The General Data Protection Regulation (GDPR) affects public procurement on multiple levels. From the processing of personal data in tenders to the data processing agreement in IT contracts, and from the tension between transparency and privacy to the role of the Data Protection Officer — GDPR compliance has become an integral part of the procurement process.
Where does GDPR affect procurement?
Personal data in tenders
Every tender contains personal data: names of contact persons, CVs of proposed staff, references with contact details of previous clients, certificates in individuals’ names. The contracting authority processes this data when evaluating tenders.
The legal basis for this processing is typically the contracting authority's legitimate interest (Article 6.1.f GDPR) or the necessity of the processing for the performance of a task carried out in the public interest (Article 6.1.e GDPR). A tenderer that shares personal data of its employees must inform those employees that their data is being provided in the context of a tender.
Data processing agreement for service contracts
For contracts where the contractor processes personal data on behalf of the contracting authority — think IT services, HR administration, cloud hosting, facility management — a data processing agreement (Article 28 GDPR) is mandatory. The procurement documents increasingly include a draft processing agreement as an annex.
The processing agreement covers, among other things:
- The subject matter and duration of the processing.
- The nature and purpose of the processing.
- The type of personal data and categories of data subjects.
- The obligations and rights of the controller.
- Security measures the processor must implement.
- Rules on sub-processors (subcontractors who also process personal data).
- The return or destruction of data at the end of the contract.
Transparency versus privacy
Public procurement is subject to transparency obligations: the award decision is reasoned and communicated, tender prices are published, and the public has a right to information on public spending. At the same time, the GDPR protects the personal data processed in this context.
The balance works as follows:
- The names of directors or managers of tendering companies are generally considered public information — they are published in the Belgian Official Gazette and in the CBE (Crossroads Bank for Enterprises).
- CVs, staff contact details and detailed reference information are not public and are protected by the confidentiality rules of Article 13 of the Act of 17 June 2016.
- When a freedom of information request is made, the authority weighs the transparency interest against the right to privacy.
GDPR requirements in specifications
DPO requirements
For contracts involving significant processing of personal data, the specifications may require the tenderer to have a Data Protection Officer (DPO). This is particularly common for:
- IT contracts involving processing of health data.
- Data processing or analytics contracts.
- Cloud services where large volumes of personal data are stored.
Certifications as award criterion
The GDPR provides for the possibility of certification mechanisms (Article 42 GDPR). Although these are not yet widely available, related certifications are increasingly used as selection or award criteria:
- ISO 27001 (information security) as evidence of adequate security measures.
- ISO 27701 (privacy information management) supplementing ISO 27001.
- SOC 2 for cloud and IT service providers.
Data Protection Impact Assessment (DPIA)
For contracts with a high risk to the rights and freedoms of data subjects — such as large-scale processing of special categories of personal data — the authority may require a Data Protection Impact Assessment. The tenderer must then demonstrate in its tender how it mitigates the risks.
International dimension
Transfers outside the EEA
For contracts with an international element — cloud services with servers outside the EEA, international subcontractors, multinational IT suppliers — the transfer of personal data outside the European Economic Area is a critical concern.
Following the Schrems II judgment (2020) of the Court of Justice and the subsequent EU-US Data Privacy Framework (2023), the contracting authority must verify:
- Whether the transfer is to a country with an adequacy decision.
- Whether there are appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules).
- Whether a supplementary risk assessment (Transfer Impact Assessment) has been carried out.
Specifications increasingly require that data be processed exclusively within the EEA.
Common mistakes
No processing agreement provided. The specifications contain no data processing agreement although the contractor processes personal data. This is a breach of Article 28 GDPR — for both parties.
Requesting excessive data. The specifications ask for more personal data than necessary for the evaluation (detailed medical data of staff, unnecessary copies of identity cards). The data minimisation principle (Article 5.1.c GDPR) also applies to contracting authorities.
No retention periods. The authority retains tenders and associated personal data indefinitely, without a policy for destruction after the retention period expires.
GDPR requirements not proportionate to risk. A contract for supplying office furniture has different GDPR requirements than a contract for cloud hosting of patient records. The specifications must be proportionate.
Tips
Read the processing agreement. As a tenderer, review the draft processing agreement in the specifications before bidding. Unrealistic or one-sided clauses (unlimited liability, immediate notification of every incident) are negotiable — ask questions in good time.
Inform your employees. If you include CVs and personal data of employees in a tender, inform them about the processing in accordance with Articles 13 and 14 GDPR.
Offer GDPR compliance as an asset. In IT and service contracts, demonstrable GDPR compliance is a differentiating factor. ISO 27001/27701 certification, an appointed DPO and a mature privacy organisation make an impression.
Prepare a processing register. An up-to-date record of processing activities (Article 30 GDPR) demonstrates that you take GDPR seriously and speeds up the evaluation of your tender.