Search
Contact
28.07.2022 | KPMG Law Insights

Procurement Chamber BaWü: Impermissible third-country transfer through the use of the EU subsidiary of a US service provider

Rarely has the decision of a public procurement chamber caused such a stir in such a short time as the decision of the VK Baden-Württemberg of July 13, 2022 (Ref. 1 VK 23/22). The decision, which is not yet final, is not only relevant for award procedures. The statements of the Procurement Chamber can also have an impact on the selection of IT service providers in the area of private law.

The underlying proceedings concerned the procurement of software by a public contracting authority. The customer’s specifications contained the following requirements in particular in the IT security and data protection requirements:

“[…]

– Fulfillment of the requirements from the DS-GVO and the BDSG […]

– Data is processed exclusively in an EU-EEA data center where no subcontractors/group companies are located in third countries.

[…]”

The contract was awarded to a bidder who used a subcontractor based in the EU to provide the server and hosting services. However, this was a subsidiary of a US group. The second-placed bidder has filed an application for review against this. Among other things, the applicant relied on the fact that the use of the data center operator with a US parent company constituted a violation of Article 44 et seq. of the GDPR and thus the requirements of the tender documents were not met.

Use of European subsidiaries of US service providers as third-country transfers

The Procurement Chamber followed the applicant’s view and found:

“The use of X. as a hosting service provider constitutes a transfer within the meaning of Art. 44 et seq. DS-GVO to be seen. […].

The concept of transmission is to be understood in the light of the because [sic!] wording of Art. 44 p. 1 of the GDPR and the instruction set out in Art. 44 p. 2 of the GDPR with regard to the application of the standard and thus to be understood comprehensively: Transfer is any disclosure of personal data to a recipient in a third country or an international organization, irrespective of the nature of the disclosure or the disclosure to a third party […].

An access option – for example by granting access rights – constitutes a latent risk that an unauthorized transfer of personal data can take place without the legal basis for this standardized in the GDPR […].

Measured against these standards, the use of X., a European company whose parent company is the U.S.-based X. lnc. is an impermissible transfer of data to a third country.”

No sufficient compensatory measures to maintain an adequate level of data protection

Furthermore, the Board considered the data protection agreements concluded between the successful bidder and the data center operator as well as the measures provided therein to be insufficient to ensure an adequate level of data protection:

“The commissioning of X. by the Respondent is based, inter alia, on the “X. GDPR DATA PROCESSING ADDENDUM”. Clause 3 of this agreement contains a clause relating to the confidentiality of customer data (“Confidentiality of Costumer Data”). Under this clause, Customer Data may not be accessed, used or disclosed by X. to any third party except as necessary to maintain or provide the Services or to comply with any law or effective and valid order of any governmental authority. […]

Clause 3 and 12.1 of the “X. GDPR DATA PROCESSING ADDENDUM” are designed in the form of general clauses and open up the possibility for both governmental and private bodies outside the EU and in particular in the USA to access data stored by X. in certain situations within the framework of the contractual or legal authorizations applicable in the specific case. […]

After all, the latent risk can materialize at any time. By entering into the agreement with X., the Defendant is in any case partially relinquishing its ability to exert influence with regard to the data entrusted to X.. […]

X.’s assumption of an obligation to challenge overbroad or unreasonable requests by government agencies, including requests that conflict with EU or applicable member state law, does not eliminate the latent risk of access by those same agencies.”

Inadmissibility of the use of EU subsidiaries of a US service provider

Accordingly, the Board concluded that the identified data transfer to the U.S. is unlawful:

“Here, there is no special reason for permission according to Art. 44 et seq. GDPR exists. Thus, an adequacy decision within the meaning of Art. 45 (1) of the GDPR is missing here. Article 46 (2) c), d) of the GDPR also does not apply here. Standard data protection clauses within the meaning of this provision are not suitable to legitimize transfers per se; rather, a case-by-case assessment is required in this respect […]. This leads – as explained – to the assumption of inadmissibility under data protection law. An exceptional circumstance according to Art. 49 DS-GVO is also not given here.”

The argumentation of the Procurement Chamber to assume an inadmissible data transfer to a third country already by the use of a European subsidiary of a US company due to the existence of a “latent danger” is not uncontroversial. Furthermore, for procedural reasons, the Procurement Chamber did not take into account the submission regarding an encryption technology used by the data center operator. Nevertheless, the decision is remarkable. It illustrates that even doubts about compliance with data protection law can present themselves as a real competitive disadvantage. The close temporal connection with the controversial use of a U.S. cloud provider in the context of the online portal for conducting the 2022 census, which is still being investigated by the BfDI, also makes it clear that the topic of third-country transfers – also in the public sector – is gaining increasing attention. The decisions that assume illegality due to a lack of contractual, technical and organizational compensatory measures are beginning to accumulate.

Explore #more

10.10.2025 | In the media

KPMG Law guest article in NZG: Compliance due diligence in SMEs: Minimum scope and contractual mapping of compliance risks of the target company

In the context of M&A transactions, compliance usually still plays a subordinate role in legal due diligence. The purpose of this article is, on…

10.10.2025 | In the media

KPMG Law honored at the M&A Award Night 2025

KPMG Law has been awarded the “M&A Transaction Advisory” prize at this year’s M&A Award Night of the Bundesverband Mergers & Acquisitions e.V. (BM&A) and…

10.10.2025 | In the media

KPMG Law guest article in CCZ: The guide for compliance management systems in small and medium-sized enterprises (DIN SPEC 91524)

Compliance in SMEs is challenging: the legal responsibility for compliance is undisputed, but the specific tasks are unclear and depend on the specific situation of…

10.10.2025 | KPMG Law Insights

Transformation in legal departments in 2026 – the most important trends and best practices

Three topics in particular are currently driving the transformation of the legal department: AI, the rapid increase in regulation and geopolitical developments. There has always…

08.10.2025 | Deal Notifications

KPMG advised Adiuva Capital GmbH with Fact Books on the sale of KONZMANN Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Adiuva Capital GmbH, a Hamburg-based private equity firm (“Adiuva“), in connection with the…

06.10.2025 | KPMG Law Insights

What the Green Claims Directive means for companies – an overview

With the Green Claims Directive, the EU will introduce extensive regulations on the requirements for permissible environmental claims. The aim is to prevent greenwashing so…

03.10.2025 | Deal Notifications

KPMG Law and KPMG support the restructuring of Groupe CAT in Germany

KPMG Law Rechtsanwaltsgesellschaft (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Groupe CAT on comprehensive restructuring measures with a cross-service team. Over a period of…

02.10.2025 | Deal Notifications

KPMG Law advises Epitype GmbH and MDG Molecular Diagnostics Group GmbH on the acquisition of significant assets of oncgnostics GmbH

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) provided comprehensive legal advice to Epitype GmbH, a company of the Dresden-based MDG Group, on the formation and subsequent…

02.10.2025 | In the media

KPMG Law Statement in ZEIT for entrepreneurs: We’ll take the 500 billion!

German construction companies are asking themselves: how quickly will the money come from the government? And they are worried that only the giants will benefit.…

01.10.2025 | KPMG Law Insights

Federal Network Agency reforms special network charges for industry and commerce

The Federal Network Agency is planning a fundamental reform of the special network charges for energy-intensive companies. Any change to the current privilege regime entails…

Contact

Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Lawyer
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

Tel.: +49 761 769999-20
shoegl@kpmg-law.com

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll