Germany: Ruling in Bundeskartellamt procurement case involving a subsidiary of a US parent company

On 13 February 2023, the Procurement Chamber of the German Bundeskartellamt issued a ruling in a procurement case in which a contract was awarded to a German subsidiary of a US parent company. At issue was a challenge to the award based on the potential for the parent company to make personal information processed as part of the contract available to US law enforcement. The ruling stated that the bid could not be rejected on the basis of potential GDPR violations. The Bundeskartellamt emphasised that the mere presence of a US parent company did not automatically expose the German data processing company to the risk of illegal data transfers to the US. Even if the US parent company had jurisdiction over the German subsidiary, any orders issued by the US authorities would not apply to the German company as it is registered in Germany.