Privacy statement for procurements

  1. Name of data file:
    Personal data file concerning the implementation of procurements
  2. Controller:
    Länsimetro Oy (2124310-8)
    P.O. BOX 20491
    02070 ESPOON KAUPUNKI
  3. Person responsible for the data file:
    Mari Mannila,
    Contact information: mari.mannila@lansimetro.fi, 040 757 2907
  4. Contact person for the data file
    Mari Mannila,
    Contact information: mari.mannila@lansimetro.fi, 040 757 2907
  5. Purpose and legal basis of personal data processing:
    Personal data is processed so that Länsimetro Oy can implement its planned procurements and procurement-related measures. Personal data processing is necessary for the implementation of procurements.

    Personal data is processed in Länsimetro Oy’s procurement processes which may relate to, for instance, market surveys and various phases of the procurement procedure, such as procurement planning, tender processing and comparing, and preparing contracts for signing.

    Legal basis for personal data processing:

    EU General Data Protection Regulation (EU GDPR), Article 6(1)(f)

    Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

  6. Personal data in the data file
    The data file may include the following, among other, information:

     

    Market dialogue

    • the data subject’s first and last name
    • the name of the organisation the data subject represents (in some cases)
    • the data subject’s email address
    • the data subject’s phone number
    • the data subject’s job title
    • the first and last name of the reference organisation’s contact person
    • the name of the reference organisation (in certain cases)
    • the email address of the reference organisation’s contact person
    • the phone number of the reference organisation’s contact person
    • the job title of the reference organisation’s contact person

    Negotiations, tenders, tender comparisons

    • the data subject’s first and last name
    • the data subject’s date of birth
    • the name of the organisation the data subject represents (in some cases)
    • the data subject’s phone number
    • the data subject’s email address
    • the data subject’s job title
    • a photo of the data subject
    • information appearing on the data subject’s CV, such as their work experience and educational background
    • recordings: the data subject’s voice, video of the data subject
    • the first and last name of the reference organisation’s contact person
    • the name of the reference organisation (in certain cases)
    • the email address of the reference organisation’s contact person
    • the phone number of the reference organisation’s contact person
    • the job title of the reference organisation’s contact person

    In addition, Länsimetro Oy processes criminal record extracts in order to investigate the suitability of a supplier (Criminal Records Act [770/1993], Section 6 b), but does not save, store or make copies of them.

    • the data subject’s first and last name
    • the data subject’s personal identity code

    PUBLIC ACCESS TO DATA AND CONFIDENTIALITY:

    The data is only for Länsimetro Oy’s internal use.

    BASIS FOR CONFIDENTIALITY:

    – Criminal Records Act (770/1993)

  7. Sources of personal data 
    Länsimetro Oy obtains personal data from the parties involved in the various phases of the procurement process, from the offers it receives and from its contractual partners. Länsimetro Oy obtains criminal record extracts from the supplier that wins the competitive tender.

    Personal data is also obtained from publicly available registers and services, such as trade registers and Vastuu Group’s Reliable Partner report.

  8. Personal data recipients or groups of recipients
    Personal data is processed by Länsimetro Oy’s personnel or possibly by assisting experts who are not employed by Länsimetro Oy. Personal data is processed and stored in the cloud service of Länsimetro Oy’s external service provider.

    Personal data may be disclosed only to a requesting authority or if consent to disclose the data has been obtained.

  9. Transfer of data outside the EU or EEA
    Data is not disclosed, transferred or processed outside the EU or the European Economic Area (EEA).
  10. Data storage periods
    Procurement documents and contractual documents, including their appendices, are stored for a period of 10 years after the contract pertaining to the procurement in question ends or, for lump-sum contracts, after the contract has been accepted.

    Securing Länsimetro Oy’s contractual position requires procurement and contractual documents to be stored for a sufficiently long period of time.

  11. Data file maintenance systems and protection principles
    A. ELECTRONIC MAINTENANCE SYSTEMS:
    Tenders and appendices
    Contracts and orders

    Data is stored primarily in the following electronic systems:
    – The Cloudia tendering system
    – Länsimetro Oy’s SharePoint environment
    – The ContractZen contract management system
    – The secure network drive of Länsimetro Oy’s service pro-vider

    B. MANUAL DATA:
    Contracts and orders
    Minutes

    Data is stored primarily in Länsimetro Oy’s business premises.

    PRINCIPLES OF DATA PROTECTION:

    A. Electronic data
    Electronic data is saved in an outsourced cloud service. User rights to cloud services are based on personal user rights, the use of which is monitored. User rights are granted for each task.

    B. Manual data
    The archive has access control and locked doors.

    ARCHIVING AND REMOVAL OF DATA:
    The storage, archiving, disposal and other handling of data takes place as instructed by Länsimetro Oy.

  12. Rights of data subjects
    Right to erasure (GDPR, Article 17)

    The data subject shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the grounds specified in Article 17(1), of the GDPR applies. The right to erasure does not apply if, for example, processing is neces-sary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in situations referred to in Article 17(3).

    Right to request the restriction of processing (GDPR, Article 18)

    The data subject shall have the right to obtain from the controller re-striction of processing where one of the grounds specified in Article 18(1)(a–d) applies.

    Notification obligation regarding rectification or erasure of personal data or restriction of processing (GDPR, Article 19)

    The controller shall communicate any rectification or erasure of per-sonal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data has been disclosed, unless this proves impossible or in-volves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

    The right to object (GDPR, Article 21)

    The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process the personal data unless the controller demonstrates compelling legiti-mate grounds for the processing.

  13. Right to lodge a complaint
    Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to them infringes on this Regulation. The right is based on the EU General Data Protection Regulation (2016/679, Article 77).

    The complaint is addressed to the contact person for the data file (see section 4 above).