Public contracts involving personal data processing are subject to the GDPR. The public buyer assumes responsibility for the processing, while the obligations placed on subcontractors are strengthened. GDPR compliance is now part of the requirements candidates must meet to win new contracts and retain customers. This is our Product News of the day.
Why apply GDPR to public contracts?
Public bodies are responsible for compliance with personal data processing, including when they are subcontracted. Therefore, the Data Protection Officer logically contributes to the selection criteria of the candidate who will be retained for the contract. This candidate must present the necessary guarantees justifying their compliance with the strengthened requirements of the GDPR.
Public bodies assume the responsibility for processing
The GDPR regulates public orders in the same way as purchases by private entities of services or solutions involving the handling of personal data. Legal obligations therefore apply at every stage of the public contract:
- The selection of the service provider by the public buyer;
- The way it supervises the subcontracting of specific tasks;
- The execution of services by the holders of public contracts.
If you apply to public contract offers, be aware that the prospective public buyer assumes responsibility for these processing operations, including the services entrusted to you.
An additional validation level for personal data: the DPO
To select or reject your application, the public buyer will rely on a list of technical criteria, including compliance with the GDPR. The Data Protection Officer therefore becomes a contributor to, and even an actor in, the progress of public contracts:
- He proposes a list of criteria to evaluate the maturity of your company regarding the GDPR;
- He advises internal services on the measures needed to ensure that processing is compliant, including subcontracted services.
Subcontracting subject to a more restrictive regulatory framework
The GDPR goes further than the LIL (the French Loi Informatique et Libertés). Before the GDPR, as a subcontractor, you only had to ensure the security of the data handled on behalf of your clients.
Now, the GDPR outlines commitments related to the way you handle data:
- Localization of data hosting servers;
- Restriction of data use purposes;
- Limitation of access to data;
- Prior authorization from the public buyer in case of recourse to level 2 or 3 subcontractors.
How to comply with GDPR and win public contracts?
You risk losing contracts if your level of compliance is deemed insufficient. Therefore, the overall compliance of your activities will allow you to:
- Demonstrate your seriousness when applying for new public orders;
- Adapt to the strengthened requirements of your existing customers;
- Guarantee a level of compliance throughout the service.
Win new bids thanks to your GDPR compliance
To launch new orders, public buyers can rely on updated reference documents from the Directorate of Legal Affairs of the Ministry of Economy and Finance, prepared in conjunction with the CNIL.
In principle, the contract documents setting out the terms of the contract describe the subcontracted services and the personal data processing that results from them. In particular, they should include the contractual requirements you must respect.
Therefore, your commercial offer must be accompanied by additional documents demonstrating your compliance with GDPR. If you offer quality service at the right price, your ability to take care of your legal obligations will be a real plus.
Retain your customer base, demonstrate your compliance with new rules
Contracts already in execution continue to run. Therefore, expect your customers to contact you to update the contractual framework of the service entrusted to you. A letter of commitment to comply with the GDPR and an amendment to the contract will be among the documents you will be asked to sign.
Revising the contractual framework will also allow the public purchaser to ensure that their data processing complies with GDPR requirements. Therefore, it is crucial that you can make commitments demonstrating your level of compliance with legal obligations.
GDPR compliance throughout the contract execution
A company is not GDPR compliant solely because it has signed contracts with the holders of public contracts. It must ensure that adequate protection and security measures are applied throughout the execution phase of the contract. The services responsible for monitoring this execution, particularly the purchasers, will therefore monitor whether the compliance criteria continue to be met.
You may be subject to an audit to ensure that your compliance commitments are more than good intentions.
In a word, winning public contracts is not the end; it’s just the beginning.
Conclusion: To win (public) contracts, GDPR compliance is a must
GDPR requirements now permeate the criteria that structure the launch of a public contract insofar as personal data is processed. Since public bodies are responsible for such processing, they must seriously supervise the subcontracting phases they plan to undertake. Therefore, complying with your regulatory obligations is a sign of professionalism and an opportunity to differentiate yourself from the competition.
To win contracts, you must be compliant.