The Importance of Data Protection by Design in Public Administration Contracts
Data protection by design encourages the creation of data protection compliance processing activities from the first moment of their conception, eliminating possible redesign costs, thus complying with the requirements of the Public Sector Contracts Law in relation to compliance with current data protection regulations.

Data protection by design is an essential obligation that public administrations must take into account in public contracts, as required by article 211(1)(f) of the Public Sector Contracts Law, and that obligation is not fulfilled by the inclusion of general clauses referring to GDPR duties.
Within the framework of the management of an organization, data protection by design emerges as a fundamental pillar in the safeguarding of the rights and freedoms of natural persons. This requirement, enshrined in Article 25 of the General Data Protection Regulation (GDPR), requires considering measures to protect fundamental rights with a proactive vision, integrating data protection from the very conception of any project that involves or may involve a processing by a public institution.
To achieve the data protection objectives from the design of a processing, a reflective position is required during the design, not only of the processing that needs to be carried out, but also of the legislative measure itself that makes the data processing necessary. This is established by the CJEU (joined cases C-293/12 and C-594/12) when it considers that any processing operation provided for by law entails a limitation of the right to the protection of personal data, regardless of whether such limitation may be justified. Therefore, it is necessary to carry out a regulatory impact assessment whose result makes it possible to determine data protection requirements by design. From this analysis emerges, among other things, the proposal of measures by design and by default that seek to minimise these impacts and the specific risks identified in relation to the way in which the processing implicit in a legislative measure is to be made a reality. These measures must necessarily be incorporated into the technical prescriptions of the specifications, as part of the set of decisions that the controller will need to address in a future processing contract.
Along these lines, recital 78 of the GDPR highlights the relevance of this approach in the context of public tenders, quoting verbatim at the end of it that “The principles of data protection by design and by default should also be taken into consideration in the context of public tenders”. This legal framework encourages public administrations to lead by example in the implementation of practices that ensure the protection of citizens' data, and this is how the European Data Protection Board includes it in its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default:
“Recital 78 of the GDPR adds that DPbDD should be taken into consideration in the context of public tenders. Despite all controllers having the duty to integrate DPbDD into their processing activities, this provision fosters the adoption of the data protection principles, where public administrations should lead by example.”
In this way, data protection by design and by default not only becomes a mandatory requirement, but also an ethical and quality standard that must permeate all the actions of public administrations.
Beyond being a mere regulatory requirement that is included in the Public Sector Contracts Law through its articles 122(2) and 211(1)(f), data protection by design is an essential obligation of the GDPR's accountability principle. This principle implies the adoption of technical and organisational measures necessary to guarantee the data protection and data privacy before carrying out any processing. In short, it is a matter of reducing the limitation of rights, anticipating risks and establishing an organisational culture that promotes data protection as an added and intrinsic value to all activities related to the processing of personal data.
The controller must assume the responsibility of guaranteeing and demonstrating that all processing operations, carried out both by themselves and by their processors and sub-processors, comply with the measures necessary to mitigate or avoid the limitation of rights and the risks of varying probability and severity for the rights and freedoms of natural persons, in view of the nature, scope, context and purposes of the processing, with those relating to implementing data protection obligations by design and by default being particularly relevant.
As part of the requirements that the controller must meet when selecting a processor, it is established as a first indication that “controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures”, according to Article 28(1) GDPR. However, the reality of the clauses included in the specifications of public tenders is limited to pointing out the general obligations contained in Article 28(3), without exhaustively evaluating the type of technical and organisational measures necessary to comply with the GDPR to its full extent. In this regard, it should be recalled that the Public Sector Contracts Law itself establishes that general clauses are not admissible for the purposes of terminating a possible contract, but that it is necessary that the essential obligations of the contract are listed precisely, clearly and unequivocally in the specifications or in their descriptive documents (Article 211(1)(f) Public Sector Contracts Law).
Among all the technical and organisational measures, it is obligatory, for full compliance with the GDPR, to take into account the requirements established in Article 25 which, in practice, implies a clear guideline: data protection by design and by default is not simply a legal obligation, but is part of a continuous risk management process that constitutes one of the obligations of the controller:
- “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures (…), which are designed to implement data-protection principles (…), in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
- The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. (…)”
This approach recognises that data protection is not a one-off action, but a process in which risks must be assessed and mitigated from the initial concept of processing and throughout its entire lifecycle. The accountability principle, which includes data protection by design and by default, has the importance of applying the necessary technical and organisational measures to guarantee the protection and privacy of the data of the data subjects before carrying out processing, thus guaranteeing that the controllers and processors can comply with their obligations in terms of data protection.
Therefore, in the framework of public tenders, administrations and the public sector in general should not limit themselves to a generic reference to compliance with the applicable data protection regulations or with Article 25 of the GDPR, since such obligations exist without the need for an explicit general reference. Instead, it is necessary to specify and qualify these requirements in the specifications as specific essential obligations, listed precisely, clearly and unequivocally in the specifications or in their descriptive documents, thus effectively implementing data protection by design and by default in any processing where it is necessary to subcontract some of its processing operations.
The controller is the entity that best knows the processing that needs to be carried out, in its nature, scope, context and purposes, and is therefore in a position to require a series of specific design measures that must be reflected in the specifications as essential obligations of the processing contract. In turn, the processor, to the extent that it is aware of the technological context and of its own organisation, has the obligation to help the controller achieve the design requirements (Article 28(3)(f) of the GDPR), so that decisions that impact the rights and freedoms of citizens do not fall outside the knowledge of the controller.
Delegating the design requirement decisions exclusively to the processor does not exempt the controller from facing the consequences arising from them. Decision-making regarding data protection by design and by default is an obligation of the controller that must be reflected in the legal link required by Article 28 of the GDPR, and failure to do so would call into question the controller's ability to demonstrate compliance. It could even allow the processor to carry out processing operations that may not be necessary or lawful for the ultimate purposes of the processing. In this sense, when the processor takes decisions beyond those the controller has set out in compliance with Article 28 of the GDPR, it could be exercising the role of controller rather than that of processor.
As already noted, public administration can and should also play an important role in promoting technological innovation by ensuring data protection by design and by default. This proactive approach ensures that privacy is integrated into all stages of technology solution development, fostering an ecosystem that prioritizes the protection of rights and freedoms. By implementing these measures from the outset, companies are incentivized to develop products and services that meet high data protection standards. In addition, administrations can lead pilot projects and offer flexible regulatory frameworks that allow controlled experimentation, favouring the creation of innovative and safe technological solutions.
In conclusion, data protection by design and by default in the context of public tenders, where public administrations are the entities that process the largest volume of personal data, acquires even greater relevance, since administrations have the duty not only to comply with regulations, but to lead by example and establish the highest standards in data protection, also favouring innovation for the creation of privacy-friendly technological solutions.
This article is related to other publications of the AEPD Technological Innovation Division, such as, for example:
- A Guide to Privacy by Design [Oct 2019]
- Guidelines for Data Protection by Default [Oct 2020]
- Risk Management and Impact Assessment in the Processing of Personal Data [Jun 2021]
- Guidelines for conducting a data protection impact assessment in regulatory development [Jun 2023]
- Blog post: When to review data protection measures [Feb 2023]
- Blog post: Data Governance and Data Protection Policy [Sep 2020]
- Blog post: Data and information in Artificial Intelligence [Dec 2024]