The draft Opinion was sent to the DPO for comments on 24 November These were received on 16 January 2012.

Similar documents
(Announcements) ADMINISTRATIVE PROCEDURES COURT OF AUDITORS VACANCY NOTICE ECA/2018/1. One (1) Director s post Audit. (AD function group, grade 14)

EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données

Call for tender for translation services for the Translation Centre Frequently asked questions (FAQs) FL/LEG17

Tallinn, Estonia. Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011, OJ L 286,

Template Vacancy Notice

DIRECTORATE-GENERAL FOR COMMUNICATION DIRECTORATE FOR MEDIA CONDITIONS FOR SUBMITTING A TENDER INVITATION TO TENDER NEGOCIATED PROCEDURE

ROSTERS OF JUNIOR AND SENIOR EXPERTS Specifications of the Call for expression of interest

Vacancy for two posts of Programme Manager (Contract Agent FG IV) in the Shift2Rail Joint Undertaking. REF.: Shift2Rail/2016/01.

(Legislative acts) DIRECTIVE 2014/55/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 April 2014 on electronic invoicing in public procurement

EDPS - European Data Protection Supervisor CEPD - Contrôleur européen de la protection des données

ARTICLE 29 DATA PROTECTION WORKING PARTY

Guidelines on the protection of personal data in IT governance and IT management of EU institutions

QUESTIONS AND ANSWERS

VACANCY NOTICE 06/04/2017 AT NOON, BARCELONA GMT+1

CALL TO EXPRESS INTEREST FOR PARTICIPATING IN THE PROCUREMENT FOR THE PROVISION OF TEAM TRAINING SERVICES PRO

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

C 227 A of the European Union

Dear Sir or Madam, Lot 1 : Export Performance. Internal Devaluation

COMMISSION OF THE EUROPEAN COMMUNITIES. Draft INTERINSTITUTIONAL AGREEMENT. on the operating framework for the European regulatory agencies

Practical Guide to Contract procedures for EC external actions

DIRECTORATE-GENERAL INTERNAL POLICIES DIRECTORATE A - Economic and Scientific Policies

ECB - T109 Construction Manager Coordination of construction works and site supervision for the New ECB Premises (D-Frankfurt-on-Main)

FRAMEWORK PARTNERSHIP AGREEMENT WITH HUMANITARIAN ORGANISATIONS

General Personal Data Protection Policy

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

Selecting Economic Operators

CALL FOR EXPRESSION OF INTEREST FOR TWO POSTS OF SECONDED NATIONAL EXPERTS (SNE) AND ESTABLISHMENT OF A RESERVE LIST

Casework Technical Support (Social Welfare - Project Management)

Guidelines on the management body of market operators and data reporting services providers

EUROPEAN SPACE AGENCY ESA EXPRESS PROCUREMENT PROCEDURE EXPRO / EXPRO+ TENDERING CONDITIONS ( EXPRO/TC ) NOTE

Brussels, 2 0 SEP, 2017

EBA/CP/2016/ December Consultation Paper. Draft Guidelines on supervision of significant branches

TENDER SPECIFICATIONS ATTACHED TO THE INVITATION TO TENDER. Invitation to tender No. GSA/OP/05/07. for the provision of support

EBA FINAL draft Regulatory Technical Standards

INSTRUCTIONS TO TENDERERS

Vacancy for a post of Data Protection Officer (Temporary Agent, AD 5) in the European Asylum Support Office (EASO) REF.

Tender Specifications. Office Cleaning Services - Ref. DELSGPS

PRE-QUALIFICATION FOR PROVISION OF TEAM BUILDING CONSULTANCY SERVICES TENDER NO. KPPF /HRA-B/1-A/22/17-18

Vacancy for a post of Procurement Officer (Temporary Agent, AD 6) in the European Asylum Support Office (EASO) REF.

Practical Guide to Contract procedures for EU external actions published on the EuropeAid web site in March 2011

Group of the European People s Party (Christian Democrats) in the European Parliament NOTICE OF RECRUITMENT N 2013/1/AD

Call for tenders FL/LEG17-03EN

EU General Data Protection Regulation (GDPR)

SINGLE RESOLUTION BOARD VACANCY NOTICE PROCUREMENT OFFICER (SRB/AD/2014/011)

Guidelines for Observers for open plenary meetings

General Optical Council. Data Protection Policy

External evaluation of the activities of the European Union Agency for Network and Information Security

OPEN CALL FOR TENDERS. Supporting Work on Security in the Electronic Communications Sector

Temporary Storage Facilities Manual

COMMISSION INTERPRETATIVE COMMUNICATION

CALL FOR AN EXPRESSION OF INTEREST FOR A SECONDED NATIONAL EXPERT

Manager, Sourcing Supply and Contracts, Grid Projects Approved By:

EUROPE OF NATIONS AND FREEDOM GROUP IN THE EUROPEAN PARLIAMENT NOTICE OF RECRUITMENT ICR

EU GENERAL DATA PROTECTION REGULATION

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a COUNCIL DECISION

SUPPLY CONTRACT NOTICE

Trethowans LLP. Recruitment Agency Preferred Supplier List (PSL) Invitation to Tender

VACANCY NOTICE CONTRACT STAFF Reference number: FRONTEX/13/CA/FGIII/28.1 Project Assistant (Maximum three years contract)

Rules governing the 2015 official traineeships scheme of the European Foundation for the Improvement of Living and Working Conditions (Eurofound)

Public Procurement Procedures

EUROPE OF NATIONS AND FREEDOM GROUP IN THE EUROPEAN PARLIAMENT NOTICE OF RECRUITMENT IRC

Vacancy for a post of Communications Assistant (Contract Agent, FG III) in the European Asylum Support Office (EASO) REF.

Vacancy notice for the post. Knowledge Management and Policy Officer to the Fuel Cells and Hydrogen Joint Undertaking (FCH JU)

EUROPEAN UNION. Brussels, 27 March 2013 (OR. en) 2011/0374 (COD) PE-CONS 80/12 CONSOM 164 MI 853 JUSTCIV 382 CODEC 3131 OC 774

Applications are invited for the above Contract Agent post at the European Centre for Disease Prevention and Control (ECDC).

POLICY EXPERT (Credit/Market Risk)

Germany-Frankfurt-on-Main: ECB - Provision of a treasury management system 2016/S Contract notice. Services

UNIVERSITY OF SUNDERLAND STANDING ORDERS TENDERING AND CONTRACT PROCEDURES

Vacancy for a post of HR Assistant (Temporary Agent, AST 3) in the European Asylum Support Office (EASO) REF.: EASO/2017/TA/029

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

ACCOUNTING ADVICE & FINANCIAL AUDITS SERVICES TENDER SPECIFICATIONS

EXECUTIVE DIRECTOR OF THE EUROPEAN CHEMICALS AGENCY (ECHA) HELSINKI

RECRUITMENT FOR POSITION OF HR OFFICER (FGIII) THE EUROPEAN AGENCY FOR SAFETY AND HEALTH AT WORK (EU-OSHA)

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

Germany-Frankfurt-on-Main: ECB - Supply of electricity 2016/S Contract notice. Supplies

Germany-Frankfurt-on-Main: ECB - Provision of translation services from Estonian, Finnish and Latvian into English 2017/S

Vacancy for a post of HR Officer (Temporary Agent, AD 5) in the European Asylum Support Office (EASO) REF.: EASO/2017/TA/030

PREQUALIFICATION OF BIDDERS FOR SUPPLY/PROVISION OF GOODS, SERVICES AND WORKS FOR 2016 FINANCIAL YEAR ENDING DECEMBER 2016 CATEGORY CHS/..

Official Journal of the European Union. (Acts whose publication is obligatory)

EBA/CP/2013/12 21 May Consultation Paper

REGISTRATION FOR SUPPLY, DELIVERY, INSTALLATION, REPAIR AND MAINTENANCE OF AIR CONDITIONERS SERVICE PROVIDERS

German Corporate Governance Code

COUNCIL OF MINISTERS DECREE NO 48/06 OF 1 SEPTEMBER

REGULATION FOR PRODUCTION CONTROL OF PERSONAL

THE SOUTH AFRICAN NATIONAL ROADS AGENCY LIMITED

SAI Global Full Service Team

Brussels, 16 August 2017

Syntel Human Resources Privacy Statement

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Privacy Policy PURPOSE SCOPE POLICY. Data Collection

DISCUSSION PAPER ON ACCESS TO SERVICE FACILITIES AND RAIL RELATED SERVICES. Article 1. Subject matter

Data Privacy Policy for Employees and Employee Candidates in the European Union

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL

The General Data Protection Regulation An Overview

Group of the European People s Party (Christian Democrats) in the European Parliament NOTICE OF RECRUITMENT N 2013/3/AST

Template Vacancy Notice

* Availability of this new posts in Frontex is subject to the final decision on amendment of the budget (establishment plan) of Frontex.

EUROPEAN AVIATION SAFETY AGENCY VACANCY NOTICE REF.: EASA/AD/2007/072. Certification Policy Officer (F/M) Temporary Agent (AD 7)

Europol Public Information VACANCY NOTICE

Tender specifications for advertising Satellite image analyses for agricultural control 2018

Transcription:

Opinion on the notification for prior checking from the Data Protection Officer of the European Centre for the Development of Vocational Training (CEDEFOP) concerning public procurement and grant award procedures Brussels, 19 January 2012 (case 2011-0542) 1. Proceedings On 22 July 2011, the European Data Protection Supervisor (EDPS) received from the Data Protection Officer (DPO) of the European Centre for the Development of Vocational Training (CEDEFOP) a notification for prior checking concerning public procurement and grant award procedures. The notification was accompanied by a privacy statement, a note from the controller to the DPO and a set of documents relating to the procurement and grant award procedures. Further to the EDPS request for clarifications, on 3 November 2011 CEDEFOP submitted a revised privacy statement and other documents relevant to the procedures under review. The draft Opinion was sent to the DPO for comments on 24 November 2011. These were received on 16 January 2012. 2. Facts CEDEFOP is organizing public procurement procedures intended to obtain the supply of goods, the execution of works or the provision of services necessary for its activities and grant award procedures intended to provide direct financial contributions to activities relating to the implementation of EU policies and objectives. The data is therefore collected and processed with the purpose to evaluate the eligibility of economic operators and other candidates (natural and legal persons) to participate in the public procurement/grant award procedures and to be awarded a procurement/grant contract in accordance with exclusion and selection criteria as defined in the Financial Regulation. The controller is CEDEFOP, represented here by the Head of Finance and Procurement Service. Data subjects are natural persons participating in the public procurement and grant award procedures: tenderers/grant candidates, representatives and staff of tenderers/grant candidates, subcontractors, consortium members, project managers and authorising officers. The following data categories may be processed within the public procurement and grant award procedures: Postal address: rue Wiertz 60 - B-1047 Brussels Offices: rue Montoyer 63 E-mail : edps@edps.europa.eu - Website: www.edps.europa.eu Tel.: 02-283 19 00 - Fax : 02-283 19 50

Public procurement procedures Data relating to tenderers (legal persons or individual economic operators): - identification and contact details (official name, official legal form, abbreviation, name and first name of individual economic operators, place of registration, date of registration, VAT registration number, address, phone number, fax number, e-mail address, identity card number, date of birth, country of birth); - proof of an independent worker status (if applicable) and extract from the trade register, bank certificate stating his/her financial situation; bank account number and bank s name; - statement of the overall turnover for the supplies and/or services referred to in the procurement procedure; - organisational chart of the tenderer and company profile; - proof of having fulfilled all obligations to pay social-security contributions and taxes; - certificate of clear criminal record or extract of judicial record (for individual economic operators); - extract from the register of bankruptcy and reorganization procedures or extract from the register of debt regulations or a certificate given by a creditor, as applicable; - documents attesting professional standing (curriculum vitae, copies of diplomas, certificates, references regarding professional activities); - list of similar services provided by the tenderer and information on three contracts considered similar in scope; - proof of security clearance (if applicable); - national insurance number for successful tenderer in case of contract amount over 125.000 Euro. Data relating to the staff members of tenderers participating in the procurement procedure: - identification and contact details (name -first name, family name-, function, e-mail address, business telephone number, mobile telephone number, fax number, postal address, company and department, country of residence, internet address); - other data contained in the CVs (expertise, technical skills, educational background, languages, professional experience including details on current and past employment); - extracts from judicial records only of the CEO and for high-value contracts (over 125.000 Euros) before the award of the contract; - declaration of honour of the CEO that they are not in one of the exclusion situations referred in Articles 93 and 94 of the Financial Regulation. Data relating to the tenderers' subcontractors and consortium members (section 4.1 Guidelines for drafting tender specifications): - identification and contact details (official name, official legal form, address, VAT registration form); - financial identification data (account name, address, city, country; bank name, branch address, account number, IBAN, name under which the account is opened and the telephone number, email address and fax number of the person concerned); - data contained in the Declaration on exclusion criteria and absence of conflict of interest; - data contained in the documents proving the economic/financial and technical/professional capacity of the subcontractor; - data contained in the Model of Letter of Intent for Subcontractors, stating unambiguous undertaking to collaborate with the tenderer if the latter wins the contract. 2

Grant award procedures Data relating to grant candidates and associated third parties (subcontractors), contained in the grant application form, payment request for pre-financing, budget estimates and subcontracting form: - identification and contact details of the applicant (name, official legal form, legal capacity, company registration number, VAT number, telephone number, mobile telephone number, fax number, postal address, e-mail address, internet address); - identification and contact details of the person responsible for the proposal (name, position/function, e-mail address, telephone number, mobile telephone number, fax number); - identification and contact details of the person authorized to sign the agreement (name, position/function, mandate, e-mail address, telephone number, mobile telephone number, fax number); - operational and financial capacity of the applicant (technical and professional capacity to complete the proposed work plan and presentation of the applicant's institution - including organigramme, list of projects, reports, publications, online databases and the like, regular contacts with other national institutions, proof of financial capacity, guarantees granted); - identification and contact details of the subcontractor (official name, official legal form, legal capacity, company registration number, main activities, official address, name and position of the persons authorized to sign the agreement and responsible for the operations). Data processed within the processing operations may be disclosed to the following recipients: - staff of Finance and Procurement Service of CEDEFOP participating in procurement/grant procedures and the legal advisor and internal translator, if requested; - members of Opening and Evaluation Committees, and external evaluators when external expertise is required, on the basis of Article 179a of the Financial Regulation; - European Court of Auditors (ECA), OLAF, Internal Audit System (IAS), Financial Irregularities Panel and other EU institutions, bodies and offices if necessary in the context of official investigations or for audit purposes; - European Commission and EU agencies in the context of the implementation of European Commission s Decision of 16 December 2008 on the Early Warning System for the use of the authorising officers of the Commission and the executive agencies (2008/969/EC); - members of the public in accordance with CEDEFOP's obligation to publish information on the outcome of public procurement and grant award procedures relating to funds deriving from the budget of the European Union (Articles 30(3), 90 and 110(2) of the Financial Regulation and CEDEFOP's financial rules). Members of Opening and Evaluation Committees are required to sign a Declaration of absence of conflict of interest and statement of confidentiality. The following statement is included: "I also confirm that I will keep all matters entrusted to me confidential. I will not communicate outside the committee any confidential information that is revealed to me or that I have discovered. I will not make any adverse use of information given to me". The following retention policy applies. Files relating to procurement procedures are to be retained in the service in charge until the procedure is finalised. Afterwards, the following retention schedule is applicable: 3

- data relating to successful tenderers is stored in the archives for a period of at most ten years following the signature of the contract (the reduction of this time to seven years is being considered). - files of unsuccessful tenderers/candidates are kept for at most five years following the signature of the respective contract. The following information to data subjects is provided in the privacy statement and the calls for tenders and proposals posted on the CEDEFOP s website: - the identity of the controller; - legal basis of the processing; - purpose of the processing; - categories of data processed; - recipients of the data processed; - retention policy; - existence of the rights of access and rectification; - existence of the right to address queries concerning the processing of personal data to the data controller or the DPO of CEDEFOP; - existence of the right to have recourse at any time to the EDPS. Data subjects are granted the rights of access and rectification. They may access their data by submitting a request to the controller to an email address mentioned in the privacy statement. Data subjects may also modify, update or delete their data at any time. However, some restrictions to the right of access and rectification are imposed before the opening procedure, when contacts between CEDEFOP and the tenderers/candidates are not allowed (without prejudice to the exception of making clarifications or correction of administrative errors). Data is provided by submission of a tender or an application and is processed both automatically and manually. As regards security measures, (...) 3. Legal aspects 3.1. Prior checking The processing of personal data related to procurement and grant award procedures falls within the scope of Regulation (EC) 45/2001 ("the Regulation"). It is subject to prior checking by the EDPS pursuant to its Article 27(2)(a) and (b) since it clearly relates to the evaluation and ranking of information relating to the legal, financial, economic, technical and professional capacity of tenderers/applicants with a view to select the tenders/proposals in accordance with the exclusion and selection criteria as defined in the Financial Regulation and further specified in the respective calls for tenders/applications. It also possibly involves processing of data relating to (suspected) offences and criminal convictions in the form of extracts from judicial records. Since prior checking is designed to address situations that are likely to present certain risks, the Opinion of the EDPS should be given prior to the start of the processing operation. In this case, the EDPS regrets that the processing operations have already been established prior his prior-checking Opinion. However, the EDPS underlines that all his recommendations given in the present Opinion should be duly implemented and the processing operations adjusted accordingly. 4

The notification of the DPO was received on 22 July 2011. According to Article 27(4) of the Regulation, the EDPS Opinion must be delivered within a period of two months. The procedure at hand was suspended for 52 days to allow for providing additional information and clarifications requested by the EDPS and comments on the draft Opinion. Taking into account also that the deadline for ex post prior checking notifications was suspended in the month of August, the present Opinion must be delivered no later than 24 January 2012. 3.2. Lawfulness of the processing The legal basis of the processing of personal data within procurement and grant award procedures at CEDEFOP can be found in Articles 93 and 94 of the Financial Regulation and Articles 134, 136 and 137 of its implementing rules 1. The privacy statement clarifies further that CEDEFOP is organizing and managing the respective calls for tenders/applications in accordance with its founding regulation 2 and the decisions of the Governing board on the financial rules applicable to CEDEFOP 3 and their implementing provisions. CEDEFOP adopted also internal rules concerning the organization of procurement procedures 4 and some specific aspects such as retention 5, language regime 6 and others. As already mentioned, CEDEFOP is organizing public procurement procedures (intended to obtain the supply of goods, the execution of works or the provision of services necessary for its activities) and grant award procedures (intended to provide direct financial contribution from CEDEFOP's budget and finance an action related to its mandate and to the objectives of European Union policies). Therefore, processing of respective personal data within procurement/grant award procedures at CEDEFOP can be considered as necessary for the performance of tasks carried out in the public interest on the basis of the above mentioned legal acts. Therefore, processing of 1 Council Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 on the Financial Regulation applicable to the general budget of the European Communities (OJ L 248/1 of 16.9.2002) and the subsequent regulations and corrigenda amending and correcting that regulation; Commission Regulation (EC, Euratom) No 2342/2002 of 23 December 2002 laying down detailed rules for the implementation of Council Regulation (EC, Euratom) No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities (OJ L 357/1 of 31.12.2002) and the subsequent regulations and corrigendum amending and correcting that regulation. 2 Regulation (EEC) No 337/75 of the Council of 10 February 1975 establishing a European Centre for the Development of Vocational Training, as last amended by Council Regulation (EC) No 2051/2004 of 25 October 2004, posted on CEDEFOP's website at: http://www.cedefop.europa.eu/en/about-cedefop/governance/cedefopfounding-regulation.aspx. 3 Decision of the Governing Board of 5 June 2009 on the financial rules applicable to the European Centre for the Development of Vocational Training in conformity with the Commission Regulation no 2343/2002 on the framework financial regulation for the bodies referred to in article 185 of Council Regulation No 1605/2002 on the Financial Regulation applicable to the general budget of the European Communities, as amended by Commission Regulation No 652/2008 of 9 July 2008, posted on CEDEFOP's website at: http://www.cedefop.europa.eu/en/about-cedefop/governance/financial-rules.aspx. Decision of the Governing Board of 17 December 2010 laying down detailed rules for the implementation of the Financial Rules applicable to CEDEFOP, posted on CEDEFOP's website at: http://www.cedefop.europa.eu/en/about-cedefop/governance/financial-rules.aspx 4 Decision DIR/2011 on the application of procurement procedures and thresholds at CEDEFOP, adopted by the CEDEFOP's Director on 17.02.1011. 5 Records Classification Plan and Retention Schedule, adopted on 13 October 2011. 6 Note relating to the language regime of tender procedures, adopted on 2 September 2008. 5

personal data in the case at hand seems to be lawful within the meaning of Article 5(a) of the Regulation (read together with its recital 27). 3.3. Processing of special categories of data Processing of personal data contained in the above mentioned declarations of honour and extracts from judicial records or other certificates to this respect 7 is explicitly authorised in Article 93(1) of the Financial Regulation. Thus, the condition for processing of data relating to (suspected) offences and criminal convictions set out in Article 10(5) of the Regulation is met. 3.4. Data quality Pursuant to Article 4(1)(a), (c) and (d) of the Regulation, personal data must be processed fairly and lawfully, be adequate, relevant and not excessive in relation to the purpose for which they are collected or further processed, as well as accurate and kept up to date. In the case at hand the collection of personal data listed above seems in principle to be relevant to the purpose of evaluating the eligibility of economic operators and other candidates to participate in the public procurement/grant award procedures and to be awarded a procurement/grant contract in accordance with the criteria set out in the Financial Regulation. However, taking into account the extensive amount of personal data collected, the EDPS recommends CEDEFOP to make a case by case assessment of each call for tenders/ applications in the light of Article 4(1)(a), (c) and (d) of the Regulation and to procedurally ensure that only data that are strictly necessary and not excessive to the purpose of the specific processing operation are collected and further processed. Data are provided by the respective data subjects; hence the procedure itself helps to guarantee accuracy of data being processed. The rights of access and rectification contribute further to ensure that the data processed are accurate and up to date (cf. section 3.7. below). The EDPS takes note that the tender/grant documentation provides information on the categories of data requested for the purpose of the processing operation. However, it cannot be excluded that despite this guidance provided, applicants may submit via their CVs and other supporting documents, information which might not be necessary or excessive for the purpose pursued by the respective procedure. Provided that the controller does not process data that are irrelevant and excessive to what is requested and necessary for the processing operations at hand, compliance with the principles relating to data quality as stipulated by Article 4 (1)(c) of the Regulation can be ensured. Therefore, the EDPS invites CEDEFOP to procedurally ensure that unnecessary and excessive information submitted by tenderers/candidates is not treated (e.g. by providing instructions to its staff participating in the processing operations). In respect of the above considerations additional information has been provided by CEDEFOP following EDPS request for comments on the draft Opinion. The EDPS takes note with satisfaction that CEDEFOP is in a process of reviewing its internal guidelines on drafting tender specifications and opening and evaluation procedures. CEDEFOP envisages to limit the number and scope of documents requested from tenderers/grant applicants to the minimum necessary for proper evaluation, and to reserve the request for additional documentation (already announced in the call for tenders or proposals) for the stage between conclusion of the evaluation process and contract award, thus making only the successful tenderer/applicant the addressee of such request. The EDPS welcomes the willingness of 7 As mentioned in Article 134(3) of the Implementing Rules to the Financial Regulation. 6

CEDEFOP to comply with EDPS recommendations stated in the present Opinion and looks forward to receiving the new guidelines as a follow up measure. 3.5. Data retention According to Article 4(1)(e) of the Regulation, personal data may be kept in a form enabling identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. The EDPS welcomes the announced intention to reduce the maximum storage time for successful tenders to seven years since this retention period does not exceed the maximum period of time for which personal data are necessary for control and audit purposes in line with Article 49(1)(d) and (2) of the Implementing Rules to the Financial Regulation In any case, the EDPS would like to point out that according to Article 49(3) of the Implementing Rules as modified by the Commission Regulation 478/2007 of 23 April 2007 "personal data contained in supporting documents relating to the budget implementation measures shall be deleted where possible when those data are not necessary for budgetary discharge, control and audit purposes". As regard the retention period for unsuccessful candidates, the EDPS invites CEDEFOP to reconsider the need to keep their data for a period longer than it is necessary to exhaust available legal remedies. 3.6. Transfer of data. Processing of data on behalf of the controller The internal and inter-institutional data transfers mentioned above are subject to Article 7 of the Regulation. They should be necessary for the legitimate performance of tasks covered by the competence of the particular recipient who can process the data only for the purposes for which they were transmitted. In the present case, the transfers of personal data to the CEDEFOP staff participating in the procurement/grant procedures are in principle considered as necessary for their administration and management. Similarly, the transfers to the EU institutions and bodies tasked with control and monitoring of the application of Union law (e.g. respective services of the European Commission, including Internal Audit Service, OLAF, Internal Financial Irregularities Panel, EU Courts etc.) are considered necessary in the context of their specific competences. As regards the possible transfer of certain categories of personal data to the Early Warning System (EWS), it is aimed at preserving the Union's financial interests and ensuring the sound financial management of its general budget and is performed on the basis of respective legal acts 8. The EWS has already been prior checked by the EDPS. 9 The EDPS takes note that the members of the Opening and Evaluation Committees sign a declaration of absence of conflict of interest and statement of confidentiality before starting their work. Provided that CEDEFOP procedurally ensures that all other intra- and interinstitutional data recipients are reminded of the purpose limitation of the transfer in question and the obligation of confidentiality (e.g. by providing instructions to its staff participating in the processing operations), compliance with Articles 7 (1) and (3) and 21 of the Regulation will to be also ensured. 8 EC Decision 2008/969 of 16.12.2008 on the Early Warning System. EC Regulation 2008/1302 of 17.12.2008 on the Central Exclusion Database. 9 Opinion on a notification for prior checking received from the Data Protection Officer of the European Commission on the Early Warning System (EDPS case 2005-0120). 7

Further, the notification for prior checking specifies that external experts may participate in the evaluation of tenders when external expertise is required in accordance to Article 179a of the Financial Regulation. Consequently, data are transferred to recipients subject to national law adopted pursuant to Directive 95/46/EC. Such a transfer will be covered by Article 8 (a) of the Regulation which provides that data may be transferred "if the recipient establishes that the data are necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority". In this case external experts process data on behalf of CEDEFOP in connection with tasks described above which are carried out in the public interest. Given that the data are not requested by the recipient but rather are transferred on the basis of a decision by the controller, it is for the latter to establish the "necessity" of the transfer. The EDPS notes that the "necessity" of the processing for the purposes of performing the CEDEFOP`s tasks was established in section 3.2. The EDPS notes also that external experts are legally bound to process personal data only on instructions from the controller and to respect the obligation of confidentiality by signing a Declaration of absence of conflict of interest and statement of confidentiality. Thus, compliance with the requirements of Article 23 of the Regulation seems to be ensured. 3.7. Rights of access and rectification Article 13 of the Regulation provides for a right of access and sets out the modalities of its application following the request of the data subject concerned. Article 14 of the Regulation provides that "the data subject shall have a right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data". In the case at hand, data subjects are granted rights of access and rectification upon a request to the controller. The right to rectify however is subject to certain limitations before the opening procedure during which contacts between CEDEFOP and the tenderers/candidates are not allowed (without prejudice to the exception of making clarifications or correcting administrative errors). The EDPS considers that this limitation of the rectification right could be considered as justified in light of Article 148(3) of the Financial Regulation aiming to ensure transparency and equality of treatment; hence it is in compliance with Article 20(1) (b) and (c) of the Regulation. 3.8. Information to the persons concerned Articles 11 and 12 of the Regulation provide that the data subjects must be informed of the processing of data relating to them and list a range of general and additional items which apply insofar as they are necessary to guarantee fair processing in respect of the data subject having regard to the specific circumstances of the processing operation. The EDPS notes that the privacy statement contains necessary information to be supplied to data subjects as prescribed by the Regulation. In addition, information related to different aspects of the data processing operations is provided in the calls for tenders/proposals and respective documentation attached to them. Thus, the data processing under review seems to guarantee the right to information in the light of Articles 11 and 12 of the Regulation. 3.10. Security measures On the basis of the information available, the EDPS has no reason to believe that the measures implemented by CEDEFOP are not adequate in light of Article 22 of the Regulation. 8

4. Conclusion The processing under review does not appear to involve any infringement of the provisions of Regulation (EC) No 45/2001 provided that the comments made above are taken into account. This means, in particular, that: - the retention periods for storage of personal data contained in files relating to procurement/grant award procedures should be reduced in line with section 3.5 of the present Opinion; - intra- and inter- institutional data recipients should be reminded of the purpose limitation of the transfer in question and the obligation of confidentiality; - the controller should procedurally ensure that only data that are strictly necessary and not excessive to the purpose of the specific processing operation are collected and further processed. Done at Brussels, on 19 January 2012 (signed) Giovanni BUTTARELLI Assistant European Data Protection Supervisor 9

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback