Auditors ✓ Lawyers ✓ Tax advisors ✓ and business consultants ✓ : Four perspectives. One solution. Worldwide. Learn …
Auditing and audit-related advice for companies ✓ Experienced auditors ✓ Excellent advice ✓ Tailor-made solutions » …
Our clients entrust us with their most important legal matters. Learn more about our legal services!
Tax laws are complex and dynamic. We face the challenge of tax law together with you - find out more.
Business consulting for companies ✓ Experienced consultants ✓ Excellent advice ✓ Tailor-made solutions » more
Immediate tax investment program – this is the program’s focus
Shared service centers in SMEs: structure for greater efficiency
Pillar 2: Mandatory registration in the UK and discussions in the EU Parliament
EU “Omnibus” Package: Less effort for sustainability reporting?
Baker Tilly starts the year 2025 with 23 new Directors
Challenges in corporate finance: Baker Tilly at Structured FINANCE 2024
Pay slips are purely information documents
Financing and funding: realignment in the coalition agreement
Labor and social law: What the new coalition agreement contains
Public procurement: Legally compliant procurement of cyber insurance
Countdown to September – The EU Data Act and its implications
Procurement law – legal framework for emergency procurements in the event of a cyberattack
Cross-industry expertise for individual solutions ✓ Our interdisciplinary teams combine expertise & market …
Baker Tilly advises biotech startup Real Collagen GmbH investment by US investor
Energy study: Uncertainty slows down investments by industry and utilities in Germany
After ECJ ruling: Financial investors still have no direct access to medical care centers
Risk management ✓ Compliance and controls ✓ Increase and ensure security & conformity ✓ more»
Baker Tilly offers a wide range of individual and innovative consulting services. Find out more!
On February 13, 2023, the Procurement Chamber of the German Federal Cartel Office decided (case no.: VK 2 – 114/22) on the admissibility of a German US subsidiary’s data processing offer.
The respondent published a contract notice via its awarding office for the purpose of conducting an award procedure. The summoned interested party wanted to involve a US enterprises’ German subsidiary as processor in the award procedure. In this context, the summoned party and the processor had contractually assured to exclusively process the data in Germany.
Furthermore, the processor contractually undertook to not comply with the parent company’s instructions to disclose data. The applicant, however, criticized violations of data protection requirements by the respondent. The applicant believed there was a transfer of personal data to the US which was not in compliance with data protection law.
The decision
The Procurement Chamber rejected a violation under public procurement law for reasons of data protection law, since there was no reason for exclusion with regard to the summoned party.
The data were processed exclusively in Germany; therefore, the existence of an adequacy decision for the US was irrelevant. The respondent could rely upon the summoned party’s performance promise since there was no reason to believe that the client would not keep its promise. Furthermore, data access by US authorities to data stored by a company in Germany was not enforceable since the US authorities had no state authority in Germany. The mere fact that the processor was part of a US parent company was not sufficient to assume an increased risk of access by the US authorities. Furthermore, the client could not be forced to release data to the US-domiciled parent company as such transfer was unlawful due to the lack of an adequacy decision.
Therefore, the parent company’s instructions were irrelevant for the summoned party. There was always a general remaining risk that a contractor does not fulfill its obligations. If, however, one were to draw the conclusion on the basis of the legal situation in the US that data protection assurances given are to be regarded as declarations not made, the processor would be held liable for a legal situation abroad. Although the US Cloud Act placed a particular burden on the client, this did not result in an invalidity of the data protection declarations and assurances. Ultimately, the general exclusion from competition constituted a severe and discriminating interference with the companies’ rights.
Practical advice
The decision is to be welcomed. It creates a certain degree of security for companies being part of a US parent company as processors. Insofar, the decision reflects a networked world’s existing reality.
Nevertheless, this does not change the general problems and requirements for data transfers, in particular to the US.
View all news