Your personal data is processed in accordance with Regulation (EU) No 2018/17251 on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
The data controller of the processing operation is Head of Unit I.02 SMP/SME pillar of the European Innovation Council and SMEs Executive Agency (EISMEA).
The following entity/ies process your personal data on our behalf:
- Netcompany - Intrasoft S.A. - 2B Rue Nicolas Bové, L – 1253 Luxembourg, Luxembourg; info@netcompany-intrasoft.com as the Platform developer and IT service provider
- Staff of DG GROW – Unit 02 as the moderators of the platform
Furthermore, other stakeholders (e.g., community moderators and community leaders) may process your personal data in cases where you submit request to join communities on-boarded on the Platform. These moderators manage content of each community and will authenticate the community members. In case of closed communities, the moderators will also process your applications in order to authenticate your eligibility and subsequently grant access.
Third party tools may be used within different communities, such as EU survey, LinkedIn, Twitter, YouTub (see below).
The legal basis for the processing activities is/are
- Article 5(1)(a) of Regulation (EU) 2018/1725 because processing is necessary for the performance of a task carried out in the public interest by the Agency (or in the exercise of official authority vested in the Agency)2 laid down in Union law;
- Article 5(1)(d) of Regulation (EU) 2018/1725 based on your explicit prior consent for your non-mandatory personal data indicated below.
The purpose of this processing is:
- to manage the Digital Public Buyer Community (the Platform).
- to allow for general moderation and maintenance of the Platform and
- to allow identification of users and
- to manage access rights of the general community and open and closed communities on- boarded.
- to manage memberships or to contact members of the platform/communities.
On top of the general membership part, the digital platform consists of a set of closed communities. ‘Community’ is a subset of stakeholders who wish to communicate amongst themselves and/or with the service provider or EISMEA/European Commission on a specific topic.
Verifications can take the form of:
- verification of identity of the users to allow for the access to the specific community.
- verification of stakeholders who wish to communicate with each other and to disseminate their views.
- verification of other stakeholders to comment on topics presented on the platform or on the output of the stakeholder groups.
The following of your personal data are collected:
In order to carry out this processing operation, the following mandatory categories of personal data are processed:
- Authentication data from your EU Login: surname, given name, EU Login ID, email address, organisation and department you work for (this data is accessed by the Technical Administrator of the platform).
- Data required for gaining full access to the closed Platform functionalities: your role in the organisation.
- Authentication of the data to provide you access to closed communities – this authentication is being performed by the community moderator via EU survey or other external medium, such as email.
In addition, the following non-mandatory personal data are collected:
• your image (phote, video)
• a short descriptive text of yourself
• type of organisation you work for
• your organisation’s address
• the department in which you work for
• communities you have joined
• your social media link (refers only to Linkedin)
• groups to which you have been added
• you individual procurement interests
• postings, content or comments on the platform.
• extra information and documents may be required by the Community Moderator of the closed community you wish to become member to. In such a case, the files you will upload on the platform will be automatically deleted once the process is completed and you are granted or rejected membership in the closed community.
These non-mandatory data can only be processed based on your explicit prior consent.
The Platform may contain personal data in the form of contact details and photos. This platform may collect personal data via cookies based on consent (see below). The restricted Platform sections (the communities) contain information uploaded by users, common actions, useful information related to the community topic and contact information.
The recipients of your personal data will (or may be) the authorised Agency and Commission staff in charge of the management of the Platform, authorised staff of the Agency or Commission contractors, moderators of the communities, other members of the Platform or the public and bodies in charge of monitoring or inspection tasks in application of Union or national law (e.g. internal audits, Court of Auditors, European Anti-fraud Office (OLAF), European Public Prosecutor’s Office (EPPO), law enforcement bodies).
The data processors have access to the public and private content uploaded by you on the platform, to ensure appropriate use of the platform.
Your member’s profile in the General Platform (Members area) may be visible to other members of the platform upon the provision of your explicit consent, during the registration phase in the platform.
Your first and last name together with the public content item uploaded by you will be visible on the public website, if any.
The type of access to the platform’s data and content depends on the role(s) of the user accessing the content.
- As Anonymous user, like visitor of the platform, you can view only public content available on the platform. When you view a content item, you can see the first and the last name of the member that has uploaded the specific content on the platform.
- As Platform member you can access the public data of other members profiles and the public content uploaded by you as well as other members of the Platform. Also, as a Platform member you can launch and participate in discussions, create content, and send private message to other members of the platform.
- As Member of a Community you can access the public data of other members profiles, the public content uploaded by you or others, as well as the private content uploaded by you or other members of the community you belong to. Also, as a Member of a Community you can launch and participate in discussions, create content, and send private message to other members of the platform.
- As User with Administrative Role (community moderator, general platform moderator, general user moderator, technical administrator) you can access all members profile data and edit all public and private content uploaded in the platform. Also, as a User with Administrative Role you can launch and participate in discussions, create content, and send private message to other members of the platform.
Your personal data will not be transferred to third countries or international organisations, except as outline below by third party tools and social media, if any.
The processing of your data will not include automated decision-making (such as profiling).
The following technical and organisational security measures are in place to safeguard the processing of your personal data.
Access to the general part of the platform is regulated through the EU login. Processing of data related to the EU login based control will be performed, covered by the data protection policy of that system. The username, name, e-mail address and password are stored in the Commission's EU login system.
Personal data are processed on a need-to-know basis by authorised staff only, with limited access rights. All personal data in electronic format (documents, databases, uploaded batches of data, etc.) are stored on the servers of the European Commission or the Agency or of its contractors. All processing operations are carried out pursuant to the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission. Electronic communication and files are secured for internal communication purposes.
The contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the Agency or the Commission, and by the confidentiality obligations deriving from the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).
Your personal data will be kept for the maximum periods mentioned below. Data will be deleted at the end of this period:
- Authentication data will be kept in the IT system for the duration of your platform registration.
- The optional data mentioned above can be deleted at any moment upon your request, as it is not necessary for getting access to the platform itself.
- In case the IT tool is permanently discontinued, all data will be pseudonymised and kept for a maximum of 5 years.
However, the contributor's name remains attached to content or comments provided through the web. The site administrator upon request of the contributor can delete these posts at any time.
Names are kept with the posts and comments and are visible for logged-in members of the same community until the consent of author of the article or comment is withdrawn. In that case the related content is deleted. In any case, any user may delete themselves and their member profile. The data collected within the documents not related to member profiles, such as documents in the repository (videos of trainings for example), the retention period is 5 years after the project, the Public Buyers Community (Platform), has ended. Public Buyers Community can remain active after the present contract has ended through the subsequent contract with external operator or a takeover – in this case EU services would take over the management of the Platform.
Your rights
You have the right to access your personal data and to request your personal data to be rectified, if the data is inaccurate or incomplete; where applicable, you have the right to request restriction or to object to processing, to request a copy or erasure of your personal data held by the data controller. If processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent before its withdrawal.
Your request to exercise one of the above rights will be dealt with without undue delay and within one month.
Your right to information, access, rectification, erasure, restriction or objection to processing, communication of a personal data breach or confidentiality of electronic communications may be restricted only under certain specific conditions as set out in the applicable Restriction Decision in accordance with Article 25 of Regulation (EU) 2018/1725.
If you have any queries concerning the processing of your personal data, you may address them to EISMEA Head of Unit SMP/SME pillar (entity acting as data controller) via EISMEA-SMP-COSME-ENQUIRIES@ec.europa.eu.
You shall have the right of recourse at any time to the EISMEA Data Protection Officer at EISMEA-DPO@ec.europa.eu and to the European Data Protection Supervisor at https://edps.europa.eu.
Version April 2023
Social media
The social media may be used to present the work being done by the stakeholders of the Platform or Commission or EISMEA services through widely used and contemporary channels.
For instance, when uploading content, the members/moderators disseminate it through the social media channels while other members can, for example, follow links to Twitter and LinkedIn.
Cookies are not set by our display of social media buttons to connect to those services when our website pages are loaded on your computer (or other devices) or from components from those services embedded in our web pages.
Each social media channel has their own policy on the way they process your personal data when you access their sites. For example, if you choose to watch a video on YouTube, you will be asked for explicit consent to accept YouTube cookies; if you look at the Twitter activity on Twitter, you will be asked for explicit consent to accept Twitter cookies; the same applies for LinkedIn.
If you have any concerns or questions about their use of your personal data, you should read their respective privacy policies carefully before using them.
Cookies of the Platform
Cookies are used for the technical functioning of a website or for gathering statistics.
Cookies are also typically used to provide a more personalised experience for a user for example, when an online service remembers your user profile without you having to login.
When you visit the Platform, some data may be collected on your browsing experience such as your IP address, the page you visited, when you visited and the website page you were redirected from.
This information is used to gather aggregated and anonymous statistics with a view to improving our services and to enhance your user experience.
The collection, aggregation and anonymising operations are performed in the data centre of the European Commission under adequate security measures.