Privacy policy for the procurement procedure

Compliance with data protection regulations is a high priority at MÜNCHENSTIFT. We would therefore like to inform you as a (potential) contractor as well as your employees and vicarious agents about the processing of personal data within the scope of the procurement procedure, the conclusion of the contract and the execution of the contract in accordance with Art. 13 of the General Data Protection Regulation (GDPR).

If you as a (potential) contractor, your employees or vicarious agents are natural persons whose data are processed in the context of a contract, you are a data subject in the sense of the following information.

1. Controller

The controller responsible for the data processing is named in the imprint.

2. Purposes of data processing

MÜNCHENSTIFT processes personal data that is disclosed to it by the (potential) contractor, its employees or vicarious agents in the course of the procurement procedure and the execution of the contract. This may include, for example:

  • the company name, first name and surname of the (potential) contractor
  • the business address of the (potential) contractor
  • the full name of the contractor's contact person (i.e. the data subject)
  • the company for which the data subject works
  • the position of the data subject in the company
  • the contact details of the data subject

3. Legal bases of data processing

As part of the procurement procedure, we collect and process data about the data subjects of each potential contractor. We receive this information from the potential contractor. The purpose is to evaluate the most economical offer for the contract. We process the data of the data subjects in the procurement procedure on the basis of Art. 6 para. 1 lit. b), c), e) GDPR and Art. 4 of the Bavarian Data Protection Act (BayDSG). On the one hand, the provision of the data subject's data serves to initiate the contract.

At the same time, we collect and process the data in the public interest. MÜNCHENSTIFT is a non-profit limited liability company and a wholly owned subsidiary of the City of Munich. The data processing is therefore carried out in the performance of a public task in the public interest, in this case to ensure that the population is provided with nursing homes that meet their needs. According to Art. 83 of the Constitution of the Free State of Bavaria (BV) and Art. 73 of the Act on the Implementation of Social Laws (AGSG), municipalities are responsible for local health care, which includes long-term care.

Once a contract has been concluded, data processing primarily serves the purpose of fulfilling the contract. The primary legal basis for this is Art. 6 para. 1 lit. b) GDPR. If necessary, the data subject's separate consent to MÜNCHENSTIFT pursuant to Art. 6 para. 1 lit. a) GDPR can also be used as a legal basis. Consent may be revoked at any time with effect for the future. Insofar as statutory retention periods exist, Art. 6 para. 1 lit. c) GDPR is the correct legal basis. If the vital interests of the data subject or another natural person are affected and the processing of personal data is necessary, Art. 6 para. 1 lit. d) GDPR serves as the legal basis for this processing. Art. 6 para. 1 lit. e) GDPR in conjunction with Art. 4 BayDSG serves as the legal basis for the above-mentioned reasons.

In addition, we compare the required data with the sanction lists of the currently binding EU regulations. This processing is necessary to fulfill a legal obligation (Art. 6 para. 1 lit. c) GDPR).

4. Storage period

We delete data when it is no longer required for the purpose for which it was collected and when there is no legal obligation to retain it. In doing so, we adhere to the specifications of the standardized file plan for Bavarian municipalities and district offices with a list of retention periods (EAPlAufbew).

The current version of the EAPlAufbew is available at https://www.gda.bayern.de/publikationen/einheitsaktenplan/.

5. Treatment of your data and data recipients

Within MÜNCHENSTIFT, personal data is only made available to those persons and departments who need it to fulfill our contractual and legal obligations. We disclose personal data to service providers, business partners and other third parties only in accordance with applicable data protection laws. We may disclose information to third parties if required to do so by law or legal process.

If we transfer data to service providers outside the European Economic Area, the transfer will only take place if the third country has been certified by the European Commission as having an adequate level of data protection or if other adequate data protection safeguards (e.g. EU standard contractual clauses) are in place. In the absence of adequate data protection safeguards, a transfer to a third country may exceptionally take place if the requirements of Art. 49 GDPR are met.

6. Data subject rights

As a data subject, you have the right to information about the personal data that concerns you, as well as to the correction or deletion of incorrect data, provided that one of the reasons cited in Art. 17 GDPR applies, for example if the data are no longer required for the purposes pursued.

You also hold the right to restrict processing if any of the preconditions set out in Art. 18 GDPR apply and, in cases of Art. 20 GDPR, the right to data transfer.

If data are collected on the basis of Art. 6 para. 1 p. 1 lit. f) GDPR, the data subject has the right to object to the processing at any time for reasons relating to their particular situation. In this case, we shall no longer process your personal data unless we can demonstrate compelling reasons for processing that override the interests, rights and freedoms of the data subject, or unless processing serves the assertion, exercise or defence of legal claims.

Any data subject has the right to complain to the supervisory authority if they consider that the processing of their personal data breaches data protection regulations. The responsible supervisory authority is:

Bayerisches Landesamt für Datenschutzaufsicht
Street address: Promenade 18, 91522 Ansbach
Postal address: Postfach 13 49, 91504 Ansbach
+49 981 531300
poststelle@lda.bayern.de

7. Our data protection officer

You also have the right to contact our data protection officer at any time, who is bound to secrecy regarding your request. The contact details of our data protection officer can be found on the privacy policy page.

We will be happy to provide you with more detailed information on request.

Version: January 2024