GDPR as a reason for exclusionPublic contracting authorities must issue invitations to tender for the award of services or the purchase of goods in Germany and the EU above specific contract values. Such public invitations to tender are essential in the case of extensive software procurements.
The terms and conditions for awarding contracts distinguish - roughly summarized and simplified - between suitability criteria and evaluation criteria. Suitability criteria are those that every company must fulfill to submit a bid that will be evaluated. On the other hand, evaluation criteria are used to decide who receives the contract from among the offers that meet the suitability criteria (for example, price or quality of service).
The suitability criteria are currently causing headaches for companies with US connections. Citing the General Data Protection Regulation (GDPR), the contracting authorities define such criteria that already exclude them from suitability. This means that the companies cannot even submit a bid. An example of such a condition in a recently published tender in Bavaria:
The condition thus excluded, in particular, those providers from participating in the public tender where (personal) data is technically also stored or processed on servers in the USA. This affects a large number of software and cloud providers. The condition was apparently in line with a decision of the Baden-Württemberg Procurement Chamber, which had ruled in mid-July 2022, roughly summarized, that public bodies were not allowed to consider offers from subsidiaries of US cloud providers. Data was not technically transmitted to the USA in this specific case. Ultimately, this development in the public sector is a consequence of the Schrems II ruling of the European Court of Justice in July 2020, according to which it was considered by some representatives in the public sector to be generally no longer possible to transfer personal data to the USA based on the privacy shield. However, this risk would still exist even in the case of subsidiaries, with potential access by the US secret services, according to the Baden-Württemberg Procurement Chamber (Vergabekammer Baden-Württemberg, the decision of 13.07.2022, ref.: VK 23/2).
"1.1.4: Processing of support and personal data according to DSGVO:
The processing of any personal data of the client, including data stored for support processing (including ticket information), shall be carried out by the contractor in full compliance with the General Data Protection Regulation (GDPR) within the EU and the EEA as well as in states for which an adequacy decision exists following Article 45 GDPR..."
Inadmissible exclusionHowever, a general exclusion for suppliers with a US connection, in particular, should be assessed critically from a legal point of view.
§ Section 97 of the Act against Restraints of Competition (GWB) regulates three central principles of public procurement law in German law, namely
non-discrimination or equal treatment, and
The requirement of non-discrimination for U.S.-based suppliers is essential in such cases. Non-discrimination, in turn, implies that all bidders have the same starting conditions in competition. Thus, contracting authorities may not set eligibility criteria that give a competitive advantage to domestic bidders or disadvantage foreign bidders.
In the case of conditions such as those mentioned above, Section 31 (1) of the Public Procurement Ordinance (VgV) and the obligation of the contracting authority, anchored therein and protecting bidders (Section 97 of the ARC), to draft the specifications within the meaning of Section 121 of the ARC in such a way that they grant all companies equal access to the award procedure and do not unjustifiably impede the opening of the national procurement market to competition could be violated. This obligation finds its roots in Art. 42(2) of the EU Public Procurement Directive, which in turn stipulates that the technical specifications "must give all economic operators equal access to the procurement procedure and must not unjustifiably hinder the opening of public procurement markets to competition."
Minimum requirements such as those mentioned at the outset categorically exclude from the procurement procedure those bidders who process personal data of the contracting authority outside the EU and the EEA, as well as the states for which an adequacy decision, according to Art. 45 GDPR exists. By including such specific provisions, the contracting authority may have opted for a restriction of competition to the detriment of such bidders - and thus violated its legal obligations. Whether this so then requires an examination in the individual case - especially if the bidders have high-security measures, such exclusion does not appear lawful.
Tight deadlines apply to complaints.A company must defend itself against such award conditions by complaining about public procurement law. Only if such a complaint has been raised unsuccessfully can the bidder initiate judicial review proceedings (Section 160 (3GWB)).
Infringements of procurement regulations that are identifiable based on the notice or in the award documents must be notified to the contracting authority no later than the expiry of the deadline for submission of bids. Otherwise, the contracting authority must be notified of procurement regulations violations within ten calendar days of becoming aware of them.
The complaint is not bound to any particular form. For example, a written document is not prescribed by public procurement law; however, if only for evidence reasons, it is advisable to raise the complaint in writing and send it in advance by fax.
The applicant must explain why the tender conditions violate applicable law in the complaint. Even if no particular form is prescribed, sufficient factual and legal reasons must be presented as to why the tender conditions are unlawful.
Important: It is not permissible to wait until a decision on the contract has been awarded to a competitor. § Section 107 (3) ARC stipulates that an application for review is inadmissible insofar as the applicant has already recognized the infringement of procurement regulations during the award procedure and has not immediately reprimanded the contracting authority. The complaint constitutes the mandatory preliminary procedure for a formal review by the Procurement Chamber and the Procurement Senate. The body inviting tender is to be given a last chance to rectify any errors in the award procedure on its initiative. If a company identifies an inadmissible suitability criterion in the award conditions, it must raise a complaint during the ongoing tendering process to protect its rights.
We have also raised objections to inadmissible award conditions on behalf of clients in 2022, and the tender requirements have been rescinded. Such complaints can therefore be successful. It is therefore not surprising that the Stuttgart Higher Regional Court has also overturned the decision of the Baden-Württemberg Procurement Chamber described here (OLG Karlsruhe, the decision of 7.9.2022, ref.: 15 Verg 8/22). It is, therefore, possible for companies with a US connection to defend themselves against unacceptable tender conditions. But there are tight deadlines. A complaint must be filed within ten calendar days of becoming aware of the inadmissibility of the condition. Therefore, please do not hesitate to contact us.
About the authorDennis Hillemann is a partner in Fieldfisher's Hamburg office. He represents companies vis-à-vis public authorities and in court, particularly in the area of privacy litigation.
Sign up to our email digest