At the latest since the Schrems II ruling, it has become clear that the transfer of data to countries outside the EU (third countries) can be problematic under data protection law. But is the risk of transfer to a third country sufficient? At least this is the opinion of the Baden-Württemberg Procurement Chamber.
You can find out the current status of the debate on data protection law here.
Procurement Chamber: Access risk in the third country is processing in the third country
The Procurement Chamber Baden-Württemberg is of the opinion that a transfer (and thus processing within the meaning of Art. 4 No. 2 GDPR) already exists if there is a risk that the data will be transferred to a third country.
Role of procurement chambers
The public procurement chambers of the federal states are independent supervisory authorities just like the data protection commissioners of the federal states (Section 157 GWB). In this context, public procurement chambers do not have the function of a supervisory authority, but rather act in a court-like manner. They review the award of public contracts if a competitor files a complaint (Section 155 GWB).
Position of the Procurement Chamber
The Baden-Württemberg Procurement Chamber was presented with a case involving the award of a contract for the purchase of software for digital admission management for hospitals. An unsuccessful competitor, which advertised that the data would only be stored on German servers, lodged an appeal. According to the unsuccessful competitor, the competitor that won the bid did not comply with data protection law. He would in fact be using the services of an EU subsidiary of a major US cloud service, which would entail the risk that the parent company would access the data stored in the EU from the US side and that it would then no longer be as secure as required by the GDPR.
The Procurement Chamber agreed with this view and cancelled the award. It stated that the concept of transfer in Art. 4 No. 2 and Art. 44 GDPR is not the same. Rather, a transfer in the sense of processing pursuant to Art. 44 GDPR already exists if there is a risk of transfer to a third country.
In this regard, the Procurement Chamber states: "The concept of transmission is to be interpreted in light of the broad wording of Article 44 p. 1 DS-GVO as well as the instructions laid down in Art. 44 S. 2 of the GDPR with regard to the application of the standard and thus to be understood comprehensively: Transfer means any disclosure of personal data to a recipient in a third country or an international organization, irrespective of the nature of the disclosure, nor of the disclosure to a third party." A disclosure in this sense already exists if there is a possibility that a third country will access, regardless of the actual access.
Data Protection Authority: TOMs are there to minimize risk
Following this decision, the State Data Protection Commissioner has also taken a position on the decision of the Procurement Chamber: He does not agree with the interpretation.
The State Data Protection Commissioner criticizes that the argumentation of the Procurement Chamber overlooks the fact that there are precisely the technical and organizational measures (TOMs) that minimize the demonstrated risk of access (Art. 32 GDPR). These are "effective countermeasures". They could create an optimal level of data protection based on a case-by-case risk assessment.
The main problem with the decision is the different interpretation of the transfer in Art. 4 No. 2 and Art. 44 GDPR. This is neither evident from the wording nor from the recitals.
A blanket exclusion of companies with connections to American service providers is neither elegant nor economical. The view of the Procurement Chamber would only lead to the fact that no American service providers can be used, even if they operate server farms in the EU.
How the debate will ultimately be resolved remains to be seen. The decision of the Procurement Chamber will now be reviewed by the Karlsruhe Higher Regional Court. The opinion of the State Data Protection Commissioner suggests that the court will overturn the decision. There is not yet a blanket ban on transfers, but rather individual case reviews.
Are you looking for professional advice in all areas relating to data protection? Our team of experts will be happy to assist you. Contact us!