Council of State - 251.378: Difference between revisions

From GDPRhub
Line 56: Line 56:
}}
}}


The Council of State confirmed that a decision of the Flemish Authorities to contract with an EU branch of a US company using AWS cloud services does not breach the GDPR. It stated that neither the Flemish Privacy Commission nor the EDPB oppose to the full encryption of data before they are transferred to the service provider while the encryption keys are kept under full control by the controller. Moreover, the decision to grant the tender to the provider did not breach Articles 28 (choice of processor) and 32 GDPR (obligation to adopt technical and organisational measures).  
The Council of State confirmed that the decision of the Flemish Authorities to contract with an EU branch of a US company using AWS cloud services does not breach the GDPR. The Council of State relied, among other things, on guidance issued by the EDPB and Flemish Supervisory Commission, which mention encryption as a possible supplementary measure for data transfers to the US.  


== English Summary ==
== English Summary ==
Line 63: Line 63:
The Flemish Authorities granted a tender to an EU based-entity of a US company using the AWS cloud services.  
The Flemish Authorities granted a tender to an EU based-entity of a US company using the AWS cloud services.  


A Dutch company which was not chosen by the Flemish Authorities in the tender process challenged this decision before the Council of State on the ground of the violation of the provisions of the GDPR on transfer, since no adequate protection of the data could be afforded in the US. The Dutch company relied in particular on an [https://overheid.vlaanderen.be/sites/default/files/media/VTC/VTC_A_2020_05_advies.pdf opinion] from the Flemish Data Privacy Commission ('Vlaamse Toezichtcommissie voor de verwerking van persoonsgegevens''<nowiki/>''') according to which the use of AWS could not, as a principle, be compliant with the Schrems II ruling and the GDPR
A Dutch company which was not chosen by the Flemish Authorities in the tender process challenged this decision before the Council of State on the basis of the:  


* breach of [[Article 28 GDPR]] (the choice of a the processor does not provide sufficient guarantees)
* violation of the provisions of the GDPR on transfers, since no adequate protection of the data could be afforded in the US. The Dutch company relied in particular on an [https://overheid.vlaanderen.be/sites/default/files/media/VTC/VTC_A_2020_05_advies.pdf opinion] from the Flemish Supervisory Commission ('Vlaamse Toezichtcommissie voor de verwerking van persoonsgegevens''<nowiki/>''') accord''<nowiki/>''ing to which the use of AWS could not be compliant with the Schrems II ruling and the GDPR;
* breach of [[Article 32 GDPR]] (lack of appropriate technical and organisational measures)  
 
* breach of [[Article 28 GDPR]] (the choice of a the processor does not provide sufficient guarantees);
* breach of [[Article 32 GDPR]] (lack of appropriate technical and organisational measures)
* lack of motivation of the decision to grant the tender
* lack of motivation of the decision to grant the tender


Line 72: Line 74:
The Council of State held that:  
The Council of State held that:  


* the EDPB and the Flemish Data Privacy Commission were not opposed to the use of encryption as such and such use could be an adequate supplementary measure to the SCCs in some circumstances;
* the EDPB and the Flemish Supervisory Commission were not opposed to the use of encryption as such, and such use could be an adequate supplementary measure to the SCCs in some circumstances;
* the choice of the processor was not violating Article 28 - the claimant could not demonstrate that the controller and processor did not implement the necessary technical and organisation measures;
* the choice of the processor was not violating Article 28 - the claimant could not demonstrate that the controller and processor did not implement the necessary technical and organisation measures;
* the decision was sufficiently motivated.
* the decision was sufficiently motivated.


== Comment ==
== Comment ==
The EDPB Guidelines on supplementary measures only address encryption when it comes to data 'in transit' or 'data at rest', not to access to data 'in use,' which seems to be the case in this decision.   
The EDPB Guidelines and an opinion by the Flemish Supervisory Commission on supplementary measures, only address encryption when it comes to data 'in transit' or 'data at rest', not to access to data 'in use,' which seems to be the case in this decision.   


Also, it remains to be seen how the processing agreement will be drafted and the encryption will be used in practice to see whether it is compliant with the SCHREMS II ruling and Chapter V of the GDPR.  
Also, it remains to be seen how the processing agreement will be drafted and the encryption will be used in practice to see whether it is compliant with the SCHREMS II ruling and Chapter V of the GDPR.  

Latest revision as of 15:34, 1 September 2021

Council of State - 251.378
Court: Council of State (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 28(1) GDPR
Article 28(3) GDPR
Article 32 GDPR
Article 45 GDPR
Article 46 GDPR
Decided: 19.08.2021
Published:
Parties: BV QARIN ROTTERDAM, MOBILITY CENTRAL, VLAAMSE GEMEENTSCHAP
National Case Number/Name: 251.378
European Case Law Identifier:
Appeal from:
Appeal to: Not appealed
Original Language(s): Dutch
Original Source: Raad van State (in Dutch)
Initial Contributor: n/a

The Council of State confirmed that the decision of the Flemish Authorities to contract with an EU branch of a US company using AWS cloud services does not breach the GDPR. The Council of State relied, among other things, on guidance issued by the EDPB and Flemish Supervisory Commission, which mention encryption as a possible supplementary measure for data transfers to the US.

English Summary

Facts

The Flemish Authorities granted a tender to an EU-based entity of a US company using the AWS cloud services.

A Dutch company which was not chosen by the Flemish Authorities in the tender process challenged this decision before the Council of State on the basis of the:

  • violation of the provisions of the GDPR on transfers, since no adequate protection of the data could be afforded in the US. The Dutch company relied in particular on an opinion from the Flemish Supervisory Commission ('Vlaamse Toezichtcommissie voor de verwerking van persoonsgegevens') according to which the use of AWS could not be compliant with the Schrems II ruling and the GDPR;
  • breach of Article 28 GDPR (the choice of the processor does not provide sufficient guarantees);
  • breach of Article 32 GDPR (lack of appropriate technical and organisational measures);
  • lack of motivation of the decision to grant the tender.

Holding

The Council of State held that:

  • the EDPB and the Flemish Supervisory Commission were not opposed to the use of encryption as such, and such use could be an adequate supplementary measure to the SCCs in some circumstances;
  • the choice of the processor did not violate Article 28 - the claimant could not demonstrate that the controller and processor did not implement the necessary technical and organisational measures;
  • the decision was sufficiently motivated.

Comment

The EDPB Guidelines and an opinion by the Flemish Supervisory Commission on supplementary measures only address encryption when it comes to data 'in transit' or data 'at rest', not to access to data 'in use', which seems to be the case in this decision.

Also, it remains to be seen how the processing agreement will be drafted and how the encryption will be used in practice, to see whether it is compliant with the Schrems II ruling and Chapter V of the GDPR.

The decision is not yet published on the Council of State website but should be available soon. Automated translation of the decision is provided hereunder.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

COUNCIL OF STATE, DEPARTMENT OF ADMINISTRATIVE JURISDICTION

PRESIDENT OF THE XIIth VACATION CHAMBER

JUDGMENT
no. 251.378 of 19 August 2021 in case A. 234.221/XII-9119

In the case of:

1. the BV QARIN

2. ROTTERDAM BV MOBILITY CENTRAL RMC

assisted and represented by attorneys William Timmermans and Lies Vanquathem, with offices at 1000 Brussels, Havenlaan 86 C/414, where domicile is elected

against:

The Flemish Region, assisted and represented by lawyers Kris Wauters and Tess Van Gaal, with offices at 1170 Brussels, Terhulpsesteenweg 187, where domicile is elected

Intervening party:

BV VIAVAN TECHNOLOGIES, assisted and represented by attorneys Frank Judo and Sarah Van Den Brande, with offices at 1000 Brussels, Empereur 3, where domicile is elected



I. Object of the claim

1. The claim, instituted on 3 August 2021, extends to the suspension in case of extreme urgency of the implementation of "the award decision of 16 July 2021 of [the Flemish Region] whereby the public contract for the establishment and operation of the Mobility Center within the framework of the Decree on basic accessibility is awarded to the private company Via Van Technologies [ . . .

XII-91 19-1/20
II. Course of the proceedings

2. The defendant has filed a note.             

With a petition dated 10 August 2021, the BV Viavan Technologies asked to intervene in the administrative summary proceedings.

The parties have been summoned to the hearing, which took place on August 17, 2021, at 10:00 AM.

Chamber President Eric Brewaeys has reported.

Attorney William Timmermans and attorney Gerrit Vandendriessche, deputizing for attorney Lies Vanquathem, appearing for the applicants, attorneys Kris Wauters, Tess Van Gaal and Michiel Van Lerbeirghe, appearing for the defendant, and attorney Frank Judo and attorney Etienne Kairis, deputizing for attorney Sarah Van Den Brande, appearing for the intervening party, have been heard.

First auditor-head of the department Ann Eylenbosch has given advice in agreement with this judgment.

The provisions on the use of languages, contained in Title VI, Chapter II, of the Laws on the Council of State, coordinated on January 12, 1973, have been applied.

III. Facts

3. On 2 April 2021, the defendant awarded the public contract for the first time to the BV ViaVan Technologies (hereinafter: Viavan).

By judgment no. 250.599 of 12 May 2021, the Council, at the request of the applicants, suspended the implementation of that first award decision. The foregoing facts are set out in that judgment.

After this suspension judgment, the defendant withdrew the first award decision of April 2, 2021 on 16 July 2021. On the same date, it again awarded the contract to ViaVan.

This is the contested decision.

On 19 July 2021, the requesting parties were notified of the award decision by email.

IV. Intervention

4. Viavan Technologies BV appears to benefit from the contested decision and has an interest in the claim being dismissed. Its request to intervene must therefore be granted.

V. Confidentiality of Documents

5. Both the requesting parties and the defendant request that a number of documents be treated as confidential.

In the current state of the proceedings, requests for confidential treatment of these documents can be granted.

The documents for which confidential treatment is requested are filed separately, their confidentiality is expressly indicated and mentioned in the inventory and the reasons for that request are reflected in the application and the note. At the formal level, therefore, there is nothing to prevent the Council of State from responding to the requested confidential treatment.

In any event, it can be pointed out that the foregoing does not prevent the Council of State from taking into account the confidential documents lodged in its assessment of the pleas put forward.



The documents designated as confidential will be included separately in the file for the time being.

VI. Admissibility of the claim

6. For the time being, there is no need to rule on the admissibility objections raised by the intervening party. An examination of and a ruling on those objections would be necessary only if the basic conditions for granting the claim for suspension are met, which, as will be shown below, is not the case.

VII. Suspension conditions

7. It follows from the combination of article 17, §§ 1 and 4, of the coordinated laws on the Council of State and article 15 of the law of 17 June 2013 'relating to the motivation, information and remedies with regard to public contracts, certain contracts for works, supplies and services and concessions' that it is only necessary to examine whether at least one serious plea is raised or whether there is an apparent illegality capable of justifying the annulment of the contested decision.

VIII. Examination of the pleas

A. First plea

Statement of the plea

8. A first plea is based on the violation of Article 28.1 and 28.3, Article 32 and Article 44 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 'on the protection of natural persons in connection with the processing of personal data and regarding the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation or AVG)', of the advice of the Flemish Supervisory Commission (VTC) no. 2020/05 of September 8, 2020 'on Information Security and GDPR Compliance 4 Platforms Education - Amazon Web Services (AWS)', of Article 38 of the Law of 17 June 2016 'on public procurement', of Article 76 of the Royal Decree of 18 April 2017 'placing of public contracts in the classical sectors' and of the principle 'patere legem quam ipse fecisti'.

The applicants themselves summarize this plea as follows:

"Because the defendant has chosen to award the contract to ViaVan Technologies BV, a subsidiary of an American entity Via Transportation Inc. (sole shareholder), which is relying on the strength of the American company River North Transit LLC USA, and which, according to the award decision, will use AWS (which stands for Amazon Web Services, also an American company) for the execution of the contract;

That in the context of this assignment, personal data will be processed on a large scale, namely everything that is necessary so that users of the Mobility Center can move from location A to B (address, time, identification data, etc.), including username, login, banking information for billing;

That, in the context of this assignment, special categories of personal data relating to these users will also be processed, including data about any physical limitations of a user ( health data), personal data of vulnerable data subjects (minors) and unique identification numbers (ie national register number), which means that the requirements for technical and organizational measures to ensure data security are even higher than usual (Article 32 GDPR);

That according to the specifications, the defendant will be the controller and the successful tenderer will be the processor within the meaning of the GDPR;

That the award of the contract by the defendant to ViaVan results in the defendant, as controller, transferring personal data of users of the Mobility Center to recipients in the United States who are subject to the so-called FISA legislation of the US, in particular the recipients AWS, Via Transportation Inc. and possibly River North Transit LLC;

While, first part, Article 44 of the GDPR requires that any transfer of personal data to a third country can only take place if there is a ground for the transfer under Articles 45 to 50 GDPR;

That under the Schrems II judgment of the Court of Justice, for transfers of personal data to recipients in the United States who are subject to the FISA law, no valid transfer ground is available any more (under the standard conditions);

That the defendant, by awarding the contract to ViaVan, as controller, cannot meet the requirement of a valid ground for transfer as stated in Article 44 of the GDPR;

That Article 28.1 of the GDPR also obliges the defendant (as controller) to only work with processors 'who provide adequate guarantees regarding the application of appropriate technical and organizational measures to ensure that the processing complies with the requirements of this Regulation'; that the defendant is thus under an obligation under Union law to rely only on processors and sub-processors who provide adequate guarantees;

That the chosen tenderer as processor is not allowed to transfer personal data to a third country on the basis of Article 44 of the GDPR, unless on the basis of a valid ground for transfer;

That, in view of the absence of a valid transfer ground for transfers by the tenderer to the United States, the tender of the successful tenderer cannot thus be in compliance with the GDPR;

That the requirement of compliance with the GDPR by the tenderer for this contract should be regarded as a minimum requirement of the specifications ; whereas tenders which do not meet that requirement are substantially irregular and should be rejected;

That the defendant had to reject this offer on the basis of Article 28.1 of the GDPR in the absence of adequate guarantees for compliance with the GDPR , and in accordance with the specifications and the provisions and principles referred to in the plea;

While, second part, Article 32 of the GDPR requires that the controller and the processor take appropriate technical and organizational measures to ensure the security of the processing taking into account the risks;

That this concerns a large-scale transfer of personal data to the same non-European cloud provider, while it is not proven that the data protection of the country of the recipient (the US) of the data is comparable to the European one;

That pursuant to the aforementioned advice from the VTC, no measures are available to ensure the security of the processing of personal data as is intended here to ensure that the processing of data for this contract as proposed by the successful tenderer is contrary to the GDPR;

That the defendant was required to reject the successful tenderer's tender in accordance with the tender specifications and the provisions and principles referred to in the plea;

While, third part, Article 28.1 of the GDPR obliges the defendant to work only with processors 'who provide adequate guarantees regarding the application of appropriate technical and organizational measures'; that Article 28.3 of the GDPR obliges the defendant to regulate the processing by the processor (here: the successful tenderer) 'in a contract or other legal act under Union or Member State law binding the processor towards the controller' and that that agreement must, inter alia, provide that the processor can only communicate personal data to third countries on the instructions of the controller and that it 'takes all measures required in accordance with Article 32' (these are the appropriate technical and organizational measures);

That the mere completion of a questionnaire by the successful tenderer with regard to the (possible) transfer to the US (Annex VI.6 to the specifications) is not equivalent to the contractual obligation for the successful tenderer to continue to apply all these measures and to be enforced during the execution of the assignment;

That the specifications expressly show that no processing agreement will be concluded, since the specifications expressly stipulate that the provisions regarding the processing of personal data in these specifications replace such a processing agreement; that the successful tenderer will therefore also not assume such a contractual obligation when a processor agreement is canceled;

That, even in the hypothesis that a processing agreement would still be concluded within the meaning of Article 28.3 of the GDPR (quod non according to the specifications), that agreement will in no case be able to comply with the GDPR because the defendant is unable to give the required instructions to the chosen tenderer to transfer personal data to the US because there is no valid ground for transfer for the US;

That the tender of the successful tenderer, with regard to the possible transfer to the US, may thus not be in accordance with the GDPR, so that the defendant had to reject that tender, in accordance with the GDPR and in accordance with the specifications and the provisions and principles cited in the plea".





Judgement

First part

9. In judgment no. 250.599 of 12 May 2021, the Council of State already established prima facie that "(t)he chosen tenderer (...), (appears) to be a full subsidiary of Via Transportation Inc., based in the US, appears to want to use Amazon Web Services (AWS) for the execution of the contract". It was also established that "(i)t appears from the specifications applicable to the contract, no. AB/2019/05, that the implementation of the contract implies, among other things, the processing of personal data on a large scale. As is also apparent from Annex VI.4 to the specifications, this will include, among other things, the processing of sensitive personal data such as health data (disability, allergies), as well as data of vulnerable data subjects (gelatinized windows in connection with social support of individuals, relations with other persons than relatives) and of unique identification numbers (bank account number, credit card number)."

10. At first sight, the current case can also be assumed to be a "transfer" of personal data within the scope of the GDPR. Consequently, this transfer must be covered by a valid transfer mechanism provided for in Articles 45, 46 and 49 GDPR. The applicants refer to the Schrems II judgment of the Court of Justice of 16 July 2020, C-311/18, to contest the existence of a valid transfer mechanism.             

11. In this judgment, the Court of Justice ruled on the validity of two well-defined transfer mechanisms in case of transfers of personal data from the EU/EEA to the US. More specifically, it ruled on the validity of:

a. the so-called "standard conditions", adopted by the European Commission in its decision of 5 February 2010 'on the standard contractual clauses for the transfer of personal data to processors based in third countries under Directive 95/46/EC of the European Parliament and of the Council' (hereinafter: MCB decision), OJ L 39 of February 12, 2010, p. 5-10 (at present Implementing Decision (EU) 2021/194 of the Commission of 4 June 2021 'on standard clauses for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council', OJ 7 June 2021), which are an instrument for adequate safeguards within the meaning of Article 46.2.c GDPR;

b. the so-called "privacy shield" decision (hereinafter: the Privacy Shield decision), adopted by the European Commission in the Implementing Regulation of the European Commission of 12 July 2016 in accordance with Directive 95/46/EC of the European Parliament and of the Council 'on the adequacy of the protection afforded by the EU-US privacy shield' (OJ L 207 of August 1, 2016, p. 1-112), which established a specific adequacy arrangement for the US within the meaning of Article 45.1 GDPR.

12. The Court ruled that the US legal system (particularly Section 702 FISA and EO 12333) does not provide an adequate level of protection broadly comparable to the level of protection afforded in the EU. Both tools are used by the US government to give US intelligence agencies access to data of foreign origin, including personal data, processed by private companies that fall within the scope of this legislation.

The Court ruled that the Privacy Shield decision is invalid. This decision can therefore no longer be used to legitimize transfers of personal data to the United States. In addition, the Court noted that the invalidity of the Privacy Shield decision does not create a legal vacuum for transfers of personal data.

However, as regards the validity of the MCA decision and thus the standard provisions, the Court expressly finds that they remain valid:

"148. It follows that the MCA Decision provides for effective mechanisms to ensure in practice that transfers of personal data to a third country based on the standard data protection clauses set out in the Annex to that decision are suspended or prohibited where the recipient of the transfer does not comply with or is unable to comply with those provisions.

149. In the light of the foregoing, the answer to the seventh and eleventh questions is that the review of the MCA decision in the light of Articles 7, 8 and 47 of the Charter has disclosed no factor of such a kind as to affect the validity of that decision.”

13. To the extent that the applicants argue that the Standard Clauses are invalid because of the lack of enforceable rights and effective remedies in the US legal system and that the only reason the Court of Justice did not also annul the MCA decision was because those provisions apply to transfers to any third country, in contrast to the EU-US Privacy Shield decision, which was limited to transfers to the US, it seems sufficient at this stage of the proceedings to refer to the Schrems II judgment, which confirmed the validity of these standard clauses.

14. In its judgment, however, the Court considers that it is the task of the controller or processor to verify in each individual case whether the standard clauses can be complied with when transferring to a third country and that, if it is established that the standard clauses cannot be complied with in view of the law in the country of destination, the controller or processor considers what additional measures can be taken to fill the identified gaps.

15. Following the Schrems II judgment, the European Data Protection Board also published two sets of recommendations in November 2020: 1) Recommendations 01/2020 of 10 November 2020 'on measures to complement transfer instruments to ensure compliance with the level of protection of personal data in the Union' and its update of 18 June 2021 and 2) Recommendations 02/2020 of 10 November 2020 'on the European essential guarantees for surveillance measures'. These recommendations provide controllers and processors who wish to transfer personal data to third countries with the necessary tools to analyze the law, in particular the law relating to surveillance measures, in that third country to verify whether any access to personal data can be considered a legitimate interference and to identify the measures that these controllers and processors can take in addition to a transfer mechanism such as the standard clauses, to provide appropriate safeguards.

16. The applicants' assertion that no additional measure is conceivable that would allow to remedy the inadequate level of data protection in the US, including encryption or pseudonymisation, seems to ignore in general the way in which those measures can be implemented. It seems possible to infer from the file that neither the VTC nor the European Data Protection Board as such oppose full encryption of data before they are placed with the service provider and that the encryption keys are kept under full control by the Flemish professional body. It appears from the file that the successful tenderer provides an extensive set of guarantees.

17. The requesting parties thus do not demonstrate with the required seriousness that as soon as there is a transfer of personal data to an entity in the US, the GDPR will be violated because no valid transfer mechanism is available and the processor can in any case provide no appropriate guarantees that can remedy an insufficient level of data protection in the country of destination.

The first part is not serious.

Second part

18. Article 32 GDPR requires the controller and the processor to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account "the state of the art, the implementation, and the nature, the scope, context and the processing purposes and the risks of varying likelihood and severity for the rights and freedoms of individuals."

19. The advice of the VTC of 8 September 2020 is an advice without binding force, in which very specific situations were dealt with. The advice starts with the following caveat: "The request for advice concerns four concrete cases. The VTC requests that the VTC be returned to for other cases". This appears to undermine the applicants' contention that the VTC intended to give a general scope to its opinion of 8 September 2020. Insofar as the requesting parties draw arguments from the content of this advice, including the assessment they make on the basis of the risk matrix, included in the advice of 8 September 2020, the part is not serious in any way.             

The second part is not serious.

Third part

20. Article 28.3 of the GDPR provides that the processing by a processor is governed by a contract or other legal act under Union or Member State law that binds the processor with respect to the controller. That agreement or legal act stipulates, among other things, that the processor takes all measures required in accordance with Article 32 of the GDPR, i.e. the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

21. The requesting parties do not make prima facie plausible, nor can it be seen spontaneously why the data protection specifications would preclude additional contractual arrangements between the defendant as controller and the successful tenderer as processor if necessary to meet the requirement of Article 28 of the GDPR.

22. To the extent that the applicants argue that the defendant cannot in any event give the required instructions to the chosen tenderer to transfer personal data to the US because there is no valid ground for transfer for the US, reference is made to the assessment of the first part.

The third part is not serious.

The first plea, taken as a whole, is not serious.

B. Second plea

Statement of the plea

23. A second plea has been raised alleging infringement of Articles 28 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR), Articles 4 and 38 of the Law of 17 June 2016 'on public procurement', Articles 4, 8° and 5, 9° of the law of 17 June 2013 'on the motivation, information and remedies regarding public contracts, certain works, supply and service contracts and concessions', articles 2 and 3 of the law of 29 July 1991 'on the explicit justification of the administrative acts', article 76, §1 of the royal decree of 18 April 2017 'public procurement contracts in the classical sectors', the patere legem quam ipse fecisti principle, the principle of due care and the substantive duty of motivation as general principles of good administration.

They themselves summarize this plea as follows:

“Because, first part, the defendant has not carefully investigated why the selected tenderer can and will comply with the GDPR in the context of this assignment;

That the defendant has limited itself to mere statements and to presenting a brief overview of the investigation by the Data Protection Officer/DPO, including the statement: 'the transfer to countries outside the EEA may well play a role here, but there is no indication at the moment that this transfer could not be made in accordance with the applicable transfer mechanisms' (see page 5 of the contested decision);

That the contested decision does not address the issue of transferring personal data to the US, as in the case of ViaVan; that the contested decision does not answer essential questions regarding the GDPR compliance of this offer, namely: (i) is there a transfer to countries outside the EEA, and (ii) if so, to which countries (US, other?) and (iii) on the basis of which GDPR-compliant transfer mechanism does this transfer take place?;

That the investigation was carried out carelessly and that the stated motives are incorrect in law;

That at least the formal obligation to state reasons has been violated;

While the requirement of mandatory compliance with the GDPR by the contractor follows not only from the GDPR, but also from the detailed specifications regarding compliance with the GDPR by the tenderers;

That the considerations of the contested decision are apparently insufficient if it has already been established in advance that personal data will be transferred to the US, as in the case of ViaVan; that, also in view of the intervening suspension judgment of your Council, the defendant had to at least unequivocally examine the following questions carefully and answer satisfactorily with regard to the tender submitted by the successful tenderer: (i) is there a transfer to countries outside the EEA, and (ii) if so, to which countries (US, other?) and (iii) on the basis of which GDPR-compliant transfer mechanism is this transfer made?; that this apparently did not happen;

That the defendant was required to carefully check the compatibility of the offers with the GDPR and to express the results of this regularity check in the contested decision;

That the reasons put forward must be legally correct and that the reasons must be sufficient;

And because, second part, the defendant has not assessed the tenders of the tenderers with regard to compliance with the GDPR in the context of the sub-award criterion 'ICT Architecture' and has not assessed ViaVan's offer as 'unsatisfactory' or as 'moderate' in the field of the sub-award criterion 'ICT Architecture' and has not rejected this offer,

While it can be deduced from the specifications that if the tender is assessed with an insufficient or moderate score on one of the award criteria, such as the sub-award criterion 'ICT Architecture', this implies that the tender does not meet the minimum requirements of the specifications and should therefore be regarded as substantially irregular,

That such evaluation of the award criteria should be distinguished from the general evaluation of the regularity of tenders,

That ViaVan's offer cannot comply with the GDPR, so that that offer had to be assessed as 'inadequate' or as 'moderate' in terms of the sub-award criterion 'ICT Architecture' and therefore had to be rejected,

That at least the contested decision does not show why this has not happened.”

Judgement

First part

24. The contested decision contains the following passage concerning the "substantive regularity" of the tenders:             

“5.1 Material regularity

In general, when examining the various tenders submitted in detail, the evaluation team does not find any deviations from the essential tender specifications. There are no elements in the tenders which give one or the other tenderer a discriminatory advantage, distort competition, prevent the tenderer's tender from being assessed or compared with other tenders, or make the tenderer's undertaking to perform the assignment under the conditions set non-existent, incomplete or uncertain. The assessment committee also checked whether there was any reason to declare one of the offers substantially irregular on the basis of one of the presumptions stated in Article 76, § 1, paragraph 3 of the Royal Decree of Placement. This is not the case. Furthermore, there are no non-substantial irregularities. This therefore gives the following result:

A further separate investigation took place with regard to the guarantees offered by the various offers regarding compliance with the provisions of Regulation (EU) 2016/679 and the law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, published in BS on September 5, 2018. In that context, the specifications have given the contracting authority a right to 'exclude' the tenderer, so that the contracting authority can reject the tender in the event of an irregularity.

The aforementioned investigation was carried out by the Data Protection Officer/DPO within the Mobility & Public Works Department, in consultation with his team. In the first place, he finds that the various tenderers have correctly and completely completed all the documents that made it possible to examine the safeguards relating to the processing of personal data. More specifically, this concerns the appendix with the personal data to be processed, the appendix with minimum measures (appendix 4.B.), the appendix with regard to the investigation of the data centers and cloud suppliers concerned and the appendix with regard to possible transfer to countries outside the EEA (Annex V1.6.). At this stage, no additional information was required in light of the investigation that could and should now be conducted.

After a thorough examination of all submitted BAFOs regarding the material regularity of the tenders, the Data Protection Officer/DPO concludes that all tenders can offer the minimum guarantees regarding the protection of personal data. It is not possible to anticipate all hypotheses regarding the processing of personal data, which may or may not arise at the start of the execution of the assignment. In concrete terms, the following findings arise from the investigation of the Data Protection Officer/DPO:

- ViaVan Technologies BV: its answers in appendix 4.B. demonstrate that its tender more than satisfies the minimum measures, as a result of which its tender with regard to material regularity scores better than what the specifications require. The answers regarding the infrastructure used point to very decent safeguards regarding the protection of personal data, thus also demonstrating a material regularity that goes beyond what the specifications require. Transfer to countries outside the EEA may possibly play a role here, but there is no indication at this time that this transfer could not be done in accordance with the applicable transfer mechanisms. The tenderer makes an important statement about this: 'ViaVan Technologies BV will monitor compliance with any binding guidelines of the Contracting Authority and/or a competent authority.' An examination of the information in the offer does not permit any other decision at this time."

25. The applicants cannot draw any arguments from the first award decision, which, having regard to its withdrawal, must be regarded as never having existed.             

26. Furthermore, the defendant seems to have explicitly included the GDPR issue in its regularity check. It was assisted by the Data Protection Officer who, with knowledge of the various offers and therefore with knowledge of the links with the US, examined the safeguards with regard to the processing of personal data provided by the various tenderers in their solution for the mobility center. The Data Protection Officer, supported at first sight by the defendant, has not identified any irregularities in the processing of personal data.

It is also apparent from the statement of reasons that the Data Protection Officer, and subsequently the defendant, also considered the issue of transfers and compatibility with the GDPR, despite the initial use of the word "possible". It was also established to this extent that at the time of the award there were no reasons to believe that the transfer could not take place in accordance with the applicable transfer mechanisms. The reasons given do not allow to assume that this conclusion is based solely on the statement of the successful tenderer that he will "monitor compliance with any binding guidelines of the Contracting Authority and/or a competent authority".

27. By thus expressing the results of the regularity check in the decision, the defendant appears to have adequately complied with the considerations of judgment No 250.599.             

28. The fact that the defendant, despite the suggestion made in suspension judgment No 250.599, has not also invoked the VTC does not detract from all this and does not appear to constitute relevant negligence, certainly not in light of the defendant's statement that an opinion from the VTC was not possible within an acceptable period of time.

29. Finally, inasmuch as the applicants complain about a lack of adequate formal statement of reasons, it is not apparent what interest they have in this complaint. In any case, the stated reasons allowed them to deduce from this that the defendant was of the opinion that, inter alia, the selected tenderer provided adequate guarantees that can ensure a GDPR-compliant performance of the service. The first plea, in which the applicants argue that the successful tenderer cannot in any event provide such guarantees, shows prima facie that the reasons given have given the applicants sufficient opportunity to defend themselves against the decision taken.

The first part is not serious.

Second part

30. It appears to follow from the method of evaluation of the award criteria announced in the specifications that, if the tender is assessed as insufficient or inadequate on any one of the award criteria, including the sub-award criterion "ICT Architecture", this implies that the tender does not comply with the minimum requirements of the specifications and must therefore be considered substantially irregular.

31. To the extent that the requesting parties, under this second part, again draw arguments from the first award decision, it is repeated that, in view of its withdrawal, that decision must be deemed never to have existed.

32. Furthermore, the requesting parties appear to hang the alleged negligent investigation on the absence of a final score of "insufficient" or "moderate" for the sub-award criterion "ICT Architecture". The circumstance that the requesting parties expected such a final score because, in their opinion, the selected tenderer does not guarantee secure processing and storage of data does not make it plausible at first sight that the defendant wrongly failed to involve, or wrongly involved, the assessment element "GDPR Processes" in its assessment of the sub-award criterion "ICT Architecture". In the context of the regularity check, the defendant has ruled that all tenders can offer the minimum guarantees with regard to the protection of personal data.

The second part is not serious.

The second plea, taken as a whole, is not serious.

IX. Decision

33. Neither plea has been proven serious. The claim for suspension in case of extreme urgency must therefore be rejected.

DECISION

1. The request of the BV Viavan Technologies to intervene is granted.                 

2. The Council of State dismisses the claim.

3. The applicants are ordered to pay the costs of the claim for suspension in the case of extreme urgency, estimated at a docket fee of 400 euros, each half, a contribution of 20 euros and a legal compensation of 700 euros, which is due to the defendant.

The intervening party is ordered to bear the costs of the intervention, estimated at a docket fee of 150 euros.

This judgment was rendered in Brussels, in open court on the nineteenth of August two thousand and twenty-one, by the Council of State, XIIth Holiday Chamber, composed of:

Eric Brewaeys, chamber president,

assisted by

Silja Doms, clerk.

The clerk, Silja Doms (digitally signed)

The chairman, Eric Brewaeys (digitally signed, 19/08/2021)