VK Baden-Württemberg - 1 VK 23/22
VK Baden-Württemberg - 1 VK 23/22 | |
---|---|
Court: | VK Baden-Württemberg (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 44 GDPR; § 57(1)(4) VgV |
Decided: | 13.07.2022 |
Published: | |
Parties: | Pflegeplatzmanager GmbH[1]; RKH Regionale Kliniken Holding und Services GmbH, formerly Regionale Kliniken Holding RKH GmbH[2]; Kreiskliniken Reutlingen GmbH[2] |
National Case Number/Name: | 1 VK 23/22 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Appealed[3] OLG Karlsruhe (Germany) |
Original Language(s): | German |
Original Source: | GDPRhub (Scan of the original) (in German) |
Initial Contributor: | n/a |
The Procurement Chamber of Baden-Württemberg held that a company had to be excluded from a public procurement procedure, as its offer violated the GDPR. This is because compliance with data protection law was a requirement of the tender. The Chamber held that the offer contained an unlawful transfer of customer data to a third country (their parent company located in the U.S.), as it could be accessed by the parent company.
English Summary
Facts
The case concerned a decision by Vergabekammer Baden-Württemberg (Procurement Chamber Baden-Württemberg), the administrative authority that reviews public procurement procedures.
A publicly owned company (Regionale Kliniken Holding RKH GmbH, today RKH Regionale Kliniken Holding und Services GmbH), owned only by municipalities and regional authorities and therefore subject to public procurement law, invited tenders for the procurement of software for digital administration in an open procedure throughout Europe.[4] The criteria contained, among other things, requirements for data protection and IT security.
The publicly owned company received offers from company A and company B (Pflegeplatzmanager GmbH)[5].
Company A used the services of company C (Amazon Web Services EMEA S.à r.l.)[6], a subsidiary of company D (Amazon Web Services, Inc.) based in the United States, as a sub-processor. Its servers were located in the EU. Company C included clauses in its offer stating that it would not disclose customer data to any third party, except as necessary to maintain or provide the services, or as necessary to comply with the law or a valid and binding order of a governmental body.
After reviewing the offers, the publicly owned company decided to award the contract to Company A, as its offer was the most economical in the evaluation of the price. Company B challenged this decision. It argued that Company A had made illegal changes to the tender documents and should therefore have been excluded from the procedure pursuant to § 57(1)(4) VgV.
Holding
The Procurement Chamber noted that a procurement is illegal if the company deviates from its initial offer (§ 57(1)(4) VgV). This can happen either formally (by changing the wording) or materially (by deviating from the procurement's specifications), resulting in an offer for a different service than the one publicly tendered. In this regard, the Chamber pointed out that compatibility with relevant data protection law (in the present case: the GDPR) was a requirement of the tender. Therefore, Company A's procurement would be illegal - as Company B argued - if it was incompatible with the GDPR.
The Chamber found that, contrary to what Company A stated in their offer, it did disclose customer data to a third party. More specifically, it disclosed customer data to a third party in a third country (its parent company in the U.S.). Therefore, a transfer pursuant to Article 44 GDPR would take place. The Chamber explained that a transfer in this context must also be assumed when data can be accessed from a third country, regardless of whether this actually takes place. The fact that the physical location of the server that provided such access was located in the EU was irrelevant.
The Chamber went on to state that a valid transfer mechanism must be present for transfers to third countries. However, there was no adequacy decision and no exemption under Article 49 GDPR, and the SCCs did not suffice. For the latter, the data importer's contractual duty to "contest state surveillance requests that go too far" and the encryption used did not remove the risk of state surveillance (hence, there were no supplementary measures). The Procurement Chamber thus held that there was no valid transfer mechanism present pursuant to Article 44 GDPR.
Therefore, the Chamber held that Company A illegally changed the procurement within the meaning of § 57(1)(4) VgV by violating Article 44 GDPR. Consequently, Company A had to be excluded from the procedure.
Comment
LfDI
On 15 August 2020 the competent LfDI (Baden-Württemberg) issued a statement regarding the case.[7] The LfDI notes that the decision is qualified and of importance beyond the initial case. However, it should be viewed critically:
On the one hand, the subject of the proceedings was clauses which, in the view of the Public Procurement Tribunal, still fell short of the requirements of the currently applicable standard data protection clauses. Here, the Procurement Chamber does not seem to have consistently succeeded in accessing the relevant contractual clause in each case. This is not surprising given the complexity of the regulations to be included. Clauses on the prohibition of data transfers that do not leave it to the data exporter to assess which requests by (third) state authorities go too far and which do not provide for a (final instance) challenge of all state requests without exception do appear to be problematic. However, the Procurement Chamber does not go into this in detail. On the other hand, the equation of access risk and transmission (as a form of processing under Art. 4 No. 2 of the GDPR) made by the Procurement Chamber is legally doubtful. The decision states: "The latent risk of access caused by the implementation of these clauses ... is sufficient according to the applicable principles of data protection law to affirm a transfer that is impermissible under data protection law. In this respect, it does not matter whether and how obvious the occurrence of the circumstances laid down in the two clauses, which are necessary for access in the individual case, is. After all, the latent risk can materialise at any time." The fact that a risk of access easily fulfils an element of transfer can be disputed with good reasons. The fact that the GDPR has introduced a "risk-based approach" in favour of data controllers is repeatedly argued by interested parties (and not very convincingly in this sweeping manner). However, the fact that this approach is now likely to be reversed at the expense of controllers and processors is equally unconvincing. 
Moreover, this argument overlooks the fact that effective countermeasures exist against such access risks in the form of so-called "technical-organisational measures", which can ultimately exclude any risk. However, this very aspect was not considered at all by the Procurement Chamber; in particular, the encryption technology used by the co-bidder was not examined further for reasons of procurement procedure law.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Public Procurement Chamber Baden-Württemberg
Regional Council Karlsruhe
1 VK 23/22
Decision
In the award review proceedings of the company XXX - Applicant - Agent for the proceedings: XXX against XXX - defendant to 1) - and XXX - defendant to 2) - and Agents: XXX Other parties XXX - invitees - the Agent for the proceedings: XXX concerning the award procedure "Software for Digital Discharge Management", reference number of the notice: 2021-20-WEI-OV, the Public Procurement Tribunal, through the chairperson XXX, the full-time assessor XXX and the honorary assessor XXX, decided on 13.07.2022 at the oral hearing of 29.06.2022:
1. The defendants (1) and (2) are obliged to return the award procedure to the status prior to the evaluation of the bids if the intention to procure continues and to repeat the evaluation of the bids in compliance with the legal opinion of the Procurement Chamber.
2. The defendants (1) and (2) as well as the invitee shall bear the costs of the proceedings jointly and severally as well as the expenses of the applicant necessary for the appropriate prosecution of the action, each in the amount of one third.
3. It is declared necessary for the applicant to engage the services of a legal representative.
4. The costs of the proceedings incurred by the Public Procurement Tribunal are set at 2,850.00 €.
Reasons
I.
By contract notice dated 03.11.2021, the respondents issued a Europe-wide invitation to tender for the procurement of software for digital discharge management in an open procedure. The applicant and the invitee, among others, each submitted a bid in response to the original tender documents. The invitee defended itself against the decision of the respondents to award the contract to the applicant's bid by lodging a complaint.
By e-mails dated 12.01.2022, the respondents informed the bidders that the award procedure had been reset to the status prior to the dispatch of the award documents and at the same time announced the provision of adjusted award documents. In a message dated 23.02.2022 via the award platform, the respondents informed the bidders that access to the new tender documents had now been activated and that the tender would be conducted in the form of an open procedure.
In the document "Award Documents", the respondents specified the award criteria and their weighting under section 2.13:
"(...)
a) Total price (net): 65%
- Price for licences and software maintenance (net)
- Price for services (net)
- Price for debts (net)
b) Quality of services offered 35%
- Software design
- SLA
- Data protection and IT security requirement
(...)"
In the specifications, the Respondents specified in Clause 2.8, inter alia, the following "IT Security and Data Protection Requirements":
"(...)
- Fulfilment of the requirements from the DS-GVO and the BDSG
(...)
- Data is processed exclusively in an EU-EEA data centre where no sub-service providers / group companies are located in third countries.
(...)"
In the price sheet, the defendants requested information on the cost calculation. The bidders were to indicate the net prices for the "one-off costs for the implementation of the digital discharge management software", the "running costs over 5 years", the "total costs interface to the digital file (...)" and the "requirement items". Regarding the one-off costs for the implementation, there is the addition: "(the costs are not included in the evaluation)".
Both the applicant and the invitee submitted a new bid. In its bid, the invitee specified A (...), located in XXX (EU Member State), as a subcontractor for the provision of the server and hosting service. A is a subsidiary of the US-based B; the physical location of its servers is in Germany.
In connection with the engagement of A, the invitee concludes a "(...) GDPR Data Processing Addendum" and the "Supplementary Addendum (...)" with A. The "(...) GDPR Data Processing Addendum" contains, inter alia, the following clauses:
"(...) 3. Confidentiality of Customer Data. X. will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). (...)
12. Transfer of Personal Data. 12.1 Regions. Customer can specify the location(s) where Customer Data will be processed within the X. Network (each a "Region"), including Regions in the EEA. Once Customer has made its choice, X. will not transfer Customer Data from Customer's selected Region(s) except as necessary to provide the Services initiated by Customer, or as necessary to comply with the law or binding order of a governmental body. (...)"
In the "Supplementary Addendum (...)", the following clause can be found under point (...):
"If compelled to disclose Customer Data to Requesting Party, X. will: (...) (b) challenge any overbroad or inappropriate Request (including where such Request conflicts with the law of the European Union or applicable Member State law)."
By letter dated 04.05.2022, the respondents informed the applicant that they intended to award the contract to the respondent's bid. The respondents gave the following reasons: "In the economic evaluation according to the evaluation criteria of the tender documents, your bid was not the most economical in the evaluation of the price. In the overall evaluation of price and performance, your bid was ranked second."
By letter dated 04.05.2022, the applicant objected to the decision of the respondents. The applicant complained that the invitee should be excluded from the tender evaluation because it had made changes to the tender documents.
With its bid, it had violated mandatory legal requirements of the GDPR, which were part of the tender documents. In addition, the invitee processed personal data on servers to which third countries had access, which did not comply with the requirements of the tender documents. The invitee was also to be excluded because it had indicated company C as a subcontractor in its tender, although it actually used company D as a subcontractor. Furthermore, the invitee was to be excluded because it had submitted an inadmissible under-cost bid. A proper price check by the respondents had not taken place. Finally, the price evaluation was discriminatory and non-transparent because the one-off costs for the implementation of the software were not taken into account. Thereupon, the defendants rejected the objections by letter of 09.05.2020. In a lawyer's letter dated 12 May 2022, the applicant noted that the defendants had not addressed its objections in their rejection and stated that it therefore maintained its objections. In addition, it complained that the reasoning of the preliminary information letter had been insufficient, that the tender evaluation had been faulty and that the documentation of the award procedure had been inadequate. In its application of 13.05.2022, the applicant submits that the application for review is admissible and well-founded. With regard to admissibility, the applicant argues that it is entitled to file an application because it expressed its interest in the contract by submitting a bid and its bid would have been awarded the contract if the bids had been correctly examined and evaluated. With regard to the merits of the application for review, the applicant argues that the invitee should be excluded from the award procedure because the invitee's bid violates key statutory provisions on data protection due to the use of A and C as subcontractors and therefore does not comply with the requirements set out in the award documents. 
Specifically, the applicant is of the opinion that the invitee's bid does not comply with the data protection requirements of the award documents because, contrary to the requirements defined in section 2.8 of the specifications, the invitee uses A, a data centre operator whose group company is located in third countries. Irrespective of this, the use of A does not meet the requirements of the tender documents because it violates Art. 44 et seq. GDPR and thus the requirements of the GDPR are not fulfilled, contrary to the requirements of the tender documents. This is because there is already an unlawful transfer of personal data to the USA and thus to a third country. Irrespective of the geographical storage of the data, there is an accessibility or retrievability of personal data from a third country. Due to the access rights granted on the basis of the "US surveillance law", there was at least a latent risk that a transfer of personal data to the USA would take place that was not permitted under the GDPR. This already falls under the concept of transmission in Art. 44 et seq. GDPR. Furthermore, there was a transfer within the meaning of Art. 44 et seq. GDPR because A's contractual conditions were a direct basis for an active transfer of data to the USA. In particular, the transfer of personal data to the third country USA, which is inadmissible in principle, is not legitimised by an adequacy decision, an appropriate guarantee or by the existence of any other exceptional circumstance. Furthermore, the applicant submits that it assumes that the invitee indicated C as a subcontractor and thus provided incorrect information in the offer. The applicant submits that the invitee's bid is an unlawful underbid. It assumes that a proper price clarification with regard to the invitee's bid was not carried out or at least not carried out properly.
The applicant believes that the non-inclusion of the one-off costs for the software implementation is inadmissible under public procurement law. Furthermore, the applicant submits that the preliminary information letter of 04.05.2022 sent by the defendants to the applicant is inadequate, in particular due to the lack of explanations on the award criterion quality of the services offered and due to the lack of information on the respective scores achieved. Against this background, the applicant also argues that the tender evaluation was carried out incorrectly. Finally, the applicant submits that the award procedure was insufficiently documented. In addition to its application for review, the applicant states in its submission of 17 June 2022 that its legal opinion that the invitee must be excluded from the award procedure is supported by the exclusion in another award procedure of a supra-regional health insurance company. The invitee had taken action against this exclusion in the context of a review procedure. The invitee withdrew its application for review due to the lack of prospects of success. The exclusion of the invitee from the award procedure there due to violations of data protection law was therefore final. Its submission was not made in the dark, because due to the design of the invitee's software, it was "necessarily to be assumed" that the same errors were also contained in the invitee's present bid. In addition, the applicant submits that "apparently" a so-called "transfer impact assessment" is regularly used in connection with the involvement of C in the provision of services and that this document is "apparently" written in English. This violated the requirements of the tender documents that the tender be written exclusively in German. With regard to the disputed concept of transfer, the applicant argues that the mere possibility of access constitutes data processing, and thus a transfer within the meaning of Art. 44 et seq. GDPR. 
With regard to its allegation of incorrect information on subcontractors, the applicant claims that it must be assumed that the invitee did not specify company E in its offer, although it would include it in the provision of services. With regard to its claim of incorrect tender evaluation, the applicant submits that it is apparent from the inspection of files granted that the tenders were not evaluated on the basis of the criterion of quality and its sub-criteria. In written submissions of 05.07.2022 and 11.07.2022, which have not been omitted, the applicant made additional legal submissions on the term "transfer". A distinction had to be made between the term "transmission" within the meaning of Article 4 no. 2 of the GDPR and the term "transfer" within the meaning of Article 44 et seq. of the GDPR. Due to the different regulatory purposes, the term "transmission" cannot be interpreted uniformly. The term "transfer" in the context of Art. 44 et seq. GDPR had to be interpreted broadly in order to ensure the most effective possible protection against circumvention. Therefore, an - albeit hypothetical - possibility of accessing personal data from a third country already constitutes a transfer within the meaning of Article 44 et seq. of the GDPR. In its application for review dated 13 May 2022, the applicant requested that the following be stated: 1. the applicant's rights are found to have been violated. 2. the respondents are found to have violated their rights. 2. the defendants are obliged to award the contract only after repeating the examination and evaluation of the bids and after issuing a complete letter of preliminary information pursuant to Section 134 (1) GWB, taking into account the legal opinion of the Procurement Chamber and the bid of the applicant. In the alternative: The defendants are obliged to take other appropriate measures to prevent infringements of the applicant's rights. 3.
The applicant shall be granted access to the contract award file. 4. The involvement of the applicant's legal representatives is declared necessary pursuant to Section 182 (4) GWB. 5. The defendants are ordered to pay the costs of the proceedings, including the costs of the applicant's appropriate legal action. In their response of 20.05.2022, the defendants have requested that: 1. the application for review is dismissed. 2. Access to the contract award file is prohibited. 3. The procurement chamber declares it necessary to call in the defendants' counsel. 4. the applicant shall bear the costs of the proceedings and the expenses necessarily incurred by the defendants. In their response of 20.05.2022, the defendants submit that the application for review should be rejected in its entirety. With regard to admissibility, the defendants argue that the allegation of an inadmissible price evaluation as well as the allegation of an incorrect bid evaluation is precluded and thus inadmissible. With regard to the merits, the defendants submit that the invitee cannot be excluded. A violation of central provisions on data protection by the invitee through its bid due to the use of A was not to be assumed.... The services were provided by A exclusively in Germany; there was no data processing in a third country. Rather, the invitee's bid complied with the requirements of the tender documents and, in particular, with the data protection requirements of the GDPR. With regard to the applicant's allegation that the invitee had provided incorrect information on the subcontractors used, the defendants submit that this is a complaint in the dark. The defendants counter the allegation of insufficient price information by stating that they had fully complied with their obligation to provide information as contracting authorities and that they had adequately documented this. 
With regard to the allegation of an insufficient advance information letter, the defendants submit that the applicant had been informed about the reasons for the intended non-inclusion. The applicant was informed that its tender was not the most economical in the category of price and that it came second in the overall evaluation of price and performance. This sufficiently constituted a practicable justification. In their written statement of 27 June 2022, the defendants additionally submit that the applicant's allegation that the invitee had made incorrect statements regarding the use of C and had not stated that it used E as a subcontractor should be rejected. The information was not incorrect and the accusation could not justify exclusion. The provision of services by C or the possible provision of services by E was not part of the scope of procurement requested in the award procedure. Therefore, there were no specifications in this regard in the tender documents, and the information provided could not justify any deviation. The invitee has requested by written statement dated 25.05.2022: 1. to reject the application for review, 2. to grant the invitee access to the contract award file pursuant to Section 165 (1) GWB, 3. order the applicant to pay the costs of the review proceedings, including the expenses of the invitee necessary for the appropriate legal prosecution, 4. declare that it is necessary for the invitee to appoint a representative. In its submission of 25 May 2022, the invitee argues that the application for review is already partially inadmissible and unfounded with regard to all alleged infringements of public procurement law. It agrees with the defendants with regard to the partial inadmissibility of the application for review and additionally states that it already lacks standing to file an application with regard to the contested letter of preliminary information and the contested documentation.
It is not apparent how this would affect the applicant's chances of being awarded the contract. With regard to the merits of the application for review, the invitee submits that both the involvement of A in the provision of services and, with regard to the cooperation with C on transactional emails, it is fully ensured that the invitee complies with all conditions of execution on data protection. By using the services of A, there was already no transfer of data to a third country, so no breach of Art. 44 et seq. GDPR had been committed. The applicant fails to recognise that a transfer always presupposes and constitutes data processing. A theoretical possibility of access does not constitute processing; in particular, a purely hypothetical latent risk of transmission is not sufficient. In the absence of processing of personal data, there was no transmission here. Irrespective of this, a transfer of personal data to a third country was permissible due to the use of standard contractual clauses. A concludes standard contractual clauses with its customers via the "(...) GDPR Data Processing Addendum". The "Supplementary Addendum (...)", which contains additional provisions, implements the "further measures" required by the ECJ. The accusation of 'inadmissible data processing under data protection law' through the use of C was a reproach in the dark. The same applied to the allegation of missing information on subcontractors. In its submission of 27 June 2022, the invitee additionally argues that the invitee's bid should not be excluded because the form of service provision offered by the invitee violates the requirement contained in section 21 of the specifications, which is also contained in section 2.8 of the specifications. This requirement was not a mandatory requirement of the defendants. The addition "B" indicates that the criterion is exclusively an evaluation criterion.
In written submissions of 01.07.2022, 06.07.2022 and 12.07.2022, which were not omitted, the invitee made additional legal submissions on the concept of transmission. This did not already include a theoretical legal authorisation of state authorities in a third country. The storage of data on the servers of a European company located in Europe could not constitute disclosure or making available to a recipient in a third country, as the necessary direct connection to the third country was lacking. The mere theoretical possibility of making use of powers of intervention, if necessary, does not fulfil any of the facts mentioned in Art. 4 No. 2 of the GDPR. By decision of 18.05.2022, XXX was invited to participate in the proceedings. On 13 June 2022, the Public Procurement Tribunal granted the applicant and the invitee access to the award files as requested - limited to the subject matter of the proceedings - insofar as no confidential file components were affected. In the oral proceedings on 29.06.2022, the parties had the opportunity to present their positions and to discuss them comprehensively with the Procurement Chamber. The five-week period pursuant to Section 167 (1) sentence 1 GWB was extended until 15.07.2022 by order of the chairperson. For further details, reference is made to the submitted pleadings including annexes and the documentation of the defendants, which was available to the Procurement Chamber. II. The application for review, with regard to the complaint that the use of A violates Art. 44 et seq. GDPR, which is why the invitee's bid should be excluded, is admissible and well-founded. 1. The application for review is partially admissible. a. The award review proceedings are admissible. Pursuant to §§ 155, 156 para. 2 GWB the award of public contracts is subject to review by the public procurement tribunals. The defendants are contracting authorities pursuant to §§ 98, 99 no. 2 a) GWB. b.
The threshold value pursuant to Sections 106 (1), 2 No. 1 GWB has been reached. The local and subject-matter jurisdiction of the Public Procurement Tribunal Baden-Württemberg results from Section 159 (3) GWB, Section 1 VNPVO. c. The applicant has partially fulfilled its obligation to raise a complaint pursuant to Section 160 (3) sentence 1 GWB. aa. The complaint regarding the non-inclusion of the costs for the implementation of the software in the price evaluation is precluded under Section 160 (3) sentence 1 no. 3 GWB. The applicant should have raised the objection with the defendants by the expiry of the deadline for submission of bids on 25 March 2022. Pursuant to Section 160 (3) sentence 1 no. 3 GWB, the application for review is inadmissible if the contracting authority is not notified of recognisable breaches of procurement law on the basis of the award documents at the latest by the expiry of the deadline for submitting applications or bids. A breach of procurement law is recognisable if the underlying facts are apparent from the tender documents and could have been recognised as a breach of procurement law by a bidder with average competence and exercising the usual diligence when reviewing and processing the tender documents. The recognisability refers both to the factual circumstances justifying the infringement of procurement law and to the infringement of procurement law as such. The bidder with average knowledge and exercising the usual diligence must be able to recognise the breach of procurement law without special legal advice (OLG Karlsruhe, decision of 15.01.2022, 15 Verg 12/20, not published). In this context, it can be expected that the bidder knows the relevant procurement rules, carefully reads the tender documents and investigates inconsistencies and contradictions (OLG Karlsruhe, decision of 05.05.2021, 15 Verg 4/21, not published). Merely a comprehensive knowledge of the award rules underlying the procedure, in particular the literature or public procurement law case law on the legal provisions, is not to be expected from the participants in an award procedure (OLG Karlsruhe, order of 15.01.2022, 15 Verg 12/20, not published; OLG Düsseldorf, order of 01.06.2016, Verg 6/16, juris, marginal no. 36).
Insofar as the applicant complains that the information on price evaluation in the tender documents (as of 23.02.2022), p. 12 f., 19, and in the price sheet (as of 23.02.2022) is contradictory and that a non-consideration of the one-off implementation costs is inadmissible under procurement law, the alleged breach of procurement law was directly apparent from the tender documents. An average bidder wants and must be able to recognise which criteria are used to determine the most economical bid. Any inconsistencies and contradictions in the information on the evaluation of the award criterion price are already apparent to an average bidder by reading the tender documents. From the tender documents (p. 19) and the "price sheet", it is immediately clear that the one-off costs for the implementation of the software are not included in the evaluation and which individual prices or price components are relevant to the evaluation. The fact that the applicant had dealt with the evaluation matrix in detail during the bidding phase is shown by its bidder question of 03.03.2022, which contains two questions on individual price components relevant to evaluation. Nevertheless, the applicant did not raise the complaint regarding the non-inclusion of the costs for the implementation of the software in the price evaluation until its letter of 09.05.2022, i.e. after the expiry of the bid deadline on 25.03.2022. bb. The claim that the tender evaluation was carried out incorrectly was raised by the applicant out of hand. The applicant's argument does not meet the requirements for a proper complaint within the meaning of Section 160 (3) sentence 1 of the GWB.
Since a bidder naturally has only limited insight into the course of the award procedure, it may assert in the award review procedure what it may reasonably believe to be probable or possible on the basis of its - often only limited - level of information, for example if it is a matter of infringements of the award procedure that take place exclusively in the sphere of the awarding authority or concern the bid of a competitor (OLG Karlsruhe, order of 21.05.2021, 15 Verg 4/21, juris, marginal no. 28; OLG Düsseldorf, order of 13.04.2011, VII-Verg 58/10, juris, marginal no. 53; OLG Frankfurt, order of 09.07.2010, 11 Verg 5/10, juris, marginal no. 51; OLG Dresden, order of 6 June 2002, WVerg 4/02, juris, marginal no. 18 f.). However, the applicant must - if the violation of public procurement law does not completely elude its possibility of insight - at least present factual connecting factors or indications that give rise to a sufficient suspicion of a specific violation of public procurement law (OLG Karlsruhe, order of 21.05.2021, 15 Verg 4/21, juris, marginal no. 28; OLG Düsseldorf, order of 16.08.2019, VII-Verg 56/18, juris; OLG Munich, order of 11.06.2007, Verg 6/07, juris, marginal no. 31). A minimum level of substantiation must be observed; mere presumptions regarding possible infringements of the award procedure are not sufficient (OLG Karlsruhe, decision of 21.05.2021, 15 Verg 4/21, juris, marginal no. 28; OLG Brandenburg, decision of 29.05.2012, Verg W 5/12, juris, marginal no. 4; OLG Munich, decision of 02.08.2007, Verg 7/07, juris, marginal no. 15 f.). The applicant's allegation is that the applicant should have been awarded the highest number of points in all award criteria. The defendants had based their decision solely on price. It is clear from the preliminary information letter that the other award criterion, quality, and its sub-criteria were not included in the evaluation.
It had to be assumed that the tender evaluation had been carried out incorrectly and that there had thus been a violation of § 58 VgV. In the preliminary information letter of 04.05.2022, the defendants justify the non-inclusion of the applicant's bid with the fact that it was not the "most economical" bid in the evaluation of the price. The fact that the defendants did not base their decision solely on the award criterion is evident from the fact that the evaluation was carried out by means of an "economic efficiency analysis according to the evaluation criteria of the tender documents" and that the applicant's bid was ranked second "in the overall evaluation of price and performance". Consequently, the allegation that the evaluation was only carried out on the basis of the award criterion price is not substantiated. It is pure conjecture. In any case, this complaint would be unfounded, because there is no violation of § 58 VgV. The defendants took into account 65% of the total net price and 35% of the quality of the services offered in their tender evaluation. Contrary to the applicant's assumption, the verifying test was not taken into account as an award criterion, but served the purpose of proving the fulfilment of the award criterion "quality" (cf. Burgi, Vergaberecht, 3rd ed. 2021, § 17, marginal no. 4a). In the course of the overall evaluation, the defendants came to the conclusion that the invitee ranked first and thus submitted the most economical bid. cc. The applicant also made the complaint that the invitee had specified C as a subcontractor in its bid and had thus provided incorrect information and violated mandatory legal requirements of the GDPR. 
To the extent that the applicant states in its complaint of 09.05.2022 that it had become aware from a review procedure initiated by the invitee that the invitee had indicated company C as a subcontractor in its bid in the award procedure at issue there, although it had used company D, it merely conjectures. Nothing else follows from the formulations in the applicant's application for review of 13 May 2022, in which it argues, with reference to review proceedings before the Federal Public Procurement Tribunal, that it is to be assumed that the invitee indicated C as a subcontractor in the context of the contested award procedure. This does not constitute a sufficiently substantiated submission either. On the one hand, the applicant does not explain how it claims to have known that the invitee submitted a bid in the award procedure that was the subject of the review proceedings before the Vergabekammer Bund that included C as a subcontractor or that the invitee actually cooperated with D. On the other hand, the applicant does not explain how it claims to have known that the invitee actually cooperated with D in the award procedure that was the subject of the review proceedings before the Vergabekammer Bund. This is because oral hearings before the Public Procurement Tribunals are not open to the public (cf. Section 68 VwVfG) and a final decision has not been rendered in these review proceedings, even the costs order had not yet been served at the time of the request for review and the applicant's written submission of 17 June 2022. On the other hand, the applicant does not sufficiently substantiate why the use of D should be the invitee's constant practice. 
The applicant's general statement in the application for review that the design of the invitee's software provides for the use of the same subcontractors for all contracts also does not contain any factual connecting factors or indications that give rise to a sufficient suspicion of a specific infringement of procurement law. dd. The complaint of non-compliance with the specifications regarding the language of the bid, which was raised for the first time in the context of the review proceedings in the written statement of 17 June 2022, also constitutes a complaint in the dark. The complaint does not contain any actual facts or indications that give rise to sufficient suspicion of a specific violation of procurement law. The fact that the submission that the invitee had violated the requirement to draft the bid exclusively in German is merely a presumption is finally apparent from the wording of the written statement of 17 June 2022. When the applicant submits that, in connection with the use of C, a "transfer impact assessment" was enclosed with the bid which was "apparently" written in English, it expresses that it is raising the complaint in the dark. The same applies to the complaint, also raised in this context, that the invitee did not specify E as a subcontractor in its bid, although it used E in the document "transfer impact assessment". ee. In all other respects, the Applicant has properly fulfilled its obligation to raise a complaint. d. The applicant is only entitled to file a complaint pursuant to Section 160 (2) GWB with regard to the complaints concerning the use of A and the complaint of insufficient price clarification. Pursuant to Section 160 (2) GWB, any company that has an interest in the public contract and claims a violation of its rights pursuant to Section 97 (6) GWB due to non-compliance with procurement rules is entitled to file an application. 
In doing so, it must be shown that the company has suffered or is threatened with suffering damage as a result of the alleged violation of the procurement rules. aa. The applicant's complaint that it was insufficiently informed about the reasons for which its bid was not to be considered is inadmissible. This is because the applicant could not have suffered any damage as a result of a possible breach of the defendants' duty under Section 134 (1) GWB to inform the applicant of the reasons why its bid was not to be considered (cf. OLG Karlsruhe, order of 6 June 2019, 15 Verg 8/19, juris, para. 31). Pursuant to Section 135 (1) no. 1, (2) GWB, the consequence of a breach of the duty to inform is the nullity of the contract concluded by the contracting authority with the contractor who submitted the most economically advantageous tender after the evaluation carried out. However, the defendants have not yet concluded a contract with the invitee, because the applicant partially complained about alleged violations of public procurement law in due time and initiated the review proceedings after the complaint was rejected (cf. OLG Karlsruhe, loc. cit.). Thus, the purpose of Section 134 (1) GWB to ensure effective primary legal protection (cf. Dreher/Hoffmann, in: Beck VergabeR, 4th ed. 2022, GWB Section 134, para. 12 et seq.) is fulfilled with the filing of the application for review by the applicant. bb. Insofar as the applicant complains about violations of documentation obligations pursuant to Section 8 VgV, it lacks the right to file an application pursuant to Section 160 (2) GWB - with the exception of the complaint about the insufficient documentation of a price clarification - due to the lack of proof of damage. The applicant has not shown how any documentation deficiencies had a concrete negative impact on its legal position in the award procedure (see Müller, in: MüKoEuWettbR, 4th ed. 2022, VgV § 8, marginal no. 49). cc. 
With regard to the objections concerning the use of A and the objection of insufficient price clarification, the applicant is entitled to file an application. It has sufficiently demonstrated its interest in the contract by submitting a bid and its damage in the form of a deterioration of its chances of being awarded the contract (cf. Horn/Hofmann, in: Beck VergabeR, 4th ed. 2022, GWB § 160, paras. 26, 33). e. The applicant filed the application for review within the time limit pursuant to Section 160 (3) no. 4 GWB. It filed the application with the Procurement Chamber on 13 May 2022, i.e. within 15 calendar days after the defendants' notification on 10 May 2022 that they did not intend to remedy the complaint. 2. The application for review is well-founded. The defendants' decision to award the contract to the invitee violated the applicant's rights, Section 168 (1) sentence 1 GWB. The invitee is to be excluded from the award procedure pursuant to Section 57 (1) no. 4 VgV because, due to the use of A, the invitee's bid violates Art. 44 et seq. GDPR and thus does not comply with the requirements of the tender documents. a. It cannot be established that the decision of the defendants not to reject the award to the invitee's bid on the grounds of an abnormally low price was erroneous. Pursuant to § 60 (3) sentence 1 VgV, the contracting authority may refuse to award a contract to a tender if it cannot satisfactorily clarify the low level of the price or costs offered after the examination pursuant to paragraphs 1 and 2. A claim of a bidder to the exclusion of a bid of a competitor that appears to be unusually low can only be considered in cases of discretionary reduction to zero (Steck, in: Ziekow/Völlink, 4th ed. 2020, VgV § 60 marginal no. 30 f.). The bids of the invitee and the applicant are so close to each other that the threshold of 20% is not exceeded (cf. Lausen, in: Beck VergabeR, 3rd ed. 2019, VgV § 60 marginal no. 11).
Nevertheless, the defendants carried out an examination of the invitee's bid pursuant to Section 60 (2) VgV. By letter of 06.04.2022, they requested the invitee to disclose the cost calculation and to clarify the difference between the current bid price of 25.03.2022 and the (initial) bid of 01.12.2021, as well as to explain how it would ensure that the services would be performed in accordance with the contract without any subsequent price adjustment. Thereupon, the invitee commented in a letter dated 08.04.2022 and explained the appropriateness of its own pricing, in particular it commented on the securing of financing and the performance of the contractual services over the entire term of the contract. In addition, it justified the price difference between its current bid and the bid it had submitted before the award procedure was postponed. The explanations of the invitees satisfied the defendants. Based on the examination of the documents submitted and the explanations of the defendants with the result that the defendants are convinced that the price does not prevent proper performance of the contract, it can remain open whether the defendants can cover their costs with the price offered or for which - acceptable - reasons they may have offered their services at a price that does not cover the costs, which would not per se lead to an unreasonable price-performance ratio (cf. OLG Karlsruhe, order of 09.07.2021, 15 Verg 5/21, not published). For it is not evident that the discretion granted to the defendants pursuant to Section 60 (3) sentence 1 VgV was so limited that they would have had to exclude the invitee's bid (ibid.). The fact that the invitee's bid is allegedly inadequate is irrelevant. In principle, a bidder is free in its calculation; a contracting authority is not obliged to accept only adequate or cost-covering prices and to protect bidders from loss-making transactions (ibid.). 
The decisive factor is whether the contracting authority has doubts as to the proper performance of the service (ibid.). The applicant has also not specifically explained or been able to explain for what reasons the invitee cannot be in a position to execute a contract with the defendants. b. The invitee's bid is to be excluded from the award procedure pursuant to Section 57 (1) No. 4 VgV, as it violates Art. 44 et seq. GDPR and thus does not comply with the requirements of the tender documents. Pursuant to Section 57 (1) No. 4 VgV, tenders are excluded if changes or additions have been made to the tender documents. An amendment to the tender documents is deemed to have been made if the enterprise deviates from the specifications of the tender documents in terms of content and, as a result, offers an aliud, i.e. a service other than the one tendered for (Pauka/Krüger, in: MüKoEuWettbR, 4th ed. 2022, VgV § 57, marginal no. 23). The term "amendment" does not require that the company formally changes the wording of the tender documents, e.g. by additions or deletions (ibid.). The invitee has amended the tender documents within the meaning of § 57 (1) no. 4 GWB in such a way that - contrary to what was required in the invitation to tender - it does not offer a service provision that is compatible with the applicable data protection law. The use of A's services violates applicable data protection law, as it is considered unlawful data processing pursuant to Art. 44 et seq. GDPR: it qualifies as an unlawful transfer of data to a third country. According to Art. 44 S. 1 of the GDPR, any transfer of personal data that are already being processed or are to be processed after their transfer to a third country or an international organisation is only permissible if one of the special grounds for permission of Art. 44 et seq. GDPR exists (cf. Paal/Kumkar, MMR 2020, 733, 734).
Accordingly, a data transfer to a third country and to foreign organisations is permissible in particular if the Commission has determined the adequate level of protection of the third country in a decision (so-called adequacy decision, cf. Art. 45 (1) GDPR), if the controller or processor has provided appropriate safeguards for the protection of personal data (Art. 46 (1) GDPR) or if an exceptional circumstance of Art. 49 GDPR exists (Paal/Kumkar, MMR 2020, 733, 734). The use of A as a hosting service provider constitutes a transfer within the meaning of Art. 44 et seq. GDPR. The term "transfer" is not defined as such in the GDPR (Beck, in: BeckOK DatenschutzR, 40th ed. 01.11.2021, GDPR Art. 44, para. 14). It is mentioned in the examples of processing listed in Art. 4(2) GDPR. According to this, "processing" includes, among other things, "disclosure by transmission". However, the GDPR does not equate "disclosure by transmission" within the meaning of Art. 4(2) GDPR and "transmission" within the meaning of Art. 44 et seq. GDPR (Pauly, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, DS-GVO Art. 44, marginal no. 3). To a processor who is a "recipient" within the meaning of Art. 4 No. 9 of the GDPR, but not a third party within the meaning of Art. 4 No. 10 of the GDPR, data is not "transferred", but instead "disclosed" (Pauly, in: Paal/Pauly, DS-GVO, loc. cit.). Since Art. 44 et seq. GDPR speak exclusively of a "transfer" and not of a "transfer to a third party", Art. 44 et seq. GDPR also apply to the disclosure of personal data to a processor in a third country (Pauly, in: Paal/Pauly, DS-GVO, op. cit.). The concept of transfer is to be understood in the light of the broad wording of Art. 44 S. 1 of the GDPR and the requirements set out in Art. 44 S. 
2 of the GDPR with regard to the application of the provision and thus to be understood comprehensively: Transfer is any disclosure of personal data to a recipient in a third country or an international organisation, whereby neither the type of disclosure nor the disclosure to a third party is relevant (Pauly, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, DS-GVO Art. 44, marginal no. 4; Wissenschaftlicher Dienst des Deutschen Bundestags, GDPR und Nutzung US-amerikanischer Cloud-Dienste, WD 3 - 3000 - 102/21, p. 8 f.). A disclosure that can be taken into account in this context is also to be assumed if personal data is posted on a platform that can be accessed from a third country, regardless of whether the access actually takes place (Pauly, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, DS-GVO Art. 44, marginal no. 5; Schröder, in: Kühling/Buchner, DS-GVO BDSG, 3rd ed. 2020, DS-GVO Art. 44, marginal no. 16). In this context, it is irrelevant whether the server through which the data is made accessible is located within the EU (ibid.; similarly, VG Wiesbaden, decision of 01.12.2021 - [6 L 738/21.W], BeckRS 2021, 37288, marginal no. 40, which in the case it decided simply referred to the location of the company headquarters in the USA). Such an understanding is supported by Art. 44 S. 2 GDPR: A possibility of access - for example by granting access rights - constitutes a latent risk that an unauthorised transfer of personal data may take place without the legal basis for this as standardised in the GDPR (Beck, in: BeckOK DatenschutzR, 40th ed. 01.11.2021, GDPR Art. 44, para. 15). Measured against these standards, the invitee's intended use of A, a European company whose parent company is the US-based B, leads to an impermissible transfer of data to a third country. The invitee's engagement of A is based, inter alia, on the "(...) GDPR Data Processing Addendum". This agreement contains under clause (...) a clause dealing with the confidentiality of customer data ("...").
Under this clause, Customer Data may not be accessed, used or disclosed by A to any third party except as necessary to maintain or provide the Services or to comply with any law or valid and enforceable order of any governmental authority. Under clause (...) there is a clause dealing with the transfer of personal data and according to which customer data will not be transferred out of the chosen region unless this is necessary to provide the service or to comply with a lawful or legally enforceable order of a governmental authority. The "Supplementary Addendum (...)" supplementing the "(...) GDPR Data Processing Addendum" contract contains a clause in clause (...) according to which A undertakes to challenge any overly broad or unreasonable request by a governmental authority, including such requests that are in conflict with EU law or applicable member state law. Clause (...) and (...) of the "(...) GDPR Data Processing Addendum" are drafted in the form of general clauses and open up the possibility for both governmental and private bodies outside the EU, and in particular in the USA, to access data stored by A in certain situations within the framework of the contractual or legal authorisations applicable in the specific case. The latent risk of access caused by the implementation of these clauses in the "GDPR Data Processing Addendum" is sufficient according to the applicable data protection principles to affirm a transfer that is impermissible under data protection law. In this respect, it does not matter whether and how obvious the occurrence of the circumstances laid down in the two clauses, which are necessary for access in the individual case, is. After all, the latent risk can materialise at any time. By entering into the agreement with A, the invitee is at least partially relinquishing its ability to influence the data entrusted to it. It is irrelevant here where A's servers are physically located. The clause in clause (...) 
of the "Supplementary Addendum (...)" does not remove the inadmissibility of the agreement under data protection law - and in particular the provisions in clauses (...) and (...) of the "(...) GDPR Data Processing Addendum". A's assumption of an obligation to challenge overly broad or unreasonable requests by government agencies, including requests that conflict with EU law or applicable member state law, does not eliminate the latent risk of access by those same agencies. The same applies to the encryption technology used by the invitee, whereby the statements of the invitee and defendants on the concrete design of the encryption technology must in any case be disregarded in the review proceedings. This is because pleadings submitted by parties to the review proceedings on the condition that they are not to be disclosed in whole or in part to the other parties (so-called "redacted" documents) do not become part of the files of the Public Procurement Tribunal. In view of the fundamental right to a fair hearing (Article 103(1) of the Basic Law) of the other parties, these documents are not taken into account in the proceedings and decision of the Procurement Chamber (cf. KG, decision of 18 May 2022, Verg 7/21, IBRRS 2022, 1906). Here, no special ground for permission pursuant to Art. 44 et seq. GDPR exists. Thus, there is no adequacy decision within the meaning of Art. 45 (1) of the GDPR. Article 46 (2) (c), (d) of the GDPR also does not apply here. Standard data protection clauses within the meaning of this provision are not suitable to legitimise transfers per se; rather, a case-by-case assessment is required (Jüngkind/Raspe/Schramm, NZG 2020, 1056, 1057; Pauly, in: Paal/Pauly, DS-GVO, 3rd ed. 2021, DS-GVO Art. 46, marginal no. 12a et seq.). This leads - as explained - to the assumption of inadmissibility under data protection law. An exceptional circumstance pursuant to Art. 49 of the GDPR is also not given here. c. 
Furthermore, the invitee's bid is not to be excluded pursuant to § 57 (1) no. 4 VgV because the form of service provision offered by the invitee violates section 21 of the specifications. Clause 21 of the specifications sets out a requirement for data protection and IT security and stipulates that data must be processed exclusively in an EU or EEA data centre where no sub-service providers or group companies are located in third countries. According to the specifications, this requirement is merely an evaluation criterion and not an exclusion criterion. It is true that the invitee uses the servers of A, a subsidiary of B, which is based in the USA, for the provision of the service; however, the non-fulfilment does not constitute a reason for exclusion pursuant to Section 57 (1) no. 4 VgV. This is because item 21 of the bill of quantities is not a requirement that can be deviated from. Consequently, an amendment of the tender documents is excluded from the outset due to the lack of specifications in this respect. The non-fulfilment of clause 21 is only reflected negatively in the evaluation. III. The decision on the procedural fees is based on Section 182 (1), (2) and (3) GWB. In determining the procedural costs pursuant to Section 182 (1) GWB in conjunction with Sections 3 and 9 VwKostG, a fee in the amount of € 2,850.00 is deemed appropriate, based on the fee framework of Section 182 (2) GWB, taking into account the staff and material expenses of the Board as well as the economic importance of the order, in accordance with the fee table of the Federal Government. The defendants 1) and 2) as well as the invitee shall bear the costs of the proceedings as joint and several debtors. Pursuant to Section 182 (3) sentence 1 GWB, a party shall bear the costs if it is unsuccessful in the proceedings. Pursuant to Section 182 (3) sentence 2 GWB, several parties liable for costs are jointly and severally liable. 
The defendants 1) and 2) as well as the invitee are unsuccessful to the same extent because they have all applied for the rejection of the application for review. This has the consequence that, pursuant to Section 182 (3) sentences 1 and 2 GWB, the defendants and the invitee are jointly and severally liable for the fees and expenses of the Public Procurement Tribunal. In contrast, Section 182 (4) GWB, which is to be applied in this respect, does not provide for joint and several liability for the reimbursement of the applicant's necessary expenses incurred in the proceedings before the Public Procurement Tribunal (see BGH, decision of 26 September 2006, X ZB 14/06, NVwZ 2007, 240, 246). With regard to the necessary expenses, costs can only be borne "insofar as" a party is unsuccessful (Section 182 (4) sentence 1 GWB). This means that the contracting authority and the invitee supporting it in the review proceedings before the Public Procurement Tribunal are liable for the costs of the winning bidder only as partial debtors (cf. BGH loc. cit.). Since the defendants and the invitee opposed the application for review with identical legal protection objectives and largely identical grounds, they must therefore bear the applicant's expenses necessary for the appropriate prosecution in the proceedings before the Public Procurement Tribunal in equal shares (cf. BGH loc. cit.), i.e. one third each. Pursuant to § 80 (3) sentence 2 VwVfG, it must also be determined (cf. § 182 (4) sentence 1 GWB) that the involvement of the applicant's representative in the review proceedings before the Public Procurement Tribunal was necessary. The involvement of an authorised representative by the applicant was to be declared necessary, since an applicant may regularly use a procedural representative for the review proceedings (Krohn, in: Beck VergabeR, 4th ed. 2022, GWB § 182, marginal no. 63; VK Baden-Württemberg, decision of 05.08.2021, 1 VK 37/21, juris, marginal no. 123). 
An exception to this principle is not evident in the present case. Pursuant to Section 182 (4) sentence 5 GWB, a separate cost determination procedure does not take place. IV. Notice of appeal An immediate appeal against this decision of the Procurement Chamber is admissible. It must be filed in writing within a period of two weeks, commencing with the notification of this decision, with the Karlsruhe Higher Regional Court, Hoffstraße 10, 76133 Karlsruhe. The grounds for the appeal must be stated at the same time as the appeal is filed. The statement of grounds for appeal must contain a declaration of the extent to which the decision of the Public Procurement Tribunal is contested and a different decision is requested. The facts and evidence on which the appeal is based shall be stated. The appeal shall be filed with the court as an electronic document. This must be provided with a qualified electronic signature of the responsible person or signed by the responsible person and submitted by a secure means of transmission. This does not apply to annexes attached to preparatory pleadings. If transmission as an electronic document is temporarily not possible for technical reasons, transmission shall remain admissible in accordance with the general provisions. The notice of appeal must be signed by a lawyer. This shall not apply to appeals filed by legal persons under public law. The appellant shall inform the other parties to the proceedings by sending a copy of the notice of appeal. The immediate appeal shall have suspensive effect against the decision of the Public Procurement Tribunal. The suspensive effect shall cease two weeks after expiry of the time limit for appeal. If the Public Procurement Tribunal has rejected the request for review, the court of appeal may, at the request of the appellant, extend the suspensive effect until the decision on the appeal. XXX XXX XXX
References
- ↑ https://gruendelpartner.de/newsroom/gruendelpartner-erwirkt-weitreichende-entscheidung-zur-unzulaessigkeit-von-cloud-und-it-dienstleistungen-durch-us-tochterunternehmen-in-deutschland/
- ↑ 2.0 2.1 https://ausschreibungen-deutschland.de/843547_Software_fuer_Digitales_EntlassmanagementReferenznummer_der_Bekanntmachung_2021-20-WEI-OV_2021_Ludwigsburg
- ↑ https://twitter.com/SchuldtStephan/status/1552910583003058176
- ↑ https://ausschreibungen-deutschland.de/843547_Software_fuer_Digitales_EntlassmanagementReferenznummer_der_Bekanntmachung_2021-20-WEI-OV_2021_Ludwigsburg
- ↑ https://gruendelpartner.de/newsroom/gruendelpartner-erwirkt-weitreichende-entscheidung-zur-unzulaessigkeit-von-cloud-und-it-dienstleistungen-durch-us-tochterunternehmen-in-deutschland/
- ↑ The decision was published via rewis.io. The clauses used are unique to AWS.
- ↑ https://www.baden-wuerttemberg.datenschutz.de/stellungnahme-zum-beschluss-der-vergabekammer-bw/