
EDA-DPR-020 - Procurement, Grant and Contracting Activities

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 02-09-2022
2. Reference number EDA-DPR-020
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
Belgium
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

dataprotection@eda.europa.eu

5. Name and contact details of joint controller (where applicable)

Directorate General DIGIT, European Commission provides the online platforms used by EDA for its procurement, grants and contracting activities:

  • e-Submission platform for the electronic submission of tenders (in response to open calls);
  • Funding & tender opportunities portal through which grants or calls for experts are handled.

EDA makes use of the abovementioned platforms on the basis of a SLA signed with the Commission.

6. Name and contact details of processor (where applicable)
N/A     
7. Purpose of the processing
Personal data relating to individuals is collected in view of assessing the tenderers' professional capacity (minimum capacity level relating to the team delivering the service). Upon receipt by EDA of an expression of interest, tender, application or proposal, personal data is collected and further processed for the purpose of the management and administration of the procurement and grant processes, contract award & management and ad-hoc activities.
8. Description of categories of persons whose data EDA processes and list of data categories

Personal data of individuals submitted as part of the above activities. Personal data collected and further processed concern the applicant or tenderer and its staff and subcontractors (natural persons). Information can relate to the following data:

  • names, functions and contact details;
  • certificates of social security contributions and taxes paid;
  • extracts from judicial records;
  • financial information including identification data, bank account details (IBAN and BIC codes);
  • information for the evaluation of eligibility and selection criteria: technical skills, educational background, professional experience;
  • appraisal data on tenders/applications in evaluation reports, which may include observations on the individuals, consultations and/or experts proposed.
9. Time limit for keeping the data
  • Extracts from judicial records in electronic format are kept for a period of two years after the signature of the respective contract;
  • Tenders, applications and proposals not selected in the context of procurement/grant activities are kept for five years after the budget discharge;
  • Procurement contracts, including personal data contained therein, are kept for five years after the budget discharge.

Personal data contained in EDA "ad hoc" contracts (concluded for the purposes of projects or programmes in accordance with Articles 19 and 20), including personal data contained therein, are kept for an unlimited period under the exception referred to in Article 25(a) of Regulation 2018/1725. Data subjects may request the deletion of their personal data in a specific contract. This request will be addressed in accordance with point 19.

For historical data purposes and in order to enable EDA to capitalize on past activities and lessons learned, technical specifications are kept indefinitely. Contracts awarded as a result of procurement activities are equally kept, along with the results of such contracts (the studies in general). Contracts are composed of annexes (mainly Annex I - technical specifications and Annex II - the tender). The tender may contain some personal data, but such data are scarce as solely the technical tender/proposal is kept.

Ad hoc defence contracts are kept for an unlimited period (under exemption of Article 25(a) of Regulation 2018/1725). Data subjects may request the deletion of their personal data in a specific contract.

10. Recipients of the data

For the above-mentioned purpose of processing, access to personal data is granted on a need-to-know basis. Recipients of personal data shall process it exclusively for the purposes for which they were transmitted. The following recipients of personal data have been identified:

  • The Responsible Authorising Officer;
  • The Director/Head of Unit with managerial responsibilities in the procedure at stake;
  • Members of the opening and evaluation committees. Such committees are composed of EDA staff, but might occasionally require the participation of external experts from EDA participating Member States (pMS) or other relevant EU institutions or (international) organisations or independent experts which are appointed and contracted ‘ad personam’ in the frame of grant activities. The transmission of personal data to such external experts shall be assessed on a case-by-case basis as per the requirements of Article 9 (external experts from EU origin) and the provisions under Chapter V (external experts from outside the EU) of Regulation 2018/1725;
  • Accounting Officer, Finance Unit staff and other staff involved in the purchase life cycle;
  • EDA Legal Advisor;
  • Monitoring, auditing and inspecting authorities, such as the Internal Auditor, the College of Auditors, the EU Ombudsman and the EDPS;
  • In case of dispute, the European Court of Justice or the mediation, conciliation or arbitration entity appointed by the parties.

Basic information on the outcome of the procedure (e.g. financial year, contractor name, address, contract name, value) is also made available to EDA pMS and published as appropriate in the Official Journal of the European Union and on the EDA website.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
The opening and evaluation committees are composed of EDA staff, but might occasionally require the participation of external experts from EDA participating Member States (pMS) or other relevant EU institutions or (international) organisations. The transmission of personal data to such external experts shall be assessed on a case-by-case basis as per the provisions under Chapter V (external experts from outside the EU) of Regulation 2018/1725.
12. General description of security measures, where possible.

If applicable, the collected personal data and all related information are stored on the designated premises and servers in line with the security provisions laid down in the Council Decision 2013/488/EU of 23rd September 2013 on the security rules for protecting EU classified information. Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing. For the personal data that are processed by automated means, measures have been taken with the aim of:

(a) preventing any unauthorized person from gaining access to computer systems processing personal data (Salto locks, passwords);

(b) preventing any unauthorized reading, copying, alteration or removal of storage media (access limited to procurement files);

(c) preventing any unauthorized memory inputs as well as any unauthorized disclosure, alteration or erasure of stored personal data;

(d) preventing unauthorized persons from using data-processing systems by means of data transmission facilities;

(e) ensuring that authorized users of a data-processing system can access no personal data other than those to which their access right refers;

(f) recording which personal data have been communicated, at what times and to whom;

(g) ensuring that it will subsequently be possible to check which personal data have been processed, at what times and by whom;

(i) ensuring that, during communication of personal data and during transport of storage media, the data cannot be read, copied or erased without authorization;

(j) designing the organizational structure within EDA in such a way that it meets the special requirements of data protection.

13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here. You can also view the EC privacy statement here.