Search Options
Home Media Explainers Research & Publications Statistics Monetary Policy The €uro Payments & Markets Careers
Suggestions
Sort by
  • PRIVACY STATEMENT

Privacy statement for contract management

What is our legal framework?

All personal data are processed in accordance with European Union data protection law, that is to say in line with Regulation (EU) 2018/1725.

Why do we process personal data?

Personal data are processed for the purposes of contract award and subsequent contract management.

What is the legal basis for processing your personal data?

Your personal data are processed by the ECB:

  • in the performance of a task carried out in the public interest, based on Article 5(1)(a) of Regulation (EU) 2018/1725;
  • because they are necessary for the performance of contractual obligations between you and the ECB.

Who is responsible for processing your personal data?

The ECB is the controller for the processing of your personal data. The ECB’s business area/organisational unit in charge of contract management is responsible for this processing.

Who will be the recipients of your personal data?

The recipients of your personal data (including entities who have access to that personal data) are:

  • ECB staff members involved in contract awards and subsequent contract management;
  • dedicated ECB staff members providing opinions and advice in specific cases dealing with contract award and subsequent contract management;
  • dedicated ECB staff dealing with appeal procedures;
  • a limited number of staff of the ECB’s Internal Audit function who are involved in audits or conduct specific inquiries related to contract awards and management may further process some of the personal data in line with their mandate;
  • staff of the National Central Banks of the European System of Central Banks;
  • external experts and contractors on behalf of the ECB for the purpose of managing the contract award and subsequent contract management;
  • Union institutions and bodies charged with monitoring or inspection tasks in the application of Union law (e.g. the European Commission, the European Anti-Fraud Office).

What categories of personal data are collected

The ECB processes the following personal data related to contractors, their staff, their subcontractors and the subcontractor’s staff (natural persons):

  • identification data, e.g. full name, ID/passport number;
  • position and function in a company;
  • contact details, e.g. e-mail address, business telephone number, mobile telephone number, fax number, postal address, company and department, country of residence, internet address;
  • financial data, e.g. bank account (IBAN and BIC codes), VAT number;
  • information for the evaluation of selection or eligibility criteria, e.g. expertise, technical skills, languages, educational background, professional experience including details on current and past employment;
  • personal data contained in communication in the context of contract management e.g. orders under framework agreements, termination letters, contract amendments, feedback provided to contractors, references;
  • personal data contained in internal assessments of contractor’s performance.

Will your personal data (in a clear or encrypted form) be processed (e.g. transferred, accessed or stored) in third countries or by international organisations?

Your personal data might exceptionally be processed in third countries/international organisations based on the derogations for specific situations set out in Article 50(1) EUDPR.

Your personal data will also be processed in third countries or by international organisations based on an adequacy decision of the European Commission (pursuant to Article 47 EUDPR), which can be found on the European Commission's website.

How long will the ECB keep personal data?

Your personal data will be stored for a maximum of 10 years before being deleted following the end of the contract period.

In the event that administrative (e.g. appeal) or judicial proceedings are initiated, the retention period ends 2 years after such proceedings are concluded by a final decision or 10 years following the end of the contract period, whichever is longer. This further retention of data is considered necessary for the respective legal remedies.

Moreover, contracts concluded for the purposes of construction/ purchase of the ECB’s buildings or acquisition of artworks, including personal data contained therein, are kept for an unlimited period in accordance with the ECB’s retention policy. Data subjects may request the deletion of their personal data in the specific contract dossier.

What are your rights?

You have the right to access your personal data and correct any data that is inaccurate or incomplete. You also have (with some limitations) the right to delete your personal data and to object to or to restrict the processing of your personal data in line with Regulation (EU) 2018/1725. The ECB may restrict your rights to safeguard the interests and objectives referred to in Article 25(1) of Regulation (EU) 2018/1725.

Who can you contact for queries or requests?

You can exercise your rights by contacting the ECB’s Contract Manager indicated in the signed contract. You can also directly contact the ECB’s Data Protection Officer at dpo@ecb.europa.eu for all queries relating to your personal data.

Addressing the European Data Protection Supervisor

If you consider that your rights under Regulation (EU) 2018/1725 have been infringed as a result of the processing of your personal data, you have the right to lodge a complaint with the European Data Protection Supervisor at any time.