Database

In Slovenia, transfers of personal data to non-EEA and non-whitelist countries require the approval of the Commissioner. The approval is issued if the Commissioner establishes that a sufficient level of protection is ensured for the transferring of personal data respectively for the data subjects to which this data relates.

In Romania, any transfer of personal data to any state requires prior notification to the National Supervisory Authority for Personal Data Processing (NSAPDP). Moreover, any transfer of personal data to a recipient state not offering an adequate level of protection needs prior approval.

In Romania, the game server must store all data related to the provision of remote gambling services, including records and identification of the players, the stakes placed and the winnings paid out. Information must be stored using data storage equipment (mirror server) situated on Romanian territory.

In Portugal, all transfer of data outside the EU must be notified and, except when directed to whitelisted countries or when using model contracts, they have to be authorized by the relevant Commission. The Portuguese Data Protection Authority (DPA) also issued on 10 November 2015 specific guidelines on Intra‑Group Agreements ("IGA") involving transfers of personal data to non-EEA countries. The DPA considers that such transfers depend on prior authorisation from the DPA for the purposes of assessing if IGAs contain sufficient guarantees that the personal data transferred continues to benefit from the same level of protection as in the EEA countries.

According to the Polish Gambling Act, any entity organizing gambling activities is obliged to archive in real time all data exchanged between such entity and the users in an archive device located in Poland.

Another restriction is the requirement that the equipment (servers) for processing and storing information and data regarding the bets and their participants must be installed and kept on the territory of a member state of the EU or EFTA.

Locatisation requirements apply to public records that have to be stored in archives in specific locations in the Netherlands. This applies both to paper and electronic records.

According to the Circular CSFF 12/552, financial institutions in Luxembourg are required to process their data within the country. Processing abroad is exceptionally permitted for an entity of the group to which the institution belongs or with explicit consent.

Article 39 of the Presidential Decree no. 633 of 1972 states state electric archives related to accounting data for VAT declarations might be kept in a foreign country only if some kind of convention has been concluded between Italy and the receiving country governing the exchange of information in the field of direct taxation. Therefore, such limitation does not apply intra-EU.

In Greece, the Law No. 3971/2011 goes further in the implementation of the Data Retention Directive (later annuled by the European Court of Justice) by requiring that retained data on ‘traffic and localisation’ stay ‘within the premises of the Hellenic territory.’ The Law is still in force.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In 2010, the German Constitutional court found the implementation of the Directive on Data retention was unconstitutional. Yet, in October 2015, a new data retention law has passed, which will enter into force in 2017. The law provides that telecommunication providers must retain data such as phone numbers, the time and place of communication (except for emails), and the IP addresses for either four or 10 weeks. The data is to be stored in servers located within Germany (§113b).

According to the German Commercial Code, accounting documents and business letters must be stored in Germany.

Under the Tax Code, all persons and companies liable to pay taxes that are obliged to keep books and records must keep those records in Germany. There are some exceptions for multinational companies.

The Act on Value Added Tax states that invoices must be stored within the country, including when stored electronically. Alternatively, in case of electric storage, they may be stored within the territory of the EU if full online access and the possibility of download are guaranteed. In this case, the entity is obliged to notify the competent tax authority in writing of the location of the electronically stored invoices, and the tax authority may access and download the data.

There is no European prohibition of data transfer, neither has any EU Member State implemented a national prohibition of data transfer. However, the data protection authority (DPA) at the German federal state of Schleswig Holstein has declared in a position paper that all data protection instruments for the transfer of data to the US after the European Court of Justice's Schrems v Facebook judgment are going to be illegal. The DPA it has not taken any action in this regard, but has threatened to do so.

A ministerial circular dated 5 April 2016 on public procurement states that it it illegal to use a non "sovereign" cloud for data produced by public (national and local) administration: all data from public administrations has to be considered as archives and therefore stored and processed in France.