Schrödinger's data
Do you know Schrödinger's cat? It's rather grim, and fortunately a thought experiment, but it boils down to this: A cat is in a box. You cannot see the cat. Inside the box is a substance that will be released at an unknown moment, which will cause the cat to die. The cat is then both dead and alive as long as the box remains closed.
What does that have to do with data?
We all know by now (I hope) that America has legislation that allows them to request data regardless of the country where it is stored. They do this without the intervention of European judges. You can also replace the word America with China and probably quite a few other countries. For now, America.
So the question is: Should I ensure that data, and in particular personal data, is not with an American supplier? Or does America already have the data and is it too late?
The answer is easy if you don't care at all, but then you wouldn't be reading this. The answer is more difficult if you process personal data of customers. Because then you decide that it's okay for America to have that personal data when you choose an American supplier.
Let's assume you have decency and don't find it okay. A healthy attitude in my opinion.
Do you assume that America does not have your data yet? For example, because you think your supplier will notify you when they receive a request for delivery? Because they have promised that after all.
Bad news, because such a request comes with an NDA. In other words, they are not allowed to let you know.
Does America have your data or not? Schrödinger's data, then. You don't know. And that is precisely what is forbidden. You should know that.
Conclusion
Just remove it, or better yet, don't put it there at all. Besides that it is not compliant with GDPR, it is of course a risk with NIS2. From that moment on, a director is jointly liable for, among other things, data breaches. Not knowing where personal data is stored is a data breach. You could easily have a customer who strongly disagrees with it. And then a 100% European supplier is not that expensive at all.
Just a quick note
Before he comes back: Can you give a concrete example where it was a problem that a government knew too much?
As is often the case with information. Just after it is too late, we understand that it would have been better if we hadn't shared it.
The childcare benefits scandal is an example of how things can go wrong with data. Also, a conviction that is legal in the Netherlands may be illegal in another country.
But why would they request that data?
Information is important. In the search for terrorists, you can never have enough of it. The database of, for example, Loket contains personal data (the entire payroll administration) of 1.5 million people. Handy, right?
It's not strange if you now think: "But how did we arrange that?". Know that we are happy tohelp.