BV QARIN ROTTERDAM, MOBILITY CENTRAL, VLAAMSE GEMEENTSCHAP – Court Ruling (Belgium, 2021)

The Flemish Authorities granted a tender to an EU based-entity of a US company using the AWS cloud services. A Dutch company which was not chosen by the Flemish Authorities in the tender process challenged this decision before the Council of State on the basis of the: * violation of the provisions of the GDPR on transfers, since no adequate protection of the data could be afforded in the US. The Dutch company relied in particular on an [https://overheid.vlaanderen.be/sites/default/files/media/VTC/VTC_A_2020_05_advies.pdf opinion] from the Flemish Supervisory Commission ('Vlaamse Toezichtcommissie voor de verwerking van persoonsgegevens) according to which the use of AWS could not be compliant with the Schrems II ruling and the GDPR; * breach of Article 28 GDPR (the choice of a the processor does not provide sufficient guarantees); * breach of Article 32 GDPR (lack of appropriate technical and organisational measures) * lack of motivation of the decision to grant the tender The Council of State held that: * the EDPB and the Flemish Supervisory Commission were not opposed to the use of encryption as such, and such use could be an adequate supplementary measure to the SCCs in some circumstances; * the choice of the processor was not violating Article 28 - the claimant could not demonstrate that the controller and processor did not implement the necessary technical and organisation measures; * the decision was sufficiently motivated.