HomeGlossaryGDPR Compliance in Procurement
IT & Digital Procurement

GDPR Compliance in Procurement

GDPR compliance in procurement requires contracting authorities across EU member states and the UK to embed data protection obligations into technology contracts, including data processing agreements, controller/processor role definitions, sub-processor controls, and breach notification requirements, before any personal data is processed.

Quick answer

GDPR compliance in procurement requires contracting authorities across EU member states and the UK to embed data protection obligations into technology contracts, including data processing agreements, controller/processor role definitions, sub-processor controls, and breach notification requirements, before any personal data is processed.


GDPR compliance in procurement is the process of ensuring that technology contracts entered into by public sector contracting authorities meet the obligations imposed by the General Data Protection Regulation (Regulation (EU) 2016/679) and, in the UK, the UK GDPR incorporated through the Data Protection Act 2018. It is not a post-award consideration: data protection requirements must be built into tender specifications, evaluated as part of supplier selection, and enforced through contract terms before any personal data is processed under the arrangement.

What is GDPR compliance in procurement?

When a contracting authority buys any technology that will process personal data, whether a SaaS platform, cloud hosting service, or bespoke digital service, it must establish the correct legal relationship with the supplier. GDPR Article 28 requires that where a controller engages a processor to process personal data on its behalf, it must do so under a binding contract (a Data Processing Agreement, DPA) that specifies the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.

The DPA must impose specific obligations on the processor: to process data only on documented instructions from the controller; to ensure that persons authorised to process the data are bound by confidentiality; to implement appropriate technical and organisational security measures; to assist the controller with data subject rights requests, security obligations, breach notifications, and the completion of data protection impact assessments (DPIAs); and to delete or return all personal data at the end of the contract. Sub-processors (for example, the infrastructure provider used by a SaaS supplier) must be subject to the same obligations under a back-to-back agreement, and the controller must approve their use.

Data residency is a significant practical issue in procurement. GDPR restricts transfers of personal data to countries outside the EEA (and, post-Brexit, outside the UK's adequacy framework) unless appropriate safeguards are in place. Buyers must confirm that personal data processed under the contract will remain within compliant jurisdictions or that standard contractual clauses, adequacy decisions, or binding corporate rules cover any transfers.

Why it matters for bidders

Suppliers who can demonstrate mature GDPR compliance processes, including pre-drafted DPAs, a clear sub-processor list, documented breach notification procedures, and evidence of data residency within the EEA or UK, have a material advantage in public sector technology procurement. Buyers increasingly treat GDPR compliance as a gateway criterion rather than a scored criterion: suppliers who cannot commit to Article 28-compliant terms will not proceed to evaluation.

Suppliers should prepare and maintain a standard DPA template aligned to GDPR Article 28, a sub-processor register (with locations and purposes), and a data breach notification procedure meeting the 72-hour supervisory authority notification requirement. These documents should be available on request during the procurement process. Linking GDPR compliance to Cyber Essentials (procurement requirement) or ISO 27001 evidence strengthens the supplier's overall compliance posture in bids.

Example

An Irish government agency procures a cloud-based grants management system. The tender specification requires suppliers to confirm: data residency within the EU, a GDPR Article 28-compliant DPA, a list of sub-processors and their locations, a breach notification SLA of 24 hours to the controller (enabling the controller to meet its 72-hour obligation to the Data Protection Commission), and evidence of ISO 27001 certification. Suppliers who cannot meet the DPA requirement are excluded before technical evaluation.

Frequently Asked Questions

What is the difference between a data controller and a data processor in procurement?

The contracting authority (buyer) is typically the data controller: it determines the purposes and means of processing. The supplier is typically the data processor: it processes data on behalf of and under the instructions of the controller. This distinction matters because controllers and processors have different obligations under GDPR, and the DPA must correctly reflect the relationship. In some cases, such as where a supplier uses data for its own purposes (for example, for product improvement), the supplier may become a joint controller, which requires a different contractual arrangement.

What happens if a supplier suffers a data breach affecting the buyer's data?

Under GDPR Article 33, a controller must notify its supervisory authority within 72 hours of becoming aware of a breach. The processor (supplier) must notify the controller "without undue delay" after becoming aware of a breach. DPAs typically set this at 24 to 48 hours to give the controller time to assess and notify. Buyers should include a specific breach notification SLA in their DPA and verify that the supplier's incident response procedures can meet it.

Does GDPR apply to public sector procurement across all European countries?

GDPR applies directly in all EU member states and has been incorporated into domestic law in the UK. The EEA countries (Norway, Liechtenstein, Iceland) apply equivalent obligations through their EEA Agreement implementation. Switzerland has its own Federal Act on Data Protection (nFADP) with similar requirements. Ukraine is working towards GDPR alignment as part of its EU accession process. Buyers and suppliers operating across these markets should confirm the applicable data protection framework for each jurisdiction.

How Bidovate helps

Bidovate puts GDPR Compliance in Procurement to work inside your capture and proposal workflow.

Tender discovery

See Bidovate in action

Book a demo and we will show you the platform using your actual contract data.

Related terms

Data Protection Impact Assessment (DPIA) in Procurement

A Data Protection Impact Assessment (DPIA) in procurement is a structured process required under GDPR before deploying any technology that processes personal data at significant scale or risk, identifying privacy risks and mitigation measures before a contract is signed and a system goes live.

View

Software as a Service (SaaS) Procurement

Software as a Service (SaaS) procurement covers the purchase of cloud-delivered software applications accessed over the internet on a subscription basis, where the supplier manages infrastructure, updates, and security, requiring public sector buyers to evaluate vendor lock-in, data residency, and GDPR compliance alongside functionality.

View

Cloud Hosting Procurement

Cloud hosting procurement covers the purchase of infrastructure-as-a-service and platform-as-a-service resources from commercial cloud providers, requiring public sector buyers to assess data sovereignty, security accreditation, exit costs, and compliance with national and EU cloud policy before contracting.

View

ICT Procurement

ICT procurement covers the purchase of information and communications technology goods and services by public sector organisations, encompassing hardware, software, cloud services, telecommunications, and associated support, governed by EU Directive 2014/24/EU and national implementing legislation across European member states.

View

Interoperability Requirements

Interoperability requirements in procurement specify that technology systems must be capable of exchanging data with, and working alongside, other systems using defined standards and protocols, preventing lock-in, enabling cross-agency data sharing, and supporting the European Interoperability Framework across EU member states.

View