Court case 15 Verg 8/22 – Court Ruling (Germany, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court case involved a tender for digital software where one bidder claimed another violated GDPR by allowing data access from outside the EU. The court found that theoretical access by third countries does not automatically mean a GDPR violation. This case shows the complexity of data transfer rules under GDPR, especially concerning international data access.
What happened
A bidder in a software tender claimed another bidder violated GDPR by allowing potential data access from third countries.
Who was affected
Companies involved in the tender process for digital discharge management software.
What the authority found
The court found that the possibility of third-country access did not constitute a GDPR violation if proper safeguards were in place.
Why this matters
This case highlights the importance of understanding GDPR's data transfer rules and ensuring proper safeguards are in place when data might be accessed internationally.
GDPR Articles Cited
The respondents issued a Europe-wide invitation to tender for the procurement of a digital discharge management software. One of the exclusion criteria ("A-Criteria") was the software-related compliance with a GDPR draft contract. Additionally, the fact that the data is exclusively processed in an EEA data centre where no subcontractors / group companies are located in third countries, was designed as an evaluation criteria ("B-Criteria"). Both the applicant and the interested third party submitted a bid. The respondents awarded the contract to the third party. The applicant complained that the interested third party should have been excluded from the tender evaluation because, among other things, their bid violated the mandatory legal requirements of the GDPR by processing personal data on servers to which third countries had access. They used A. S.à.r.l. as a subcontractor. The agreement between the third party and A. S.à.r.l. in implementation Article 28 GDPR allowed A. S.à.r.l. to disclose personal data processed on behalf of the customer without or contrary to the customer's instructions and to transfer such data to a third country if this were necessary to comply with laws or binding orders issued by a state authority. Moreover, a supplementary addendum to the agreement stated that A. S.à.r.l. would challenge any unreasonable request by a governmental body. This would already show that A. S.à.r.l. assumed that it would be subject to a request for surrender by the US authorities. The respondent and the interested third party argued to the contrary that the bid did not constitute an infringement against the GDPR since a theoretical possibility of access by the third country did not constitute a transfer of personal data. Moreover, the defendant used standard contractual clauses and implemented the supplementary provisions required by the ECJ under the Schrems II case law through further agreements with A. S.à.r.l.. The procurement chamber agreed with the applic
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Court case 15 Verg 8/22 in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Court case 15 Verg 8/22 - Germany (2022). Retrieved from cookiefines.eu
Last updated: