Forewarned can be forearmed – GDPR and Public Procurement

Context

On 6 May 2022, the Belgian Council of State has issued a judgment relating to the verification of the conformity of an offer with the General Data Protection Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).

To understand the concrete impact of this judgment, it should be recalled that, under Belgian Law, tenderers are obliged to submit offers that are compliant with the technical specifications and contracting authorities must verify whether the offers submitted are really compliant or, if they do contain a substantial irregularity justifying their rejection (Article 76 of the Royal Decree of 18 April 2017). A substantial irregularity is an irregularity which is such as to give the tenderer a discriminatory advantage, to distort competition, to prevent the evaluation of the tenderer's tender or its comparison with other tenders, or to render the tenderer's engagement to perform the contract in accordance with the conditions set in the procurement documents non-existent, incomplete or uncertain.

In assessing whether an offer does contain a substantial irregularity, the contracting authority has to assess the services proposed by the tenderer in its offer. And, in case of contradiction between the services proposed and the tender specifications (including those contained in the Royal Decree of 14 January 2013), the contracting authority has the right to reject the offer should it consider that the contradiction does constitute a substantial irregularity.

Judgment

In the matter at hand, the public contract related to the subscription to a collective tool for analysis and feedback analysis and feedback tool for hospital activity. The management of this tool involved the processing of personal data, in particular health data.

It is apparent from the judgment that the procurement documents did not include a specification relating to the compliance with the GDPR. At most, the procurement documents contained a specific provision, in the performance conditions of the contract, stating that

“The successful tenderer and the contractor undertake to process personal data collected in the context of this public contract in accordance with the General Data Protection Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016.

In this context, the successful tenderer and its subcontractors undertake to ensure that the personal data collected is used solely for the performance of the contract, or in fulfilment of a legal obligation, or with the explicit consent of the contracting authority.”

In the case at hand, the applicant argued that:

1. The contracting authority should have verified whether the winning bid complied with the GDPR;

2. Since this verification has not been proceeded, the award decision was illegal;

3. There were several potential violations of the GDPR, including the transfer of personal data to a third country to a third company located in Russia. Considering the existence of this potential transfer, the contracting authority should have also verified that the offer did comply with Chapter V of the GDPR to ensure that the level of protection of individuals guaranteed by the GDPR is not compromised.

The Council of State did agree with this view.

It observed that, in this particular procurement, the contracting authority were the “controller” of personal data, within the meaning of the GDPR and had to check that the services offered by the tenderer provide the guarantees required by the GDPR. Even though the procurement document did not provide it explicitly, the Council of State considered that this requirement was not only performance condition of the contract, but also a “technical specification” of the contract, which, given its nature, was a minimum requirement that the tenders must necessarily meet.

Accordingly, the Council of State considered that the contracting authority should have assessed the compliance of the offer with the GDPR at the stage of the award of the procurement. In the matter at hand, it observed that the contracting authority decided to suspend the decision to award the contract to the winning tenderer as the contracting authority did not proceed to this assessment.

Lessons

What lessons can be drawn from this judgment?

4. On contracting authorities’ side, this judgment further demonstrates that they are not only responsible to verify the compliance of the offer with public procurement legislations, but also with other legislations applicable to the provisions to perform (including the GDPR). This means that contracting authorities need to reinforce their internal capacity in order to ensure that they do have the competent person to proceed to the required assessment.

On the downside however, as we observed more and more in Belgium, we cannot exclude that several contracting authorities will tend to centralize their procurements using for example central purchasing bodies with the appropriate capacity and knowledge to proceed to comprehensive assessments.

5. On the bidders side, you must really proceed to a comprehensive compliance check of any offer you submit as part of a tender procedure. If the services to be performed entail the processing of personal data, an analysis under the GDPR is therefore mandatory and must be done before the submission the offer and not during the performance of the contract.