The General Data Protection Regulation (GDPR) is an EU regulation that came into force in May 2018 and harmonized the rules for the protection of personal data in the EU. The regulation governs the rights of individuals with regard to their personal data and the obligations of companies and organizations when processing personal data.
Since the GDPR came into force, the processing of personal data on servers outside the EU has been a sensitive issue. The regulation stipulates that personal data may only be transferred to countries that offer an adequate level of protection for personal data. In practice, this means that personal data may only be stored on servers in countries outside the EU if these countries have an adequate level of data protection; if this is not the case, a separate legal basis for the transfer of personal data must be created. A few years ago, the ECJ ruled that an adequate level of protection does not automatically exist for the US and declared the corresponding adequacy decision, the "Privacy Shield", to be unlawful.
This has implications for companies that operate in the EU but store their data on servers outside the EU. Subsidiaries of US parent companies are particularly affected, since the US does not have an adequate level of data protection and therefore special precautions must be taken to ensure lawful data transfer.
But the discussion goes even further. It is also seen as problematic if the subsidiary in the EU processes the data on servers in the EU, but the parent company is located in the USA.
The background to this is, first of all, the US Cloud Act. Under it, US law takes precedence for global companies with subsidiaries outside the US where it conflicts with the local law applicable to the subsidiary. US courts interpret the concept of being subject to US jurisdiction very broadly: a US parent company's presence through a subsidiary outside the US is considered sufficient, since the parent company is then assumed to exercise control over the subsidiary. European subsidiaries would not be able to appeal against orders issued under the Cloud Act.
Also worth mentioning is Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA 702), which concerns the acquisition of certain foreign intelligence information by American intelligence agencies from "electronic communication service providers". This term is understood broadly in the United States. It is not possible to defend oneself against such an order by invoking conflicting rights such as those under the GDPR.
In February 2023, the Federal Cartel Office (Second Procurement Chamber of the Federal Government, decision of February 13, 2023 - VK 2 - 114/22) announced a decision on the matter. The Federal Cartel Office has ruled that data processing offers from German subsidiaries of US parent companies may not be excluded from procurement procedures on the grounds of data protection concerns. This has implications for the practices of companies and organizations that process personal data.
The Federal Cartel Office's reasoning for this decision is that data processing on servers in the EU by a subsidiary in the EU is not problematic even if the parent company is located in the US. According to the German subsidiary's offer, the commissioned data processing takes place exclusively in Germany, so no adequacy finding for the US is required. The Federal Cartel Office also emphasizes that arbitrary, compulsory access to data in Germany by American authorities is not realizable.
The commissioned data processing in the case in question should be carried out exclusively in Germany, so an adequacy finding for the USA is irrelevant. The promise of performance could be relied upon and there was no reason to believe that the promises would not be kept. It was not possible for American authorities to access the data arbitrarily and forcibly because they had no authority in Germany. It is also not possible for the German contractor to be forced to release data to its parent company in the US, as this would be both contrary to the contract and unlawful.
In the decisive constellation here, commissioned processing, a transmission of data to the parent company based in the USA would be a release of data contrary to instructions and thus contrary to the contract with the client. In the case before the second procurement chamber, this would also be a violation of § 80 (2) SGB X. Under this provision, a data transfer to the American parent company would be unlawful, because such a transfer is a form of processing that is only permissible – under the 4th variant of § 80 para. 2 SGB X – if an adequacy decision exists for the third country to which the data is transferred. An instruction from the parent company to surrender the data pursuant to § 37 para. 1 GmbHG would therefore be irrelevant for the German subsidiary.
The Federal Cartel Office also takes the view that if there are general concerns that data would not be secure when commissioned data processing is carried out by European subsidiaries of American corporations, because of the American legal situation, then a separate legal basis would have to be created at EU level on this topic in order to exclude such companies from procurement competitions.
The EU Commission, on the other hand, is planning a new adequacy decision regarding the comparability of data protection levels in the US, which is expected to come into force in the near future.
The decision of the public procurement tribunal must be read partly in light of the explicitly strict provisions of the SGB X. However, it also contains some arguments that can be applied more generally. Nevertheless, companies should continue to be careful about whom they place their trust in, because a settled legal opinion supporting the Federal Cartel Office's decision cannot be identified at this time.
The statements represent initial information that was current for the law applicable in Germany at the time of initial publication. The legal situation may have changed since then. Furthermore, the information provided cannot replace individual advice on a specific matter. Please contact us for this purpose.
The translation of the website into the displayed language was automated using artificial intelligence.