German Data Protection Conference of supervisory authorities (DSK) issued a decision on how to assess the risk of personal data being accessed by non-EEA third parties such as governments or private companies.
According to the DSK, the mere possibility of a processor's parent company or a public authority in a non-EEA country ordering the processor to transfer or disclose personal data does not constitute a data transfer under Article 44 of the GDPR. They further explained that unless additional safeguards are implemented, EEA subsidiaries of third country companies will not qualify as GDPR-compliant processors.