- PRIVACY STATEMENT
Privacy statement for procurement procedures
What is our legal framework?
All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725.
Why do we process personal data?
Personal data are processed for the management and administration of procurement procedures.
What is the legal basis for processing your personal data?
Your personal data are processed by the ECB:
- in the performance of a task carried out in the public interest, based on Article 5(1)(a) of Regulation (EU) 2018/1725, in conjunction with Decision (EU) 2016/245, as well as any subsequent legal acts replacing or amending that Decision;
- based on a legal obligation to which the ECB is subject, as detailed in Decision (EU) 2016/245, as well as any subsequent legal acts replacing or amending that Decision;
- because they are necessary for the performance of contractual obligations between you and the ECB, as detailed in Decision (EU) 2016/245, as well as any subsequent legal acts replacing or amending that Decision.
Who is responsible for processing your personal data?
The ECB is the controller for the processing of your personal data. The Central Procurement Division or, in certain cases, the procuring Business Area is responsible for this processing. A limited number of staff of the ECB’s Internal Audit function who are involved in audits or conduct specific inquiries related to procurement procedures may further process some of your personal data in line with their mandate.
Who will be the recipients of your personal data?
The recipients of your personal data (including entities who have access to that personal data) are:
- staff members of the ECB’s Central Procurement Office and dedicated staff members of the procuring Business Area;
- dedicated ECB staff members providing opinions and advice in specific cases in relation to procurement procedures, e.g. staff from Legal Services or Budget Experts;
- dedicated ECB staff dealing with appeal procedures;
- a limited number of staff of the ECB’s Internal Audit function who are involved in audits or conduct specific inquiries related to procurement procedures;
- staff of the National Central Banks of the European System of Central Banks;
- external experts and contractors working on behalf of the ECB for the purpose of managing the procurement procedure and tender evaluation;
- Union institutions and bodies charged with monitoring or inspection tasks in the application of Union law (e.g. the European Commission, internal auditors, the European Anti-Fraud Office);
- other tenderers or candidates in the same procurement procedure executing their right to request information;
- in the event of a contract award, members of the general public. Some personal data of the winning tenderer (name, address, the amount awarded and the subject matter of the contract) will be published in supplement of the Official Journal of the European Union and/or on the ECB’s website in accordance with Articles 34 and 36 of Decision (EU) 2016/245.
What categories of personal data are collected?
The ECB processes the following personal data:
- identification data, e.g. full name, ID/passport number;
- position and function in a company;
- contact details, e.g. e-mail address, business/mobile telephone number, fax number, postal address, company and department, country of residence, internet address;
- financial data, e.g. bank account (IBAN and BIC codes) and VAT number;
- information for the evaluation of selection or eligibility criteria, e.g. expertise, technical skills, language skills, educational background, professional experience including details on current and past employment, test results, declaration of honour, certificates for social security contributions and taxes paid, extracts from judicial records and any other information required to verify compliance with Article 30 of Decision (EU) 2016/245.
Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?
Your personal data might exceptionally be processed in third countries/international organisations based on the derogations for specific situations set out in Article 50(1) EUDPR.
Your personal data will also be processed in third countries or by international organisations based on an adequacy decision of the European Commission (pursuant to Article 47 EUDPR), which can be found on the European Commission's website.
How long will the ECB keep personal data?
Your personal data will be stored for a maximum of 5 years following the completion of the procurement process before being deleted.
If administrative (e.g. appeal) or judicial proceedings are initiated, the retention period ends two years after such proceedings are concluded by a final decision, or 5 years following the completion of the procurement process, whichever is longer. This further retention of data is considered necessary for any recourse to the respective legal remedies.
Personal data of successful tenderers for contracts related to the construction/purchase of the ECB’s buildings are stored for an unlimited period in accordance with the ECB’s retention policy. Data subjects may request the deletion of their personal data from the specific procurement dossier as detailed below.
Personal data provided as an indication of interest regarding future procurement are managed directly by the interested party. In particular: (a) the data remain in the ECB’s electronic tendering system for as long as an account is in use; (b) the data can be updated and overwritten with new information by the interested party; and (c) the ECB may delete the account and related data after a period of prolonged inactivity of the account.
What are your rights?
You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to object to or to restrict the processing of your personal data in line with Regulation (EU) 2018/1725. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) of Regulation (EU) 2018/1725.
Who can you contact for queries or requests?
You can exercise your rights by contacting the ECB contact person for the specific procurement procedure. You can also directly contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu for all queries relating to your personal data.
Addressing the European Data Protection Supervisor
If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.