Public Procurement

Subcontractors & Data Processing in EU Tenders: How to Stay Compliant (and Win) in 2025

masernet
07 Oct 2025


  • Two rulebooks govern subcontracting in EU tenders: Public procurement law (Directive 2014/24/EU) and data protection law (GDPR). You must satisfy both. [5.][6.]
  • Procurement: disclose what you subcontract, name relied-upon entities, submit ESPDs where you rely on capacities, and be ready to replace non-compliant subcontractors. Hard caps on subcontracting (e.g., “max 30%”) are generally unlawful. [5.][7.][8.][9.][10.]
  • GDPR: sign Article 28 Data Processing Agreements (DPAs), get prior authorization for any sub-processor, flow down obligations, secure data (Art. 32), and ensure breach notification to the controller without undue delay (Art. 33). [1.][2.][3.][4.]
  • Cross-border transfers: use the EU-U.S. Data Privacy Framework or SCCs (2021) plus transfer assessments; keep this aligned with your sub-processor list. [11.][12.][13.][14.]
  • 2025 reality: NIS2 drives tougher supply-chain security expectations. Expect cybersecurity questionnaires, incident SLAs, and audit rights. [15.][16.]

Why this matters

Most bids today depend on specialized partners—hosting providers, software integrators, or niche consultants. In public tenders, this creates two simultaneous compliance tracks: (1) procurement-law duties around subcontracting and reliance on capacity, and (2) privacy-security duties around processing personal data (including sub-processors). Winning teams align both from day one. [5.][6.][1.][2.]


1) The legal baseline in plain English

1.1 Public procurement: subcontracting & “reliance on capacity”
  • Declare what you subcontract and, where required, identify subcontractors—especially if the authority must verify exclusion grounds (crime, labor-law breaches, etc.). Authorities may require replacement of a subcontractor that triggers exclusion grounds. Direct payments to subcontractors can be allowed by Member States. [5.][6.][12.][18.]
  • Relying on the capacity of other entities (Article 63): if you need another company’s technical/financial capacity to meet selection criteria, you must prove their resources will be at your disposal (e.g., commitment letters). Those relied-upon entities usually submit their own ESPD. [7.][8.]
  • No blanket caps on subcontracting: EU case law has struck down general percentage limits (e.g., “max 30%”) as disproportionate. Authorities may, however, ask that critical tasks be performed by the main bidder. [9.][10.][5.]
  • Social/environmental/labour law compliance: performance of the contract—including by subcontractors—must respect applicable obligations (Article 18(2)). Expect social clauses and due-diligence style attestations. [6.]

What evaluators look for: a clear work-split, robust capacity proofs, conflict-of-interest hygiene, and credible substitution/oversight mechanisms for subcontractors. [6.][7.]

1.2 GDPR: processors & sub-processors
  • Article 28 DPA: every controller ↔ processor relationship needs a contract covering scope, duration, security, assistance, deletion/return, and audit rights. Processors may not appoint a sub-processor without the controller’s specific or general prior authorization and must flow down Article 28 duties. [1.][2.]
  • Security (Article 32): “appropriate” technical and organizational measures (encryption, hardening, access control, etc.) proportionate to risk. [3.]
  • Breach notifications (Article 33): processors must notify controllers without undue delay; controllers then notify regulators within 72 hours where required. [4.]
  • International transfers: for U.S. vendors, use the EU-U.S. Data Privacy Framework (adequacy decision) or SCCs (2021) with a transfer impact assessment and supplementary measures where needed. Keep your sub-processor register in sync with transfers. [11.][12.][13.][14.]
1.3 Cybersecurity obligations are rising (NIS2)

Even if your organization isn’t directly in scope, contracting authorities increasingly mirror NIS2 expectations into tender specs: supply-chain risk management, vendor due diligence, secure development, and incident reporting commitments. Plan for evidence-based answers, not slogans. [15.][16.]


2) What EU buyers commonly ask for (and why)

| Theme | Typical requirement in tenders | Why it appears |
| --- | --- | --- |
| Subcontracting disclosure | % of work outsourced, named subcontractors for critical lots, tasks breakdown | Transparency & oversight of exclusion grounds [5.][6.] |
| Reliance on capacity | Commitment letters proving availability; separate ESPD for relied-upon entities | Article 63 & ESPD rules [7.][8.] |
| Replacement clause | Ability/obligation to replace a subcontractor that triggers exclusion grounds | Article 71(6) [5.][12.] |
| Direct payment | Option for direct payments to subcontractors (Member State choice) | Article 71(3) [18.] |
| DPA & sub-processor control | Signed Art. 28 DPA, list of sub-processors, change-notification & objection process | GDPR Article 28 [1.][2.] |
| Security controls | Policy set mapped to Art. 32, sometimes ISO 27001-style evidence | Article 32 (risk-based) [3.] |
| Incident SLAs | “Notify within X hours; root cause analysis in Y days” (align with Art. 33) | Article 33 & NIS2 influence [4.][15.] |
| Data transfers | DPF enrollment or SCCs 2021 + TIA & supplementary measures | 2023 adequacy + SCCs [11.][13.][14.] |
| Critical task retention | “Prime must perform critical tasks itself”; no blanket % caps | Case law + Article 63 [9.][5.] |
| Conflicts of interest | Declarations, ring-fencing of evaluators/team overlap | Article 24 [6.][7.] |

3) Frequent pitfalls (and how to avoid them)

  1. Hidden sub-processors: Using a new cloud tool without prior authorization breaches Article 28(2). Maintain one authorised sub-processor register and a notice/objection workflow. [1.][2.]

  2. Generic “max 30%” subcontracting caps: These are generally unlawful; tailor your approach to critical tasks instead. If the buyer requires a cap, query it with case-law support. [9.][10.]

  3. Missing ESPDs for relied-upon entities: When you rely on capacity, submit the extra ESPD and commitment letters; otherwise you risk exclusion. [7.][8.]

  4. Weak breach playbooks: If your processor cannot notify you quickly, you can miss the 72-hour window. Contract clear SLAs and test them. [4.]

  5. Transfers left to boilerplate: Map data flows; decide DPF vs SCCs + TIA; document supplementary measures (encryption keys, access logging). [11.][13.][14.]

  6. No flow-down: Your DPA must flow down duties to sub-processors (audit, assistance, deletion). Don’t rely only on a vendor’s certification. [1.][2.]

  7. Overlooking NIS2: Even outside scope, buyers expect NIS2-style supply-chain risk control and incident management. Prepare evidence. [15.]


4) A practical playbook you can reuse

Pre-bid

  • Map workshare: what is subcontracted, what remains “critical tasks” in-house. [5.][9.]
  • If you rely on capacity: collect commitment letters and ESPDs for each relied-upon entity. [7.][8.]
  • Draft a one-page subcontractor matrix: entity → role → exclusion checks → substitution fallback. [5.][6.]
  • Build/refresh your DPA template (Art. 28) with sub-processor list, change-control, audit, and deletion/return. [1.][2.]
  • Map data transfers and pick the mechanism: DPF (if available) or SCCs 2021 + TIA. [11.][13.][14.]
  • Assemble security evidence mapped to Art. 32 (policy set, penetration test summary, access model, encryption). [3.]
  • Prep an incident runbook with notification SLA and contacts. [4.]
  • Capture NIS2-aligned supply-chain controls (third-party risk tiers, secure development, vulnerability mgmt). [15.]

Post-award & delivery

  • Execute subcontractor agreements with flow-down and right to audit; keep a living sub-processor register. [1.][2.]
  • Implement change notifications for new/replacement sub-processors; record objections & outcomes. [1.][2.]
  • Track performance & incidents (weekly summaries), and keep evidence for audits ready. [3.][4.]
  • If a subcontractor triggers exclusion grounds, replace swiftly per contract. [5.][12.]
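The sub-processor register, change-notice/objection workflow and breach-notification timing that pitfalls 1 and 4 and the post-award checklist describe, as an added worked example. This is illustrative code written for this page, not masernet's product or any library; the 30-day objection window and the 24-hour processor-to-controller notice SLA are constructed assumptions (contracts set their own), while the 72-hour figure is the Article 33 window the article cites. The sample vendors are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed assumptions for this example (not taken from the article):
# a 30-day objection window under a general authorisation and a contractual
# processor-to-controller notice SLA of 24 hours. The 72-hour window is the
# controller-to-supervisory-authority deadline of GDPR Art. 33.
OBJECTION_WINDOW = timedelta(days=30)
PROCESSOR_NOTICE_SLA = timedelta(hours=24)
ART33_WINDOW = timedelta(hours=72)


@dataclass
class SubProcessor:
    name: str
    purpose: str
    in_eea: bool                       # processing location inside the EU/EEA?
    transfer_mechanism: Optional[str]  # "DPF" or "SCC+TIA" for non-EEA processing
    notified_on: datetime              # when the controller received change notice
    flow_down_signed: bool             # Art. 28 terms flowed down to this vendor?
    objection: Optional[str] = None    # controller's objection, if any


class SubProcessorRegister:
    """Living sub-processor register with a notice/objection workflow."""

    def __init__(self) -> None:
        self.entries: Dict[str, SubProcessor] = {}

    def notify(self, sp: SubProcessor) -> None:
        """Record a change notice for a new or replacement sub-processor."""
        self.entries[sp.name] = sp

    def record_objection(self, name: str, reason: str) -> None:
        self.entries[name].objection = reason

    def problems(self, name: str, now: datetime) -> List[str]:
        """Reasons why the vendor is not (yet) an authorised sub-processor."""
        sp = self.entries.get(name)
        if sp is None:
            return ["not in register (hidden sub-processor)"]
        found = []
        if sp.objection:
            found.append(f"controller objected: {sp.objection}")
        window_closes = sp.notified_on + OBJECTION_WINDOW
        if now < window_closes:
            found.append(f"objection window open until {window_closes:%Y-%m-%d}")
        if not sp.flow_down_signed:
            found.append("Art. 28 flow-down not signed")
        if not sp.in_eea and not sp.transfer_mechanism:
            found.append("non-EEA processing without DPF/SCC transfer mechanism")
        return found

    def is_authorised(self, name: str, now: datetime) -> bool:
        return not self.problems(name, now)


def hidden_sub_processors(in_use: List[str], register: SubProcessorRegister,
                          now: datetime) -> List[str]:
    """Vendors actually in use that are not authorised (pitfall 1)."""
    return [n for n in in_use if not register.is_authorised(n, now)]


def breach_timeline(processor_aware: datetime, controller_notified: datetime,
                    now: datetime) -> dict:
    """Check the processor's notice SLA and the time left in the Art. 33
    window, which here runs from the moment the controller was notified
    (pitfall 4)."""
    delay = controller_notified - processor_aware
    authority_deadline = controller_notified + ART33_WINDOW
    return {
        "processor_sla_met": delay <= PROCESSOR_NOTICE_SLA,
        "processor_delay_hours": delay.total_seconds() / 3600,
        "authority_deadline": authority_deadline,
        "hours_left_for_authority": (authority_deadline - now).total_seconds() / 3600,
    }


def _utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


NOW = _utc(2025, 10, 7, 10)

# Constructed sample register: one clean EEA host, one US vendor still inside
# its objection window, one vendor with no flow-down and no transfer basis.
REGISTER = SubProcessorRegister()
REGISTER.notify(SubProcessor("CloudHost EU", "hosting", True, None, _utc(2025, 7, 1), True))
REGISTER.notify(SubProcessor("Analytics US", "usage analytics", False, "DPF", _utc(2025, 9, 20), True))
REGISTER.notify(SubProcessor("Mailer X", "email delivery", False, None, _utc(2025, 6, 1), False))

if __name__ == "__main__":
    for name in REGISTER.entries:
        print(name, REGISTER.problems(name, NOW) or "authorised")
    print("hidden:", hidden_sub_processors(["CloudHost EU", "Analytics US", "NewTool"], REGISTER, NOW))
    print(breach_timeline(_utc(2025, 10, 5, 9), _utc(2025, 10, 6, 12), NOW))
```

Run as-is: "Analytics US" is reported as not yet authorised because its objection window has not lapsed, "NewTool" is flagged as a hidden sub-processor because it was never notified, and the breach example shows a processor that notified after 27 hours (SLA missed) with 50 hours left to reach the supervisory authority. The point of keeping authorisation as a computed property rather than a stored flag is that a register entry can fall out of authorisation (objection raised, flow-down lapsed) without anyone remembering to update it.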

5) How masernet helps

  • Smart clause detection: our models flag Article 71/63 subcontracting duties, Article 28 DPA language, NIS2 clauses, and transfer requirements.
  • Detail extraction: auto-pulls the required ESPD exhibits, commitment letters, and sub-processor lists from documents—ready for your bid pack.
  • Q&A on documents: ask “Which tasks must remain in-house?” or “Do we need a separate ESPD for X?”—get answers with clause citations.

→ Try masernet now. Find more information here.


6) Quick reference table: Procurement subcontractor vs GDPR sub-processor

| Topic | Procurement (Directive 2014/24/EU) | GDPR (Processors & Sub-processors) |
| --- | --- | --- |
| Core concept | Subcontracting & reliance on capacity | Processing on behalf; sub-processing |
| Must disclose? | Yes—workshare; relied-upon entities; ESPD where applicable | Yes—authorized sub-processor list and change notifications |
| Replacement | Buyer can require replacement for exclusion grounds | Controller can object to new sub-processors; vendor must flow down terms |
| Caps/critical work | No blanket % caps; critical tasks may be reserved | Not applicable |
| Evidence | ESPD, commitment letters, exclusion checks | DPA (Art. 28), security (Art. 32), breach process (Art. 33) |
| Cross-border angle | Usually none (except performance conditions) | DPF or SCCs 2021 + TIA & measures |

Sources: [5.][7.][8.][9.][10.][1.][3.][4.][11.][13.][14.]


FAQ

Do all subcontractors submit an ESPD? Only those you rely on for capacity usually must submit their own ESPD; others only if the buyer requires it. Check the specific ESPD request. [8.][17.]

Can the authority limit subcontracting to a fixed %? A general fixed cap (e.g., “30%”) is typically unlawful under EU law; focus on critical tasks instead. [9.][10.]

Must I name every sub-processor? You need specific or general prior authorization; general authorization typically includes a published list and a change-notice window for objections. [1.][2.]

We use a U.S. cloud—are we okay? If the provider is DPF-certified, you can rely on the adequacy decision. Otherwise, use SCCs (2021) plus a transfer impact assessment and supplementary measures. [11.][13.][14.]

What about NIS2? Even where you’re not directly in scope, buyers may mirror NIS2 Article 21 expectations into contracts—prepare supply-chain controls and incident SLAs. [15.][16.]

Sources

  1. GDPR Article 28 (Processor). gdpr-info.eu.
  2. EDPB Guidelines 07/2020 on the concepts of controller and processor. EDPB.
  3. GDPR Article 32 (Security of processing). gdpr-info.eu.
  4. GDPR Article 33 (Breach notification). gdpr-info.eu.
  5. Directive 2014/24/EU, Article 71 (Subcontracting). legislation.gov.uk.
  6. Directive 2014/24/EU (including Article 18(2) and Article 24). EUR-Lex (consolidated text and recitals).
  7. Directive 2014/24/EU, Article 63 (Reliance on capacities). EUR-Lex.
  8. eESPD FAQ (subcontractors & reliance). European Commission.
  9. CJEU Vitali C-63/18 (30% cap incompatible). CURIA.
  10. CJEU Tim C-395/18 (exclusion re subcontractor; proportionality & self-cleaning). EUR-Lex.
  11. Commission Implementing Decision (EU) 2023/1795 — EU-U.S. Data Privacy Framework (adequacy). EUR-Lex.
  12. Press Q&A on the DPF (context & scope). European Commission.
  13. Commission Implementing Decision (EU) 2021/914 — SCCs. EUR-Lex.
  14. EDPB Recommendations 01/2020 on supplementary measures (Schrems II), final version. EDPB.
  15. NIS2 Directive (EU) 2022/2555 (supply-chain risk management, Article 21). EUR-Lex.
  16. EY insight — NIS2 & supply-chain security (plain-language overview). EY.
  17. ESPD overview/handbook. European Commission (Internal Market and Industry).
  18. Note on direct payment to subcontractors via Article 71(3) cross-reference. EUR-Lex.