Skip to main content
European Union flag
The independent public prosecution office of the EU
Report a crime

Data Protection Notice – Procurement Procedures and Contract Management

The European Public Prosecutor’s Office (“EPPO”) is committed to ensuring that you have all the information you need in order to understand how your data is being processed, understand your rights, and how to exercise them. Below you can find all the details of the processing of personal data in the context of procurement procedures and contract management and the relevant contact details for further information, assistance or redress. 

a) Identity and contact details of the controller

The entity that determines how and why your personal data are processed in the context of procurement procedures and contract management and which is legally responsible for complying with data protection obligations under Regulation (EU) 2018/1725 is the EPPO. You may contact the EPPO by email to EPPO-procurement (at) or by mail marked for the attention of the Head of the Finance and Procurement Sector, EPPO, 11 Avenue John F. Kennedy, 1855 Luxembourg.

b) Contact details of the Data Protection Officer

The Data Protection Officer (“DPO”) of the EPPO can be reached by email to EPPO-DPO (at), or by mail marked for the attention of the DPO, EPPO, 11, Avenue John F. Kennedy, 1855 Luxembourg, for assistance and with regard to any issues in relation to the processing of your personal data and the exercise of your rights, as outlined below under h). 

c) Purpose and legal basis for the processing of personal data

The EPPO processes personal data for the purposes of running its procurement procedures for the selection of a successful tenderer and the management of its contracts as required by law for purchasing goods and services in exchange for remuneration. This includes the processing of personal data for related administrative aspects. Information about all procurement procedures and contracts, including personal data, is logged in ABAC (Accrual Based Accounting), the financial and accounting tool set up by the European Commission to allow for the execution and monitoring of all budgetary and accounting operations by the European Commission, an EU Agency, Body or Institution.

The legal bases are Article 5(1)(a) Regulation (EU) 2018/1725, as processing is necessary for the performance of a task carried out in the public interest, namely, the management and functioning of the EPPO in accordance with Regulation (EU) 2017/1939, and Article 5(1)(b) Regulation (EU) 2018/1725, as the processing is necessary for compliance with a legal obligation to which the EPPO is subject, namely Article 95 Regulation (EU) 2017/1939 in conjunction with the EPPO’s Financial Rules / the EU Financial Regulation.

d) Categories of personal data concerned

Personal data identifying every tenderer who submits an offer and, depending on the tenderer, their staff, such as name, family name, nationality, gender, place and date of birth, title, function, department and company, passport number, ID number, bank account reference (IBAN and BIC), and their contact details such as email address, business telephone number, mobile telephone number, fax number, postal address, country of residence, website address; Personal data related to the selection criteria (e.g. CV, expertise, technical skills and language knowledge, educational background, professional experience) and to the exclusion criteria (e.g. social security contribution certificates and taxes paid, Early Detection and Exclusion System (EDES) flags); Personal data of successful tenderers necessary in order to implement and manage the resulting contract and personal data of successful tenderers that must be published in accordance with the Financial Regulation (the name and address of the successful tenderer, the amount awarded, and the name of the project or programme for which the contract is awarded); Personal data other than those related to the tenderers / their staff required to conduct the procurement procedure (e.g. the personal data of the external experts, where applicable); Personal data contained in the information about the procurement procedure which is to be inserted in ABAC in accordance with the dedicated European Commission’s record (e.g.: the resulting contract); Special categories data / data related to criminal convictions or offences: Declarations of honour on exclusion and selection criteria and extracts from judicial records are required to be submitted under the EPPO’s Financial Rules / EU Financial Regulation. Additionally, any special categories of personal data which may be contained in CVs or other forms submitted by tenderers.

e) Recipients or categories of recipients of the personal data

The staff of the EPPO’s Finance and Procurement Sector in charge of the procurement and contract file, the members of evaluation committees or persons responsible for evaluations, the Operational Initiating / Operational Verifying Agent (OIA / OVA), the Financial Initiating / Financial Verifying Agent (FIA / FVA), the Responsible Authorising Officers; The external experts providing opinions and advice in specific cases; Other members of the Sector or Unit of the EPPO who are involved in the procurement procedure / management of the contract, depending on the goods or services which are the subject matter of the call for tenders / contract; The European Commission and, as a result, the public at large, through the Financial Transparency System website, as the EPPO is obliged to make available to the public some information on the outcome of the procurement procedure (see above under letter c)); The European Commission as processor, when users access and / or insert personal data in the ABAC tool and when providing administrative support to the EPPO’s procurement activities; Other persons, internal or external, in the context of legal proceedings, audits, internal investigations, or responding to data protection or security related incidents may also have access to all or some of the personal data, to the extent determined by the circumstances.

f) Transfers to third countries and / or international organisations


g) Period for which the personal data will be stored

The files of successful tenderers are kept for 10 years following signature of the contract or following the last payment by the EPPO, for control and audit purposes in accordance with the Financial Regulation; The files of unsuccessful tenderers, are retained for at least 5 years following signature of the contract to allow for appeals, in accordance with the Financial Regulation. The retention period may be prolonged until the end of possible audits or legal proceedings if started before the end of it. Personal data processed by the European Commission as processor are retained in accordance with their records of processing activity related to the variety of services that they provide to the EPPO. In particular, with reference to the ABAC tool, details in relation to the retention period may be found in the dedicated European Commission’s record.

h) Right to request access, rectification, erasure, restriction, objection and data portability

You have the right at any time to request access to your personal data and to have them rectified in case they are inaccurate or incomplete, to object to or request restriction of processing of your personal data, to erase your personal data and to data portability where applicable. To exercise these rights, request assistance or if you have a question thereto, or to file a complaint, you may contact the DPO of the EPPO by using the contact details above.

i) Right to withdraw consent


j) Complaints to the European Data Protection Supervisor

You have the right to address yourself to the European Data Protection Supervisor (“EDPS”) to lodge a complaint. The EDPS can be contacted by email to EDPS (at), or by post to EDPS, Rue Wiertz 60, B-1047 Brussels.

k) Source from which the personal data originate

Personal data are submitted in the context of the procurement procedure / awarding of the contract and are usually static. Any change is communicated by the tenderer / external expert or, at a later stage, by the successful tenderer in the course of the management and execution of the contract. Personal data may also stem from the European Commission, when providing administrative support to the EPPO’s procurement activities. EDES flags stem from searches in the Early Detection and Exclusion System (EDES) service provided by the European Commission. The provision of personal data is mandatory to be able to participate to the procurement procedure and to be awarded contracts.

l) Mandatory nature of provision of personal data

The provision of personal data as indicated in this notice is mandatory to be able to participate to the procurement procedure and to be awarded contracts.

m) Automated decision-making

The processing of your personal data by the EPPO in the context of this processing activity does not result in any decision, which produces legal effects concerning you or similarly significantly affects you.

n) Record of processing activity

The related record of processing activity kept by the EPPO with record no. APD-220521-FP is available from the EPPO’s DPO.


Last Update: 15/03/2024