Procurement

This privacy notice applies to the public procurement register of the University of Applied Sciences of South-Eastern Finland.

Updated 1.3.2020

This document is based on the requirements of the EU General Data Protection Regulation (GDPR) regarding the information to be provided to data subjects, in accordance with Articles 13 and 14 of the Regulation.

South-Eastern Finland University of Applied Sciences

P.O. Box 68 (Patteristonkatu 3)

50101 Mikkeli

Business ID: 2472908-2

The person in charge of the Procurement Information Group

Satu Sirkiä, Procurement Manager

040 868 6439

firstname.surname@xamk.fi

Data Protection Officer

Pekka Uotila, Manager

050 312 5087

tietosuojavastaava@xamk.fi

The purpose of processing personal data is to carry out the purchases required for teaching, support services and research, development and innovation activities, and to manage supplier and service provider relationships.

The processing of personal data in the register is based on the Act on Public Procurement and Concessions (1397/2016).

The processing of personal data in the register is based on a material connection or the performance of a contract to which the data subject is party. The processing is based on the legitimate interest of the UAS in the case of business transactions and the processing of data of potential suppliers. The personal data are stored as part of offers from potential suppliers. The bid data will be kept for a period of time in accordance with the controller’s data management plan, after which they will be deleted.

The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party (GDPR Article 6.1.f). The aforementioned legitimate interest of the controller may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, which arises when the data subject has a relationship with the controller related to the purpose of the processing and where the processing is carried out for purposes which the data subject could reasonably have expected at the time and in the context of the collection of the personal data. For example, in the case of a business transaction and the processing of data of potential suppliers. Personal data are stored at this stage in order to communicate with the potential supplier and to verify and authenticate the information provided in the tenders that affects the quality of the tenders.

Name, function, telephone number, e-mail address, postal address of the contact person for the offer. In addition, the following may be recorded about the persons appointed in the tender to provide the service, as specified in each call for tenders: valid qualifications, diplomas obtained, year of graduation and institution, job description, employer and date of employment. In addition, reference data from previous services provided may be recorded to demonstrate expertise.

As a general rule, telephone and address information is recorded as contact details related to the person’s place of work.

Procurement system. The name, telephone number, e-mail address and postal address of the contact persons of the companies that have submitted a tender are entered in the system. In addition, for the persons appointed in the tender to perform the service, as specified in each call for tenders, the following may be recorded, for example: valid qualifications, diplomas obtained, year of graduation and institution, job description, employer and date of employment. In addition, reference data from previous services provided may be recorded to demonstrate expertise.

E-mail system. When performing procurement tasks, contact details of potential and contracted suppliers: name, function, employer, contact details, can be stored in the address book of the e-mail system.

Procurement documents, including tenders, are generally public under the law on public access to documents. The tenderer has the right to access the contract documents after the decision has been signed, except for business or professional secrets of the other tenderer. The information may also be processed by auditors and persons involved in payment control by the authorities financing the projects.

The data recorded in the registers of e-mail correspondence (e.g. for contract negotiations) will not be disclosed to third parties.

No data from the register will be transferred outside the EU or EEA.

Tender data are kept for 20 years after the contract award decision, in accordance with the controller’s data management plan, after which they are deleted. If the data subject requests the deletion of personal data concerning him or her, the data will be deleted from the register.

The information is stored in the information system. Users have personal user IDs. Data maintenance is protected by an AD ID and password. The data stored in the system are accessible in the register by a restricted group of users. Access to and use of the data in the system is restricted to data controllers whose job entitles them to do so.

Right of access to personal data. The data subject may request information about him or herself. The request must be made in writing to the Data Protection Officer or by using the online form (available at: www.xamk.fi/tietosuojailmoitus). In the request, the data subject must specify which data are concerned.

Right to rectification. The data subject may submit a request for rectification of his or her data to the Data Protection Officer.

Right to erasure. The data subject may request the erasure of personal data concerning him or her from the procurement register. The data will be deleted if the University of Applied Sciences of South-Eastern Finland has no legal reason to retain the data, for example, to fulfil a contractual obligation or to carry out teaching or technical education work.

Right to restriction of processing. The data subject has the right to restriction of processing if one of the following occurs:

  • If the data subject contests the accuracy of the personal data, processing is limited to a period of time during which the controller can verify the accuracy of the data.
  • The processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use
  • The controller no longer needs the personal data concerned for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims
  • The data subject has objected to the processing of personal data under Article 21 pending verification whether the legitimate grounds of the controller override those of the data subject.

The right to transfer data from one system to another. The data subject has the right to receive in machine-readable form the personal data concerning him or her which he or she has provided to the controller, provided that the processing is based on consent and is carried out automatically.

Information about the right to withdraw consent at any time (If processing is based on consent). Where the processing of personal data is based on consent (designated experts from whom the employer requested consent when making an offer), the data subject may withdraw his or her consent by notifying the Data Protection Officer in writing.

The right to lodge a complaint with a supervisory authority. Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of work or where the alleged breach has occurred, if the data subject considers that the processing of personal data concerning him or her infringes this Regulation. The complaint should be addressed to the EDPS. www.tietosuoja.fi

Whether the provision of personal data is a legal or contractual requirement or a requirement for the conclusion of a contract, whether the data subject is obliged to provide the personal data and the possible consequences of not providing such data.

In the case of a supply relationship which is the subject of a written contract, the conclusion of the contract is subject to the condition of obtaining sufficient personal data necessary for the preparation and performance of the contract.

The personal data in the public procurement register are obtained from the data subjects themselves or from the data subject’s employer as part of the tender or from public sources such as websites or business directories.