On February 3, 2023, the German Data Protection Conference (“Datenschutzkonferenz”, “DSK”) published its decision, dated January 31, 2023, on the data protection assessment of access possibilities for third country public authorities to personal data processed by an EU/EEA-based subsidiary of a third country-based parent company pursuant to Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
Firstly, the DSK states – deviating from a decision of the Public Procurement Chamber Baden-Württemberg in July 2022 – that the mere risk that third country public authorities, or a third country-based parent company of an EU/EEA-based company, could instruct that company to transfer personal data to a third country does not constitute a data transfer within the meaning of Art. 44 et seq. GDPR.
However, the DSK highlights that the controller must take this risk into account when assessing the processor’s reliability pursuant to Art. 28(1) GDPR. The DSK takes the view that the reliability assessment of an EU/EEA-based processor with a parent company in a third country requires an assessment of all circumstances of the individual case. The relevant criteria for the assessment include, for example, the risk that the third country-based parent company will instruct the EU/EEA-based subsidiary to transfer personal data to a third country, any assurances given by the third country-based parent company as to how it will deal with conflicts between EU law and the law of the third country, and whether the EU/EEA-based processor and the third country-based parent company can comply with these assurances. It is also necessary to assess whether, and if so to what extent, the EU/EEA-based processor and/or the data it processes are covered by third-country legal obligations and/or practices. If they are, it needs to be assessed whether the EU/EEA-based processor provides sufficient guarantees to prevent processing operations that are unlawful under the standards of the GDPR or the applicable Member State law, in particular processing without or against the instructions of the controller on the basis of obligations under third country law.
The DSK noted that, if there is a risk that third-country law and/or practices may require processing by the EU/EEA-based subsidiary of a third country-based parent company that is unlawful under EU law, processing by the subsidiary as an EU/EEA-based processor is not in itself sufficient to achieve reliability under Article 28(1) GDPR. If no guarantees can be provided, this shortcoming must be compensated for by additional technical and/or organizational measures. With regard to appropriate measures, the DSK refers to the recommendations of the European Data Protection Board (“EDPB”) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, dated June 2021, which should be applied accordingly.
The DSK concludes the decision by announcing that it will promote further discussion of this issue in the EDPB.