No exclusion from the award procedure in case of a data processing offer submitted by a German US subsidiary
On February 13, 2023, the Procurement Chamber of the German Federal Cartel Office decided (case no.: VK 2 – 114/22) on the admissibility of a German US subsidiary’s data processing offer.
The respondent published a contract notice via its awarding office for the purpose of conducting an award procedure. The summoned interested party wanted to involve a US enterprises’ German subsidiary as processor in the award procedure. In this context, the summoned party and the processor had contractually assured to exclusively process the data in Germany.
Furthermore, the processor contractually undertook to not comply with the parent company’s instructions to disclose data. The applicant, however, criticized violations of data protection requirements by the respondent. The applicant believed there was a transfer of personal data to the US which was not in compliance with data protection law.
The Procurement Chamber rejected a violation under public procurement law for reasons of data protection law, since there was no reason for exclusion with regard to the summoned party.
The data were processed exclusively in Germany; therefore, the existence of an adequacy decision for the US was irrelevant. The respondent could rely upon the summoned party’s performance promise since there was no reason to believe that the client would not keep its promise. Furthermore, data access by US authorities to data stored by a company in Germany was not enforceable since the US authorities had no state authority in Germany. The mere fact that the processor was part of a US parent company was not sufficient to assume an increased risk of access by the US authorities. Furthermore, the client could not be forced to release data to the US-domiciled parent company as such transfer was unlawful due to the lack of an adequacy decision.
Therefore, the parent company’s instructions were irrelevant for the summoned party. There was always a general remaining risk that a contractor does not fulfill its obligations. If, however, one were to draw the conclusion on the basis of the legal situation in the US that data protection assurances given are to be regarded as declarations not made, the processor would be held liable for a legal situation abroad. Although the US Cloud Act placed a particular burden on the client, this did not result in an invalidity of the data protection declarations and assurances. Ultimately, the general exclusion from competition constituted a severe and discriminating interference with the companies’ rights.
The decision is to be welcomed. It creates a certain degree of security for companies being part of a US parent company as processors. Insofar, the decision reflects a networked world’s existing reality.
Nevertheless, this does not change the general problems and requirements for data transfers, in particular to the US.