Privacy statement for the procurement of the Digital and Population Data Services Agency

Digital and Population Data Services Agency

Lintulahdenkuja 2, 00530 Helsinki, Finland

PO Box 123, 00531 Helsinki, Finland

Telephone (switchboard) +358 295 536 000

Email kirjaamo(at)dvv.fi

 

Contact person in register-related matters

Juha Kontkanen, Senior Specialist

Lintulahdenkuja 2, 00530 Helsinki, Finland

Telephone (switchboard): 02 9553 6000

Email: [email protected]

Telephone (switchboard) +358 295 536 000

Email [email protected]

In the Digital and Population Data Services Agency’s tasks related to procurement, the basis for processing personal data is compliance with legal obligations and performance of tasks carried out in the public interest (General Data Protection Regulation, Article 6(1)(c),(e).

The Agency is the contracting entity referred to in section 5 of the Act on Public Procurement and Concession Contracts (1397/2016, “Public Contracts Act”) and therefore obliged to comply with the legislation in question and other legislation related to procurement, such as the Act on the Contractor’s Obligations and Liability when Work is Contracted Out (1233/2006 “Contractor’s Liability Act”), when carrying out procurement.

In addition to the above, the Agency also needs to process personal data in other procurement that is not within the scope of the Public Contracts Act so that other procurement can also be implemented appropriately in the manner required from an authority exercising public powers.

To carry out its legal obligations, the Agency must process the personal data of the tendering organisations participating in the procurement procedures to ensure, among other things, that the compliance of the tendering organisation and the tendering organisation’s tender with the requirements and other obligations set for them can be ascertained. In addition, it is necessary to process personal data to take through the

procurement processes, implement agreements, manage risks, enable cooperation during the contract period and carry out the statutory archiving.

In connection with procurement, personal data can be processed in the following situations and for the following purposes, among others:

• data and responses received in the context of marketing consultations
• registration for events related to marketing consultations/technical dialogues
• processing of tenders submitted in connection with competitive tendering
• drawing up of procurement agreements and their management during their validity
• monitoring of the financial status of the contractual partner and possible subcontractors during the validity of the procurement contract and monitoring of their compliance with the other obligations laid down in the Contractor’s Liability Act.
• feedback surveys and other similar surveys (e.g. surveys conducted with Microsoft Forms software)
• archiving of procurement documents
• information requests based on the statutory right of the authorities to access information in relation to matters such as processing of procurement matters in the Market Court, the Finnish Competition and Consumer Authority or the National Audit Office of Finland.

In the Agency’s archive formation and records management plan, an archiving and retention time of 10 years has mainly been determined for documents related to procurement. Therefore, if the procurement documents received in connection with procurement contain personal data, the personal data in question will be stored for 10 years.

In the competitive tendering process, the selected tender and its accompanying documents will be stored for 10 years after the validity of the procurement contract and the obligations based on it. Other procurement documents are mainly stored for 10 years.

The storage times are based on the archives and special acts and the need in the Agency’s activities to record documents, which may also affect the legal protection of the Agency or a person/community external to the agency afterwards.

Information from criminal record extracts is neither recorded nor stored, but either returned to the tendering organisation on request or destroyed immediately after the extracts have been inspected.

The following personal data are typically processed in connection with the Agency’s procurement.

Personal data of the contact persons of the tendering organisation;

• name
• organisation represented and position in the organisation
• contact information (email address, telephone number, postal address where necessary).

 

Personal data of the members of the administration or management of the tendering organisation or the persons exercising representative, managerial or regulatory authority in the tendering organisation;

• name
• organisation represented and position in the organisation
• information from criminal record extracts (only in procurement exceeding the EU threshold values).

 

Personal data of the experts named in the tenders and the persons participating in any possible interviews or personal evaluations related to the tender evaluation process;

 

• name
• organisation represented and position in the organisation
• CV details that typically provide information on the person's professional competence, experience, education, professional qualifications and other characteristics relevant to the subject of the procurement.

 

Personal data of the contact persons for the references indicated in the tender;

• name
• organisation represented and position in the organisation
• contact information
• details of the reference in question.

 

Other possible information included in the tenders or collected during the procurement procedure, such as:

• Personal data of the persons of the tendering organisation included in the project or implementation plans
• Personal data in extracts from the Trade Register or other official registers, which contain information on persons related to the tendering organisation, such as information on the auditors, procuration holders and other persons linked to the tendering organisation or its subcontractors.

In connection with competitive tendering processes related to procurement, the Agency collects information on persons of the tendering organisation from the following information sources, for example:

• Information included in the tenders drawn up by the tendering organisation that the Agency processes in connection with inspecting and evaluating the tenders.
• Answers/information provided by the tendering organisations in possible feedback surveys or other surveys that can be carried out using, for example, the Microsoft
• Forms software.
• Information on members of the tendering organisation’s administration or management or persons exercising representative, managerial or regulatory authority in the tendering organisation is obtained and collected from different authorities as disclosures from registers. For example, information is obtained from sources such as the Business Information System, the system of Suomen Asiakaspalvelu Oy and other general information sources. Personal data is retrieved from the following registers, for example:

 

• Finnish Patent and Registration Office: Finnish Trade Register, Finnish Register of Enterprise Mortgages
• Finnish Tax Administration: Employer Register, prepayment register, VAT register, shareholders, ownerships, reference relationships
• Finnish Centre for Pensions: employer’s pension insurance
• Unemployment Insurance Fund: unemployment insurance
• Finnish Workers’ Compensation Centre: accident insurance
• National Board of Customs: fees collected by Finnish Customs
• Legal Register Centre: bankruptcy and restructuring phases
• Enforcement authorities: enforcement register

 

With regard to members of the administration or management of the tendering organisation or persons exercising representative, managerial or regulatory authority in it, the Agency also processes information related to the criminal records data of the above-mentioned group of people in the winning tendering organisation if the procurement exceeds the EU threshold levels. With the approval of the tendering organisation, the extracts from the criminal records are inspected but no copies are taken of them, nor is the information recorded in any other way.

If the tendering organisation or the tenderer’s person refuses to give the above-mentioned information, the tendering organisation cannot participate in the Agency’s statutory procurement process in which the Agency has a legal obligation to inspect and make sure that the requirements and obligations set for the tendering organisation are met.

The persons receiving and handling the personal data obtained in connection with the Agency’s procurement are the specialists at the Agency’s procurement services, other specialists at the Agency who participate in the procurement, and the Agency’s employees who need procurement contracts because of their work. Personal data are processed only when it is required by the work tasks. All officials at the Agency are bound by the secrecy obligation.

No data is disclosed to third parties on a regular basis. Personal data is disclosed to outside the Agency in situations required in legislation and to the parties required in legislation, such as courts (Market Court and Supreme Administrative Court), the Finn-ish Competition and Consumer Authority in matters related to procurement supervision and the National Audit Office of Finland in connection with possible inspection requests.

To meet its legal obligations and implement procurement, the Agency may in some procurement use consulting services in which the Agency's contractual partner, such as Hansel Oy or some other expert company/organisation, may participate in the processing of personal data on behalf of the Agency. In such situations, the contractual partner is required to commit to the conditions for the processing of personal data in the manner required in the General Data Protection Regulation, security clearances are required from the persons participating in processing the contractual partner’s data and a non-disclosure commitment is required from them.

In connection with the competitive tendering process, personal data may also be processed in the Supplier Portal maintained by Cloudia Oy, in the HILMA system maintained by the Ministry of Finance, and in the Agency’s case management system.

No personal data is transferred outside the EU or the EEA or to international organisations.

No personal data is used for automated decision-making.

Right of access

You have the right to access your personal data and check its content. You can send a request to check your personal data to the Registry office of the Agency. Be prepared to provide proof of your identity.

Right of revision

You have the right to correct your personal data if you notice that it contains inaccurate or incorrect information. The request for corrections must be submitted in writing to the contact person of the registry. In your request, you must specify which information should be corrected and what changes or additions should be made. Be prepared to provide proof of your identity.

Limitations to the rights of the data subject

Most of the services provided by the Agency are based on compliance with the controller’s statutory obligation, on the performance of a duty of public interest or the exercise of public authority. In such cases, you do not have any right to demand that your personal data should be deleted or transferred to another system. Moreover, as a rule, you do not have any right to object to the processing of your personal data.

If you think that your personal data is processed unlawfully, you can submit a complaint to the Office of the Data Protection Ombudsman.

Office of the Data Protection Ombudsman

Street address Lintulahdenkuja 4, 00530 Helsinki, Finland

Postal address PO Box 800, 00531 Helsinki, Finland

Email tietosuoja(at)om.fi

Switchboard +358 29 566 6700

Registry +358 29 566 6768

For more information on submitting a complaint, see the website of the Office of the Data Protection Ombudsman at https://tietosuoja.fi/.