Spanish DPA: Public Bodies Must Consider Privacy by Design in Public Contracts
Public administrations must take data protection by design into account in public contracts, and that requirement isn't fulfilled by simply including generic clauses regarding General Data Protection Regulation (GDPR) obligations, Spain's data protection agency said Wednesday.
"Data protection by design and default is not only a mandatory requirement but is also an ethical and quality standard that must permeate all the actions of public administrations," the DPA said. It's about reducing limitations of rights, anticipating risks and establishing an organizational culture that promotes data protection as an added and intrinsic value to all activities related to personal data processing, it said.
The data controller must carry out a regulatory impact assessment to determine data protection requirements by design, and propose measures to minimize any impacts and specific risks identified, it said. These must be incorporated into the technical specifications in public tenders, it said.