Blogpost

How to address GDPR in hospital procurement.


When hospitals work with external suppliers, whether for software, support services or infrastructure, personal data is often part of the equation. That means GDPR compliance shouldn’t be treated as an afterthought in the procurement process but should be present from the beginning.

This article outlines how hospitals can address GDPR obligations in public tenders and procurement documentation, based on practical legal and contractual requirements.

What should you include and why?

Below, we summarise six key areas that should be covered in your procurement documents to ensure GDPR compliance from the start. These recommendations apply to both public and private healthcare providers issuing tenders where personal data may be processed.

1. Refer to the applicable legislation.

Start your tender specifications by explicitly mentioning the relevant legislation:

  • The General Data Protection Regulation (EU 2016/679)
  • The Belgian Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data

This makes it clear to bidders that privacy and data protection will be a formal part of the assignment.

2. Clarify how personal data will be processed during the tender procedure.

If bidders need to include personal data in their offer (such as team CVs or references), state how this information will be handled. It’s good practice to:

  • Refer to your hospital’s privacy statement
  • Include contact details of your Data Protection Officer (DPO)
  • Clarify how long the information will be retained and who will access it

3. Include a confidentiality clause.

During the tendering phase, it’s possible that sensitive or confidential information is shared. Hospitals should include a confidentiality clause aligned with Article 18 of the Royal Decree of 14 January 2013, which sets out the general rules for executing public contracts.

4. Ask bidders to provide specific privacy and security information.

When the assignment involves access to or processing of personal data, request:

  • A completed checklist of technical and organisational security measures
  • A list of any relevant sub-processors (particularly in software or IT contexts)

This gives you early insight into the maturity of a vendor’s data protection practices.

5. Make security a weighted award criterion.

For tenders involving software, platforms or digital systems, it’s recommended to include security as a separate award criterion, ideally accounting for at least 10% of the total score.

This can be assessed via a security checklist or similar structured evaluation. Coordinate with your DPO and ICT team to align scoring criteria.

6. Flag the need for a post-award agreement.

Make it clear that the selected supplier will be required to sign an additional agreement, depending on the nature of the collaboration. This might include:

  • A Data Processing Agreement (DPA) if they process data on your behalf
  • A Confidentiality Agreement or protocol (for public hospitals)
  • A Joint Controller Agreement in case of shared responsibilities

Specifying this up front avoids misunderstandings later in the process.

In Summary.

Public procurement in healthcare frequently involves the processing of personal data. By integrating GDPR-relevant clauses and expectations into your tender documents, hospitals can:

  • Ensure GDPR compliance
  • Minimise risk
  • Improve vendor accountability from day one

Frequently asked questions

Do all tenders need GDPR clauses?

Only when personal data is processed by the supplier or during the tender process. If personal data is involved (such as staff CVs, software with user data, or patient systems), GDPR clauses are essential.

Need support drafting privacy-ready tenders or reviewing supplier agreements?

CRANIUM’s consultants can help. Get in touch to strengthen your procurement practices with clear, compliant guidance.


Written by

Anse Boogaerts

