You Use A US-based Sub Processor, You Lose, German Court says
If you use a U.S.-based sub processor (even for data processed in the EU), you lose, the German administrative court of Wiesbaden said in an interim decision.
Even if the server is possibly located in the EU, the US company has access to it and the U.S. Cloud Act applies. Therefore, personal data is risk of unauthorized access, which constitutes a breach of confidentiality in accordance with Article 32 (1) (b) GDPR.
The Court also considered Art 49 derogations, but decided, based on the facts, they weren’t met.