> It followed that company A's service qualified as an unlawful transfer of data to a third country because their parent company was located in the US, violating relevant data protection law (Article 44 GDPR).

> The Chamber explained that a transfer in this context must also be assumed when data can be accessed from a third country, regardless of whether this actually takes place. The fact that the physical location of the server that provides such access was located in the EU was irrelevant.

I think this is an interpretation of GDPR that most companies are not prepared for. You could write an implementation that restricts access to EU data, but if the parent company is not in EU, I guess the implementation could always be changed to allow access. Ergo, GDPR violation?