GENERAL CONDITIONS FOR SERVICE CONTRACTS FOR EXTERNAL ACTIONS FINANCED BY THE EUROPEAN UNION OR BY THE EUROPEAN DEVELOPMENT FUND:
ARTICLE 42. DATA PROTECTION

42.1. Any personal data included in the contract shall be processed pursuant to Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data. The data shall be processed solely for the purposes of the performance, management and monitoring of the contract by the Contracting Authority without prejudice to possible transmission to the bodies charged with monitoring or inspection in application of EU law. The Contractor shall have the right to access his/her personal data and to rectify any such data. Should the Contractor have any queries concerning the processing of his/her personal data, s/he shall address them to the Contracting Authority. The Contractor shall have right of recourse at any time to the European Data Protection Supervisor.

42.2. Where the contract requires processing personal data, the Contractor may act only under the supervision of the data controller, in particular with regard to the purposes of processing, the categories of data which may be processed, the recipients of the data, and the means by which the data subject may exercise his/her rights.

42.3. The data shall be confidential within the meaning of Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by Community institutions and bodies and on the free movement of such data. The Contractor shall limit access to the data to staff strictly needed to perform, manage and monitor the contract.

42.4. The Contractor undertakes to adopt technical and organisational security measures to address the risks inherent in processing and in the nature of the personal data concerned in order to:

a) prevent any unauthorised person from having access to computer systems processing personal data, and especially:
   aa) unauthorised reading, copying, alteration or removal of storage media;
   ab) unauthorised data input, unauthorised disclosure, alteration or erasure of stored personal data;
   ac) unauthorised persons from using data-processing systems by means of data transmission facilities;
b) ensure that authorised users of a data-processing system can access only the personal data to which their access right refers;
c) record which personal data have been communicated, when and to whom;
d) ensure that personal data processed on behalf of third parties can be processed only in the manner prescribed by the contracting institution or body;
e) ensure that, during communication of personal data and transport of storage media, the data cannot be read, copied or erased without authorisation;
f) design its organisational structure in such a way that it meets data protection requirements.