Privacy Policy: Public procurement
Updated 22.12.2025
Data Controller
Geological Survey of Finland
P.O. Box 96, 02151 Espoo, Finland
tel. +358 29 503 0000, gtk(at)gtk.fi
Contact persons for register matters
Anu Erolahti
P.O. Box 96, 02151 Espoo, Finland
tel. +358 29 503 0000, anu.erolahti(at)gtk.fi
Contact details of the data protection officer
tietosuojavastaava(at)gtk.fi
tel. +358 29 503 0000
Purpose of the processing of personal data and its legal basis
Personal data is processed by the Geologian tutkimuskeskus (GTK) for the purposes of public procurement procedures in accordance with procurement legislation, in particular the Act on Public Procurement and Concession Contracts (1397/2016). This includes the organisation of competitive tendering, the processing of tenders and requests to participate (including the verification of references and qualifications), the conclusion of procurement contracts, and participation in possible appeal procedures and legal proceedings.
Personal data is also processed in connection with procurements that fall below the national threshold values or are otherwise exempt from competitive tendering under applicable legislation.
Legal basis
Compliance with a legal obligation
GTK is a Contracting Authority under the Act on Public Procurement and Concession Contracts (1397/2016). When personal data collected for a public procurement process is processed, the legal basis for processing is compliance with GTK’s legal obligation.
The verification of criminal records of key personnel of the winning tenderer is based on the Act on Public Procurement and Concession Contracts and the Criminal Records Act (770/1993).
Likewise, the processing of personal data is based on compliance with a legal obligation when personal data is processed for sanction list screening under the Embargo Act (659/1967) or for any other statutory requirement aimed at ensuring the compliance or legality of a transaction.
The processing of personal data is based on Article 6 (1) c of the General Data Protection Regulation (2016/679) according to which processing is necessary for compliance with a legal obligation to which the Controller is subject.
Performance of a contract or taking steps prior to entering into a contract
Processing of personal data is a prerequisite for entering into the procurement contract. For example, personal data is processed in the preparation, execution and management of the contract.
The processing of personal data is based on Article 6 (1) b of the General Data Protection Regulation (2016/679) according to which processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.
Performance of a task carried out in the public interest
Processing of personal data is a prerequisite for performing a task carried out in the public interest. For example, in relation to public procurement procedures, planning is carried out to enhance the efficiency and effectiveness of GTK’s public expenditure. Personal data is processed during this planning.
The processing of personal data is based on Article 6 (1) e of the General Data Protection Regulation (2016/679) according to which processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In addition, processing of personal data is based on Section 4(1) 2 of the Finnish Data Protection Act (1050/2018) according to which personal data may be processed when the processing is proportionate and necessary for the performance of a task carried out in the public interest by an authority.
Data content
Data content of the Register and the categories of personal data concerned
Information concerning the contact persons of tenderers or candidates:
- Name
- Represented organization and the position
- Contact details
Information concerning the members of the administrative, management or supervisory body or persons having powers of representation, decision or control of the tenderers or candidates:
- Name
- Represented organization and the position
- Details revealed in the criminal record extract (of the winning tenderer)
Information concerning experts named in the tender or request to participate, as well as persons participating in interviews or assessments related to the evaluation of tenders:
- Name
- Represented organization and the position
- Details of education, professional qualifications, experience and other characteristics relevant to the subject matter of the procurement
Information concerning the contact persons of references provided in the tender or request to participate:
- Name
- Represented organization and the position
- Contact details
- Details of the reference
Other personal data included in tenders or requests to participate, or collected and processed during the procurement procedure, such as information concerning the personnel of the tenderer included in project, research, deployment or implementation plans, as well as information obtained from trade register extracts or other sources regarding the tenderer’s owners and beneficial owners, auditors, holders of procuration, and other individuals connected to the tenderer or its subcontractors, in particular:
- Name
- Represented organization and the position
- Date of birth
- Details of education, professional qualifications, experience, and other characteristics relevant to the subject matter of the procurement
Sources of the processed data
The tenderer or candidate provides the data to GTK during the public procurement. The data provider is either the Data Subject themselves, an employer of the Data Subject, or a person authorized to disclose the information.
Criminal record extracts are obtained by GTK from the selected tenderer. GTK may also obtain information from public sources, including the Trade Register maintained by the Finnish Patent and Registration Office, and from the information services of Alma Talent Oy. In conducting company background checks, the embargo check tool of Alma Talent’s information services is used alongside other tools, such as those for verifying bankruptcy records.
Retention period of personal data
Tenders, requests to participate, and other procurement documents are stored in the GTK’s case management system (Juoni) and retained in accordance with the records management plan (TOS).
The retention period is based on national legislation concerning accounting, archiving, and special laws (including Section 170 of the Public Procurement Act (1397/2016)), as well as the need to document and ensure legal protection for both the authority and private individuals and entities.
Procurement documents (including tenders) shall be retained for at least ten years after the end of the financial year. However, the selected tender and its annexes must always be retained for at least as long as the procurement contract and the obligations based on it remain in force.
Procurement documents related to appeal processes (including tenders) shall always be retained for at least the duration of the appeal process and for as long as required by the measures resulting from the outcome of the appeal.
Information contained in criminal record extracts shall not be stored or retained, except for the fact that the extract has been checked and what the outcome was. The extracts are immediately returned or destroyed after review.
Data processing
Recipients or groups of recipients of personal data (Recipients of personal data)
People employed by GTK process the personal data. Personal data is not regularly disclosed to third parties.
The GTK is subject to the Act on the Openness of Government Activities (612/1999), under which information may be disclosed to requesting parties within the limits provided by law. The National Audit Office of Finland may process personal data contained in procurement documents as part of audits conducted under the Act on the State Budget (423/1988) and the regulations issued thereunder.
The European Anti-Fraud Office (OLAF) may process personal data contained in procurement documents as part of investigations conducted under Regulation (EU, Euratom) No 883/2013. The European Public Prosecutor’s Office (EPPO) may process personal data contained in procurement documents as part of investigations conducted under Regulation (EU) 2017/1939.
External funders (e.g. the European Commission and other EU institutions, the Academy of Finland, Business Finland Ltd) may process personal data contained in procurement documents when it is related to the projects they fund as part of the monitoring of the use of public funding or financing, in accordance with the Act on Discretionary Government Transfers (688/2001) or the applicable funding agreement.
Orders relating to procurement contracts may be placed through the HANDI system maintained by the Government Financial and Personnel Administration Service Centre Palkeet. GTK and Palkeet are Joint Controllers subject to the Act on the Government Financial and Personnel Administration Service Centre (179/2019).
Processing personal data on behalf of a Controller
Personal data is processed in the information systems of GTK’s contractual partners (e.g., the Government ICT Centre Valtori, Triplan Oy), whose service providers also act as data processors or sub-processors. In connection with the public procurement procedures, personal data is processed, for example, in the tendering service maintained by Cloudia Oy.
Transfer of personal data outside the EU or European Economic Area (EEA)
Personal data may be transferred outside the EU or EEA. If personal data is transferred, transfers are carried out in accordance with the requirements of the General Data Protection Regulation.
Automated decisions and profiling
No automated decisions or profiling are carried out.
Protection of personal data
As Data Controller, GTK has implemented all necessary technical and organizational measures, and GTK also requires the same measures from its service providers.
Rights of the Data Subject
Exercise of the rights
The Data Subject may exercise their rights by submitting a request to the Data Controller (Geologian tutkimuskeskus) at the address provided above under “Data Controller”. To expedite the processing of the request, we kindly ask that you specify the register to which the request pertains.
Right to lodge a complaint with a supervisory authority
If the Data Subject considers that the processing of their personal data is in conflict with applicable legislation, they have the right to lodge a complaint with a supervisory authority in the EU Member State of their habitual residence, place of work, or the place of the alleged infringement.
In Finland, the matter can be brought to the attention of the Office of the Data Protection Ombudsman:
Postal address: P.O. Box 800, 00531 Helsinki, Finland
Email: tietosuoja(at)om.fi
Phone: 029 566 6700
Right of access to their personal data
The Data Subject has the right to receive confirmation from the Data Controller on whether or not the Controller is processing personal data that concerns them.
If data concerning the Data Subject is being processed, the Data Subject has a right to access, i.e. receive a copy of the personal data being processed. In addition, the Data Subject has a right to know for which purposes and how the personal data is processed.
Right to rectification
The Data Subject has the right to demand the rectification of inaccurate personal data concerning them and to have incomplete personal data completed.
Right to restriction of processing
The Data Subject has the right to request the Controller to restrict the processing of their personal data if:
- the accuracy of the personal data is contested by the Data Subject;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the preparation, exercise or defence of legal claims;
- the Data Subject has objected to processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
Right to object to the processing of their data
In situations where the processing of personal data is based on the performance of a task carried out in the public interest, the Data Subject has the right to object to the processing of their personal data. If the Data Subject exercises this right, the Controller has an obligation to cease processing the personal data, unless the Controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or if the processing is necessary for the establishment, exercise, or defence of legal claims.
Right to erasure, i.e. the so-called right to be forgotten
In situations where the processing of personal data is based on a legal basis other than compliance with a legal obligation or the performance of a task carried out in the public interest, the Data Subject has the right to request the erasure of their personal data. The requested data will be erased unless the Controller has a legal ground to refuse the erasure, such as a statutory obligation to retain the data.
