DSK publishes decision on access by third country public authorities to data processed by processors in the EEA

Allen & Overy LLP

On 3 February 2023, the German Data Protection Conference of supervisory authorities (DSK) issued a decision on how to evaluate the risk of personal data being accessed by non-EEA public authorities, or by a parent company, when processed by a processor in the EEA.

The DSK explained that the mere possibility of a processor's parent company or a public authority in a non-EEA country ordering the processor to transfer or disclose personal data does not constitute a data transfer under Article 44 of the GDPR. However, if such an instruction is possible, it can imply that controllers will not be able to regard this processor as meeting the criteria of Art. 28(1) GDPR, unless the processor implements suitable technical and organisational measures to ensure its compliance with the GDPR (especially regarding the prohibition of processing personal data without or contrary to the controller's instruction). For example, unless additional safeguards are put in place, EEA subsidiaries of third country companies would not qualify as GDPR-compliant processors where third country laws or practices would mandate personal data processing that violates EU law.

The DSK stated that controllers must assess and document all the relevant factors in each case to determine whether the processor or the data it processes are subject to the non-EEA country's laws or practices and whether the processor still provides sufficient safeguards to meet the requirements of Article 28(1) GDPR. The DSK provided a helpful checklist for this assessment that draws on the EDPB Recommendations 01/2020 and includes other questions, such as:

  • how the third country parent company and EEA subsidiary guarantee to resolve any conflicts between the requirements of the third country law and the GDPR, and whether they can realistically uphold such guarantees;
  • whether the processor has a history of breaching data protection law;
  • the severity and likelihood of sanctions for violations of EU law and the law of the third country; and
  • whether appropriate technical and organisational measures can effectively prevent data transfers that contravene the GDPR.

Read the decision here (only in Germany).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising
