Privacy statement for Public Procurement procedures
PRIVACY STATEMENT for the processing of personal data within public procurement procedures and contract management
The Agency for Support for BEREC (BEREC Office) processes the personal data of a natural person in compliance with Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (hereinafter – Regulation 2018/1725).
This privacy notice explains the BEREC Office policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights. The BEREC Office recognises that information privacy is an ongoing responsibility and will update this notice where necessary.
1. What is the purpose and legal basis for processing your personal data?
The processing of personal data is necessary to run procurement procedures and manage contracts in the context of the performance of a public interest task, namely the management, functioning and fulfilment of the mission of the BEREC Office and BEREC, i.e. purchasing of supplies and services through the selection of a contractor and the execution of the contract by the BEREC Office.
Personal data can also be processed for the purpose of control, check, audit and litigation.
Therefore, the processing is necessary for the performance of a task carried out in the public interest based on Article 5(a) of Regulation (EU) 2018/1725.
In addition, particular obligations incumbent on the BEREC Office as per Article 5(b) of the Regulation (EU) 2018/1725 are included in the Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (hereinafter the ‘Financial Regulation’), in particular, Articles 38, 57, 137, 142, 167, 198, 200.
Article 5(c) of the Regulation (EU) 2018/1725 is another basis for the processing as certain personal data is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
2. What personal data is collected and processed?
External to the BEREC Office: personal data of natural persons related to a tenderer, candidate, contractor, sub-contractor and entities on which the tenderer/candidate/contractor relies to perform the contract, and their staff.
Information processed relates to the following categories of personal data:
- Identification: name, surname, signature, nationality, place and date of birth, title, function, department and company, passport/ID number, bank account reference (IBAN and BIC codes), VAT number, IP address;
- Contact details, e.g., e-mail address, business telephone number, mobile telephone number, fax number, postal address, company name and department, country of residence, internet address;
- Information relating to exclusion criteria included in the declaration on honour, certificates for social security contributions and taxes paid, extract from judicial records, etc.;
- Information relating to selection criteria included in the declaration on honour and supporting documents, e.g. expertise, technical skills and languages, educational background, professional experience including details on current and past employment;
- System related data: European Commission Authentication Service (EU login) login name and password (only stored in EU login), security data/log files (for audit trails) processed when submitting tenders electronically via eSubmission and when submitting questions about the procurement procedures via eTendering.
In addition, in order to verify whether a tenderer/candidate is in one of the situations mentioned in Article 136 of the Financial Regulation, BEREC Office checks whether it has been registered in the Early Detection and Exclusion System (EDES) managed by the European Commission.
Internal to the BEREC Office: personal data of staff members, experts of BEREC and staff of the contractors who work with the BEREC Office for the purposes mentioned in Section 1:
- Identification data: name surname, email address, IP address;
- Organisational data: unit, team, etc.
- System related data: European Commission Authentication Service (EU login) login name and password (only stored in EU login), security data/log files (for audit trails) when managing public procurement procedures and contracts using various corporate tools and applications.
3. Who has access to your personal data and to whom is it disclosed?
For the purpose detailed above, access to your personal data is granted strictly on the “need-to-know” basis to:
Within the BEREC Office:
- Authorised staff of the BEREC Office, authorised BEREC experts and staff of the contractors working with the BEREC Office in the management of public procurement procedures and execution of contracts in all their various stages (publication, evaluation, contract execution, checks, reviews, ex-post controls, etc.)
Outside the BEREC Office:
- Staff Members of the European Commission developing, maintaining and supporting the electronic systems for the submission of tenders via eSubmission and staff members of the Publications Office of the European Union responsible for the developing, maintaining and supporting eNotices for the publication of contract notices, corrigenda and contract award notices and eTendering for the publication of procurement documents as well as questions and answers relevant to the procurement procedures.
- In case of a dispute, lawyers and agents of the parties within out of court and court cases.
- Members of the public: in case of the award of a contract by the BEREC Office, the BEREC Office has the obligation to publish the information on the outcome of the procurement procedure (except for very low value contracts i.e. contracts below EUR 15 000). The information concern name and address, the amount awarded and the subject of a contract.
4. How long are your personal data kept?
Your personal data are kept for seven years as of the year following the last payment under the awarded contract. This retention period applies to both successful and unsuccessful tenderers/candidates as well as contractors.
Where personal data are published in compliance with Article 38 of the Financial Regulation, the information shall be removed two years after the end of the financial year in which the funds were legally committed. This shall also apply to personal data referring to legal persons whose official name identifies one or more natural persons.
5. What are your rights?
You have the right to request from the controller access to and rectification or erasure of your personal data or restriction of processing.
You also have the right to object to processing of your personal data.
The controller shall provide information on action taken on a request within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
6. Who is the data controller and how to exercise your rights?
BEREC Office shall exercise the tasks of the data controller for the purpose of these processing operations.
To exercise the mentioned rights, you can contact the controller by sending an email to: [email protected].
If you consider your data protection rights have been breached, you can always lodge a complaint with the BEREC Office’s Data Protection Officer ([email protected]) or with the European Data Protection Supervisor: [email protected].