Privacy statement for corporate & technical assistance procurement and contracting activities
This privacy statement provides information regarding the processing of personal data (information related to an identified or identifiable natural person) carried out by the European Investment Bank in the course of our corporate and technical assistance (C&TA) procurement activities, including contract and vendor management. It includes important information about your rights under EU data protection law.
The personal data provided by you will be processed in accordance with Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
What is the purpose of the collection of personal data?
The purpose is to evaluate your expression of interest, tender or request to participate in relation to a C&TA procurement procedure launched by the EIB. Specifically, your personal data will be collected and further processed, in line with the requirements set forth in the relevant procurement documentation, for tender evaluation purposes.
If you are successful in the competition, further personal data will be collected, stored and processed for the purpose of executing and managing the resulting contract(s), and ensuring compliance with the Bank’s sanctions policy and, in some cases, the physical and information security of the Bank.
The data subjects whose data are processed for the above purposes are natural persons who may act as representatives of, or are otherwise associated with, businesses or organisations contracting with, or otherwise participating in, EIB’s C&TA procurement activities (for example, employees, officers or directors of those businesses or organisations, including their proposed consortium partners and subcontractors).
What is the legal basis for processing personal data?
Processing is necessary, primarily, for the performance of a task (conduct of a procurement procedure as a contracting authority and management of the resulting contract) in the exercise of official authority by EIB (lawfulness).
Consent is not required for the processing operations falling under the scope of the present privacy statement. If consent is envisaged as a basis for any such processing operation, EIB shall address the data subjects concerned with a request, presented in a manner clearly distinguishable from other matters, in an intelligible and easily accessible form.
What personal data is collected?
Your personal data is provided by you by submitting your tender and responding to contractual requirements. Personal data are inter alia:
Identification details (name, gender, address, ID number, passport number, country of birth and country of residence);
Professional details (e.g. function, company department, e-mail address, phone/fax/mobile numbers);
Education and training details (CVs or short descriptions (pen portraits) of team members);
Information required in relation to assessing compliance with the exclusion criteria such as certificates for social security contributions and taxes paid, extracts from judicial records, etc.;
Information required for the evaluation of selection criteria or eligibility criteria: expertise, technical skills and languages, educational background, professional experience including details on current and past employment;
Powers of signature and of attorney, where required;
VAT registration number;
Invoices including supporting documentation such as timesheets, receipts etc.; and
Other personal data that may be included in a CV.
Who has access to your personal data and to whom is it disclosed?
For the purpose detailed above, access to your personal data is given to the following persons:
On a need to know basis: Staff of the EIB services responsible for running C&TA procurement procedures; staff of the relevant EIB Accounting team;
Staff involved in the management of contracts such as contract managers, budget officers, persons involved in the payment of invoices, scanning team, etc.;
Members of Opening and Evaluation Committees;
Senior management of the requesting EIB Department and contract managers;
Staff of the Legal Directorate;
Only in special situations, EIB’s:
Office of the Chief Compliance Officer,
External legal advisors;
Inspectorate General, and
Physical Security & Safety Unit;
Members of the public: only in case of a contract award to a natural person, in particular their name and address as well as the amount awarded, which will be published in supplement S of the Official Journal of the European Union;
EU Institutions (mainly European Commission) or third party mandators having entered into agreements with EIB for the provision of advisory services by the latter;
The European Ombudsman on a need to know basis (i.e. complaint submission)
Authorised staff from other EU Institutions bodies (i.e. OLAF, Court of Auditors) charged with monitoring and inspection tasks and duties under European Union Law,
competent courts in case of disputes;
Service providers who hold and process your personal data on our behalf, under strict conditions of confidentiality and security;
Local Tax Authorities in case of the VAT matters;
Any other EIB staff processing the data for business needs on a need to know basis; and
Project promoters or other legal entities (public or private located within or outside EU/EEA countries) with whom EIB has entered to a contractual relationship for the provision of advisory services, to the extent that the provisions of Chapter V of Regulation 2018/1725 are complied with (existence of adequacy decisions or other ad hoc appropriate safeguards).
Actors in the data collection
The Controller is the EIB Corporate Services Directorate, the EIB Secretary General Directorate and the EIB Financial Control Directorate, depending on the C&TA activity.
How does the EIB process personal data?
The data collected is processed either manually or electronically.
Manual processing: hard copies of the submitted offers (which may contain personal data, as specified above) are stored unopened until the opening session. Then, they are made available to the duly appointed members of the Opening and Evaluation Committees. Upon termination of the evaluation process, the “hard” originals of the tenders together with electronic copies in the form of CDs/USB sticks are stored in the EIB Central Archives.
A hard copy of the signed contract, its appendices, and any subsequent addenda are also stored in the EIB Central Archives.
The invoices and any supporting documents submitted to the EIB are scanned manually and controlled by the relevant EIB teams. If the invoices are received:
electronically, they are stored in the EIB’s electronic document management and storage system (Livelink)
paper form, the hard copies are stored by the relevant EIB accounting team for one year; afterwards they are securely transferred to the EIB Central Archive.
Electronic processing: the Evaluation Committee always receives electronic versions of offers, vendor information and supporting documents through a dedicated, restricted area in Livelink where they are also stored after the evaluation process.
A scanned version of the signed contract, its appendices, any subsequent addenda, vendor information and contract management communications are also stored in a restricted area in Livelink.
Vendor information are registered and stored in the EIB’s electronic accounting system (PeopleSoft Financials).
After validation by the relevant accounting team, the invoices are submitted via PeopleSoft Financials during the approval process to relevant staff. Approved invoices are automatically selected for payment during the overnight process and processed for payment via Multiline application.
How do we protect and safeguard your information?
Data is stored:
Electronically in PeopleSoft Financials and specific areas of EIB electronic document management and storage system (Livelink) with restricted access rights; and
Paper files are stored in archives, locked and only accessible to EIB’s Central Archiving team.
In all cases, access and control rights to the files are limited and granted only on a need-to-know basis. The access rights are regularly reviewed.
How long is your personal data kept?
The data of successful and unsuccessful tenderers shall be retained for a period of ten years starting from the end of contract date in the central archives, unless these data are needed in the context of litigation or claims extending beyond this duration. Contracts whose financing originates from sources other than EIB funds may be subject to a retention period of up to 7 years starting from the end of the implementation period or termination of the underlying agreement between the Bank and provider of funds.
The data contained in the invoices and/or any supporting documents are physically archived in the EIB Central Archive and stored for 10 years.
After the periods mentioned above have elapsed, the procurement files are destroyed.
To provide an audit trail and allow queries on past payments at all times, no recorded vendor data are deleted from the accounts. However, after two years of inactivity, i.e. no financial transaction between the vendor and the EIB, vendor data will be deactivated in the accounting system to prevent further use.
What are your rights and how can you exercise them?
You as a Data Subject shall have the right of access to your personal data and the right to request that any such data that is inaccurate or incomplete be rectified or erased. You also have the right to object to processing and the right to request a restriction of the processing. You can exercise these rights by contacting
the Head of the Procurement and Purchasing Division in relation to procurement activities/contract matters concerning EIB’s own needs (CSfirstname.lastname@example.org),
the Head of the Consultant Procurement & Contract Management Division in relation to technical assistance procurement (email@example.com) or
the EIB’s Data Protection Officer (firstname.lastname@example.org). In addition, you also have the right to have recourse at any time to the European Data Protection Supervisor email@example.com.
Changes to this privacy statement
This privacy statement was last updated on 01/08/2019. If we change it, to keep you fully aware of our processing of your personal data and related matters, we will post the new version to this website.