Expression of Interest (EOI)

Consultancy service to obtain a local legal opinion on data protection and IT security laws in Rwanda and Burundi 

Reference Number: 83457219

Publication date: 03.01.2024 

1. Introduction

The Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH is a federally owned international cooperation enterprise for sustainable development with worldwide operations. The GIZ Office in Kigali covers GIZ’s portfolio in Rwanda and Burundi. GIZ Rwanda/Burundi implements projects on behalf of the German Federal Ministry for Economic Cooperation and Development, the European Union and other commissioning authorities in the following priority areas: Sustainable Economic Development, Good Governance, Climate, Energy and Sustainable Urban Development, Digitalization and Digital Economy, Mineral Governance, Peace, and Security in the Great Lakes Region.

Together with partners in national governments worldwide as well as with cooperation partners from business, science, and civil society, GIZ works flexibly on effective solutions that offer people perspectives and permanently improve their living conditions.

GIZ’s Headquarters are based in Bonn and Eschborn, with representative offices worldwide in around 120 countries, 80 country offices and over 1,600 project offices/stands. In an increasingly networked and digitalized world, appropriate security mechanisms and security-oriented action by GIZ as an organization and by its employees are indispensable. Due to the often very political working contexts in the projects, GIZ has a particular responsibility to increase its level of data privacy and information security to maintain the trust and to adequately ensure the safety of its clients, partners, and employees.

As a European company, GIZ is subject to the European Law on data protection, namely the EU-General Data Protection Regulation (2016/679, "EU-GDPR") and therefore applies its rules and procedures to all its processing of personal data around the world. At the same time, the local legislation of the countries in which GIZ works together with its local partners must be observed. This extends naturally to legislation on data privacy and data protection as well as information security wherever such legislation exists.

Context 1: Relevant local law with respect to data protection and data privacy

GIZ GmbH, as an internationally operating, non-profit enterprise commissioned by the German Federal Government, is not a corporate group. Therefore, all offices and representations abroad are permanent establishments and not independent branches. Due to the agreements with the partner countries, GIZ is generally subject to different legal requirements than private-sector companies.

To act in a data protection-compliant manner in the respective country in which GIZ often operates as data controller (according to the EU-GDPR), it is necessary to know the local legal provisions and practices that relate to data protection and privacy. The same is required if the partner is the controller of the processing of personal data and must adhere to local law.

On top of that, legal provisions according to national regulations that have higher requirements than EU-GDPR, also have to be adhered to when processing personal data, especially if dealing with personal data of national population.

Of particular importance is the question of the disclosure of personal data to public authorities or authorizing access by such authorities

Context 2: Comparison to EU-GDPR & potential conflicts of law

In order to comply with all local regulations in a partner country, it is necessary to identify commonalities and differences between EU-GDPR and the local legal provisions where the local law requires higher or contradictory standards compared to the EU-GDPR and which are relevant to GIZ’s work. By highlighting the differences, it is also necessary to distinguish between minor discrepancies and major conflicts of law. Depending on their nature, the local regulations can have a vast effect on GIZ’s work in the partner country. In light of the potential conflicts and deviations, a variety of solutions need to be explored with their consequences laid out. Advice on how to resolve potential conflicts and complying with the requirements in the target jurisdiction, as well as the potential consequences of non-compliance, is equally necessary. GIZ needs comprehensive information if legal requirements prevent it from processing personal data in certain situations, to be able to assess consequences for GIZ’s work.

Of particular importance is the question of how the existing legislation is actually implemented in the target jurisdiction – including regulations requiring the disclosure of personal data to public authorities or authorizing access by such authorities.

Context 3: Local laws containing regulations regarding information security and information security management or influencing the same, including the transfer of data (personal and non-personal) to the EEA and other partner countries

Since GIZ is working closely with local data subjects and, in some cases, transfers their personal data outside of the local country (e.g., into the EEA) it is important to assess the applicable local regulations and comply with them before transferring such data outside of their jurisdiction. This is not only relevant for national personnel but also for partners and beneficiaries whose personal data is being processed in GIZ systems (physically located in the EEA). Therefore, it is also pertinent to examine the data transfers of these national’s personal data to the EEA, as far as GIZ processes this data in its systems, and whether there are local laws that could affect the transfer.

As GIZ is acting in the field of international cooperation for sustainable development and international education work, local governments and regulatory authorities are major stakeholders. In this context, data transfers from the partner country to third countries and EEA take place. GIZ is implementing and operating an information security management system (ISMS) to ensure appropriate management and level of information security risks. For this, risk mitigating security controls are determined and implemented.

As local governments and regulatory authorities are major stakeholders of GIZ’s ISMS, identifying and assessing local laws containing regulations regarding information security and information security management or influencing the same, is the key to enable an adequate determination of security controls and ISMS procedures as well as ensuring their compliance with local laws.

For this purpose, these local legal provisions and practices must be identified and assessed to be considered within the ISMS processes.

2. Tasks to be performed by the contractor

The contractor is responsible for providing the following services: There are three tasks to be performed by the contractor which are closely connected in the fields of data privacy, data protection and information security. The overall assignment must be carried out within 6 weeks (42 calendar days) after the contract has been awarded and the contract will cover both countries Rwanda and Burundi. The expected result is a comprehensive and written assessment divided into the three tasks. Additional information in the form of graphs, flow charts or tables are appreciated but not compulsory. There are no milestones, and the contractor is expected to report the results in full after the end of the assignment. And the Report must be in English.

All tasks are structured through guiding questions which are listed in the annex (see Annex    I below for guidance).

Task 1: Relevant local law with respect to data protection and data privacy

The first task is the summary of all applicable data privacy and data protection regulations and their relevance for to GIZ’s work in the country. In addition, the requirements for a data export must be highlighted:

• Determine in how far GIZ is subjected to local data protection laws and other regulations amidst the legal status of GIZ’s offices as dependent establishments with their headquarters based in Germany (EEA)
• Analyze all applicable national and regional legal regimes and practices that may have an impact on the protection of personal data (especially for national personnel, local partners and beneficiaries)
• Include any ongoing changes and drafts for future laws and regulations, if applicable
• Summary of possibilities of lawful access or potential disclosure of data transferred from the EEA into the target jurisdiction by public authorities

Task 2: Comparison to EU-GDPR & potential conflicts of law

The second task involves comparing the local regulations with the EU-GDPR:

• Compilation of an overview comparing the EU-GDPR and applicable local/regional laws on data protection
• Identification of possible discrepancies and potential conflicts of law (EU-GDPR vs. applicable local/regional laws)
• Highlight any prohibitions on processing of personal data according to the national law related to GIZ as a federal public enterprise
• Propose solutions and recommendations for resolving these conflicts as well as name the potential consequences for non-compliance

Task 3: Local laws containing regulations regarding information security and information security management or influencing the same, including the transfer of data into the EEA and other partner countries

The third task is the summary of all applicable regulations regarding information security and information security management or influencing the same and identification of conflicts of law. Examples could be:

• Local laws prohibiting or enforcing the use of cryptographic algorithms
• Reporting obligations to supervising authorities (for example regarding security incidents)
• Sector specific regulations (for example for the local public sector or sectors of critical infrastructure)
• Local laws or regulations indirectly influencing information security controls (e.g., local youth protection laws resulting in content filters for internet access for minor employees)
• Information security in case of data transfer from the partner country to third countries, especially EEA.
• Highlight all necessary steps (if applicable) to transfer data (personal and non-personal) into the EEA and other partner countries.

This includes the following steps:

• Analyze all applicable national and regional legal regimes and practices that may have an impact on information security or information security management.
• Include any ongoing changes and drafts for future laws and regulations, if applicable.
• Compilation of an overview comparing identified and applicable local/regional laws
• Propose solutions and recommendations for resolving these conflicts 

3. Concept

In the tender, the tenderer is required to show how the objectives defined in Chapter 2 (‘Tasks to be performed’) are to be achieved, if applicable under consideration of further method-related requirements (technical-methodological concept)

4. Personnel concept

The tenderer is required to provide a pool of two experts who are suited to perform the tasks described based on their CVs, the range of tasks involved and the required qualifications. Among the two experts, one must be a team leader on basis of general and specific professional experience and be highlighted in the technical proposal.

Qualifications of required experts

Team Leader (Maximum 27 expert days)

• Education: At least university degree in Law or similarly relevant
• Language: Must be proficient in English and French. Language proficiency to be evaluated in the CVs
• General professional experience: 5 years of professional experience in the regulatory compliance sector
• Specific professional experience (2.2.4): 3 years of experience in data privacy and information security compliance.
• Regional experience (2.1.6): 3 years of experience in similar tasks in Rwanda. Proposed expert must be a member of Rwanda Bar Association.
• Professional Certification such as CIPP (Certified Information Privacy), certification by the iapp (The International Association of Privacy Professionals), ISO 27701 LI, ISO 27001 LI are desired

Second Expert (Maximum 15 expert days)

• Education: At least university degree in Law or similarly relevant
• Language: Must be proficient in French. Language proficiency to be evaluated in the CVs
• General professional experience: 3 years of professional experience in the regulatory compliance sector
• Specific professional experience (2.2.4): 2 years of experience in data privacy and information security compliance.
• Regional experience (2.1.6): 3 years of experience in similar tasks in Burundi. Proposed expert must be the member of Burundi Bar Association. 

5. Requirements on the format of the tender

The structure of the tender must correspond to the structure of the ToRs. The tender must be legible (font size 11 or larger) and clearly formulated. It must be drawn up in English.

The complete tender must not exceed 10 pages (excluding CVs). If one of the maximum page lengths is exceeded, the content appearing after the cut-off point will not be included in the assessment. External content (e.g. links to websites) will also not be considered.

The CVs of the personnel proposed in accordance with Chapter 4 of the ToRs must be submitted using the format specified in the terms and conditions for application. The CV shall not exceed 4 pages. They must clearly show the position and job the proposed person held in the reference project/assignments and for how long

As the contract to be concluded is a contract for works, please offer a fixed lump sum price that covers all relevant costs (fees, travel expenses etc.). The price bid will be evaluated on the basis of the specified lump sum price. In addition, please also provide the underlying daily rate. A breakdown of days is not required.

6. Annexes

Annex I: Guiding Structure & Questions

For orientation purposes, the following issues should be answered (other questions that arise should also be dealt with in this context):

Task 1: Relevant local law with respect to data protection and data privacy

Applicable Local Law

• In how far is GIZ subject to local data protection laws and regulations amidst the legal status of GIZ offices as dependent establishments with their headquarters based in Germany (EEA)?
• Are there rules governing or restricting the transfer of personal data out of the country?
• Are there any additional regulations that also apply to data of persons who are not citizens of the country?
• Are there requirements for documenting data protection/ data privacy related processes? 

Existence and Functioning of Supervisory Authorities

• Has an independent supervisory authority been established?
• Are there registration requirements that GIZ would have to observe?
• What are the oversight mechanisms for the approval and review of relevant actions by public authorities?
• Are there legal remedies for data subjects, including effective individual rights and judicial redress?
• Is there any further relevant information regarding public authorities' access to personal data held by GIZ as a federal public utility?

Task 2: Comparison to EU-GDPR & potential conflicts of law

• Are there requirements according to local law that go beyond the provisions of EU-GDPR?
• Are there material conflicts of local law and EU-GDPR, i.e. would GIZ’s compliance with local law jeopardize our compliance with EU-GDPR or vice versa?
• What is the state of enforcement of local data protection legislation through local authorities/courts in the country– please give an overview of the risks and consequences of non-compliance 

Task 3: Local laws containing regulations regarding information security and information security management or influencing the same, including the transfer of data into the EEA and other partner countries.

• Which local laws and sector specific regulations exist requiring specific information security controls (like use of cryptography)?
• Which local laws and sector specific regulations exist requiring compliance to local/national/ sector specific information security standards?
• Which local laws and sector specific regulations exist requiring reporting obligations to supervising authorities?
• How does any of the above identified local laws and sector specific regulations add, contradict or concretize requirements of GIZ and ISO 27001?
• Which local laws and sector specific regulations exist in course of the transfer of data (personal and non-personal) into the EEA and other partner countries? 

Annex II: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data | European Data Protection Board (europa.eu)

Annex III: Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR | European Data Protection Board (europa.eu)

Annex IV – Grid for the technical assessment of bids

Annex V – Template for the Technical Proposal

Annex VI – Template for the Financial Proposal 

7. Submission of offer: The Expression of Interest should contain the following: 

A. Technical Proposal:

• A cover letter expressing your interest in this assignment
• Technical proposal with a brief description of why you would be considered as the most suitable for the assignment, relevant expertise, and a detailed, clear methodology, your approach to complete the assignment, template attached.
• CV of the Consultants proposed
• Company registration certificate (RDB)
• VAT-Registration certificate
• Latest tax clearance certificate if applicable
• Proof of successful completion of related assignments. 

B. Financial Proposal: indicates the all-inclusive daily rate, supported by a breakdown of all costs. The costs must be in RWF and VAT

Please submit electronically your EoI (technical & Financial offer) in 2 separated emails and should be in PDF files to this email ONLY: RW_Quotation@giz.de until latest 18^th January 2024

Please you must write on each email subject this sentence:

83457219 Technical/financial offer, without this sentence, your offer may not be considered

Hard copies are not allowed this time

GIZ reserves all rights

8. List of abbreviations 

EEA:                  European Economic Area

EU:                   European Union 

EU-GDPR:         European General Data Protection Regulation                 

GIZ:                 Deutsche Gesellschaft fuer Internationale Zusammenarbeit GmbH

ISMS:               Information Security Management System

ToRS:              Terms of references