On February 3, 2023, the German Data Protection Conference (DSK) issued a compelling statement regarding third country public authorities’ access to personal data processed by an EU/EEA-based subsidiary of a third country-based parent company. Contrary to the decision made by the Public Procurement Chamber Baden-Württemberg earlier in 2022, the DSK declared that potential direction from foreign governments and parent companies does not equate to a data transfer based on Article 44 et seq. of the GDPR.
When evaluating a processor’s trustworthiness under Article 28(1), the DSK stated that all individual factors must be taken into consideration. Importantly, they clarified that if there is risk that third-country law and/or practices may require unlawful processing under EU law by the EU/EEA-based subsidiary of a third country-based parent company, reliability cannot solely be achieved through the subsidiary’s status as an EU/EEA-based processor; additional security measures must compensate for this weakness or deficiency.