Processing of personal data by the City of Espoo’s Procurement Centre

The privacy notice was published on 1 April 2022 

City of Espoo  

Procurement Director 

Procurement Coordinator 

Email address: hankinta@espoo.fi 

Data Protection Officer of the City of Espoo 

Address: P.O. Box 12, 02070 City of Espoo 

Tel. +358 9 81621 (switchboard) 

Email address: tietosuoja@espoo.fi  

Data is processed to implement the tendering processes and the contract and supplier management of the City of Espoo’s Procurement Centre. 

Key legislation:  

Act on Public Procurement and Concession Contracts (1397/2016)  

Act on the Openness of Government Activities (621/1999) 

Article 6(1)(b) of the General Data Protection Regulation of the European Union: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. 

Article 6(1)(c) of the General Data Protection Regulation of the European Union: processing is necessary for compliance with a legal obligation to which the controller is subject. 

Article 6(1)(e) of the General Data Protection Regulation of the European Union: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 

The following data is processed from the preparation of a procurement process to contract and supplier management: 

• contact information (e.g. name, personal identity code, telephone number, email address and postal address) of the representative of a tenderer or a candidate, a possible third party, the signatory of a contract and the contact person of the party submitting a tender; 

• personal data of a tenderer’s staff and/or subcontractors (e.g. CVs, criminal records extracts and other information concerning the tendering company) included in the tenders and collected during the procurement procedure and contract period.  

Some data may be considered confidential, for example on the basis of section 11, subsection 2, paragraph 6 of the Act on the Openness of Government Activities. 

• Data is obtained from tenderers and candidates and selected suppliers and service providers. 

• From various public and commercial sources, such as the Finnish Patent and Registration Office, Vastuu Group Oy and Suomen Asiakastieto Oy. 

• From the City of Espoo’s purchasing systems and the city’s other databases. 

Providing the above-mentioned personal data may be a statutory or contractual requirement or required to conclude a contract. 

As a rule, data will not be disclosed. In some cases, data may be disclosed to other authorities. 

Data will not be transferred outside the EU/EEA, unless an adequate level of data protection is ensured through agreements or other measures required by law.  

The storage periods of documents concerning the different stages of a procurement procedure and the related decisions have been defined in the Act on Public Procurement and Concession Contracts, Archives Act and other special acts. In addition, the City of Espoo’s records management plan and archival instructions are complied with when storing data. 

IT equipment is located in protected and supervised premises. Each user has personal user rights, and their use is monitored. Each user must accept the user agreement and non-disclosure agreement concerning the data and the data systems. 

Manual materials, such as tendering documents that are not in electronic format, are primarily stored in the Procurement Centre’s locked archives. The office has an access control system and locked doors. Documents are stored in supervised premises and/or locked cabinets. 

Further instructions on submitting information requests referred to in the General Data Protection Regulation: https://www.espoo.fi/en/city-espoo/data-protection#section-7317 

You have the right to obtain from the data controller a copy of the personal data that is subject to processing. The data controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. 

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. 

Requests from the data subject and any resulting actions are free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request. 

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us. 

You have the right to have the data controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In these cases, the data will only be erased after the statutory time limit. 

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified. 

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi