In accordance with Regulation (EU) 2018/1725 of 23 October 2018 on data protection (hereinafter the Regulation), the European Climate, Infrastructure and Environment Executive Agency (hereafter CINEA) collects your personal data only to the extent necessary to fulfil the precise purpose related to its tasks.
1. The controller is CINEA:
- The Operational Unit responsible for launching the call for tender and signing the contract
- Person responsible for the processing: the Head of Operational Unit
- Email: email address indicated in the relevant documents of the underlying procurement procedure.
2. The purpose of the processing is the evaluation of tenders and the management and administration of contracts between the Agency and the economic operator(s) in the context of its administrative and operational budgets, including related communication.
The data is collected and processed with the purpose:
- to evaluate the eligibility of economic operators to participate in the procurement procedure in accordance with exclusion and selection criteria as defined in articles 136 to 143 of the Financial Regulation 20181 (hereafter the Financial Regulation), including checking economic operators’ representatives criminal records;
- to evaluate the content of tenders submitted during the procurement procedure with the view to award a contract, in accordance with award criteria as defined in article 167 of the Financial Regulation and in the tender specifications;
- to manage and monitor the execution of the awarded contracts.
3. The data subjects concerned by this notice are the natural persons representing economic operators submitting tenders to or signing contracts with the Agency (authorised/legal representatives and contact persons).
4. The categories of personal data collected and used for the processing operations are:
For economic operators:
- Name, surname, passport number, ID number
- Contact details (e-mail address, business telephone number, mobile telephone number, fax number, postal address, company and department, country of residence, internet address)
- Financial data: bank account reference (IBAN and BIC codes), VAT number
- Data related to the legal existence and representatives: company registration details, legal representative data
- CV of staff employed by economic operators and involved in the implementation of the contract
- Documentary evidence of exclusion criteria as mentioned in Article 137 of the Financial Regulation, such as:
- Certificates for social security contributions and taxes paid, extract from judicial records;
- Declaration on honour that the economic operator is not in one of the exclusion situation referred to in Article 136 and 141 of the Financial Regulation 2018.
- Information for the evaluation of selection criteria: expertise, technical skills and languages, educational background, professional experience including details on current and past employments.
In case personal data have not been obtained from the data subject: evidence that the economic operator is not in a situation of exclusion can be accessed by the Contracting authority on a national database free of charge, in which case the economic operator shall provide the Contracting authority with the internet address of the database and, if needed, the necessary identification data to retrieve the document.
5. The recipients of the data are:
All recipients are on a "need to know" basis:
- Staff members of the Operational and/or Administrative Units in the Agency - and if applicable other EU Institutions, bodies and agencies - in charge of the call for tenders, procurement , financial and legal matters as specified in the relevant data protection notice;
- Members of the Evaluation Committee appointed from the Agency or other EU Institutions, bodies and agencies;
- External experts participating in evaluation of tenders in the CINEA's procurement procedures (if applicable);
- Contractors staff working as processors on behalf of the Agency or the EU Institutions in various stages of the procurement procedures (publication, evaluation, contract execution, checks, reviews, ex-post controls);
- Contractors staff entitled to collect data or to run satisfactions surveys to assess the performance of the Agency or if applicable other EU Institutions, bodies and agencies;
- In addition, data may be disclosed to public authorities, which are not regarded as recipient but may receive personal data in the frame of a particular inquiry in accordance with Union and Member State law, namely:
- The European Court of Justice or a national judge as well as the lawyers and the agents of the parties in case of a legal procedure;
- The competent Appointing Authority in case of a request or a complaint lodged under Articles 90 of the Staff Regulations;
- IDOC in line with Commission Decision of 12 June 2019 laying down general implementing provisions on the conduct of administrative inquiries and disciplinary proceedings - C(2019)4231
- OLAF in case of an investigation conducted in application of Regulation (EC) No 1073/1999
- The Internal Audit Service of the Commission within the scope of the tasks entrusted by article 118 of the Financial Regulation and by article 49 of the Regulation (EC) No 1653/2004
- The Court of Auditors within the tasks entrusted to it by Article 287 of the Treaty on the Functioning of the European Union of the EC Treaty and Article 20, paragraph 5 of Regulation (EC) No 58/2003
- The European Ombudsman within the scope of the tasks entrusted to it by Article 228 of the Treaty on the Functioning of the European Union
- The European Data Protection supervisor in accordance with Article 58 of the Regulation (EC) 2018/1725
- The European Public Prosecutor’s Office within the scope of Article 4 of Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office
- Members of the public: in case you are awarded a contract by the Agency, part of your personal data may be made public, in accordance with the Agency's obligation to publish information on the outcome of the procurement procedure and on the beneficiaries of funds deriving from the Union’s budget (Articles 38(2), 163 and 189(2) of the Financial Regulation 2018). The personal data concerned by this obligation are your name and address, the amount awarded and the name of the project or programme for which you are awarded a contract. It will be published in supplement S of the Official Journal of the European Union and/or on the website of the Commission (see the Financial Transparency System of the European Commission) and/or on the website of the Agency.
In case of audits or proceedings, etc., personal data may be provided to CINEA’s Internal Controller, DPO, Legal Sector, Staff Committee, etc.
6. Data Subjects rights:
You can exercise your rights by sending an email with the requested change(s) to the controller via the functional mailbox indicated here-above in Section 1, by explicitly describing your request. Any correction of your personal data will be taken into consideration from the data protection point of view. Special attention is drawn to the consequences of a request for deletion, as this may lead to an alteration of the terms of the tender and lead to rejection.
In any cases your data will be modified or removed accordingly and as soon as practicable (maximum within 20 working days).
When processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such a withdrawal.
However, in line with Article 25 of the Regulation, the data controller may restrict the rights of the data subjects based on the Decision of the Steering Committee (2020) 26 of 14/10/20 (OJEU L 45 on 9.2.2021, p. 80), in case where such restriction constitutes a measure necessary to safeguard the protection of the data subjects or the rights and freedoms of other data subjects, etc.
7. How does CINEA protect and safeguard your data?
Procurement procedures in place in CINEA ensure that documents submitted in a paper form are only available to the relevant persons and locked at all times when not used during evaluations.
When processed through electronic means, access to data is possible through User-ID and password on a need-to-know basis.
Your data resides on the servers of the European Commission, which abide by strict security measures implemented by DG DIGIT to protect the security and integrity of the relevant electronic assets.
8. The legal basis of the processing are:
- Council Regulation 58/2003 of 19 December 2002, laying down the Statute for executive agencies to be entrusted with certain tasks in the management of EU programmes;
- Commission Implementing Decision (EU) 2021/173 of 12 February 2021 establishing the European Climate, Infrastructure and Environment Executive Agency;
- Commission Decision C(2021)947 of 12 February 2021 delegating powers to the European Climate, Infrastructure and Environment Executive Agency2;
9. The time limits for keeping the data are the following:
In accordance with the 2019 Retention List of the Commission:
- 10 years for successful tenders;
- 5 years for unsuccessful tenders;
- 10 years for contract management following award of contracts;
- 2 years for economic operators’ representatives’ criminal records.
After the period mentioned above has elapsed, the files containing personal data may be sampled to be sent to the historical archives of the Agency and/or the European Commission for further conservation in line with the retention policy applied by the Commission . The non-sampled files are destroyed.
10. Contact information
In case you have any questions about the collection/processing of your personal data, you may contact the data controller who is responsible for this processing activity by using the email address mentioned here above in Section 1.
You may contact at any time the Data Protection Officer of the Agency (CINEA-DPO@ec.europa.eu). You have the right to have recourse at any time to the European Data Protection Supervisor (firstname.lastname@example.org).