In a decision of September 24, 2020, the Berlin Public Procurement Chamber (VK Berlin) made interesting statements on data protection law in an award procedure. The subject of the procurement was telephone interpreting services. The unsuccessful bidder claimed that the award was invalid because the successful bid did not comply with data protection law:
In the opinion of the applicant, data protection requirements apply to the provision of services despite anonymization/pseudonymization by the defendant. Pseudonymization would not meet the requirements of Art. 32 GDPR. Both the voice and the content of the conversation are personal data. Initially, the award documents did not contain any specific statements on the data protection requirements for the bidders’ bids, but this did not release the respondent from its responsibility to comply with data protection requirements.
The bid of the defendant was to be excluded due to the lack of encryption. The respondent had not checked compliance with data protection requirements in the context of the bid evaluation. The respondent should also have selected only those processors in the context of the suitability test that offer sufficient guarantees for compliance with the requirements of the GDPR.
The VK Berlin rejects the complaint of the unsuccessful bidder for the following reasons, among others:
According to Art. 4 No. 1 of the GDPR, personal data is data that enables a natural person to be identified. It is true that the interpreter may be able to recognize where the person to be advised comes from on the basis of the voice. In contrast, identification is not possible on the basis of the voice alone. The fictitious possibility of identification is also not sufficient to qualify data as personal data, which triggers the obligations under the GDPR (cf. Schild in: BeckOK Datenschutzrecht, Wolff/Brink, 33rd edition, as of 01.08.2020, DS-GVO Art. 4 marginal no. 18).
The further remarks on the “collection” of personal data are also interesting:
Provided that the person to be advised discloses personal data on his/her own initiative, without being asked to do so by the staff of the competent office, it is not a processing of personal data by the defendant or the competent office, which triggers obligations under the GDPR. This is because according to the GDPR, personal data must be protected during processing. According to Art. 4 No. 2 GDPR, processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection or recording. If the person to be advised discloses data of his or her own accord, these data are not collected by the defendant or the responsible office, but they accrue to them. This is because the collection requires an active action on the part of the collecting agency (cf. Schild in: BeckOK Datenschutzrecht, Wolff/Brink, 33rd edition, status: 01.08.2020, DSGVO Art. 4 Rn. 35 f.). This so-called imposed information is to be protected by the client only when he wants to process and use it. However, there are no indications in the present case that a processing of such imposed information by the client is intended. Rather, the respondent stated that the persons to be advised usually do not comment at all. Nor was it asserted on the part of the applicant that the respondent or the responsible office intended to process such information. In the opinion of the Board, the transmission via the telephone line does not constitute processing within the meaning of Art. 4 No. 2 GDPR. If the responsible employee makes notes of what is said, he or she is subject to the obligations under data protection law, but not the contractor.
Thus, not only does this “accretion” of data not give rise to a duty to inform, but data protection law is not applicable at all, as long as the recipient does not willingly use this data.