Skip to main content
European Health and Digital Executive Agency (HaDEA)

DPN public procurement

Data Protection Notice

for Public Procurement Procedures and Contract Implementation

The European Health And Digital Executive Agency (HaDEA) processes your personal data in line with Regulation (EU) 2018/1725 of the European Parliament and of theCouncil of 23 October 2018 on the protection of personal data by the European Union's institutions, bodies and agencies and on the free movement of such data.


What is personal data and what is a personal data processing operation?

Personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data processing operations can be any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Short description of the processing activity:

Evaluation of tenders, award and signature of contracts, contract implementation.


Purpose of the data protection notice and the grounds on which it is based:

We process your personal data based on Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance).

The following information is provided as required in Articles 15 and 16 of Regulation (EU) 2018/1725.


Who is the ‘data controller’?

The data controller, performing the personal data processing operation is the Head of the unit launching and managing the procurement procedure at the European Health and Digital Executive Agency (HaDEA).


European Commission (processor)

DG BUDGET manages ABAC, the financial and accounting application set up by the Commission, to monitor the execution of its budget and to prepare its accounts.

DG DIGIT (DIGIT-SYSPER2atec [dot] europa [dot] eu (DIGIT-SYSPER2[at]ec[dot]europa[dot]eu)) implements and maintains the accounting IT tool ABAC.

When the tender is submitted using the European Commission’s e-Submission portal, the European Commission acts as a data processor, in particular by facilitating the whole process and providing the storage of the data in encrypted form in its servers,  specifically dedicated for this purpose. The decryption of the tender files can only be performed locally by the HaDEA's or other authorised staff. The European Commission has no access to the content of the tender files, and included personal data.


What personal data is collected?

The following of your personal data are collected:

  • Identification and contact details of the legal representative of the contractor first name, family name, function, e-mail address, business telephone number, mobile telephone number, fax number, postal address, company and department, country of residence, internet address, passport or ID number, etc.;
  • declaration on honour (declaration of not being in one of the exclusion situations referred to in Article 136 of the Financial Regulation) of the legal representative of the contractor and requested evidence, such as extracts from judicial records or evidence covering the fulfillment of taxes and social security contributions
  • other data contained in the submitted offers, such as CVs (providing information on expertise, technical skills, educational background, languages, professional experience including details on current and past employment);
  • bank account holder’s personal data: name, address, city, postcode, country, contact name, telephone number, email address, bank name, branch address, city, postcode, country, bank account number, IBAN.

Please note that when using the European Commission’s e-Submission/eTendering portal for submitting tenders, the following data is also gathered by the European Commission: ECAS user account, eSignature (if used), type of web browser, type of Operating System, IP address used to download the Call For Tender and/or to submit the Tender Bundle. Please, refer to the relevant privacy statement of the European Commission for more information.

These are mandatory data for the purpose(s) outline above.


Who has access to the personal data of data subjects and to whom can they be disclosed?

The recipients of your personal data will be HaDEA's staff and Commission staff. The European Commission ABAC system’s operators.

External experts participating in the evaluation of tenders could get access to your personal data. However, the participation of experts in the evaluation of tenders is done on an exceptional basis.

Members of the public: In case you are awarded a contract by HaDEA, limited personal data will be made public, in accordance with HaDEA's obligation to publish information on the outcome of the procurement procedure. The information will concern in particular the  name, address and email address of the contractor, the year, the amount awarded and the name of the project for which you are awarded a contract. This information is published on the Financial Transparency system website: and in the Tender’s electronic daily (TED) part with award notices (

On a need to know basis and in compliance with the relevant current legislation, bodies charged with monitoring or inspection tasks in application of EU law (e.g. EC internal audit, Court of Auditors, European Anti-fraud Office (OLAF), the European Ombudsman, the European Data Protection Supervisor, European Public Prosecutor’s Office (EPPO)).

Your personal data will not be transferred to third countries or international organisations.


Where did we get your personal data?

From the tenderers/contractors.

From you.


What is the purpose and legal basis for processing your personal data?

The legal basis for the processing activities are:

    • Article 5(a) of Regulation EU 2018/1725 processing is necessary for the performance of a task carried out in the public interest
    • during contract implementation, Article 5(b) of Regulation EU 2018/1725 processing is necessary for the performance contract to which the data subject is party;

The processing will be carried out also in line with:

  • Financial Regulation (FR) (Regulation (EU, Euratom) No 2018/1046).
  • Commission Regulation (EC) No 1653/2004 of 21 September 2004 on a standard financial regulation for the executive agencies pursuant to Council Regulation (EC) No 58/2003 laying down the statute for executive agencies to be entrusted with certain tasks in the management of Community programmes, (OJ L 297, 22.09.2004, p. 6);

The purpose(s) of this processing is to evaluate tenders, award and signature of public procurement contracts and management of contracts.


How long do we keep your data?

The files of successful tenderers including personal data are kept for ten years after the signature of the respective contract.

The files of unsuccessful tenderers may be retained only for five years after the end of the particular procedure to allow for all possible appeals.

Extracts of judicial records/ tax and social security data kept in the electronic form shall be retained for a maximum of 2 years following signature of the contract.

Data are also kept until the end of a possible audit/OLAF or EPPO investigation if it started before the end of the above period.

In any case personal data contained in supporting documents are deleted where possible where these data are not necessary for budgetary discharge, control and audit purposes.


What are your rights regarding your personal data?

You have the right to access your personal data and to request your personal data to be rectified, if the data is inaccurate or incomplete; where applicable, you have the right to request restriction or to object to processing, to request a copy, erasure or transmit to other controller of your personal data held by the data controller.

Your request to exercise one of the above rights will be dealt with without undue delay and in any case within one month.

Please note that after the deadline for submission tenderers cannot request the contracting authority to modify the offers. This limitation of the rectification right is provided for by article 169 of the Financial Regulation.


How to withdraw your consent and the consequences of doing this



Automated decision-making



Contact details for enquiries regarding your personal data

In case of any queries concerning the processing of personal data, you may send a written request via: HaDEA-DPOatec [dot] europa [dot] eu (HaDEA-DPO[at]ec[dot]europa[dot]eu)

The HaDEA Data Protection Officer is at your disposal for any clarification you might need on your rights under Regulation (EU) 2018/1725 at the following e-mail address: HADEA-DPOatec [dot] europa [dot] eu (HADEA-DPO[at]ec[dot]europa[dot]eu)


You have the right to lodge a complaint

You may lodge a complaint to the European Data Protection Supervisor: EDPSatedps [dot] europa [dot] eu (EDPS[at]edps[dot]europa[dot]eu)


Version July 2021