Personal data processing

August 6, 2020 GDPR

Information on the processing of personal data under the Operational Programme Infrastructure and Environment 2014-2020 (OP I&E 2014-2020)

Several entities serving as controllers within the meaning of the GDPR [Regulation (EU) 2016/679 of the European Parliament and of the Council of by 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) dated 27 April 2016 (OJ EU L No. 119, p. 1)] participate in the processing of personal data within the OP I&E 2014-2020. These entities make decisions related to the personal data being processed, i.e. what personal data are processed, for what purpose and in what way. Each controller is individually responsible for the protection of personal data and for informing the public about the way in which it processes such data.

Due to the fact that it is the Minister of Development Funds and Regional Policy – as the Managing Authority of the OP I&E 2014-2020 – who determines: what personal data, how and for what purpose will be processed in connection with the implementation of the Programme, the Minister acts as the controller of personal data processed in connection with the implementation of the OP I&E 2014-2020.

The Minister is the controller of both the data the Minister obtained independently as well as of the personal data obtained by other entities involved in the implementation of the Programme (i.e. by other controllers, who in this case also perform the function of processors [Processors are institutions (Intermediate Bodies and Implementing Authorities), beneficiaries and other entities involved in the implementation of the OP I&E 2014-2020, to which the Minister (or another authorised entity) entrusted the processing of personal data within the OP I&E 2014-2020]).

The Minister of Development Funds and Regional Policy is also the controller of personal data that the Minister processes as a beneficiary of projects co-financed from the funds of OP I&E 2014-2020.

The Minister of Development Funds and Regional Policy is also the controller of data collected in the Central IT System managed by the Minister, which supports the implementation of OP I&E 2014-2020.

I. Purpose of personal data processing

The Minister of Development Funds and Regional Policy processes personal data in order to implement the tasks assigned to the Managing Authority to the extent that it is necessary such an objective. Similarly, processors process personal data in order to implement the tasks assigned to them within the scope of OP I&E 2014-2020’s implementation to the extent it is necessary to achieve this objective.

The Minister and processors process such data, in particular, for the following purposes:

  1. to grant support to the beneficiaries applying for co-financing and implementing projects;
  2. to confirm the eligibility of expenditure;
  3. to request payments from the European Commission;
  4. to report irregularities;
  5. to evaluate;
  6. to monitor;
  7. to control;
  8. to audit;
  9. to run reporting activities;
  10. to run information-promotion activities.

II. Legal grounds for data processing

Processing of personal data in connection with the implementation of OP I&E 2014-2020 is carried out in accordance with the GDPR.

1. The legal basis for data processing is primarily the need to fulfil the obligations incumbent on the Minister of Development Funds and Regional Policy – as the Managing Authority of the Programme – pursuant to the provisions of Union law and national laws (Article 6(1)(c) of the GDPR). These obligations arise from the following legal provisions:

  1. Regulation of the European Parliament and of the Council No. 1303/2013 of 17 December 2013 laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime and Fisheries fund, and repealing Council Regulation (EC) No 1083/2006;
  2. Commission Delegated Regulation (EU) No 480/2014 of 3 March 2014 supplementing Regulation (EU) No 1303/2013 of the European Parliament and of the Council laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime and Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime and Fisheries Fund;
  3. Commission Implementing Regulation (EU) No 1011/2014 of 22 September 2014 laying down detailed rules for implementing Regulation (EU) No 1303/2013 of the European Parliament and of the Council as regards the models for submission of certain information to the Commission and the detailed rules concerning the exchanges of information between beneficiaries and managing authorities, certifying authorities, audit authorities and intermediate bodies;
  4. Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012;
  5. Act of 11 July 2014 on the rules of implementing cohesion policy programmes financed under the 2014-2020 financial perspective;
  6. Act of 14 June 1960 – Polish Code of Administrative Procedure;
  7. Act of 27 August 2009 on Public Finance;
  8. Act of 29 January 2004 – Public Procurement Law.

2. Processing is also lawful if one of the following applies:

  1. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) of the GDPR) – this ground applies, inter alia,  to personal data of persons running a business as a sole trader, with whom the Minister concluded contracts in order to implement OP I&E 2014-2020;
  2. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested   in the Minister (Article 6(1)(e) of the GDPR) – this ground applies, inter alia, to competitions and promotional campaigns organised by the Minister concerning the Programme.

III. Categories of personal data processed

The Minister of Development Funds and Regional Policy, in order to implement OP I&E 2014-2020, processes personal data, of, among others:

  1. employees representing or performing tasks for entities involved in the service and implementation of the programme and projects, i.e. Intermediate Bodies and Implementing Authorities;
  2. contact persons, persons authorised to make binding decisions and other persons performing tasks for applicants, beneficiaries and partners;
  3. participants in trainings, competitions, conferences, monitoring committees, working groups, steering groups and information or promotional meetings organised under the Programme;
  4. candidates for experts and experts involved in the process of selecting projects to be co-financed or performing tasks related to the implementation of rights and duties of competent institutions, resulting from the concluded grant agreements;
  5. persons whose data will be processed in connection with the examination of eligibility of funds in the project, including in particular: project personnel, participants of tender commissions, bidders and contractors of public procurements, persons providing services under civil law contracts.

The types of personal data processed by the Minister include:

  1. identification data, in particular: name, surname, series and number of identity card, date and place of birth, place of residence, place of employment / form of conducting business activity, official position, PESEL (Personal Identification Number) / NIP (Tax Identification Number) / REGON (Statistical ID), user identifier / user login;
  2. data concerning the employment relationship, in particular: remuneration received and working time, occupation or education, length of service;
  3. contact details, which include in particular: e-mail address, telephone number, fax number, correspondence address;
  4. financial data, in particular: bank account number, amount of remuneration;
  5. other data, for example: information about the real property (plot number, land and mortgage register number, gas connection number).

Data are obtained directly from data subjects or institutions and entities involved in the implementation of operational programmes, in particular applicants, beneficiaries and partners.

Where data are collected directly from data subjects, the provision of data is voluntary. However, the refusal to provide the data is tantamount to the lack of possibility to take appropriate actions, e.g. applying for funds under OP I&E 2014-2020.

IV. Data retention period

Personal data will be stored for the period specified in Article 140(1) of Regulation (EU) No 1303/2013 of the European Parliament and of the Council of 17 December 2013 and at the same time for a period not shorter than 10 years from the date of awarding the last aid under OP I&E 2014-2020 – also taking into account the provisions of the Act of 14 July 1983 on National Archival Resources and Archives.

In some cases, e.g. when the EU authorities control the Minister, this period may be extended.

V. Data recipients

The recipients of personal data may be:

  • the entities to which the OP I&E 2014-2020 entrusted the performance of tasks related to the implementation of the Programme, including in particular entities acting as Intermediate Bodies and Implementing Authorities, as well as experts, entities conducting audits, controls, trainings and evaluations;
  • institutions, bodies and agencies of the European Union (EU), as well as other entities to which the EU has entrusted the performance of tasks related to the implementation of OP I&E 2014-2020;
  • entities providing the Minister with services related to the operation and development of IT systems and ensuring communication, in particular IT solutions providers and telecommunication operators.

VI. Rights of data subjects

Persons whose data are processed in connection with the implementation of OP I&E 2014-2020 have the following rights:

  1. to access their personal data and to receive a copy of the data (Article 15 of the GDPR) and the right to rectify the data (Article 16 of the GDPR) – Upon exercising this right, the data subject may ask the Minister, among others, whether the Minister processes his or her personal data, what personal data are processed by the Minister, and where the Minister has obtained them from, what is the purpose of the processing and its legal ground, and for how long the data will be processed. If the processed data prove to be outdated, the data subject may apply to the Minister with a request to update them,
  2. the right to have their data erased (Article 17 of the GDPR) – if the circumstances referred to in Article 17(3) of the GDPR did not occur,
  3. the right to demand that the controller restrict the processing of the data subject’s data (Article 18 of the GDPR) – Restriction of personal data processing causes that the Minister may only store personal data. The Minister may not transfer such data to other entities, modify or delete them. Restricting the processing of personal data is temporary and lasts until the Minister performs the assessment whether the personal data are accurate, processed in accordance with the law and necessary to achieve the purpose of processing.
  4. the right to lodge a complaint with the President of the Personal Data Protection Office (Article 77 of the GDPR),
  5. the right to data portability, includingthe right to receive their personal data in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (Article 21 of the GDPR), where the processing both is based on a contract (is necessary to sign or to carry out a contract to which the data subject is party, according to Article 6(1)(b) of the GDPR) and is carried out by automated means (an outline is enough to save the data on the storage device),
  6. the right to object to processing of personal data (Article 21 of the GDPR) – if the ground for the processing is the performance of public tasks of the controller (Article 6(1)(e) of the GDPR).

Filing an objection causes that the Minister will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The data are not subject to the process of automated individual decision-making, including profiling.


Company DETAILS

SHIP IP LTD
VAT:BG 202572176
Rakovski STR.145
Sofia,
Bulgaria
Phone ( +359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED