Schrems II does not automatically make any award to a US cloud partner irregular — if the DPO has analysed the data flow concretely, the award stands
The Council of State rejects the second suspension request against the award of the Flemish Mobility Centre to ViaVan (subsidiary of a US parent, using AWS) because, after a first suspension, the Flemish Region extended its motivation with a concrete review by its Data Protection Officer, and the bidders' contention that no supplementary GDPR measure could ever cure the situation — not even encryption with key control retained in-house — is not credible.
What happened?
On 2 April 2021, the Flemish Region awarded the public contract for the Flemish Mobility Centre (a basic-accessibility decree implementation) to ViaVan Technologies BV — a wholly-owned subsidiary of US-based Via Transportation Inc., relying for execution on US-based River North Transit LLC and on Amazon Web Services. By Council of State ruling 250.599 of 12 May 2021, this first award was suspended. The Court found prima facie that ViaVan was a US subsidiary using AWS, that the contract involved large-scale processing of personal data — including health data, vulnerable-persons data and unique identifiers — and that the contracting authority had failed to motivate how the bid could be GDPR-compliant given the Schrems II ruling that invalidated the Privacy Shield. After the ruling, the Flemish Region withdrew the first decision on 16 July 2021 and re-awarded to ViaVan the same day. The new motivation included an extensive 'Material Regularity' section setting out a separate review by the DPO of the Mobility & Public Works department. The DPO concluded that all bidders had correctly completed the relevant annexes (personal data to be processed, minimum measures, datacentres/cloud providers, extra-EEA transfer) and that all bids could meet the minimum guarantees. For ViaVan specifically: 'Transfer outside the EEA may be at issue here, but nothing currently indicates that such transfer cannot occur in line with the applicable transfer mechanisms.' Qarin and RMC filed a second extreme-urgency suspension request on 3 August 2021. Their first plea attacked GDPR compliance in three branches: lack of valid post-Schrems II transfer mechanism, inadequate Article 32 security measures, missing Article 28.3 processor agreement. Their second plea argued the contracting authority failed to mark the 'ICT Architecture' sub-criterion as 'insufficient' or 'average' — which under the tender would have triggered substantial irregularity. The Council rejected both pleas. Schrems II invalidated the Privacy Shield but explicitly confirmed the Standard Contractual Clauses remain valid. EDPB Recommendations 01/2020 and 02/2020 set out supplementary measures — full encryption with in-house key control among them. The general claim that no measure can cure the inadequate US protection level disregards how such measures actually work. The Article 32 plea relied on a VTC opinion limited by its terms to four specific cases. Article 28.3 imposes no bar on additional contractual arrangements. The second plea fell because the GDPR review was demonstrably integrated through the DPO. Suspension request rejected, costs awarded.
Why does this matter?
Since Schrems II (July 2020), every award to a US cloud partner — or to a European supplier using AWS, Google Cloud or Azure — sits under the shadow of GDPR irregularity. Competitors can invoke that shadow to challenge awards. This ruling gives contracting authorities a workable path: (1) have your DPO review the bid concretely against data-processing annexes; (2) embed that review explicitly in the award decision motivation; (3) address the specific case of extra-EEA transfer. Following these steps lets you defeat suspension requests — even when the winner has a US parent. For competitors, the corollary: a generic 'Schrems II = impossible' attack no longer works; you must show that in this specific case no supplementary measure can help — increasingly hard with encryption-plus-internal-key-management. A first suspension ruling is no free pass: after a proper redo and adequate motivation, the same award may survive a second round.
The lesson
Contracting authority: when awarding a contract involving personal-data processing by an entity with (possible) transfer to the US or another third country, your GDPR analysis must be part of your regularity review and your award motivation — not just a matter for the execution phase. Work through your DPO, use annexes where the bidder describes safeguards by category (datacentres, transfers, minimum measures), and embed the DPO conclusion in the motivation. Bidder: structure your GDPR technical annex so a DPO can cite it — that is your best defence against competitor challenges.
Ask yourself
Imagine you are awarding an IT contract centred on personal-data processing. Test your motivation: (1) is the 'extra-EEA transfer' issue explicitly addressed? (2) Does the motivation mention the DPO's opinion by name? (3) Are concrete safeguards cited (encryption, key management, SCCs, supplementary measures)? Three 'yes' answers means you meet the standard set by this ruling. One 'no' is an exposed nerve a competitor can press during an extreme-urgency challenge.
About this database
The Council of State (Raad van State / Conseil d'État) is Belgium's supreme administrative court. In disputes over public procurement — from contract awards to tenderer exclusions — the Council of State is the final arbiter. The rulings in this database are summarised by TenderWolf in plain language, with practical lessons for tenderers and contracting authorities. View all rulings →