Q&As

In a situation where a customer of a potential outsourcing shares information with a tenderer in an invitation to tender (ITT) so the tenderer can consider TUPE liabilities or obligations in relation to the salary of the role, average length of service and staff location for the role, is the information likely to be personal data as defined under the General Data Protection Regulation (GDPR)? If so, what provisions should be included in the ITT to protect the customer in view of its obligations under the GDPR?

Produced in partnership with Jack Roberts of Shoosmiths
Published on LexisPSL on 19/09/2018

The following TMT Q&A, produced in partnership with Jack Roberts of Shoosmiths, provides comprehensive and up-to-date legal information covering:

  • In a situation where a customer of a potential outsourcing shares information with a tenderer in an invitation to tender (ITT) so the tenderer can consider TUPE liabilities or obligations in relation to the salary of the role, average length of service and staff location for the role, is the information likely to be personal data as defined under the General Data Protection Regulation (GDPR)? If so, what provisions should be included in the ITT to protect the customer in view of its obligations under the GDPR?

In summary, there is an initial query arising from the above scenario as to whether the information being shared is personal data under the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) regime. If so, then the customer will have a series of additional obligations which it will be required to comply with during the procurement. While these data protection responsibilities will not change or influence any of the obligations on the customer under employment legislation, they will need to be considered alongside the customer’s commercial requirements when establishing the timetable for the procurement.

The first question to consider is whether the information to be shared constitutes personal data under the GDPR and the Data Protection Act 2018. Under Article 4 of Regulation (EU) 2016/679, the GDPR, personal data is information which relates (directly or indirectly) to an identified or identifiable individual. If you can identify an individual directly from the information you are processing, or an individual can be indirectly identified from such information when it is combined with other information, then this could be personal data. Further, an individual must not only be identifiable but the information must also ‘relate to’ them. A party may consider the content of the data, the purpose for processing it and the impact any processing may have on an individual when determining whether it ‘relates to’
