Data protection and public procurement | In Principle

Go to content
Subscribe to newsletter
In principle newsletter subscription form

Data protection and public procurement

A key element of the proposed new Public Procurement Law is to regulate the protection of personal data collected in the course of procurement procedures. Significant exceptions from the general rules of the GDPR are planned. What should they consist of?

Specific challenges

Organising and participating in public procurement procedures inevitably involves processing of a significant amount of personal data. These include for example criminal records of the members of management boards of companies submitting bids, as an offer failing to attach criminal record certificates of the relevant persons is usually rejected. Moreover, to prove that the contractor’s personnel are able to perform certain work, the contractor submits health certificates of individuals to be involved in the work after the award of the contract.

In practice, questions arise about the best ways to fulfil the information obligations of contracting authorities that become controllers of personal data provided to them by contractors. At a later stage, the issue of the exercise of data subjects’ rights, e.g. with regard to rectification or erasure of data, may become a problem. These are key issues addressed in the draft of the new Public Procurement Law published on 24 January 2019.

Access to criminal record certificates and medical data

As a rule, public procurement procedures are public. This applies, among other things, to the protocol of the procedure and, in some cases, also the appendices to the protocol.

Admittedly, data contained in criminal record certificates are no longer treated as sensitive data under the General Data Protection Regulation. However, due to their specific nature, the draft provides for restrictions on access to personal data relating to legal convictions and violations. Access to such personal data is to be possible only for the purpose of pursuing legal protection measures provided for in Chapter IX of the draft act, and only up until the deadline for filing them. Even more far-reaching protection is to be ensured in relation to health data. Providing access to such data is to be prohibited entirely.

These are important exceptions to the principle that public procurement procedures are public. The restrictions on access to personal data are also intended to apply to the disclosure of appendices to the protocol, to contractors and to other entities entitled to seek legal remedies.

Enforcement of data subjects’ rights

It is not always possible to fully exercise the rights of data subjects, as this could paralyse procurement procedures and prevent the parties from effectively transitioning to the contract execution phase.

The draft of the new law provides in this respect:

  • Exercise by the data subject of the right of rectification or supplementation cannot result in a change in the outcome of the procurement procedure or modification of the contract to an extent inconsistent with the act.
  • In the procurement procedure, notification of a request to limit the processing of personal data will not limit the processing until the end of the procedure.

The draft confirms that the contracting authority may fulfil the information obligation towards data subjects by including the required information in the contract notice or in the contract documents. It is the contracting authority’s duty to inform data subjects of the limitations on the exercise of their rights. According to the draft, this may be done on the contracting authority’s website, in the contract notice, in contract documents, or in any other way accessible to data subjects. The list of possible ways of providing this information to data subjects is therefore to be non-exhaustive.

Arduous shaping of practice

The practice of applying the GDPR in individual sectors is constantly being shaped and thus changing. It is hoped that the proposed new Public Procurement Law contributes to clarification of at least some practical doubts and helps develop solutions that will prove effective in applying the GDPR on a daily basis.

Joanna Krakowiak, attorney-at-law, Life Science & Regulatory practice, M&A and Corporate practice, Wardyński & Partners