VK Baden-Württemberg - 1 VK 23/22

From GDPRhub
Revision as of 10:03, 10 August 2022 by ManTechnologist (talk | contribs) (+ Parties, docket, appeal)
VK Baden-Württemberg - 1 VK 23/22
Courts logo1.png
Court: VK Baden-Württemberg (Germany)
Jurisdiction: Germany
Relevant Law: Article 44 GDPR
§ 57(1)(4) VgV
Decided: 13.07.2022
Published:
Parties: Pflegeplatzmanager GmbH[1]
N. N.
National Case Number/Name: 1 VK 23/22
European Case Law Identifier:
Appeal from:
Appeal to: Appealed[2]
OLG Karlsruhe (Germany)
Original Language(s): German
Original Source: Rewis (in German)
Initial Contributor: n/a

The Procurement Chamber Baden-Württemberg held that a company had to be excluded from a public procurement procedure, as its offer violates the GDPR, because compliance with data protection law was a requirement of the tender. The Chamber held that the offer containted an unlawful transfer of customer data to a third country (their parent company located in the US), as it could be acced by the parent company.

English Summary

Facts

The case concerns a decision by the Vergabekammer Baden-Württemberg ("Procurement chamber Baden-Wuerttemberg"), the administrative authority that reviews the public procurement procedures.

A public authority issued a Europe-wide invitation to tender for the procurement of software for digital management via an open procedure. The criteria contained, among other things, requirements for data protection and IT security. The public authority received offers from company A and company B.

Company A is a subsidiary of an undertaking located in the US, however its servers are located in the EU. Company A included clauses in its offer stating that it would not disclose customer data to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body.

After reviewing the offers, the public authority issued a decision where it awarded the contract to Company A, as their evaluation of the price was the most economical. Company B challenged this decision. It argued that company A had made illegal changes to the tender documents, and should have therefore been excluded from the procedure pursuant to §57(1)(4) VgV.

Holding

The Procurement Chamber noted that a procurement is illegal if the company deviates from its initial offer (§57(1)(4) VgV). This can be either formally (changing the wording), but also by making material changes (deviating from the procurement's specifications), resulting in an offer for a different service than the one tendered out.

In this regard, the Chamber pointed out that compatibility with relevant data protection law (in the present case: the GDPR) was a requirement of the tender. Therefore, Company A's procurement would be illegal - as Company B argued - if it was incompatible with the GDPR.

The Chamber found that, contrary to what Company A stated in their offer, did disclose customer data to a third party, more specifically, one in a third county (its parent company in the US). Therefore, a transfer pursuant to Article 44 GDPR would take place. The Chamber explained that a transfer in this context must also be assumed when data can be accessed from a third country, regardless of whether this actually takes place. The fact that the physical location of the server was located in the EU that provided such access was irrelevant.

The Chamber followed that for transfers to third countries, a valid transfer mechanism must be present. However there was no adequacy decision, no exemption under Article 49 GDPR and furthermore the SCCs did not suffice. For the latter, the data importer's contractual duty to "contest state surveillance requests that go to far" and the used encryption did not remove the risk of state surveillance (so no supplementary measures). The Procurement Chamber thus held that there was no valid transfer mechanism present pursuant to Article 44 GDPR.

Therefore, the Chamber held that company A illegaly changed the procurement within the meaning of §57(1)(4) VgV by violating Article 44 GDPR. Consequently, Company A had to be excluded from the procedure.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Decision of the Public Procurement Tribunal

1. The 1st and 2nd defendants are obliged to return the award procedure to the status prior to the evaluation of the bids if the intention to procure continues and to repeat the evaluation of the bids in compliance with the legal opinion of the Public Procurement Tribunal.

2. The 1st and 2nd defendants as well as the respondent shall each bear one third of the costs of the proceedings as joint and several debtors as well as the expenses of the applicant necessary for the appropriate prosecution.

3. It is declared necessary for the applicant to call in a representative for the proceedings.

4. The costs of the proceedings incurred by the Public Procurement Tribunal are set at € 2,850.00.

Reasons

I.

1. By contract notice dated 03.11.2021, the respondents issued a Europe-wide invitation to tender for the procurement of software for digital [...] management in an open procedure. The applicant and the Invitee, among others, each submitted a bid in response to the original tender documents. The Invitee defended itself against the decision of the respondents to award the contract to the applicant's bid by raising a complaint. By e-mails dated 12.01.2022, the respondents informed the bidders that the award procedure had been reset to the status prior to the dispatch of the award documents and at the same time announced the provision of adjusted award documents. In a message dated 23.02.2022 via the award platform, the respondents informed the bidders that access to the new tender documents had now been activated and that the tender would be conducted in the form of an open procedure.

2. In the document "Procurement Documents", the respondents specified the award criteria and their weighting in section 2.13. The award criteria were set out in the document "Procurement Documents":

	"(...)

	a) Total price (net) 65%.

		- Price for licences and software maintenance (net) 

		- Price for services (net)

		- Price for debts (net)

	b) Quality of services offered 35%

		- Software design

		- SLA

		- Data protection and IT security requirements

	(...)"


3. In the specifications, the respondents specified the following "IT security and data protection requirements", among others, in section 2.8:

	"(...)

	- Compliance with the requirements of the DS-GVO and the BDSG (...)

	- Data is processed exclusively in an EU-EEA data centre where no sub-service providers/group companies are located in third countries.

	(...)"


4. In the price sheet, the respondents requested information on the cost calculation. The bidders were to indicate the net prices for the "one-off costs for the implementation of the digital [...] management software", the "running costs over 5 years", the "total costs for the interface to the digital fileing system (...)" and the "requirement items". For the one-off costs for the implementation, there is the addition: '(the costs do not flow into the evaluation)'.

5 Both the Applicant and the Invitee each re-submitted a bid.

6. In its offer, the Invitee specified X., established in [country in EU]. [...] (hereinafter: X.) as a subcontractor for the provision of the server and hosting service. X. is a subsidiary of the US-based X. Inc.; the physical location of its servers is in Germany. In connection with the engagement of X., the Invitee enters into the "X. GDPR DATA PROCESSING ADDENDUM" and the "SUPPLEMENTARY ADDENDUM TO X. GDPR DATA PROCESSING ADDENDUM".

7. In the "X. GDPR DATA PROCESSING ADDENDUM" the following clauses, among others, can be found:

	"(...)

	3. Confidentiality of Customer Data. X. will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order).

	( ...)

	12. Transfer of Personal Data.

	12.1 Regions. Customer can specify the location(s) where Customer Data will be processed within the X. Network (each a "Region'), including Regions in the EEX. Once Customer has made its choice, X. will not transfer Customer Data from Customer's selected Region(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body.

	(...)"


8. In the "SUPPLEMENTARY ADDENDUM TO X. GDPR DATA PROCESSING ADDENDUM", section 1.2. contains the following clause, among others:

	"If compelled to disclose Customer Data to Requesting Party, X. will:

	(...)

	(b) challenge any overboard.or inappropriate Requet (including where such Request conflicts with the law of the European Union or applicable Member State law)."

9. By letter dated 04.05.2022, the respondents informed the applicant that they intended to award the contract to the respondent's bid: The respondents gave the following reasons:

	"In the economic evaluation according to the evaluation criteria of the tender documents, your bid was not the most economical in the evaluation of the price.

	In the overall evaluation of price and performance, your bid was ranked second."

10. By letter of 04.05.2022, the applicant objected to the decision of the respondents. The applicant complained that the invitee was to be excluded from the tender evaluation because it had made changes to the tender documents. With its bid, it had violated mandatory legal requirements of the GDPR, which were part of the tender documents. In addition, the invitee processed personal data on servers to which third countries had access, which did not comply with the requirements of the tender documents.

11. [...]

12. Furthermore, the invitee was to be excluded because it had submitted an inadmissible below-cost bid. A proper price check by the respondents had not taken place. Finally, the price evaluation was discriminatory and non-transparent because the one-off costs for the implementation of the software were not taken into account.

13. Thereupon, the respondents rejected the complaints by letter dated 09.05.2020.

14. By lawyer's letter of 12.05.2022, the applicant noted that the respondents had not addressed its objections in their rejection and stated that it therefore maintained its objections. In addition, it complained that the reasoning of the preliminary information letter had been insufficient, that the tender evaluation had been erroneous and that the documentation of the award procedure had been insufficient.

In its application dated 13 May 2022, the applicant submits that the application for review is admissible and well-founded. With regard to admissibility, the applicant argues that it is entitled to file an application because it expressed its interest in the contract by submitting a bid and its bid would have been awarded the contract if the bids had been correctly examined and evaluated. With regard to the merits of the application for review, the applicant argues that the invitee should be excluded from the award procedure because the invitee's bid violates central legal provisions on data protection due to the use of X. and as a subcontractor and therefore does not comply with the requirements of the award documents. Specifically, the applicant is of the opinion that the bid of the invitee does not comply with the data protection requirements of the award documents because, contrary to the requirements defined in section 2.8 of the specifications, the invitee uses X., a data centre operator whose group company is located in third countries. The use of X. also did not meet the requirements of the tender documents, as it violated Article 44 et seq. of the Data Protection Regulation (GDPR). DS-GVO and thus the requirements of the DS-GVO are not fulfilled, contrary to the requirements of the tender documents. This is because there is already an inadmissible transfer of personal data to the USA and thus to a third country. Irrespective of the geographical storage of the data, personal data is accessible or retrievable from a third country. Due to the access rights granted on the basis of the "US surveillance law", there was at least a latent risk that a transfer of personal data to the USA would take place that was not permitted under the GDPR. This already falls under the concept of transfer in Art. 44 et seq. GDPR. Furthermore, a transfer within the meaning of Art. 44 et seq. DSGVO because the contractual conditions of X. were a direct basis for an active transfer of data to the USA. In particular, the transfer of personal data to the third country USA, which is inadmissible in principle, is not legitimised by an adequacy decision, an appropriate guarantee or by the existence of any other exceptional circumstance. Furthermore, the applicant submits that it assumes that the invitee has provided the information specified as a subcontractor and has thus provided incorrect information in the tender. The applicant submits that the tender submitted by the invitee is an unlawful underbid. It assumes that a proper price clarification with regard to the bid of the Invitee was not carried out or at least not carried out properly. The applicant believes that the non-inclusion of the one-off costs for the software implementation is inadmissible under public procurement law. Furthermore, the applicant submits that the preliminary information letter of 04.05.2022 sent by the respondents to the applicant was insufficient, in particular due to the lack of explanations on the award criterion quality of the services offered and due to the lack of information on the respective scores achieved. Against this background, the applicant also argues that the tender evaluation was carried out incorrectly. Finally, the applicant submits that the award procedure was insufficiently documented.

15. In its application dated 13 May 2022, the applicant submits that the application for review is admissible and well-founded. With regard to admissibility, the applicant argues that it is entitled to file an application because it expressed its interest in the contract by submitting a bid and its bid would have been awarded the contract if the bids had been correctly examined and evaluated. With regard to the merits of the application for review, the applicant argues that the invitee should be excluded from the award procedure because the invitee's bid violates key legal provisions on data protection due to the use of X and as a subcontractor and therefore does not comply with the requirements of the award documents. Specifically, the applicant is of the opinion that the bid of the invitee does not comply with the data protection requirements of the award documents because, contrary to the requirements defined in section 2.8 of the specifications, the invitee uses X, a data centre operator whose group company is located in third countries. The use of X does not meet the requirements of the tender documents, depending on this, because it violates Art. 44 et seq. DS-GVO and thus the requirements of the DS-GVO are not fulfilled, contrary to the requirements of the tender documents. This is because there is already an inadmissible transfer of personal data to the USA and thus to a third country. Irrespective of the geographical storage of the data, personal data is accessible or retrievable from a third country. Due to the access rights granted on the basis of the "US surveillance law", there was at least a latent risk that a transfer of personal data to the USA would take place that was not permitted under the GDPR. This already falls under the concept of transfer in Art. 44 et seq. GDPR. Furthermore, a transfer within the meaning of Art. 44 et seq. DSGVO because the contractual terms of X were a direct basis for an active transfer of data to the USA. In particular, the transfer of personal data to the third country USA, which is inadmissible in principle, is not legitimised by an adequacy decision, an appropriate guarantee or by the existence of any other exceptional circumstance. Furthermore, the applicant submits that it assumes that the invitee has provided the information specified as a subcontractor and has thus provided incorrect information in the tender. The applicant submits that the tender submitted by the invitee is an unlawful underbid. It assumes that a proper price clarification with regard to the bid of the Invitee was not carried out or at least not carried out properly. The applicant believes that the non-inclusion of the one-off costs for the software implementation is inadmissible under public procurement law. Furthermore, the applicant submits that the preliminary information letter of 04.05.2022 sent by the respondents to the applicant was insufficient, in particular due to the lack of explanations on the award criterion quality of the services offered and due to the lack of information on the respective scores achieved. Against this background, the applicant also argues that the tender evaluation was carried out incorrectly. Finally, the applicant submits that the award procedure was insufficiently documented.

16 In addition to its application for review, the applicant states in its submission of 17 June 2022 that its legal opinion that the invitee must be excluded from the award procedure is supported by the exclusion in another award procedure [...]. The invitee had taken action against this exclusion in the context of a review procedure. Due to lack of prospects of success, the invitee withdrew its application for review. The exclusion of the invitee from the award procedure there due to violations of data protection law was therefore final. Its submission was not made in the dark, because due to the design of the software of the invitee it had to be "necessarily assumed" that the same errors were also contained in the present bid of the invitee. [...] With regard to the disputed concept of transmission, the applicant submits that the mere possibility of access already constitutes data processing, and thus a transmission within the meaning of Art. 44 et seq. GDPR. With regard to its complaint of an incorrect evaluation of the bids, the applicant submits that it is apparent from the inspection of the files granted that the bids were not evaluated on the basis of the criterion of quality and its sub-criteria.

17.17 In written submissions dated 05.07.2022 and 11.07.2022, which have not been omitted, the applicant made an additional legal submission on the term "transmission". A distinction had to be made between the term "transmission" within the meaning of Article 4 no. 2 of the GDPR and the term "transfer" within the meaning of Article 44 et seq. of the GDPR. GDPR had to be differentiated. Due to the different regulatory purposes, the term "transmission" cannot be interpreted uniformly. The term "transfer" in the context of Article 44 et seq. of the GDPR must be interpreted broadly in order to ensure the most effective protection against circumvention. Therefore, an - albeit hypothetical - possibility to access personal data from a third country already constitutes a transfer within the meaning of Art. 44 et seq. GDPR.

18. By application for review dated 13.05.2022, the applicant has requested:

	1. It is established that the applicant's rights have been violated.

	2. The respondents are obliged to award the contract only after repeating the examination and evaluation of the bids and after issuing a complete letter of preliminary information pursuant to Section 134 (1) GWB, taking into account the legal opinion of the Procurement Chamber and the bid of the applicant.

	3. In the alternative: The respondents are obliged to take other appropriate measures to prevent infringements of the applicant's rights.

	4. The applicant is to be granted access to the contract award file.

	5. The involvement of the applicant's counsel is declared necessary pursuant to Section 182 (4) GWB.

	6. The respondents are ordered to pay the costs of the proceedings, including the costs of the applicant's appropriate legal action.

19. In their response of 20.05.2022, the respondents requested that the application for review be dismissed:

	1. The application for review is dismissed.

	2. Access to the contract award file is prohibited.

	3. The procurement chamber declares it necessary to call in the representatives of the respondents.

	4. The applicant shall bear the costs of the proceedings and the expenses necessarily incurred by the respondents.

20. In their response of 20.05.2022, the respondents argue that the application for review should be rejected in its entirety. With regard to admissibility, the respondents argue that the allegation of an inadmissible price evaluation as well as the allegation of an incorrect tender evaluation is precluded and thus inadmissible. With regard to the merits, the respondents submit that the invitee cannot be excluded. A violation of central provisions on data protection by the invitee through its bid due to the use of X was not to be assumed. The services provided by X are exclusively provided in Germany, there is no data processing in a third country. Rather, the bid of the invitee complied with the requirements of the tender documents and, in particular, with the data protection requirements of the GDPR. With regard to the applicant's allegation that the invitee had provided incorrect information on the subcontractors used, the respondents submit that this is a complaint in the dark. The respondents counter the allegation of inadequate price information by stating that they had fully complied with their obligation to provide information as contracting authorities and that this had also been adequately documented. With regard to the allegation of an insufficient advance information letter, the respondents submit that the applicant was informed of the reasons for the intended non-inclusion. The applicant was informed that its tender was not the most economical in the category of price and that it came second in the overall evaluation of price and performance. This sufficiently constituted a practicable justification.

21. In their statement of 27 June 2022, the respondents additionally submit that the applicant's allegation that the invitee had made incorrect statements regarding the use of [...] and had not indicated that it was using them as subcontractors should be rejected. The information was not incorrect and the accusation could not justify exclusion. The provision of services by [...] or the possible provision of services by [...] was not part of the scope of procurement requested in the award procedure. Therefore, there were no specifications in this regard in the tender documents, and the information provided could not justify a deviation anyway.

22. In its written submission of 25.05.2022, the Invitee requested:

	1. to reject the application for review 

	2. to grant the Invitee access to the contract award file pursuant to Section 165 (1) of the GWB, 

	3. order the applicant to pay the costs of the review proceedings, including the expenses incurred by the invitee for the purpose of pursuing the legal action,

	4. declare it necessary for the invitee to call in a representative for the proceedings.

23. In its submission of 25 May 2022, the invitee argues that the application for review is already partially inadmissible and unfounded with regard to all alleged infringements of public procurement law. It agrees with the respondents with regard to the partial inadmissibility of the application for review and additionally states that there is already a lack of standing with regard to the contested letter of preliminary information and the contested documentation. It is not apparent how this would affect the applicant's chances of being awarded the contract. With regard to the merits of the application for review, the invitee submits that both the involvement of X in the provision of services and, with regard to the cooperation with [...], it is fully ensured that the invitee complies with all conditions of execution on data protection. By using the services of X, there was already no transfer of data to a third country, so there was no breach of Art. 44 et seq. DS-GVO had been committed. The applicant fails to recognise that a transfer always presupposes and constitutes data processing. A theoretical possibility of access does not constitute processing; in particular, a purely hypothetical latent risk of transmission is not sufficient. In the absence of processing of personal data, there was no transmission here. Irrespective of this, a transfer of personal data to a third country was permissible due to the use of standard contractual clauses. X concluded standard contractual clauses with its customers via the X GDPR DATA PROCESSING ADDENDUM. The SUPPLEMENTARY ADDENDUM TO X GDPR DATA PROCESSING ADDENDUM, which contains supplementary provisions, implements the "further measures" required by the ECJ. The accusation of data processing that is inadmissible under data protection law through the use of [...] is a reproach in the dark. The same applies to the allegation of missing information on subcontractors.

24. In its submission of 27 June 2002, the invitee additionally argues that the invitee's bid should not be excluded because the form of service provision offered by the invitee violates the requirement contained in section 21 of the specifications, which is also contained in section 2.8 of the specifications. This requirement was not a mandatory requirement of the defendants. The addition "B" indicates that the criterion is exclusively an evaluation criterion.

25. In written submissions of 1 July 2022, 6 July 2022 and 12 July 2022, which were not omitted, the invitee made additional legal submissions on the concept of transmission. This did not already include a theoretical legal authorisation of state authorities in a third country. The storage of data on the servers of a European company located in Europe could not constitute disclosure or making available to a recipient in a third country, as the necessary direct reference to a third country was lacking. The mere theoretical possibility of making use of powers of intervention, if necessary, does not fulfil any of the facts mentioned in Art. 4 No. 2 of the GDPR.

26. By decision of 18 May 2022, the [...] was invited to the proceedings. On 13 June 2022, the Public Procurement Tribunal granted the applicant and the invitee access to the award files as requested - limited to the subject matter of the proceedings - insofar as no confidential parts of the files were concerned. In the oral proceedings on 29 June 2022, the parties had the opportunity to present their positions and to discuss them comprehensively with the Procurement Chamber. The five-week period pursuant to Section 167 (1) sentence 1 GWB was extended until 15 July 2022 by order of the chairperson. For further details, reference is made to the submitted pleadings including annexes and the documentation of the respondents, which was available to the Procurement Chamber.

II.

27. The application for review is admissible with regard to the complaint that the use of X violates Art. 44 et seq. GDPR, which is why the invitee's bid should be excluded, is admissible and well-founded.

28. 1. The application for review is admissible in part.

29. a. The review procedure for the award of public contracts is admissible. Pursuant to Sections 155, 156 (2) GWB, the award of public contracts is subject to review by the public procurement tribunals. The respondents are contracting authorities pursuant to §§ 98, 99 no. 2 a) GWB.

30. b. The threshold value pursuant to Sections 196 (1), 2 No. 1 GWB has been reached. The local and subject-matter jurisdiction of the Public Procurement Chamber Baden-Württemberg results from Section 159 (3) GWB, Section 1 VNPVO.

31. c. The applicant has partially fulfilled its obligation to complain pursuant to Section 160 (3) sentence 1 GWB.

32. aa. The complaint regarding the non-inclusion of the costs for the implementation of the software in the price evaluation is precluded pursuant to Section 160 (3) sentence 1 no. 3 GWB. The applicant should have raised the. The applicant should have raised the complaint with the respondents by the expiry of the deadline for submission of bids on 25.03.2022. Pursuant to Section 160 (3) sentence 1 no. 3 GWB, the application for review is inadmissible if the contracting authority is not notified of recognisable breaches of procurement law on the basis of the award documents at the latest by the expiry of the deadline for submitting applications or bids. A breach of procurement law is recognisable if the underlying facts are apparent from the tender documents and could have been recognised as a breach of procurement law by a bidder with average competence and exercising the usual diligence when reviewing and processing the tender documents. The recognisability refers both to the factual circumstances justifying the infringement of procurement law and to the infringement of procurement law as such. The bidder with average knowledge and exercising the usual diligence must be able to recognise the breach of procurement law without special legal advice (OLG Karlsruhe, decision of 15.01.2022, 15 Verg 12/20, not published). In this context, it can be expected that the bidder knows the relevant procurement rules, carefully reads the tender documents and investigates inconsistencies and contradictions (OLG Karlsruhe, decision of 05.05.2021, 15 Verg 4/21, not published). Merely a comprehensive knowledge of the procurement rules on which the procedure is based, in particular of the literature or procurement law case law on the legal provisions, is not to be expected from the participants in a procurement procedure (OLG Karlsruhe, order of 15.01.2022, 15 Verg 12/20, not published; OLG Düsseldorf, order of 01.06.2016, Verg 6/16, juris, marginal no. 36).

33. Insofar as the applicant complains that the information on price evaluation in the tender documents (as of 23 February 2022), p. 12 f., 19, and in the price sheet (as of 23 February 2022) is contradictory and that a failure to take into account the one-off implementation costs is inadmissible under procurement law, the alleged breach of procurement law was directly apparent from the tender documents. An average bidder wants and must be able to recognise which criteria are used to determine the most economical bid. Any inconsistencies and contradictions in the information on the evaluation of the award criterion price are already apparent to an average bidder by reading the tender documents. It follows directly from the tender documents (p. 19) and the "price sheet" that the one-off costs for the implementation of the software are not included in the evaluation and which individual prices or price components are relevant to the evaluation. The fact that the applicant had dealt with the evaluation matrix in detail during the bidding phase is shown by its bidder question of 03.03.2022, which contains two questions on individual price components relevant to evaluation. Nevertheless, the applicant did not raise the complaint regarding the non-inclusion of the costs for the implementation of the software in the price evaluation until its letter of 09.05.2022, i.e. after the expiry of the bid deadline on 25.03.2022.

34. bb. The claim that the tender evaluation was carried out incorrectly was raised by the applicant out of hand.

35. The applicant's arguments do not meet the requirements for a proper complaint within the meaning of Section 160 (3) sentence 1 GWB.

36. Since a bidder naturally has only limited insight into the course of the award procedure, it may assert in the award review procedure what it may reasonably believe to be probable or possible on the basis of its - often only limited - level of information, for example when it is a matter of breaches of the award procedure that take place exclusively_ in the sphere of the awarding authority or concern the bid of a competitor (OLG Karlsruhe, order of. 21.05.2021, 15 Verg 4/21, juris, marginal no. 28; OLG Düsseldorf, decision of 13.04.2011, VII-Verg 58/10, juris, marginal no. 53; OLG Frankfurt, decision of 09.07.2010, 11 Verg 5/10, juris, marginal no. 51; OLG Dresden, decision of 6 June 2002, WVerg 4/02, juris, marginal no. 18 f.). However, if the violation of public procurement law does not completely elude the applicant's possibility of insight, the applicant must at least present factual connecting factors or indications that give rise to a sufficient suspicion of a specific violation of public procurement law (OLG Karlsruhe, order of. 21"05.2021, 15 Verg 4/21, juris, marginal no. 28; OLG Düsseldorf, order of 16.08.2019, VII-Verg 56/18, juris; OLG Munich, order of 11.06.2007, Verg 6/07, juris, marginal no. 31 ). A minimum level of substantiation must be complied with; mere suppositions regarding possible breaches of contract are not sufficient (OLG Karlsruhe, decision of 21 May 2021, 15 Verg 4/21, juris, marginal no. 28; OLG Brandenburg, decision of 29 May 2012, Verg W 5/12, juris, marginal no. 4; OLG Munich, decision of 2 August 2007, Verg 7/07, juris, marginal no. 15 f.).

37. The applicant's allegation is that the applicant should have received the highest score in all award criteria. The respondents had focused solely on price. It is clear from the preliminary information letter that the other award criterion, quality, and its sub-criteria were not included in the evaluation. It had to be assumed that the tender evaluation had been carried out incorrectly and that there had thus been a violation of § 58 VgV.

38. In the preliminary information letter of 04.05.2022, the respondents justify the non-inclusion of the applicant's bid with the fact that it was "not the most economical" bid in the evaluation of the price. The fact that the respondents did not base their decision solely on the award criterion is evident from the fact that the evaluation was carried out by means of a "profitability assessment in accordance with the evaluation criteria of the tender documents" and that the applicant's bid was ranked second "in the overall evaluation of price and performance". Consequently, the allegation that the evaluation was only carried out on the basis of the award criterion price is not substantiated. It is pure conjecture.

39. In any case, this complaint would be unfounded, because there is no violation of § 58 VgV. The respondents took the total net price into account with 65% and the quality of the services offered with 35% in their bid evaluation. Contrary to the applicant's assumption, the verifying test was not taken into account as an award criterion. Instead, it served the purpose of proving the fulfilment of the award criterion "quality" (cf. Burgi, Vergaberecht, 3rd ed. 2021, § 17, marginal no. 4a). In the course of the overall evaluation, the respondents came to the conclusion that the invitee was ranked first and thus submitted the most economical bid.

40. [...]

41. ee. In all other respects, the applicant has properly fulfilled its obligation to complain.

42. d. The applicant is only entitled to file a complaint pursuant to Section 160 (2) GWB with regard to the complaints concerning the use of X and the complaint of insufficient price clarification.

43. Pursuant to Section 160 (2) GWB, any enterprise having an interest in the public contract and claiming a violation of its rights under Section 97 (6) GWB due to non-compliance with procurement rules is entitled to file an application. It must be shown that the company has suffered or is in danger of suffering damage as a result of the alleged violation of the public procurement rules.

44. aa. The applicant's complaint that it was insufficiently informed about the reasons why its bid was not to be considered is inadmissible. This is because the applicant could not have suffered any damage as a result of a possible breach of the defendants' duty under Section 134 (1) GWB to inform the applicant of the reasons why its bid was not to be considered (cf. OLG -Karlsruhe, order of 6 June 2019, 15 Verg 8/19, juris, para. 31). Pursuant to Section 135 (1) no. 1, (2) GWB, the consequence of a breach of the duty to inform is the nullity of the contract concluded by the contracting authority with the contractor who submitted the most economically advantageous tender after the evaluation carried out. However, the respondents have not yet concluded a contract with the invitee, because the applicant partially complained about alleged violations of public procurement law in due time and, after the complaint was rejected, initiated the review proceedings (cf. OLG Karlsruhe, loc. cit.). Thus, the purpose of Section 134 (1) GWB to ensure effective primary legal protection (cf. Dreher/Hoffmann, in: Beck VergabeR, 4th ed. 2022, GWB Section 134, para. 12 f.) is fulfilled with the filing of the application for review by the applicant.

45. bb. Insofar as the applicant complains about violations of documentation obligations pursuant to Section 8 VgV, it lacks the right to file an application pursuant to Section 160 (2) GWB - with the exception of the complaint about the insufficient documentation of a price clarification - due to the lack of proof of damage. The applicant has not shown how any documentation deficiencies had a concrete negative impact on its legal position in the award procedure (see Müller, in: MüKoEuWettbR, 4th ed. 2022, VgV § 8, marginal no. 49). 

46. cc. With regard to the complaints concerning the use of X and the complaint of insufficient price information, the applicant is entitled to file an application. It has sufficiently demonstrated its interest in the contract by submitting a bid and its damage in the form of a worsening of its chances of being awarded the contract (cf. Horn/Hofmann, in: Beck VergabeR, 4th ed. 2022, GWB § 160 nos. 26, 33).

47. e. The applicant filed the application for review within the time limit pursuant to Section 160 (3) no. 4 GWB. It filed the application with the Procurement Chamber on 13 May 2022, i.e. within 15 calendar days after the respondents' notification on 10 May 2022 that they did not intend to remedy the complaint.

48. The application for review is well-founded. The applicant's rights have been infringed by the decision of the respondents to award the contract to the invitee, section 168(1) sentence 1 GWB. The invitee is to be excluded from the award procedure pursuant to section 57 (1) no. 4 VgV, as the invitee's bid violates Art. 44 et seq. GDPR and thus does not comply with the requirements of the tender documents.

49. a. It cannot be established that the decision of the respondents not to reject the award to the invitee's bid because of an unusually low price was erroneous. 

50. Pursuant to § 60 (3) sentence 1 VgV, the contracting authority may reject the award of a tender if it cannot satisfactorily clarify the low level of the price or costs offered after the examination pursuant to paragraphs 1 and 2. A claim of a bidder to the exclusion of a bid of a competitor that appears to be unusually low can only be considered in cases of discretionary reduction to zero (Steck, in: ZiekowNöllink, 4th ed. 2020, VgV § 60 marginal no. 30 f.).

51. The bids of the invitee and the applicant are so close to each other that the threshold of 20% is not exceeded (cf. Lausen, in: Beck VergabeR,3rd ed. 2019, VgV § 60 marginal no. 11 ). Nevertheless, the respondents carried out an examination of the invitee's bid pursuant to § 60 (2) VgV. By letter of 06.04.2022, they requested the invitee to disclose the cost calculation and to clarify the difference between the current bid price of 25.03.2022 and the (initial) bid of 01.12.2021, as well as to explain how it would ensure that the services would be performed in accordance with the contract without any subsequent price adjustment. Thereupon, the invitee commented in a letter dated 08.04.2022 and explained the appropriateness of its own pricing, in particular it commented on the securing of financing and the performance of the contractual services over the entire term of the contract. In addition, it justified the price difference between its current bid and the bid it had submitted before the award procedure was postponed. The explanations of the invitees satisfied the respondents. 

52. Based on the examination of the documents submitted and the explanations of the invitee with the result that the price, in the opinion of the respondents, does not prevent proper performance of the contract, it can remain open whether the invitee is able to cover its costs with the price offered or for what acceptable - reasons it may have offered its services at a price that does not cover its costs, which would not per se lead to an unreasonable price-performance ratio (cf. OLG Karlsruhe, order of 09.07.2021, 15 Verg 5/21, not published). For it is not evident that the discretion granted to the respondents pursuant to Section 60 (3) sentence 1 VgV was so limited that they would have had to exclude the invitee's bid (ibid.). The fact that the invitee's bid is allegedly inadequate is irrelevant. In principle, a bidder is free in its calculation; a contracting authority is not obliged to accept only adequate or cost-covering prices and to protect bidders from loss-making transactions (ibid.). The decisive factor must be whether the contracting authority has doubts about the proper performance of the service (ibid.) The applicant has also not specifically explained or been able to explain for which reasons of price calculation the invitee cannot be in a position to execute a contract with the respondents.

53. b. The invitee's bid is to be excluded from the award procedure pursuant to Section 57 (1) No. 4 VgV, as it violates Art. 44 et seq. GDPR and thus does not comply with the requirements of the tender documents. Pursuant to Section 57 (1) No. 4 VgV, tenders are excluded if changes or additions have been made to the tender documents. An amendment to the tender documents is deemed to have been made if the enterprise deviates from the specifications of the tender documents in terms of content and, as a result, offers an aliud, i.e. a service other than the one tendered for (Pauka/Krüger, in: MüKoEuWeitbR, 4th ed. 2022, VgV § 57, marginal no. 23). The term "amendment" does not require that the company formally changes the wording of the tender documents, e.g. by additions or deletions (ibid.).

54. The invitee has amended the tender documents within the meaning of Section 57 (1) No. 4 GWB in such a way that - contrary to what was required in the invitation to tender - it does not offer to provide services that are compatible with the applicable data protection law.

55. The use of X's services violates applicable data protection law, as it is considered unlawful data processing pursuant to Art. 44 et seq. GDPR, it qualifies as an illegal transfer of data to a third country.

56. According to Art. 44 S. 1 of the GDPR, any transfer of personal data which are already being processed or which are to be processed after their transfer to a third country or an international organisation is only permissible if one of the specific grounds for authorisation in Art. 44 et seq. DS-GVO exist (cf. Paal/Kumkar, MMR 2020, 733, 734 ). Accordingly, a data transfer to a third country and to foreign organisations is permissible in particular if the Commission has determined the adequate level of protection of the third country in a decision (so-called adequacy decision, cf. Art. 45 (1) of the GDPR), if the controller or processor has provided appropriate safeguards for the protection of personal data (Art. 46 (1) of the GDPR) or if an exceptional circumstance of Art. 49 of the GDPR exists (Paal/Kumkar, MMR 2020, 733, 734).

57. The use of X as a hosting service provider is a transfer within the meaning of Art. 44 et seq. DS-GVO.

58. The term "transfer" is not defined as such in the GDPR (Beck, in: BeckOK DatenschutzR, 40th ed. 01.11.2021, GDPR Art. 44, para. 14). It is mentioned in the examples of processing listed in Art. 4(2) GDPR. According to this, "processing" includes, among other things, "disclosure by transmission". However, the GDPR does not equate "disclosure by transmission" within the meaning of Art. 4(2) GDPR and "transmission" within the meaning of Art. 44 et seq. (Pauly, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, DS-GVO Art. 44, para. 3).

59. Data are not "transferred" to a processor who is a "recipient" within the meaning of Art. 4 No. 9 GDPR, but not a third party within the meaning of Art. 4 No. 10 GDPR; instead, they are "disclosed" to him (Pauly, in: Paal/Pauly, GDPR, op. cit.). Since Art. 44 et seq. GDPR speak exclusively of a "transfer" and not of a "transfer to a third party", Art. 44 et seq. GDPR also apply to the disclosure of personal data to a processor in a third country (Pau/y, in: Paal/Pauly, DS-GVO, op. cit.).

60. The term "transfer" is to be understood in the light of the broad wording of Art. 44 S. 1 of the GDPR and the requirements set out in Art. 44 S. 2 of the GDPR with regard to the application of the regulation and thus to be understood comprehensively: A transfer is any disclosure of personal data to a recipient in a third country or an international organisation, whereby neither the type of disclosure nor the disclosure to a third party is relevant (Pauly, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, DS-GVO Art. 44, marginal no. 4; Wissenschaftlicher Dienst des Deutschen Bundestags, DSGVO und Nutzung US-amerikanischer CloudDienste, WO 3- 3000 - 102/21, p. 8 f.).

61. A disclosure that can be taken into account in this context is also to be assumed if personal data is posted on a platform that can be accessed from a third country, regardless of whether the access actually takes place (Pau/y, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, DS-GVO Art. 44, marginal no. 5; Schröder, in: Kühling/Buchner, DS-GVO BDSG, 3rd ed. 2020, DS-GVO Art. 44, marginal no. 16). It is irrelevant whether the server through which the data is made accessible is located within the EU (ibid.; similarly, VG Wiesbaden, decision of 01.12.2021 - 6 L 738/21.WI, BeckRS 2021, 37288, marginal no. 40, which in the case it decided simply referred to the location of the company's headquarters in the USA). Such an understanding is argued for by Art. 44 p. 2 GDPR: A possibility of access - for example by granting access rights - constitutes a latent risk that an unauthorised transfer of personal data may take place without the legal basis for this as standardised in the GDPR (Beck, in: BeckOK DatenschutzR, 40th ed. 01.11.2021, GDPR Art. 44, para. 15).

62. Measured against these standards, the invitee's intended use of X., a European company whose parent company is X Inc. based in the USA, leads to an impermissible transfer of data to a third country.

63. The invitee's commissioning of X is based, inter alia, on the "X. GDPR DATA PROCESSING ADDENDUM". Clause 3 of this agreement contains a clause dealing with the confidentiality of customer data. Under this clause, Customer Data may not be accessed, used or disclosed by X to any third party except as necessary to maintain or provide the Services or to comply with any law or valid and enforceable governmental order. Under clause 12.1 there is a clause dealing with the transfer of personal data and according to which customer data will not be transferred out of the chosen region unless this is necessary to provide the service or to comply with a lawful or legally enforceable order of a governmental authority. That the contract "X. GDPR DATA PROCESSING ADDENDUM" supplementing the "SUPPLEMENTARY ADDENDUM TO X GDPR DATA PROCESSING ADDENDUM" contains in clause 1.2.a. a clause according to which X undertakes to challenge any overly broad or unreasonable request by a governmental authority, including such requests that are in conflict with EU law or the applicable law of the member states.

64. Paragraphs 3 and 12.1 of the "X. GDPR DATA PROCESSING ADDENDUM" are designed in the form of general clauses and open up the possibility for both governmental and private bodies outside the EU, and in particular in the USA, to access data stored by X in certain situations within the framework of the contractual or legal authorisations applicable in the specific case. The data protection provided by the implementation of these clauses in the "X. GDPR DATA PROCESSING ADDENDUM" is sufficient, according to the applicable data protection principles, to affirm a transfer that is impermissible under data protection law. In this respect, it does not matter whether and how obvious the occurrence of the circumstances laid down in the two clauses, which are necessary for access in the individual case, is. After all, the latent risk can materialise at any time. By entering into the agreement with X, the invitee is at least partially relinquishing its ability to influence the data entrusted to it.

65. It is irrelevant here where X's servers are physically located. The clause in clause 1.2.a. of the "SUPPLEMENTARY ADDENDUM TO X GDPR DATA PROCESSING ADDENDUM" also does not render the agreement - and in particular the provisions in clauses 3 and 12.1 of the "X. GDPR DATA PROCESSING ADDENDUM" do not cease to apply. The assumption of an obligation by X. to challenge excessively broad or unreasonable requests by state authorities, including such requests that are in conflict with EU law or the applicable law of the member states, does not eliminate the latent risk of access by these same authorities. The same applies to the encryption technology used by the invitee, whereby the statements made by the invitee and respondents on the concrete design of the encryption technology must in any case be disregarded in the review proceedings. This is because pleadings submitted by parties to the review proceedings on the condition that they are not to be disclosed in whole or in part to the other parties (so-called "blackened" documents) do not become part of the files of the Public Procurement Tribunal. With regard to the fundamental right to a fair hearing (Art. 103 (1) GG) of the other parties, these documents are not taken into account in the proceedings and decision of the Public Procurement Tribunal (cf. KG, decision of 18 May 2022, Verg 7/21, IBRRS 2022, 1906).

66. In this case, there is no special reason for permission according to Art. 44 ff. GDPR exists. Thus, there is no adequacy decision within the meaning of Article 45 (1) of the GDPR. Article 46 (2) (c), (d) of the GDPR also does not apply here. Standard data protection clauses within the meaning of this provision are not suitable to legitimise transfers per se; rather, a case-by-case assessment is required (Jungkind/Raspe/Schramm, NZG 2020, 1056, 1057; Pauly, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, DS-GVO Art. 46, para. 12a et seq.) This leads - as explained - to the assumption of inadmissibility under data protection law. An exceptional circumstance pursuant to Article 49 of the GDPR does not apply here either.

67. c. Moreover, the invitee's bid is not to be excluded pursuant to Section 57 (1) No. 4 VgV because the form of service provision offered by the invitee violates Clause 21 of the specifications. Clause 21 of the service specifications sets out a requirement for data protection and IT security and stipulates that data must be processed exclusively in an EU or EEA data centre where no sub-service providers or group companies are located in third countries. According to the specifications, this requirement is merely an evaluation criterion and not an exclusion criterion. It is true that the invitee uses the servers of X., a subsidiary of X., which is based in the USA, for the provision of the service; however, the non-fulfilment does not constitute a reason for exclusion pursuant to Section 57 (1) no. 4 VgV. This is because item 21 of the bill of quantities is not a requirement that can be deviated from. Consequently, an amendment of the tender documents is excluded from the outset due to the lack of specifications in this respect. The non-fulfilment of clause 21 is only reflected in the evaluation.

III.

68. [...]