedures launched under Titles 1 & 2. For those procedures launched under Title 3, the person in charge of the processing operation is the Head of the Operational Unit. The two Heads of Unit may sub delegate the role of controller in practice to the relevant project manager of each procurement procedure. As such, project managers act as processors of personal data.
Description of processing operations and recipients
The BEREC Office organizes and launches procurement procedures through calls for tender. The largest part of tendering procedures has been either low value negotiated procedures or open tendering procedures. BEREC Office may decide to launch restricted procedures, if needed. Those calls involve evaluation of submitted offers which are sent by bidders according to a set of criteria. Those criteria, in particular selection and exclusion criteria are imposed by the Financial Regulations (FR) in order to ensure the optimal use of EU financial funds. The BEREC Office is subject to the respect of the Financial Regulation, as an instrument of primary Law, through the existence of the MC Decision 10(44), namely article 74, the BEREC Office undertakes to apply the rules of the FR-RAP (Financial Regulations and its Rules of Application) with regard to procurement procedures.
In principle, the BEREC Office collects the needed data on the last day for the submission of the offers. Exceptionally, those data are collected at a later stage if any document is missing.
Categories of personal data
The following categories of personal data are collected from the data subject and processed:
· VAT number
· Contact details
· Work experience
· Academic background
· Language and technical skills
· Date of birth
· Reference number of Passport or ID card
Recipients of personal data
Internally, at the BEREC Office, the Procurement and Legal Officer, the project manager of each tendering procedure, the members of the selection & evaluation panel(s), the DPO if needed, the AO(S)BD have access to those data. Externally, the Court of Auditors, IAS, OLAF, EDPS, European Courts and local Latvian courts (for the cases of litigation about the contracts implementation) may have access to those data.
Exercise of data subject rights
You have the right to access, update or correct your personal data and have them rectified. The right of rectification is obviously limited to the factual data for reasons of transparency and equal treatment. Any such requests will be dealt with within 30 working days. The exercise of this right is guaranteed through the possibility to reach either the Controller in practice or the Data Protection Officer. In each Invitation to tender, in all signed contracts, there is a chapter or a clause with reference to the e-mail address of the “controller in practice” (firstname.lastname@example.org) and the e-mail address of the DPO (email@example.com). However, those rights may be restricted in case it is necessary to safeguard an important economic interest of the EU, including budgetary matters and the right of freedom of others. In this latter case, the data subject will be duly informed of the main reasons for restrictions and of his right to recur to the EDPS.
Legal basis and lawfulness of the processing operations
The processing is lawful under Article 5(a) of regulation 45/2001: the data subject has unambiguously given his or her consent.
In the MC Decision 10(44), namely article 74, the BEREC Office undertakes to apply the rules of the FR-RAP with regard to procurement procedures. The Administrative Manager, who is acting as Data Controller on behalf of the BEREC Office, ensures the implementation of those principles through Internal Administrative Instructions (IAI). The IAI is prior checked by the EDPS.
Your data will be stored at the BEREC Office for maximum seven years in case of data of the successful bidder and for five years in case of data of the unsuccessful tenderers. This retention period is needed for auditing purposes and for the case of appeals and litigation.
Regardless of whether the bidder is successful or not, the extracts from the judicial records will be kept by the BEREC Office for up to two years as of the day of the award decision.
Your data will not be kept from the BEREC Office after the end of the above mentioned retention periods.
Information to data subjects
The permanent publication of this privacy statement on BEREC Office website shall be deemed as information to the data subjects about their rights. This privacy statement, as of the day of its approval by the Administrative Manager, will have to be included also in all invitations to tender launched by the BEREC Office.
Transfer of data
The data subject shall give his own consent that his personal data may be transferred to external recipient. The publication of the name of the awarded data subject in the OJ is imposed by the FR (Contract Award Notice to be executed within 48 days as of the day of the signature of the contract or as of the day of the award decision).
Rights to recourse
You have the right to have recourse to the BEREC Office Data Protection Officer (firstname.lastname@example.org) if you consider that your rights under the Regulation have been infringed as a result of the processing of your personal data, and, to the EDPS at: https://secure.edps.europa.eu/EDPSWEB/edps/lang/en/EDPS