Data protection rules for EU institutions and bodies and their impact on contracts

New data protection rules applied to procurement

The way EU institutions and bodies deal with personal data has changed because Regulation (EC) 45/2001 has been replaced by a new data protection Regulation for EU institutions and bodies (hereinafter referred to as ‘the EU DPR’). The new rules are set out in Regulation (EU) 2018/1725, applicable as of 11 December 2018 and fully aligned with the General Data Protection Regulation (GDPR), which entered into force on 25 May 2018 for the EU Member States.

Eurofound has accordingly updated the contract templates to be used as part of any procurement documentation. The changes focus on the contractual clauses related to the protection of personal data. The aim is to build a contractual framework which would enable Eurofound to retain control with a view to fulfilling its legal obligations and ensuring compliance with the EU DPR.

Eurofound also reserves the right to translate the data protection obligations referred to above into exclusion, selection or award criteria when launching a procurement procedure on a case-by-case basis.

General information regarding the processing of personal data in the context of Eurofound procurement procedures and the management of contracts is provided in the privacy statement on the Eurofound website.

If you have any queries regarding protection of personal data, you may contact the Data Protection Officer of Eurofound via e-mail (

Further information on the changes introduced by the new EU DPR and their impact on contracts

Enforced accountability requirements, stricter conditions for obtaining data subject’s consent, privacy by design and by default, revised documentation process (‘records’), new obligations for controllers to carry out Data Protection Impact Assessments (DPIAs) and prior consultation of the European Data Protection Supervisor (EDPS) in the case of high-risk processing operations, mandatory notification of personal data breaches and new corrective powers for the EDPS in the form of administrative fines are some of the main aspects of the new data protection rules for EU institutions (EUIs).

In addition to the main novelties outlined above, the EU DPR has introduced significant changes with regard to outsourcing of personal data processing. These modifications affect not only the new contracts but may also have an impact on the existing ones.

Regulation (EC) 45/2001 [1] had already established conditions under which Eurofound, like any other EUI, as the party responsible for the processing operation (‘data controller’), could assign to an external person or entity (EU body or private company) the task of processing personal data on its behalf (‘the data processor’ [2]). In practical terms, this relationship covers situations where Eurofound outsources certain activities to external contractors (e.g. event organisation, external experts, online services, online collaborative platforms, etc.).

The general rule is that the controller, i.e. Eurofound, remains responsible for the processing of personal data, even if the processing is outsourced. This rule remains unchanged after the entry into force of the EU DPR.

According to the EU DPR [3], the following shall be compulsory elements of all contracts (or other legally binding acts) between the controller (Eurofound) and its processors:

Description of the processing

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subjects; and
  • the obligations and rights of the controller.

Minimum obligations for processors

  • only act on the written instructions of the controller (Eurofound);
  • ensure that people processing the data are subject to a duty of confidentiality;
  • take appropriate measures to ensure the security of processing (e.g. data protection by design and by default);
  • only engage sub-contractors with the prior written consent of Eurofound and by way of a written contract setting out that the same data protection obligations apply to the subcontractor as to the processor;
  • assist Eurofound in responding to requests for exercising the rights of people whose personal data is processed under the new Regulation;
  • assist Eurofound in meeting its obligations in relation to:
    • the security of processing;
    • the notification of personal data breaches (e.g. through a contractual obligation to immediately report a personal data breach to the controller); and
    • data protection impact assessments;
  • assist Eurofound in demonstrating compliance with the new Regulation;
  • delete or return all personal data to Eurofound as requested at the end of the contract;
  • ensure data portability;
  • submit to audits and inspections, conducted by Eurofound or another auditor mandated by the institution;
  • inform Eurofound immediately if the instruction provided infringes the new Regulation or other data protection law of the EU or of a Member State.


  1. Article 23 of Regulation (EC) 45/2001.
  2. Under Article 3(12) of Regulation (EU) 2018/1725, ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  3. Article 29 of Regulation (EU) 2018/1725.