Search
Contact
28.07.2022 | KPMG Law Insights

Procurement Chamber BaWü: Impermissible third-country transfer through the use of the EU subsidiary of a US service provider

Rarely has the decision of a public procurement chamber caused such a stir in such a short time as the decision of the VK Baden-Württemberg of July 13, 2022 (Ref. 1 VK 23/22). The decision, which is not yet final, is not only relevant for award procedures. The statements of the Procurement Chamber can also have an impact on the selection of IT service providers in the area of private law.

The underlying proceedings concerned the procurement of software by a public contracting authority. The customer’s specifications contained the following requirements in particular in the IT security and data protection requirements:

“[…]

– Fulfillment of the requirements from the DS-GVO and the BDSG […]

– Data is processed exclusively in an EU-EEA data center where no subcontractors/group companies are located in third countries.

[…]”

The contract was awarded to a bidder who used a subcontractor based in the EU to provide the server and hosting services. However, this was a subsidiary of a US group. The second-placed bidder has filed an application for review against this. Among other things, the applicant relied on the fact that the use of the data center operator with a US parent company constituted a violation of Article 44 et seq. of the GDPR and thus the requirements of the tender documents were not met.

Use of European subsidiaries of US service providers as third-country transfers

The Procurement Chamber followed the applicant’s view and found:

“The use of X. as a hosting service provider constitutes a transfer within the meaning of Art. 44 et seq. DS-GVO to be seen. […].

The concept of transmission is to be understood in the light of the because [sic!] wording of Art. 44 p. 1 of the GDPR and the instruction set out in Art. 44 p. 2 of the GDPR with regard to the application of the standard and thus to be understood comprehensively: Transfer is any disclosure of personal data to a recipient in a third country or an international organization, irrespective of the nature of the disclosure or the disclosure to a third party […].

An access option – for example by granting access rights – constitutes a latent risk that an unauthorized transfer of personal data can take place without the legal basis for this standardized in the GDPR […].

Measured against these standards, the use of X., a European company whose parent company is the U.S.-based X. lnc. is an impermissible transfer of data to a third country.”

No sufficient compensatory measures to maintain an adequate level of data protection

Furthermore, the Board considered the data protection agreements concluded between the successful bidder and the data center operator as well as the measures provided therein to be insufficient to ensure an adequate level of data protection:

“The commissioning of X. by the Respondent is based, inter alia, on the “X. GDPR DATA PROCESSING ADDENDUM”. Clause 3 of this agreement contains a clause relating to the confidentiality of customer data (“Confidentiality of Costumer Data”). Under this clause, Customer Data may not be accessed, used or disclosed by X. to any third party except as necessary to maintain or provide the Services or to comply with any law or effective and valid order of any governmental authority. […]

Clause 3 and 12.1 of the “X. GDPR DATA PROCESSING ADDENDUM” are designed in the form of general clauses and open up the possibility for both governmental and private bodies outside the EU and in particular in the USA to access data stored by X. in certain situations within the framework of the contractual or legal authorizations applicable in the specific case. […]

After all, the latent risk can materialize at any time. By entering into the agreement with X., the Defendant is in any case partially relinquishing its ability to exert influence with regard to the data entrusted to X.. […]

X.’s assumption of an obligation to challenge overbroad or unreasonable requests by government agencies, including requests that conflict with EU or applicable member state law, does not eliminate the latent risk of access by those same agencies.”

Inadmissibility of the use of EU subsidiaries of a US service provider

Accordingly, the Board concluded that the identified data transfer to the U.S. is unlawful:

“Here, there is no special reason for permission according to Art. 44 et seq. GDPR exists. Thus, an adequacy decision within the meaning of Art. 45 (1) of the GDPR is missing here. Article 46 (2) c), d) of the GDPR also does not apply here. Standard data protection clauses within the meaning of this provision are not suitable to legitimize transfers per se; rather, a case-by-case assessment is required in this respect […]. This leads – as explained – to the assumption of inadmissibility under data protection law. An exceptional circumstance according to Art. 49 DS-GVO is also not given here.”

The argumentation of the Procurement Chamber to assume an inadmissible data transfer to a third country already by the use of a European subsidiary of a US company due to the existence of a “latent danger” is not uncontroversial. Furthermore, for procedural reasons, the Procurement Chamber did not take into account the submission regarding an encryption technology used by the data center operator. Nevertheless, the decision is remarkable. It illustrates that even doubts about compliance with data protection law can present themselves as a real competitive disadvantage. The close temporal connection with the controversial use of a U.S. cloud provider in the context of the online portal for conducting the 2022 census, which is still being investigated by the BfDI, also makes it clear that the topic of third-country transfers – also in the public sector – is gaining increasing attention. The decisions that assume illegality due to a lack of contractual, technical and organizational compensatory measures are beginning to accumulate.

Explore #more

03.09.2025 | In the media

Guest article in the insurance industry: Embedded Insurance – More than just a new sales channel

The insurance industry is facing a paradigm shift. Traditional sales models are increasingly being supplemented by innovative approaches aimed at facilitating access to insurance policies…

03.09.2025 | KPMG Law Insights

Supply Chain Act: reporting obligation no longer applies, sanctions reduced

In the coalition agreement, the coalition partners agreed to abolish the Supply Chain Due Diligence Act (LkSG) as part of the implementation of the European…

29.08.2025 | In the media

Statement by Ulrich Keunecke on the special infrastructure fund in Politico

KPMG Law financial expert Ulrich Keunecke explains how the infrastructure special fund can be leveraged with capital from private investors. You can find the article…

25.08.2025 | Deal Notifications

KPMG Law is advising APELOS on the refinancing and acquisition of a practice group with around 50 practice locations.

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised APELOS Therapie GmbH, a leading therapy practice group in Germany, on the refinancing…

15.08.2025 | In the media

KPMG Law Statement in Die-Stiftung.de on the topic of foundation registers – The long road to digital order

The entry into force of the foundation law reform on July 1, 2023 marks a turning point in the German foundation system. The list of…

14.08.2025 | KPMG Law Insights

Electromobility in logistics – legal challenges

In order to reduce its CO2 emissions, the logistics industry is increasingly turning to electromobility. This is not only due to ESG regulations such as…

07.08.2025 | KPMG Law Insights

NIS2: How energy suppliers must protect themselves against cyber attacks

In July 2025, the Military Counterintelligence Service reported a significant increase in spying attempts and disruptive measures by the Russian secret service, according to media…

06.08.2025 | KPMG Law Insights

Tax havens: When business relationships trigger criminal proceedings

A German tech company had been paying license fees to a contractual partner in Panama for years without ever having any problems. However, few people

06.08.2025 | Deal Notifications

KPMG Law, KPMG in Germany and KPMG in Switzerland advised Bureau Veritas on the acquisition of Dornier Hinneburg and its Swiss subsidiary Hinneburg Swiss

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) together with KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) and KPMG AG Switzerland advised Bureau Veritas Group (Bureau Veritas) on the acquisition…

05.08.2025 | Deal Notifications

KPMG Law advises Athagoras Holding GmbH on the acquisition of IGES Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) provided legal advice to Athagoras Holding GmbH, a platform of the Munich-based PE firm Greenpeak Partners, on the acquisition…

Contact

Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Lawyer
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

Tel.: +49 761 769999-20
shoegl@kpmg-law.com

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll