Few considerations on the impact of the data protection obligations – including the ones set forth in the GDPR – on the public procurement processes

by Raluca Nechimis, “Raluca Nechimis Law Office”, EMEA Conferences

At first glance, data protection and public procurement seem to be very distinct fields that never interact. However, non-compliance with data protection obligations may have a significant impact on the “fate” of a bid.

Non-compliance with data protection regulations may lead to the mandatory de-selection of the bid on one of two mandatory grounds, or to its de-selection for non-compliance with the selection criteria. There is also the case where the bid does not receive the highest score at the evaluation, and thus the submitting bidder does not get the contract, due to failure to meet the privacy by design award criterion.

In the initial phase of the assessment of a bid, non-compliance with the data protection obligations may lead to the mandatory de-selection of the bid for one of two reasons, depending on the situation at hand.

The mandatory de-selection will come into play if the breach of the data protection regulations qualifies as grave professional misconduct, which renders the bidder’s integrity questionable.

Whether a breach of data protection obligations by a bidder amounts to grave professional misconduct depends on the circumstances of the breach: it is not enough for it to qualify as professional misconduct, it must be grave misconduct. Furthermore, the breach must bring the integrity of the bidder into question by affecting the bidder’s credibility that it may actually legally perform the contract if it is awarded the contract.

Another instance where de-selection of the bid may occur is a significant or persistent performance deficiency in a substantive requirement of a prior contract which led to early termination, damages or other comparable sanctions. In this case, it should be determined whether the relevant breach of the data protection obligations by a bidder concerns a substantive requirement and also whether such breach has led to early termination, damages or other comparable sanctions.

In order to be construed as a breach of a substantive requirement of the prior contract that has led to the termination of such contract, damages or other comparable sanctions, the data processing must represent one of the essential obligations of the contract.

Therefore, it would be reasonable to say that such a situation usually occurs where the bidder was previously awarded a contract under which it had to perform substantial data processing operations and it failed to do so in accordance with the applicable norms.

One such situation is where the bidder previously entered into a contract for the issuance of health cards. If in such a case the bidder has failed to properly process and ensure the security of the personal data submitted by the contracting authority for the issuance of the cards, and that information became public and was abused, this may be construed as a breach of a significant requirement of the contract.

Another important condition is for such a breach to have led to the termination of contract or the award of damages.

In addition to the mandatory grounds for the de-selection of the bid mentioned above, the contracting authority may deselect the bid at its discretion, based on its assessment as to whether the bidder’s certification and experience on privacy matters meet the selection criteria set up in this respect by the contracting authority as being relevant to the subject matter of the contract.

Therefore, where the contracting authority may impose requirements ensuring that bidders possess the necessary human and technical resources and experience to perform the contract to an appropriate quality standard (for instance, in the procurements for health, social and education services), the contracting authority may set forth in the award documentation selection criteria regarding the previous experience of the bidder in processing a large amount of data and ensuring the security thereof. The essential condition is that all criteria must be related and proportionate to the subject matter of the contract.

In terms of using the data processing as an award criterion, it is worth noting that even in the preamble (78) of the General Data Protection Regulation no. 679/2016 (“GDPR”) it is provided that “The principles of data protection by design and by default should also be taken into consideration in the context of public tenders”.

To the extent that the security of data is relevant to the products, services or works being procured, it may be used as an award criterion.

The question that arises, however, is whether it may be qualified as a mandatory or as a scored criterion, given that privacy by design and privacy by default are mandatory under the GDPR.

It would be reasonable to argue that – after 25 May 2018 when GDPR will commence producing effects – all the products and services that are procured should incorporate privacy by design as GDPR requires. Therefore, privacy by design may be seen as a general standard and not scored specifically in the evaluation phase. However, in specific cases where a higher level of data security must be ensured, the security of processing can be provided as a scored criterion.

For instance, procedures and certifications (ISO/IEC 29100 – Privacy Framework) in place may be considered scored criteria. Again, setting such requirements as award criteria may be valid only as long as they are relevant for the purposes of the procurement.

GDPR producing effects may lead to modifications of the already concluded public procurement contracts to adjust them to GDPR, to a procurement strategy that takes GDPR into account, to increased procurement budgets, to more market consultations to procure products and services incorporating privacy by design, and to a more complex form of the draft procurement contract to be included in the award documentation, so as to properly cover the rights and obligations of the contracting authority and the contractor as data controller and data processor. These are all points of intersection between public procurement and data protection, even if not apparent at first glance.