Cloud services from US subsidiaries contradict GDPR
According to a recent ruling by the Public Procurement Chamber of Baden-Württemberg, German data is no longer considered protected, even on the European servers of European subsidiaries of American companies. If the judgment is confirmed by the higher regional court, it would have an enormous impact on the procurement of cloud services.
In the case examined by the Baden-Württemberg Public Procurement Chamber (VK BW), the contracting authority put the procurement of software, licenses and support out to tender. The decision fell on a subsidiary of a US company located in the EU. A competing provider in the award procedure initiated a review procedure with the accusation that the offer of the company to be awarded the contract was not GDPR-compliant. After a thorough examination of the case, VK BW agreed with the applicant, Pflegeplatzmanager GmbH.
Specifically, VK BW states in its decision that the company that was to be awarded the contract changed the contract documents in such a way that – contrary to what was requested by the client – it does not offer any service provision that is compatible with the applicable data protection law. In two contractual clauses, the US subsidiary promises not to give third parties access to the data and not to transfer data from Europe to other regions – unless the company has to comply with the law or a binding order from a government agency. According to the VK BW, these addendums to the contract are designed as general clauses and open up the possibility for public and private bodies outside the EU to access the stored data in certain situations.
As Stephan Schuldt (lawyer at the law firm Gruendelpartner, which represents Pflegepartnermanager GmbH) on Twitter announced, one of the Complained parties Complained immediately. The decision of the VK BW is therefore not yet final, but the matter goes to the Higher Regional Court (OLG) Karlsruhe. Should the Higher Regional Court confirm the decision of the VK BW, this would have an enormous impact on the procurement of cloud services. US companies and their subsidiaries in Europe would then contradict per se from future award procedures.
Source: Behörden Spiegel