Data Processor’s promises regarding third-country transfer were valid

Summary

A Europe-wide invitation to tender for the procurement of a digital healthcare patient discharge management software system included a criterion that any data processing had to be conducted in a data center situated in the EEA, and that no subcontractor should be located in third countries. The tender was won by Company A, which had an EU subsidiary serving as a subcontractor (data processor) and was incorporated in the US as a parent entity. The complainant, Company B, which was also a part of the tender process, argued that Company A should be excluded from the procurement as its subcontractor posed a potential risk, in that US governmental bodies could gain access to the personal data on the EU servers.

The Baden-Württemberg Public Procurement Chamber agreed with the complainant, arguing that the use of the subcontractor, and its inherent risk, constituted a transfer within the meaning of GDPR, Article 44.

The decision was appealed. Additionally, the Baden-Württemberg DPA criticized the decision, noting that the decision did not factor in the possibility for parties to implement technical and organizational measures to reduce or eliminate risks, such as using encryption technology, and that equating the risk of access with actual transmission was legally questionable.

The Decision: Karlsruhe Higher Regional Court (OLG Karlsruhe)

The OLG Karlsruhe overturned the decision of the Public Procurement Chamber, holding that:

• Merely being a subsidiary of a US-based company did not require the respondents to doubt the fulfilment of the promise of performance. The respondents did not have to assume that the US parent company would give instructions that violated the law and the contract, or that the European subsidiary would follow instructions from the US parent company that violated the law.

• Since the respondents did not have to assume that the personal health data would be transferred to a third country, there was no need to conduct a transfer impact assessment.

• Promises of organizational and technical measures to ensure compliance with GDPR provisions when transferring data to the US are irrelevant in terms of the agreement to process the data exclusively in Germany.

Our remarks

• The mere fact that a subsidiary is owned by a US-based parent company does not necessarily mean that the subsidiary would violate GDPR provisions. However, controllers must ensure that the third-party processors they engage with, regardless of their ownership structure, can fulfill GDPR requirements. In this case, it would be sufficient to implement organizational and technical measures to prevent unauthorized third-country access.

• To assess whether you need to conduct a transfer impact assessment, and to further your understanding of the European data transfer regime after Schrems II, see the ComplyCloud Transfer Roadmap whitepaper on our webpage under ‘academy’ -> ‘downloads’ -> Transfer Roadmap.

Please note that this decision was made prior to the EU Commission’s adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the Schrems II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply.

Published: 07-09-2022
Journal number: Az. 1 VK 23/22
Tags: 06 Transfer to third countries
Complycloud EU GDPR Report