VK Baden-Württemberg - 1 VK 23/22: Difference between revisions
Revision as of 09:17, 10 August 2022
VK Baden-Württemberg - Az. 1 VK 23/22 | |
---|---|
Court: | VK Baden-Württemberg (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 44 GDPR; §57(1)(4) VgV |
Decided: | 13.07.2022 |
Published: | |
Parties: | |
National Case Number/Name: | Az. 1 VK 23/22 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | Rewis (in German) |
Initial Contributor: | n/a |
The Procurement Chamber Baden-Württemberg held that a company had to be excluded from a public procurement procedure because its offer violated the GDPR and compliance with data protection law was a requirement of the tender. The Chamber held that the offer contained an unlawful transfer of customer data to a third country (the company's parent company located in the US), as the data could be accessed by the parent company.
English Summary
Facts
The case concerns a decision by the Vergabekammer Baden-Württemberg ("Procurement Chamber Baden-Wuerttemberg"), the administrative authority that reviews public procurement procedures.
A public authority issued a Europe-wide invitation to tender for the procurement of software for digital management via an open procedure. The criteria contained, among other things, requirements for data protection and IT security. The public authority received offers from company A and company B.
Company A is a subsidiary of an undertaking located in the US; however, its servers are located in the EU. Company A included clauses in its offer stating that it would not disclose customer data to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body.
After reviewing the offers, the public authority issued a decision awarding the contract to Company A, as its evaluation found Company A's price to be the most economical. Company B challenged this decision. It argued that Company A had made illegal changes to the tender documents and should therefore have been excluded from the procedure pursuant to §57(1)(4) VgV.
Holding
The Procurement Chamber noted that a procurement is illegal if the company deviates from its initial offer (§57(1)(4) VgV). This can happen either formally (by changing the wording) or by making material changes (deviating from the procurement's specifications), resulting in an offer for a different service than the one tendered out.
In this regard, the Chamber pointed out that compatibility with relevant data protection law (in the present case: the GDPR) was a requirement of the tender. Therefore, Company A's procurement would be illegal - as Company B argued - if it was incompatible with the GDPR.
The Chamber found that, contrary to what Company A stated in its offer, it did disclose customer data to a third party, more specifically, one in a third country (its parent company in the US). Therefore, a transfer pursuant to Article 44 GDPR would take place. The Chamber explained that a transfer in this context must also be assumed when data can be accessed from a third country, regardless of whether this actually takes place. The fact that the server providing such access was physically located in the EU was irrelevant.
The Chamber concluded that for transfers to third countries, a valid transfer mechanism must be present. However, there was no adequacy decision and no exemption under Article 49 GDPR, and furthermore the SCCs did not suffice. For the latter, the data importer's contractual duty to "contest state surveillance requests that go too far" and the encryption used did not remove the risk of state surveillance (so no supplementary measures). The Procurement Chamber thus held that there was no valid transfer mechanism present pursuant to Article 44 GDPR.
Therefore, the Chamber held that Company A illegally changed the procurement within the meaning of §57(1)(4) VgV by violating Article 44 GDPR. Consequently, Company A had to be excluded from the procedure.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Since a bidder naturally has only limited insight into the course of the award procedure, he may claim in the award review procedure what he can honestly consider to be likely or possible on the basis of his - often only limited - level of information, for example when it comes to award violations that exclusively play in the sphere of the awarding authority or concern the offer of a competitor (OLG Karlsruhe, decision of May 21, 2021, 15 Verg 4/21, juris, para. 28; OLG Düsseldorf, decision of April 13, 2011, VII-Verg 58/10, juris, para. 53; OLG Frankfurt, decision of July 9th, 2010, 11 Verg 5/10, juris, para. 51; OLG Dresden, decision of June 6, 2002, WVerg 4/02, juris, para. 18 f.). However, if the violation of public procurement law is not completely beyond his ability to inspect, the applicant must at least present actual connecting facts or indications that justify a reasonable suspicion of a specific violation of public procurement law (OLG Karlsruhe, decision of May 21, 2021, 15 Verg 4/21, juris, para. 28; Düsseldorf Higher Regional Court, decision of August 16, 2019, VII-Verg 56/18, juris; Munich Higher Regional Court, decision of June 11, 2007, Verg 6/07, juris, para. 31). A minimum of substantiation must be observed; pure assumptions about possible award violations are not sufficient (OLG Karlsruhe, decision of May 21, 2021, 15 Verg 4/21, juris, para. 28; OLG Brandenburg, decision of May 29, 2012, Verg W 5/12, juris, para. 4; Munich Higher Regional Court, decision of August 2, 2007, Verg 7/07, juris, para. 15 f.).