This is an HTML version of an attachment to the Freedom of Information request 'FP6 & FP7 Programmes, Personal Data Protection - Compliance with Regulation 45/2001, Commission Policy'.


Ref. Ares(2011)87573 - 26/01/2011
 
Annex 5 
 
Guidelines 
 
 
1/ Global notification, responsibility of the Controller, subsequent obligations of 
Processors 

In the framework of the implementation of Regulation N° 45/20011, a simplified procedure 
has been made available regarding data protection when organising a procurement procedure 
or a selection of experts based on Article 179a of the Financial Regulation.  
A dedicated notification2 is required by the Regulation for each manual or electronic 
processing operation carried out on personal data. Consequently, each time a procurement 
procedure or call for expression of interests for experts (which usually implies processing 
personal data)
 is organised, it should be, in principle, notified to the Data Protection Officer 
(DPO)3. 
To reduce this administrative burden, the General Director has agreed to be mentioned as the 
responsible Data Controller4 in a general procurement and expert selection global notification  
(N° DPO-2978 V3, enclosed in Annex 4) which covers all the processing operations related to 
procurement and call for expression of interest for the selection of experts while each Head of 
Unit / Director and the staff in charge of the practical organisation will be considered as the 
Data Processor5 and should process personal data only in accordance with the requirements 
below.  
                                                 
1  
Regulation (EC) N° 45/2001 of 18 December 2000 on the protection of individuals with regard to  
processing of personal data by the Community institutions and bodies and on the free movement of such data  
(OJ L 8 of 12/01/2001, p.1). 
2  
notification is the preliminary information that a Data Controller must necessarily submit to the Data 
Protection Officer (DPO) via the questionnaire that was created by the DPO on My Intracomm and that you can 
access from the home page of his site at http://www.cc.cec/dataprotectionofficer/. 
3  
The Data Protection Officer ensures the application of the principles of personal data protection in the 
Commission. The DPO keeps a register of all personal data processing operations in the Commission and 
provides advice and makes recommendations on rights and obligations.  
4  
The Data Controller means the official of Union institution or body, the Directorate-General, the unit 
or any other organisational entity which alone or jointly with others determines the purposes and means of the 
processing of personal data. A Controller can be a Director General, a Director, a Head of Unit or an Assistant. 
The Data Controller has to: 
 
a) define the data processing that s/he plans to do; 
 
b) determine the purposes and the means while respecting the basic principles;   
c) implement the data processing while respecting the various obligations; 
 
d) allow the Data Subjects to exercise their rights. In this way, s/he contributes to ensure a high level of personal 
data protection to the Data Subjects within his/her Institution.   
The Data Controller has to inform the Data Protection Officer of any processing operation on personal data. The 
Data Controller remains responsible even if the personal data are processed by a Processor. 
5  
The Processor is the natural or legal person, public authority, agency or any other body, who processes 
personal data on instruction, and only on instruction, of the Controller. The Processor has to provide sufficient 
guarantees in respect of the technical and organisational security measures required and ensuring compliance 

This procurement notification covers:  
1.  All public procurement procedures (whatever the amount involved) ; 
2.  Calls for expression of interest for the selection of experts under Article 179a of the 
Financial Regulation. 
It does not cover:  
•  The execution of contracts following the above mentioned procedures;  
•  Cases where personal data processing is covered by a special notification to the Data 
Protection Officer, in particular if they are processed via an IT system, including the 
Commission's accounting system;  
•  Cases where personal data are processed for any other purpose(s) or conditions which are 
not strictly described in the general procurement and expert selection notification.  
Any changes in the information provided have to be communicated in a separate notification 
to the DPO. 
As far as management and follow-up of IT framework contracts are concerned, notification 
DPO-842 of DIGIT prevails. 
In order for Acting Data Controllers to benefit from and be covered by this global 
notification, they must: 
•  Respect the purpose and means mentioned in the global notification in Annex 1 
•  Comply with the requirements of Regulation 45/2001, including those relating to 
processing personal data fairly and lawfully by respecting all the commitments 
declared towards the Data Protection Officer in the global notification and taken 
towards the tenderers in the Privacy Statement6 (see Annex 2) 
•  Ensure that tenderers, candidates and experts are given sufficient information ahead of 
the procedure by referring to the Privacy Statement in the tender documents (invitation 
to tender - the DG BUDG model includes a specific clause with the correct reference-)
 
and in the expert call for expression of interest; 
•  Duly fill and, where appropriate, adapt the standard clause on data protection in the 
draft contract (the DG BUDG model contracts include the Data Protection clause - 
see  Annex 3)
 to their needs before the launch of the procurement procedure. 
(If there is no change with respect to the models of DG BUDG, the links to the generic 
Privacy Statement and Standard Clause in the Invitation to tender, are sufficient).
 
This global notification relieves the services from the obligation to make an individual 
notification for each procedure. However, this global notification, and the responsibility7 of 
                                                                                                                                                         
with those measures. Controller and Processor need to be bound by a contract or legal act for the carrying out of 
the processing operations of personal data. 
6 The Privacy Statement is a document provided to the Data Subject before his/her data have been processed 
and informing the Subject on how the data are going to be processed. The standardised Privacy Statement for 
procurement and expert selection is available on:  
 
http://ec.europa.eu/dataprotectionofficer/PrivacyStatement_Procurement.pdf 
7  
Article 49 of the Regulation 1049/2001 – Sanctions: “Any failure to comply with the obligations 
pursuant to this Regulation, whether intentionally or through negligence on his or her part, shall make an official 
or other servant of the European Communities liable to disciplinary action, in accordance with the rules and 
procedures laid down in the Staff Regulations of Officials of the European Communities or in the conditions of 
employment applicable to other servants”. 

the Data Controller, will only be effective and lawful if the services comply with their 
obligations under the arrangement explained in this note.  
2/ Curricula vitae 
Due to their sensitivity as regards personal data protection, special attention should be drawn 
to curricula vitae (CVs). CVs are usually included in all copies of a tender or request to 
participate, or in the expression of interest from the experts.  
During these procedures: 
•  All CV included in the original tenders / calls for expression of interests and copies should 
be kept with clear identification of the file, in a secure manner, in the Unit's working file 
storage, both on paper and electronically (if applicable).; 
•  The procedure files (including the CVs) can be accessed only by persons that manage the 
procedure (including evaluation) on a need-to-know basis. 
Once the procurement procedure / call for expression of interest has been finalised: 
•  Only the CV included in the original tender should be kept with clear identification of the 
file, in a secure manner, in the DG storage or archives.  
•  All copies received should be destroyed except the copy that will form an integral part of 
the Contract; 
•  CVs received by electronic mail will have to be stored on a drive specific to the 
administrative entity in charge (Unit, Directorate…), in a folder displaying the reference of 
the procurement procedure and these folders will be made accessible only to staff on a 
"need to know" basis for the duration of the execution of the contract, or the duration of the 
multi-annual programme under which the call for interest for the selection of experts was 
launched. Thereafter the electronic CVs will be deleted.  
3/ Further information and contact points 
Additional information on data protection, including the name of the local Data Protection 
Coordinator, is available on www.cc.cec/dataprotectionofficer.