VK Baden-Württemberg - 1 VK 23/22
| VK BaWü - Az. 1 VK 23/22 | |
|---|---|
 | |
| Court: | VK BaWü (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 44 GDPR §57(1)(4) VgV |
| Decided: | 13.07.2022 |
| Published: | |
| Parties: | |
| National Case Number/Name: | Az. 1 VK 23/22 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Rewis (in German) |
| Initial Contributor: | n/a |
The Procurement Chamber Baden-Württemberg held that a transfer in the meaning of Article 44 GDPR constitutes any disclosure of personal data to a recipient in a third country or an international organization, irrespective of the nature of the disclosure, or the disclosure to a third party.
English Summary
Facts
The case concerns a decision by the Vergabekammer Baden-Württemberg ("Procurement chamber Baden-Wuerttemberg"), the administrative authority that reviews the procurement procedure.
On 3.11.2021, the defendant issued a Europe-wide invitation to tender for the procurement of software for digital management via an open procedure. The award criteria contained, among other things, requirements for data protection and IT security.
The defendant received offers from respondent A and respondent B. Respondent A is a subsidiary of an undertaking located in the US, with servers that are located in the EU. Furthermore, respondent A included clauses in the offer that stated, among other things, that it will not access or use, or disclose customer data to any third party, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body.
On 04.05.2022, the defendant informed the respondents that that the contract be awarded to the bid of respondent A on the grounds that the evaluation of the price was not the most economical. Respondent B challenged the decision by the defendant, arguing that respondent A had made illegal changes to the tender documents and had violated the GDPR.
Holding
The procurement chamber held that the bid of respondent A is to be excluded from the award procedure pursuant to §57(1)(4) VgV, which excludes bids for which additions have been made, as it violates Article 44 GDPR. An amendment in the meaning of §57(1)(4) VgV does not require that the respondent formally changes the wording of the tender document but exists already if the company deviates from the specifications of the tender documents in terms of content and as a result offers an a different service than the one tendered out. Respondent A has changed the tender documents in the sense of §57(1)(4) VgV that it, other than required in the tender, does not offer a service compatible with data protection law.
The concept of transfer in the meaning of Art. 44 GDPR
The procurement chamber specifies that the GDPR does not deliver a definition of the concept of transfer of Article 44 GDPR. Even though Article 4(2) GDPR refers to the "disclosure by transmission", the GDPR does not assume an equivalence of "disclosure by transmission" and "transfer" in Article 44 GDPR. The procurement chamber holds that the concept of transfer of personal data in the meaning of Article 44 GDPR has to be interpreted as any disclosure of personal data to a recipient in a third country or an international organization, irrespective of the nature of the disclosure, or the disclosure to a third party. A disclosure in this context can be assumed if personal data is posted on a platform that can be accessed from a third country, regardless of whether the access actually takes place.
The latent risk of access of customer data brought about by the clauses provided by respondent A in the offer are sufficient to constitute a transfer that is inadmissible under the GDPR. Therefore, the physical location of the servers of respondent A are irrelevant to assess compliance with the GDPR, even though they are situated in the EU.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Since a bidder naturally has only limited insight into the course of the award procedure, he may claim in the award review procedure what he can honestly consider to be likely or possible on the basis of his - often only limited - level of information, for example when it comes to award violations that exclusively_ play in the sphere of the awarding authority or concern the offer of a competitor (OLG Karlsruhe, decision of May 21, 2021, 15 Verg 4/21, juris, para. 28; OLG Düsseldorf, decision of April 13, 2011, VII-Verg 58/10 , juris, para. 53; OLG Frankfurt, decision of July 9th, 2010, 11 Verg 5/10, juris, para. 51; OLG Dresden, decision of June 6, 2002, WVerg 4/02, juris, para. 18 f. ). However, if the violation of public procurement law is not completely beyond his ability to inspect, the applicant must at least present actual connecting facts or indications that justify a reasonable suspicion of a specific violation of public procurement law (OLG Karlsruhe, decision of May 21, 2021, 15 Verg 4/21, juris, para 28; Düsseldorf Higher Regional Court, decision of August 16, 2019, VII-Verg 56/18, juris; Munich Higher Regional Court, decision of June 11, 2007, Verg 6/07, juris, para. 31). A minimum of substantiation must be observed; Pure assumptions about possible award violations are not sufficient (OLG Karlsruhe, decision of May 21, 2021, 15 Verg 4/21, juris, para. 28; OLG Brandenburg, decision of May 29, 2012, Verg W 5/12, juris, para. 4; Munich Higher Regional Court, decision of August 2, 2007, Verg 7/07, juris, para. 15 f.).
