Public procurement in the GDPR era


Contracting authorities have to bear in mind that protected personal data are processed in their procedures. Procedure documentation has to comply with new laws now that the GDPR is in effect.

A new Personal Data Protection Act and the GDPR (the EU’s General Data Protection Regulation) came into force on 25 May 2018. These laws mean that parties have to modify their practice in procedures conducted according to the Public Procurement Law. The laws also impose disclosure obligations on contracting authorities.

The Public Procurement Office has just published Guidelines on public procurement proceedings in light of the GDPR. The office has also posted on its website proposed wording of clauses informing tender participants of the rules on data processing under art. 13 of the GDPR and a form for the declaration that has to be obtained from a contractor.

The fundamental issues to be borne in mind in a tender are:

  • Personal data provided in a bid, an application for admission to proceedings, a European Single Procurement Document, and any other documents filed during proceedings, for example powers of attorney, are protected;
  • The new personal data protection laws apply to proceedings in progress as of 25 May 2018 and which commence after that date;
  • In proceedings in progress, a contracting authority is required to comply with GDPR obligations in the first action performed after 25 May 2018;
  • Information about past convictions and breaches of law is subject to special protection and may only be disclosed to entities entitled to make use of legal remedies. Persons authorised to process data of that kind must be required to keep the data confidential. Certificates confirming no criminal record are not subject to special personal data protection rules, as discussed here;
  • As data controllers, contracting authorities have obligations under art. 13 of the GDPR. These are described in the template prepared by the Public Procurement Office;
  • The disclosure obligation can be complied with by personally sending information to particular contractors or placing additional information in the call for tender or the tender terms of reference;
  • If third-party data are processed in the course of the proceedings, for example of an entity providing capacity, of key personnel, of an attorney-in-fact, or subcontractor, those parties’ data are subject to the same protection; they also have to be informed of their rights;
  • As third-party data are obtained for the purposes of proceedings by a contractor who relies on those persons, when participating in the proceedings, it is advisable to require contractors to make a declaration of compliance with the disclosure obligations provided for in art. 13 or 14 of the GDPR; a form for the declaration that might be an element in ongoing proceedings as the law stands at the moment can be found on the Public Procurement Office website.

Anna Prigan, legal adviser, Infrastructure, Transport, Public Procurement & PPP practice, Wardyński & Partners