At the latest since the Schrems II ruling, it has become clear that the transfer of data to countries outside the EU (third countries) can be problematic under data protection law. But is the risk of transfer to a third country sufficient? At least this is the opinion of the Baden-Württemberg Procurement Chamber.
You can find out the current status of the debate on data protection law here.
Procurement Chamber: Access risk in the third country is processing in the third country
The Baden-Württemberg Public Procurement Chamber is of the opinion that a transfer (and thus processing within the meaning of Art. 4 No. 2 GDPR) already exists if there is a risk that the Data to a third country be transmitted.
Role of procurement chambers
The public procurement chambers of the federal states are independent supervisory authorities just like the data protection commissioners of the federal states (Section 157 GWB). In this context, public procurement chambers do not have the function of a supervisory authority, but rather act in a court-like manner. They review the award of public contracts if a competitor files a complaint (Section 155 GWB).
Position of the Procurement Chamber
The Baden-Württemberg Procurement Chamber was presented with a case involving the award of a contract for the purchase of software for digital admission management for hospitals. An unsuccessful competitor, which advertised that the data would only be stored on German servers, lodged an appeal. According to the unsuccessful competitor, the competitor that won the bid did not comply with data protection law. He would in fact be using the services of an EU subsidiary of a major US cloud service, which would entail the risk that the parent company would access the data stored in the EU from the US side and that it would then no longer be as secure as required by the GDPR.
The Procurement Chamber agreed with this view and cancelled the award. It stated that the concept of transfer in Art. 4 No. 2 and Art. 44 GDPR is not the same. Rather, a transfer in the sense of processing pursuant to Art. 44 GDPR already exists if there is a risk of transfer to a third country.
In this regard, the Procurement Chamber states: "The term 'transfer' must be interpreted in the light of the wording of Art. 44 p. 1 GDPR and the instructions set out in Art. 44 p. 2 GDPR with regard to the application of the standard and must therefore be interpreted comprehensively: Transfer means any disclosure personal data to a recipient in a third country or an international organization, whereby neither the type of disclosure nor the disclosure to a third party is relevant." Disclosure in this sense already exists if there is a possibility that a third country may have access, regardless of actual access.
Data Protection Authority: TOMs are there to minimize risk
Following this decision, the State Data Protection Commissioner has also taken a position on the decision of the Procurement Chamber: He does not agree with the interpretation.
The State Data Protection Commissioner criticizes the fact that the reasoning of the awarding chamber overlooks the fact that it is precisely the technical and organizational measures (TOMs) that minimize the identified risk of access (Art. 32 GDPR). These are "effective countermeasures". They could create an optimal level of data protection based on a case-by-case risk assessment.
The main problem with the decision is the different interpretation of the transfer in Art. 4 No. 2 and Art. 44 GDPR. This is neither evident from the wording nor from the recitals.
A blanket exclusion of companies with connections to American service providers is neither elegant nor economical. The view of the Procurement Chamber would only lead to the fact that no American service providers can be used, even if they operate server farms in the EU.
And now?
How the debate will ultimately be resolved remains to be seen. The decision of the Procurement Chamber will now be reviewed by the Karlsruhe Higher Regional Court. The opinion of the State Data Protection Commissioner suggests that the court will overturn the decision. There is not yet a blanket ban on transfers, but rather individual case reviews.
Are you looking for professional advice in all areas relating to data protection? Our team of experts will be happy to assist you. Contact us!