Ref. Ares(2011)87573 - 26/01/2011
Annex 5
Guidelines
1/ Global notification, responsibility of the Controller, subsequent obligations of Processors
In the framework of the implementation of Regulation N° 45/2001[1], a simplified procedure
has been made available regarding data protection when organising a procurement procedure
or a selection of experts based on Article 179a of the Financial Regulation.
A dedicated notification[2] is required by the Regulation for each manual or electronic
processing operation carried out on personal data. Consequently, each time a procurement
procedure or call for expression of interests for experts (which usually implies processing
personal data) is organised, it should be, in principle, notified to the Data Protection Officer
(DPO)[3].
To reduce this administrative burden, the General Director has agreed to be mentioned as the
responsible Data Controller[4] in a general procurement and expert selection global notification
(N° DPO-2978 V3, enclosed in Annex 4) which covers all the processing operations related to
procurement and call for expression of interest for the selection of experts while each Head of
Unit / Director and the staff in charge of the practical organisation will be considered as the
Data Processor[5] and should process personal data only in accordance with the requirements
below.
[1] Regulation (EC) N° 45/2001 of 18 December 2000 on the protection of individuals with regard to
processing of personal data by the Community institutions and bodies and on the free movement of such data
(OJ L 8 of 12/01/2001, p.1).
[2] A notification is the preliminary information that a Data Controller must necessarily submit to the Data
Protection Officer (DPO) via the questionnaire that was created by the DPO on My Intracomm and that you can
access from the home page of his site at http://www.cc.cec/dataprotectionofficer/.
[3] The Data Protection Officer ensures the application of the principles of personal data protection in the
Commission. The DPO keeps a register of all personal data processing operations in the Commission and
provides advice and makes recommendations on rights and obligations.
[4] The Data Controller means the official of Union institution or body, the Directorate-General, the unit
or any other organisational entity which alone or jointly with others determines the purposes and means of the
processing of personal data. A Controller can be a Director General, a Director, a Head of Unit or an Assistant.
The Data Controller has to:
a) define the data processing that s/he plans to do;
b) determine the purposes and the means while respecting the basic principles;
c) implement the data processing while respecting the various obligations;
d) allow the Data Subjects to exercise their rights. In this way, s/he contributes to ensure a high level of personal
data protection to the Data Subjects within his/her Institution.
The Data Controller has to inform the Data Protection Officer of any processing operation on personal data. The
Data Controller remains responsible even if the personal data are processed by a Processor.
[5] The Processor is the natural or legal person, public authority, agency or any other body, who processes
personal data on instruction, and only on instruction, of the Controller. The Processor has to provide sufficient
guarantees in respect of the technical and organisational security measures required and ensuring compliance
with those measures. Controller and Processor need to be bound by a contract or legal act for the carrying out of
the processing operations of personal data.
This procurement notification covers:
1. All public procurement procedures (whatever the amount involved);
2. Calls for expression of interest for the selection of experts under Article 179a of the
Financial Regulation.
It does not cover:
• The execution of contracts following the above mentioned procedures;
• Cases where personal data processing is covered by a special notification to the Data
Protection Officer, in particular if they are processed via an IT system, including the
Commission's accounting system;
• Cases where personal data are processed for any other purpose(s) or conditions which are
not strictly described in the general procurement and expert selection notification.
Any changes in the information provided have to be communicated in a separate notification
to the DPO.
As far as management and follow-up of IT framework contracts are concerned, notification
DPO-842 of DIGIT prevails.
In order for Acting Data Controllers to benefit from and be covered by this global
notification, they must:
• Respect the purpose and means mentioned in the global notification in Annex 1;
• Comply with the requirements of Regulation 45/2001, including those relating to
processing personal data fairly and lawfully by respecting all the commitments
declared towards the Data Protection Officer in the global notification and taken
towards the tenderers in the Privacy Statement[6] (see Annex 2);
• Ensure that tenderers, candidates and experts are given sufficient information ahead of
the procedure by referring to the Privacy Statement in the tender documents (invitation
to tender - the DG BUDG model includes a specific clause with the correct reference -)
and in the expert call for expression of interest;
• Duly fill and, where appropriate, adapt the standard clause on data protection in the
draft contract (the DG BUDG model contracts include the Data Protection clause -
see Annex 3) to their needs before the launch of the procurement procedure.
(If there is no change with respect to the models of DG BUDG, the links to the generic
Privacy Statement and Standard Clause in the Invitation to tender, are sufficient).
This global notification relieves the services from the obligation to make an individual
notification for each procedure. However, this global notification, and the responsibility[7] of
the Data Controller, will only be effective and lawful if the services comply with their
obligations under the arrangement explained in this note.
[6] The Privacy Statement is a document provided to the Data Subject before his/her data have been processed
and informing the Subject on how the data are going to be processed. The standardised Privacy Statement for
procurement and expert selection is available on:
http://ec.europa.eu/dataprotectionofficer/PrivacyStatement_Procurement.pdf
[7] Article 49 of the Regulation 1049/2001 – Sanctions: “Any failure to comply with the obligations
pursuant to this Regulation, whether intentionally or through negligence on his or her part, shall make an official
or other servant of the European Communities liable to disciplinary action, in accordance with the rules and
procedures laid down in the Staff Regulations of Officials of the European Communities or in the conditions of
employment applicable to other servants”.
2/ Curricula vitae
Due to their sensitivity as regards personal data protection, special attention should be drawn
to curricula vitae (CVs). CVs are usually included in all copies of a tender or request to
participate, or in the expression of interest from the experts.
During these procedures:
• All CVs included in the original tenders / calls for expression of interests and copies should
be kept with clear identification of the file, in a secure manner, in the Unit's working file
storage, both on paper and electronically (if applicable);
• The procedure files (including the CVs) can be accessed only by persons that manage the
procedure (including evaluation) on a need-to-know basis.
Once the procurement procedure / call for expression of interest has been finalised:
• Only the CV included in the original tender should be kept with clear identification of the
file, in a secure manner, in the DG storage or archives.
• All copies received should be destroyed except the copy that will form an integral part of
the Contract;
• CVs received by electronic mail will have to be stored on a drive specific to the
administrative entity in charge (Unit, Directorate…), in a folder displaying the reference of
the procurement procedure and these folders will be made accessible only to staff on a
"need to know" basis for the duration of the execution of the contract, or the duration of the
multi-annual programme under which the call for interest for the selection of experts was
launched. Thereafter the electronic CVs will be deleted.
3/ Further information and contact points
Additional information on data protection, including the name of the local Data Protection
Coordinator, is available on www.cc.cec/dataprotectionofficer.