State Aid? State What?!

Do you need to think
about State Aid risk on
your procurement project?

Make sure you know what
to look out for with our
handy new guide
from our state aid experts.

Looking to challenge a procurement decision?

Suppliers wishing to challenge have only a short time frame in which to act. Click here for our useful guide.

Which Regulations do you need?

To get up to speed with the various new procurement law regulations, please click below;

> Concession Contracts Regulations 2016 

> Utilities Contracts Regulations 2016

> Public Contracts Regulations 2015 

If you're not sure which regulations apply, click here.

May 2018

May 25, 2018 11:35 AM | Posted by Beresford-Jones, Jenny | Permalink

The fact that the GDPR comes into force today needs no introduction, given the constant bombardment of all our inboxes with requests to ‘opt in’ over the last week.

Whilst you may have heard quite enough about the GDPR for now, there are some important implications in the public procurement/public contracts context.

Specifically, we note that the Crown Commercial Service has just updated its original Procurement Policy Note on Changes to Data Protection Legislation and GDPR – the previous PPN (03/17) has been amended and replaced by Action Note PPN 05/18 You should now refer to the updated version only.

The new PPN states that "for any contract amendments yet to be agreed and for new contracts to be let after 25 May, you should use the provisions of the new PPN including the updated standard generic clauses at Annex A". This suggests that there is no need to go back and amend model clauses based on those in the older PPN, where these have already been agreed as part of your GDPR preparation work stream.

The scope of the PPN continues to include Central Government Departments, their Executive Agencies and Non Departmental Public Bodies, with other public bodies being advised to follow it given that they are also subject to the GDPR and Data Protection Act obligations.

The original PPN included model GDPR clauses for new contracts and guidance on how to make existing contracts compliant. The updated note was issued to provide greater clarity on questions and issues that arose in response to organisations preparing to use those model clauses in practice. For example:

  • The new PPN clarifies the distinction between Controllers and Processors, pointing out that a Processor does not process personal data for its own purposes. A Processor has no interest in the personal data save to the extent it is obliged to process it as a part of its contract with the Controller.
  • There are also updates to the model clauses to try to build in some flexibility to reflect the fact that not every contract that involves the processing of personal data will automatically involve a Controller to Processor arrangement. For example, we have become aware of public bodies seeking to incorporate the model “Controller to Processor” clauses into all their contracts on the basis that they were within scope of the old PPN, even when it was not appropriate to do so because the arrangement was in fact a “Controller to Controller” arrangement.
  • The original PPN noted that you should avoid liability clauses which purported to protect a Processor from any liability for its GDPR breaches (on the grounds that this would be to undermine the purpose of the new legislation). The new PPN amplifies this with drafting suggestions for liability clauses to ensure a Controller is able to recover the full costs of civil data protection claims or regulatory fines issued by the ICO, where the breach was the Processor’s fault.
  • The original PPN acknowledged that in some cases there could be Joint Controllers and explained that there would need to be a transparent agreement between these Controllers as to how the arrangement is to work; the new PPN expands on this with more detail of the features you should include in such an arrangement with a Joint Controller.
  • The new PPN also addresses the question of expired/ legacy contracts, where personal data is still being processed (e.g. stored) by a Processor, even though the contract has expired. The PPN reminds us that data being processed like this after today will become subject to the GDPR and this means the Controller must decide whether the data must be retained or deleted. A Processor who has been instructed to delete by the Controller but continues to process, will be in breach of the GDPR.
  • The model clauses contain an obligation on the supplier to adopt “protective measures” to protect against data loss. The new PPN has amended this slightly to confirm that the Controller is not obliged to approve the “protective measures” of the Supplier (although it may reject these, acting reasonably). This is to address to concerns raised by Controllers that (1) they would not have the resources to check adequacy of protective measures in each case and (2) that any such approval would amount to a ‘blessing’ of a Processor whose protective measures turn out be insufficient in the event.
  • In terms of procurement procedures, the new PPN contains guidance on additional questions and due diligence for new procurements (including a new standard SQ question) and a suggested model question for the ITT/award stage. The standard SQ will be updated in due course but this hasn’t been done as yet. This means that in the interim period, you will need to add the model clauses/suggestions in the PPN to Selection Questionnaires/ITTs.

There is a fair amount to get to grips with here! If you need more information/guidance about the GDPR generally, please take a look at our GDPR Hub where you can find free-to-access resources and, if needed, contact one of our data protection law specialists for an initial chat about your query.

Posted by Jenny Beresford-Jones, Mills & Reeve LLP


Contact Us

The Procurement Portal aims to provide a "one stop shop" for procurement law queries and advice.

Click here to email our team with your query.

Managing and mitigating procurement risk course

This updated course is great for anyone who wants to make informed judgments around procurement risk and be able to handle potentially contentious issues with confidence.

You can access our updated course here.

Subscribe by email

> Subscribe to our blog updates by email

The "FeedBurner" subscription service is provided by a third party and Mills & Reeve LLP therefore accepts no responsibility or liability for this service. Please also refer to our full terms and conditions.

Procurement FAQs

We have over 100 questions and answers on a host of topics, from advertisement to managing a procurement challenge.

> Click here to find out more