Database

The Guidelines on Point-of-Sale Card Acceptance Services require IT infrastructure for payment processing to be located domestically. All Point-of-Sale and ATM domestic transactions need to be processed through local switches and it is forbidden to route transactions outside the country for processing.

At the beginning of 2014, the National Information Technology Development Agency (NITDA) released guidelines on Nigerian content development in information and communications technology.

One of the requirements imposes that "Data and Information Management Firms" host government data locally within the country and shall not for any reason host any government data outside the country without an express approval from NITDA and the Secretary of Federal Government.

Another requirement imposes that all ICT companies host their subscriber and consumer data locally.

Under a draft Personal Data Protection Bill, processing of personal data can only be done with a free, informed, specific and clear consent of the data subject which is capable of being withdrawn. For "senstive personal data", a subset of of personal data including passwords, financial data, and health data, among other, explicit consent is required. The bill defines explicit consent as consent that must be specific, having regard to whether the data principal can choose to not consent to certain purposes of processing of their personal data.

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules provide that cross-border data flows of sensitive personal data or information can be made:
- provided that such transfer is necessary for the performance of a lawful contract between the body corporate (or any person acting on its behalf) and the provider of information, or
- provided that such transfer has been consented to by the provider of information.

In April 2018, the Royal Bank of India (RBI) issued a one-page directive stating that, within six months, all payment data held by payment companies should be held in local facilities. The Directive noted that this would help the RBI gain "unfettered supervisory access" to transaction data, which it needs to ensure proper monitoring.

Following a negative response from international payment companies such as MasterCard, Visa and American Express, the RBI has proposed to ease this restriction, so as to allow payment firms to store data offshore, as long as a copy was kept in India. In is not clear when the RBI's position will be clarified.

A draft Personal Data Protection Bill would require one copy of all personal data to which the law applies to be stored on a server located in India. The bill also gives the Indian government the authority to classify information as "critical personal data," which may only be stored within India. This would broadly apply to any data, "collected, disclosed, shared, or otherwise processed within the territory of India," meaning, for example that it could capture all personal data provided by foreign entities to Indian IT companies for processing, even if such foreign entities do not process Indian citizens' data.

The bill does not apply to anonymsed data, but does apply to data processors not present within India, so long as they have a connection to any business in India.

In 2015, India’s Ministry of Electronics and Information Technology (MEITY) issued guidelines for a cloud computing empanelment process under which cloud computing service providers may be provisionally accredited as eligible for government procurements of cloud services. The guidelines require such providers to store all data in India to qualify for the accreditation.

India’s National Data Sharing and Accessibility Policy requires that “non-sensitive data available either in digital or analog forms but generated using public funds” must be stored within the borders of India. The policy states that data belongs to the "agency/department/ministry/entity which collected them and reside in their IT enabled facility.”

The Protection of Privacy Regulations of 2001 permit transfers to: EU Member States; other signatories of Council of Europe Convention 108; and a country “which receives data from Member States of the European Community, under the same terms of acceptance”. Transfers to other countries are permitted:
- subject to data subject consent;
- from an Israeli corporate parent to a foreign subsidiary; or
- provided the data importer enters into a binding agreement with the data exporter to comply with Israeli legal standards concerning the storage and use of data.

Furthermore, the Privacy Protection Regulations (Data Security) 5777-2017 stipulate that engaging an outsourced data processing provider requires pre-engagement due-diligence review of the risks entailed in the engagement. The contractual engagement shall address issues such as the purposes for which the data will be used, the type of data processing to be performed, the period of engagement and return of the data upon conclusion of the engagement.

According to the Companies Act 2006, "if accounting records are kept at a place outside the United Kingdom, accounts and returns (...) must be sent to, and kept at, a place in the United Kingdom, and must at all times be open to such inspection".

In the United Kingdom, there are no legal prohibitions on exporting NHS patient data outside the country. However, the NHS and associated institutions are bound by strong legal, ethical and regulatory obligations of confidentiality. The location outside the UK of the data recipient is considered a risk factor by the NHS information governance rules and therefore might result in localisation of data.

The Financial Services Authority requires 'immediate' access to data in its market supervision which, according to business, the supervisory body interprets as been given physical access to servers. Accordingly, Swedish financial services providers are de facto required to maintain all its their records inside Swedish jurisdiction.

In relation to specific government authorities, there are certain provisions which might require the data processed by the authority to be held within Sweden or within the authority. This might affect the supply of cloud computing to public authorities.

In Sweden, documents such as a company’s annual reports, balance sheets and annual financial reports must be physically stored in Sweden for a period of seven years.

In Spain, cross-border data flows subject to Model Contracts or binding corporate rules require prior authorisation from the Director of the Spanish Data Protection Authority.