News
Data transfer outside the EU!
GDPR & Public Procurement: Transferring Data Outside the EU Can Invalidate a Contract Award!
On December 21, 2023, the Belgian Council of State annulled a public procurement award decision.
Why?
The contract was awarded to a data controller, and the contracting authority should have checked the compliance of their application.
This data controller used a subcontractor based in Tunisia to handle unpaid water bill collection files.
The issue? The procurement specifications only allowed access to personal data from countries providing an adequate level of protection, in line with Article 45 of the GDPR.
Reminder: Only a few countries are recognized as "adequate" by the European Commission:
Guernsey, Isle of Man, Faroe Islands, Israel, Japan, Jersey, New Zealand, United Kingdom, Switzerland, Uruguay…
Since Tunisia is not on this list, the data transfer was non-compliant.
The subcontractor tried to justify the setup of safeguards under Article 46 of the GDPR, but the argument was rejected:
According to Article 28.3-a, a subcontractor cannot independently decide on transferring data outside the EU. It may only act on instructions from the data controller.
Consequences:
• The contract award was canceled.
• Damage to the image of the contracting authority.
• Reminder: GDPR compliance also applies to public procurement!
GDPR is not optional.