Database

The General Data Protection Regulation prohibits the retention of records containing personal data for a period longer than is necessary for achieving the purposes for which the personal data were collected or subsequently processed.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

The Cyprus Supreme Court decided on 1 February 2011 that some of the provisions of Law 183 (I)/2007 implementing of the EU Data Retention Directive are unlawful. However, most of the provisions of the Directive still apply.

In Bulgaria, an applicant for a gaming license must assure that all data related to operations in Bulgaria is stored on a server located in the territory of Bulgaria. Moreover, the applicant has to assure that the communication equipment and the central computer system of the organizer are located within the EEA or in Switzerland.

With respect to income tax, except in case of exception granted by the administration, the books and documents must be kept at the disposal of the tax administration in the office, agency, branch or other professional or private premises of the taxpayer where they have been kept, prepared or sent.

With respect to VAT, invoices received and copies of invoices issued by the taxpayer must be stored in Belgium or in another EU member state under certain conditions. Invoices must be stored either in electronic or paper format (Article 60, § 3 of the VAT Code).

Article 463 of the Companies Code requires that the Company register of shareholders and register of bonds must be kept at the registered office of the company. Since 2005, it is possible to keep the registers in electronic format as long as they are accessible at the registered office of the company.

Contrary to the standard definition of personal data, the definition of personal data under the Austrian Data Protection Authority extends to data relating to both individuals and legal entities. Austria is one of the few countries to extend local data protection law to legal entities.

The Law No. 8968 for the Protection in the Handling of the Personal Data of Individuals published in March 2013 requires data controllers to provide an all-access “Super User” account to the data protection authority - Prodhab.

The Law No. 8968 for the Protection in the Handling of the Personal Data of Individuals published in March 2013 introduced a period of five days for notifying data subjects affected by a data breach and to conduct an exhaustive investigation to determine the extent of the breach and implement the corresponding corrective and preventive measures. Data controllers are also obliged to notify Prodhab - the Costa Rican data protection authority.

The Law No. 8968 for the Protection in the Handling of the Personal Data of Individuals published in March 2013 requires that personal data that could affect the data subject may not be retained for longer than 10 years after the facts to which they pertain occurred, except as specified by law or an agreement between the parties.

A breach the provisions of Laws 1266 and Law 1581 can result in penalties of up to 2,000 Minimum Monthly Legal Wages (approx. 670.000 USD) for each case and sanctions that include the temporary or permanent closure of the professional or commercial activities of the subject who breached the data protection regime.

Article 4 of Decree 1704 states that communications providers must retain and store for a period of 5 years subscribers personal information (identity, address, localization), which must be available to the Attorney General or any competent authority at any time and in real time.

Pursuant to Law 1266 of 2008, personal data may not be transferred outside of Colombia to countries which do not comply with the adequate standards of data protections. This restriction does not apply in the following cases:
- when there is an express authorisation by the data dubject;
- when the information relates to medical data as required by issues of health and public hygiene;
- for banking operations; and
- for operations carried out in the context of international conventions which Colombia has ratified.

It has been reported that Colombia's National Protection Office (NPO) is considering data localisation or other barriers to data flows as part of a cloud services procurement project for government agencies. Early drafts show the NPO is considering a vague “adequacy” assessment to decide which countries provide adequate data protection. The NPO has reportedly prepared a draft list of “adequate” countries without detailing how these countries were assessed.

It has been reported that Argentina's requirement that databases of sensitive information must be encrypted is overly prescriptive. This restriction is due to be eliminated by a Draft Personal Data Protection Law currently being considered by the Argentinian Parliament