As we have seen in our previous blogs, GDPR and eCommerce are very serious topics in 2022. In today's blog, we look at a piece of news that recently drew wide attention.

For starters, a publicly owned company, Regionale Kliniken Holding RKH GmbH, known as RKH Regionale Kliniken Holding und Services GmbH, was owned only by municipalities and regional authorities, which are subject to public procedure in Europe. Among other details, the criteria contained requirements for data protection and IT security. According to the Procurement Chamber of Baden-Württemberg, a company had to be excluded from a public procurement procedure, as its offer violated the GDPR.

Why did this happen?

As we all know, GDPR compliance is a requirement of the eCommerce industry. Therefore, the German chamber admitted that the offer contained an unlawful transfer of customer data to a third country (their parent company was located in the US) because the data could have been accessed by the parent company.

Moreover, the company that was inviting the tenders accepted offers from two different companies, Company A and Company B. Company A used the services of a third company, Company C, Amazon Web Services EMEA, based in the United States, as a sub-processor, with its servers located in the EU. Company C incorporated clauses in its offer stating that it would not disclose customer data to any third party except for maintaining or providing the services necessary to comply with the law or a valid order of a governmental body.

After checking the offers, the publicly owned company decided that Company A should be awarded the contract, as their evaluation of the price was more cost-effective. Moreover, Company A had made illegal changes to the documents and should have been excluded from the procedure pursuant.

Moreover, the Procurement Chamber considered that the procurement was illegal if the company was deviating from its initial offer. This could be through formal or material changes, resulting in an offer for a different service than the one that was publicly offered. In this matter, the Chamber agreed that compatibility with eCommerce data protection law, in this case the GDPR, was a requirement of the contract. Nevertheless, Company A's procurement is illegal, as Company B stated, if it was incompatible with the GDPR requirements. On top of this, the Chamber discovered that, contrary to what the company agreed to in its offer, it disclosed customer information to a third party.

Furthermore, it disclosed customer data to a third party in a third country, in the form of a transfer pursuant to Article 44 GDPR. Also, the Chamber explained that a transfer must be assumed when data can be accessed from a third country, whether or not such access actually takes place.

Moreover, the fact that the server which contributed to such access was physically located in the EU was not relevant. In addition, the Chamber considered that for transfers to third countries, a valid transfer mechanism should be implemented.

Nevertheless, Company A was held responsible for illegally changing the procurement, violating Article 44 GDPR, and had to be excluded from the procedure.

To conclude, you must be very careful to respect the GDPR. As today's GDPR topic shows, a company should not transfer data to a third-party company. International transfers can be made if the Chapter is complied with by the controllers and processors concerned. Always keep up with the Kooomo Blog to be updated with the latest GDPR news.