Search
Contact
28.07.2022 | KPMG Law Insights

Procurement Chamber BaWü: Impermissible third-country transfer through the use of the EU subsidiary of a US service provider

Rarely has the decision of a public procurement chamber caused such a stir in such a short time as the decision of the VK Baden-Württemberg of July 13, 2022 (Ref. 1 VK 23/22). The decision, which is not yet final, is not only relevant for award procedures. The statements of the Procurement Chamber can also have an impact on the selection of IT service providers in the area of private law.

The underlying proceedings concerned the procurement of software by a public contracting authority. The customer’s specifications contained the following requirements in particular in the IT security and data protection requirements:

“[…]

– Fulfillment of the requirements from the DS-GVO and the BDSG […]

– Data is processed exclusively in an EU-EEA data center where no subcontractors/group companies are located in third countries.

[…]”

The contract was awarded to a bidder who used a subcontractor based in the EU to provide the server and hosting services. However, this was a subsidiary of a US group. The second-placed bidder has filed an application for review against this. Among other things, the applicant relied on the fact that the use of the data center operator with a US parent company constituted a violation of Article 44 et seq. of the GDPR and thus the requirements of the tender documents were not met.

Use of European subsidiaries of US service providers as third-country transfers

The Procurement Chamber followed the applicant’s view and found:

“The use of X. as a hosting service provider constitutes a transfer within the meaning of Art. 44 et seq. DS-GVO to be seen. […].

The concept of transmission is to be understood in the light of the because [sic!] wording of Art. 44 p. 1 of the GDPR and the instruction set out in Art. 44 p. 2 of the GDPR with regard to the application of the standard and thus to be understood comprehensively: Transfer is any disclosure of personal data to a recipient in a third country or an international organization, irrespective of the nature of the disclosure or the disclosure to a third party […].

An access option – for example by granting access rights – constitutes a latent risk that an unauthorized transfer of personal data can take place without the legal basis for this standardized in the GDPR […].

Measured against these standards, the use of X., a European company whose parent company is the U.S.-based X. lnc. is an impermissible transfer of data to a third country.”

No sufficient compensatory measures to maintain an adequate level of data protection

Furthermore, the Board considered the data protection agreements concluded between the successful bidder and the data center operator as well as the measures provided therein to be insufficient to ensure an adequate level of data protection:

“The commissioning of X. by the Respondent is based, inter alia, on the “X. GDPR DATA PROCESSING ADDENDUM”. Clause 3 of this agreement contains a clause relating to the confidentiality of customer data (“Confidentiality of Costumer Data”). Under this clause, Customer Data may not be accessed, used or disclosed by X. to any third party except as necessary to maintain or provide the Services or to comply with any law or effective and valid order of any governmental authority. […]

Clause 3 and 12.1 of the “X. GDPR DATA PROCESSING ADDENDUM” are designed in the form of general clauses and open up the possibility for both governmental and private bodies outside the EU and in particular in the USA to access data stored by X. in certain situations within the framework of the contractual or legal authorizations applicable in the specific case. […]

After all, the latent risk can materialize at any time. By entering into the agreement with X., the Defendant is in any case partially relinquishing its ability to exert influence with regard to the data entrusted to X.. […]

X.’s assumption of an obligation to challenge overbroad or unreasonable requests by government agencies, including requests that conflict with EU or applicable member state law, does not eliminate the latent risk of access by those same agencies.”

Inadmissibility of the use of EU subsidiaries of a US service provider

Accordingly, the Board concluded that the identified data transfer to the U.S. is unlawful:

“Here, there is no special reason for permission according to Art. 44 et seq. GDPR exists. Thus, an adequacy decision within the meaning of Art. 45 (1) of the GDPR is missing here. Article 46 (2) c), d) of the GDPR also does not apply here. Standard data protection clauses within the meaning of this provision are not suitable to legitimize transfers per se; rather, a case-by-case assessment is required in this respect […]. This leads – as explained – to the assumption of inadmissibility under data protection law. An exceptional circumstance according to Art. 49 DS-GVO is also not given here.”

The argumentation of the Procurement Chamber to assume an inadmissible data transfer to a third country already by the use of a European subsidiary of a US company due to the existence of a “latent danger” is not uncontroversial. Furthermore, for procedural reasons, the Procurement Chamber did not take into account the submission regarding an encryption technology used by the data center operator. Nevertheless, the decision is remarkable. It illustrates that even doubts about compliance with data protection law can present themselves as a real competitive disadvantage. The close temporal connection with the controversial use of a U.S. cloud provider in the context of the online portal for conducting the 2022 census, which is still being investigated by the BfDI, also makes it clear that the topic of third-country transfers – also in the public sector – is gaining increasing attention. The decisions that assume illegality due to a lack of contractual, technical and organizational compensatory measures are beginning to accumulate.

Explore #more

11.10.2024 | In the media

Guest article in the Asset Management Guide 2024: The Fund Market Strengthening Act – Flexibilization and Debt Fund reloaded

On August 5, 2024, the Federal Ministry of Finance published the draft bill for the Act to Strengthen the German Fund Market and Implement Directive…

04.10.2024 | In the media

Guest article in Bauunternehmer on the topic: “Competition is better for climate protection than rigid requirements”

Regulation is one of the main cost drivers in construction.
However, instead of rigid specifications, sustainability targets and climate protection can be better achieved through…

04.10.2024 | Deal Notifications

KPMG Law advises the HWP Handwerkspartner Group on the acquisition of Manfred Teckenburg Elektroanlagen

KPMG Law carried out a comprehensive legal due diligence for the HWP Handwerkspartner Group on the acquisition of Teckenburg Elektroanlagen and supported the purchase agreement…

04.10.2024 | Deal Notifications

KPMG Law and KPMG advise the Forterro Group on the acquisition of alltrotec

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised the Forterro Group on the due diligence, structuring and implementation of the acquisition…

04.10.2024 | Deal Notifications

KPMG Law and KPMG advise HWP Handwerkspartner Group on the acquisition of Elektro Fastabend Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) have jointly advised the HWP Handwerkspartner Group (HWP) on the acquisition of Fastabend Elektro-Gebäudetechnik…

02.10.2024 | Deal Notifications

KPMG Law advises the GOLDBECK Group on the acquisition of a majority stake in the Schalm Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the HWP Handwerkspartner Group on the acquisition of the Schalm Group.
KPMG Law conducted a comprehensive legal due…

27.09.2024 | Deal Notifications

KPMG Law advises Munich Airport on the sale of a majority stake in Cargogate Munich Airport GmbH and the creation of a new cargo joint venture.

KPMG Law advised Flughafen München GmbH (FMG) on the sale of 74.9 percent of the shares in its subsidiary Cargogate Munich Airport GmbH (Cargogate) to…

27.09.2024 | Deal Notifications

KPMG Law and KPMG advise the GOLDBECK Group on the acquisition of Weiser GmbH Brandschutz & Technik

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) jointly advised the GOLDBECK Group on the acquisition of Weiser GmbH Brandschutz & Technik.…

25.09.2024 | In the media

Guest article in Wirtschafts Woche on the topic of data protection: Employers are liable for their works councils

Companies collect and store personal and sometimes sensitive employee data: age, length of service, salary, sick days and much more.
According to European and German…

22.09.2024 | In the media

PMN Awards 2024 – Konstantin von Busekist honored as Managing Partner of the Year

For the 16th time, the PMN Awards shine a spotlight on outstanding law firm innovations and management achievements.
On September 18, the Professional Management Network,…

Contact

Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Lawyer
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20
shoegl@kpmg-law.com

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll