Privacy statement for public procurement procedures



Privacy statement for processing of personal data within the implementation of the public procurement procedures organised by the BEREC Office

  1. What personal data do we collect?

The following personal data are obtained from tenderers/candidates and contractors:

  • Identification data e.g. name, nationality, gender, place and date of birth, title, function, department and company, passport number, ID number, bank account reference (IBAN and BIC codes);
  • Contact details e.g. e-mail address, business telephone number, mobile telephone number, fax number, postal address, country of residence, internet address;
  • Information relating to exclusion criteria e.g. declaration on honour, certificates for social security contributions and taxes paid, extract from judicial records;
  • Information relating to selection criteria e.g. expertise, technical skills and languages, educational background, professional experience including details on current and past employment.
  1. For what purpose do we collect personal data and on which legal basis?

The processing of personal data is necessary to run procurement procedures and manage corresponding contracts in the context of the performance of a public interest task, namely the management and functioning of the BEREC Office and BEREC.

Therefore, the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the BEREC Office (Article 5(a) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC).

The legal bases confirming the lawfulness of the respective data processing operations can be found in the following legal acts:

Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (‘Financial Regulation’) and in particular Article 38, 167, 198, 200.

The processing of data relating to offences and criminal convictions in the form of an extract from the judicial record or declaration of honour is justified in view of Article 11 of Regulation 2018/1725 since it is explicitly foreseen in the Financial Regulation

  1. Who may receive your personal data?

For the purpose detailed above, access to your personal data is granted to:

  • the staff of the BEREC Office in charge of procurement procedures;
  • experts from BEREC providing opinions and advice in specific cases;
  • Members of the public: in case you are awarded a contract by the BEREC Office, in accordance with Article 38 of the Financial Regulation, the BEREC Office has the obligation to publish the information on the outcome of the procurement procedure (except for very low value contracts i.e. below EUR 15. 000). The information will concern in particular your name and address, the amount awarded and the name of the project or programme for which you are awarded a contract.

In compliance with Article 57 of the Financial Regulation, candidates and tenderers are informed that, for the purposes of safeguarding the financial interests of the Union, their personal data may also be communicated to internal audit services, to the Court of Auditors or to the European Anti-Fraud Office (OLAF) and to other EU institutions and bodies.

  1. How long are your personal data kept?

Your personal data are kept seven years as of the year following the last payment under the awarded contract. This retention period applies to both successful and unsuccessful tenderers/candidates as well as contractors.

Where personal data are published in compliance with Article 38 of the Financial Regulation, the information shall be removed two years after the end of the financial year in which the funds were legally committed. This shall also apply to personal data referring to legal persons whose official name identifies one or more natural persons. 

  1. What are your rights?

You have the right to request from the controller access to and rectification or erasure of your personal data or restriction of processing.

You also have the right to object to processing of personal data.

The controller shall provide information on action taken on a request within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

  1. Who is the data controller and how to exercise your rights?

The BEREC Office shall exercise the tasks of the data controller for the purpose of these processing operations.

To exercise the mentioned rights, you can contact the controller as follows:


If you feel your data protection rights have been breached, you can always lodge a complaint with the BEREC Office’s Data Protection Officer ( or with the European Data Protection Supervisor: