Data protection rules are often overlooked when it comes to public procurement
Last year, over 9,000 public procurements were organised in Estonia, with an estimated total value of over 8 billion euros. Given this scale, disputes are nothing out of the ordinary, but data protection is increasingly emerging as a central issue in these disputes. This most frequently concerns procurements in the IT and construction sectors, writes Keidi Kõiv, head of the public procurement practice at RASK law firm.
In public procurement, contractual relationships often involve the collection and processing of personal data. Unfortunately, however, awareness of the principles of personal data protection, and compliance with these principles, is often lacking. In practice, procurement conditions sometimes impose obligations on tenderers that do not comply with applicable law.
What data is being processed, for what purpose, and is there a legal basis for this?
Procurement conditions must be clear, precise and unequivocal. These principles apply to data protection as well. The GDPR requires, in Article 5(1)(a) and in its recitals, that personal data be processed lawfully, fairly and transparently, and the same requirements must be met when conducting a public procurement.
Therefore, when drafting procurement documents, all aspects related to data processing must be thoroughly considered. If the contract requires the collection or processing of personal data, it must be assessed whether the contracting authority has a legal basis for doing so. Specifically, data processing is not at the contracting authority’s discretion; rather, any processing of personal data must be based on a clear legal basis.
If the legal basis does not stem directly from a specific law, data processing must be based on some other permissible basis, the existence of which must be assessed and justified in advance. Unfortunately, practice shows that not all contracting authorities are aware of this nuance. As a result, procurement documents often contain data processing requirements that are not in compliance with the law.
In general, the public sector cannot have a legitimate interest in processing data
In a recent dispute brought before the Public Procurement Review Committee regarding the procurement of the Republic of Estonia's State Budget Information System, the contracting authority argued that it had the right to process personal data for the purpose of conducting background checks on the tenderer's team. The authority relied on the provision of the General Data Protection Regulation that allows a controller to process personal data on the basis of a legitimate interest (Article 6(1)(f) GDPR).
However, this view is fundamentally incorrect. The second subparagraph of Article 6(1) GDPR, and Recital 47 with it, state clearly that the legitimate-interest basis does not apply to processing carried out by public authorities in the performance of their tasks.
The creation of government information systems and the enforcement of security requirements are undoubtedly public duties. The Data Protection Inspectorate has confirmed this interpretation, emphasising that, as a general rule, the public sector cannot rely on this legal basis when performing contracts.
No contracting authority may conduct background checks on contractors' employees
In the dispute in question, the contracting authority also argued that it had the right to conduct background checks under the provision of the General Data Protection Regulation that permits the processing of personal data with the data subject's consent for one or more specific purposes (Article 6(1)(a) GDPR).
However, the problem was that the procurement documents did not specify the purpose, nature, composition or scope of the data to be processed. Instead, the draft contract stated that the contractor must obtain the necessary consents from their employees. This raises a number of legal issues.
The Employment Contracts Act obliges employers to comply with data protection requirements when processing their employees' personal data. Consent must be freely given, and an employer may not pressure an employee into giving it, least of all where it is unclear for what purpose and to what extent consent is being sought. A contractual term that obliges the contractor to extract such consent from its employees is therefore not lawful.
The Data Protection Inspectorate has emphasised that, as a general rule, a public authority cannot rely on consent when processing personal data. The reason, also stated in Recital 43 GDPR, is that where the controller is a public sector body there is a clear imbalance between the controller and the data subject, so consent is unlikely to be freely given.
Consequently, when a public authority processes personal data in the course of a public procurement, its legal basis must be one of two provisions of the General Data Protection Regulation: a legal obligation (Article 6(1)(c)) or a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e)). In both cases, however, the Regulation additionally requires that the basis for the processing be laid down in European Union or Member State law. In Estonia, a legal basis for such background checks stems solely from the Police and Border Guard Act, and almost no contracting authority can rely on it.
Therefore, a procurement contract does not, in and of itself, grant the contracting authority the right to process personal data. Nor may the contracting authority require the contractor to process personal data in a manner for which there is no legal basis or which would be prohibited for the contractor itself.
It is not lawful to monitor employees using cameras
In recent years, there have also been cases in which the contracting authority has sought to monitor the activities of the contractor's employees using surveillance cameras. Before imposing such a requirement, its proportionality and legality must be carefully assessed.
If the objective can be achieved through less intrusive measures, using surveillance cameras to monitor employees is not justified. Surveillance cameras are generally installed to protect property and individuals, not to monitor employees' work performance.
In such a situation, the contractor itself has no right to monitor its employees with surveillance cameras either, and the contracting authority cannot grant that right through the terms of the contract or create it artificially.
In summary, data protection in public procurement is not a mere formality but a substantive issue that affects competition, contract performance and the liability of the parties. Before establishing terms and conditions, three questions should therefore always be answered: what data is being processed, for what purpose, and on what legal basis. If there are no clear answers to these questions, the problem may lie not with the tenderer but with the procurement terms themselves.