28.07.2022 | KPMG Law Insights

Procurement Chamber BaWü: Impermissible third-country transfer through the use of the EU subsidiary of a US service provider

Rarely has the decision of a public procurement chamber caused such a stir in such a short time as the decision of the VK Baden-Württemberg of July 13, 2022 (Ref. 1 VK 23/22). The decision, which is not yet final, is not only relevant for award procedures. The statements of the Procurement Chamber can also have an impact on the selection of IT service providers in the area of private law.

The underlying proceedings concerned the procurement of software by a public contracting authority. The customer’s specifications contained the following requirements in particular in the IT security and data protection requirements:


– Fulfillment of the requirements from the DS-GVO and the BDSG […]

– Data is processed exclusively in an EU-EEA data center where no subcontractors/group companies are located in third countries.


The contract was awarded to a bidder who used a subcontractor based in the EU to provide the server and hosting services. However, this was a subsidiary of a US group. The second-placed bidder has filed an application for review against this. Among other things, the applicant relied on the fact that the use of the data center operator with a US parent company constituted a violation of Article 44 et seq. of the GDPR and thus the requirements of the tender documents were not met.

Use of European subsidiaries of US service providers as third-country transfers

The Procurement Chamber followed the applicant’s view and found:

“The use of X. as a hosting service provider constitutes a transfer within the meaning of Art. 44 et seq. DS-GVO to be seen. […].

The concept of transmission is to be understood in the light of the because [sic!] wording of Art. 44 p. 1 of the GDPR and the instruction set out in Art. 44 p. 2 of the GDPR with regard to the application of the standard and thus to be understood comprehensively: Transfer is any disclosure of personal data to a recipient in a third country or an international organization, irrespective of the nature of the disclosure or the disclosure to a third party […].

An access option – for example by granting access rights – constitutes a latent risk that an unauthorized transfer of personal data can take place without the legal basis for this standardized in the GDPR […].

Measured against these standards, the use of X., a European company whose parent company is the U.S.-based X. lnc. is an impermissible transfer of data to a third country.”

No sufficient compensatory measures to maintain an adequate level of data protection

Furthermore, the Board considered the data protection agreements concluded between the successful bidder and the data center operator as well as the measures provided therein to be insufficient to ensure an adequate level of data protection:

“The commissioning of X. by the Respondent is based, inter alia, on the “X. GDPR DATA PROCESSING ADDENDUM”. Clause 3 of this agreement contains a clause relating to the confidentiality of customer data (“Confidentiality of Costumer Data”). Under this clause, Customer Data may not be accessed, used or disclosed by X. to any third party except as necessary to maintain or provide the Services or to comply with any law or effective and valid order of any governmental authority. […]

Clause 3 and 12.1 of the “X. GDPR DATA PROCESSING ADDENDUM” are designed in the form of general clauses and open up the possibility for both governmental and private bodies outside the EU and in particular in the USA to access data stored by X. in certain situations within the framework of the contractual or legal authorizations applicable in the specific case. […]

After all, the latent risk can materialize at any time. By entering into the agreement with X., the Defendant is in any case partially relinquishing its ability to exert influence with regard to the data entrusted to X.. […]

X.’s assumption of an obligation to challenge overbroad or unreasonable requests by government agencies, including requests that conflict with EU or applicable member state law, does not eliminate the latent risk of access by those same agencies.”

Inadmissibility of the use of EU subsidiaries of a US service provider

Accordingly, the Board concluded that the identified data transfer to the U.S. is unlawful:

“Here, there is no special reason for permission according to Art. 44 et seq. GDPR exists. Thus, an adequacy decision within the meaning of Art. 45 (1) of the GDPR is missing here. Article 46 (2) c), d) of the GDPR also does not apply here. Standard data protection clauses within the meaning of this provision are not suitable to legitimize transfers per se; rather, a case-by-case assessment is required in this respect […]. This leads – as explained – to the assumption of inadmissibility under data protection law. An exceptional circumstance according to Art. 49 DS-GVO is also not given here.”

The argumentation of the Procurement Chamber to assume an inadmissible data transfer to a third country already by the use of a European subsidiary of a US company due to the existence of a “latent danger” is not uncontroversial. Furthermore, for procedural reasons, the Procurement Chamber did not take into account the submission regarding an encryption technology used by the data center operator. Nevertheless, the decision is remarkable. It illustrates that even doubts about compliance with data protection law can present themselves as a real competitive disadvantage. The close temporal connection with the controversial use of a U.S. cloud provider in the context of the online portal for conducting the 2022 census, which is still being investigated by the BfDI, also makes it clear that the topic of third-country transfers – also in the public sector – is gaining increasing attention. The decisions that assume illegality due to a lack of contractual, technical and organizational compensatory measures are beginning to accumulate.

Explore #more

13.06.2024 | Press releases

Handelsblatt and Best Lawyers honor KPMG Law Experts

Best Lawyers has once again identified the best commercial lawyers in Germany for 2024 exclusively for Handelsblatt. A total of 28 lawyers were honored by…

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…


Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20

Francois Heynike, LL.M. (Stellenbosch)

Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.