News

📢 GDPR & Public Procurement: Transferring Data Outside the EU Can Invalidate a Contract Award! 🌍❌

🗓️ On December 21, 2023, the Belgian Council of State annulled a public procurement award decision.

Why?
❌ The contract was awarded to a data controller, and the contracting authority should have checked the compliance of their application.
➡️ This data controller used a subcontractor based in Tunisia to handle unpaid water bill collection files.

🔍 The issue? The procurement specifications only allowed access to personal data from countries providing an adequate level of protection, in line with Article 45 of the GDPR.

📜 Reminder: Only a few countries are recognized as "adequate" by the European Commission:
Guernsey, Isle of Man, Faroe Islands, Israel, Japan, Jersey, New Zealand, United Kingdom, Switzerland, Uruguay…

📛 Since Tunisia is not on this list, the data transfer was non-compliant.

⚖️ The subcontractor tried to justify the setup of safeguards under Article 46 of the GDPR, but was rejected:
👉 According to Article 28.3-a, a subcontractor cannot independently decide on transferring data outside the EU. It may only act on instructions from the data controller.

🚨 Consequences:
 • ❌ The contract award was canceled.
• 📉 Damage to the image of the contracting authority.
• ⚠️ Reminder: GDPR compliance also applies to public procurement!

🔐 GDPR is not optional.