Database

The Accounting Act requires that a copy of the accounting records in kept within Finland. Alternatively, the records can be stored in another EU country if a real-time connection to the data is garanteed.

Since 2011, the Danish Data Protection authority has ruled in several cases against processing of local authorities' data in third countries without using standard contractual clauses. This is the result of a strict interpretation of the European Directive 95/46/EC. Therefore, services such as Dropbox, Google Apps and Microsoft's Office 365 cannot be used by local authorities unless they have signed an agreement with the processor based on standard contractual clauses.

The basis for the Audit Act (section 45) is that financial records for governamental institutions must be stored in Denmark. This applies to both physical appendixes and digital data. This regulation means that financial records may be stored on a server abroad provided that an exact copy of the records is made on a monthly basis at a minimum. Such copy must be placed on a server in Denmark or in paper.

The basis of the Bookkeeping Act (section 12) is that financial records must be stored in Denmark or in the Nordic countries. This applies to both physical appendixes and digital data. Hence, if financial records are stored on a server physically placed outside Denmark a complete copy must be kept in Denmark.

In Bulgaria, an applicant for a gaming license must assure that all data related to operations in Bulgaria is stored on a server located in the territory of Bulgaria. Moreover, the applicant has to assure that the communication equipment and the central computer system of the organizer are located within the EEA or in Switzerland.

With respect to income tax, except in case of exception granted by the administration, the books and documents must be kept at the disposal of the tax administration in the office, agency, branch or other professional or private premises of the taxpayer where they have been kept, prepared or sent.

With respect to VAT, invoices received and copies of invoices issued by the taxpayer must be stored in Belgium or in another EU member state under certain conditions. Invoices must be stored either in electronic or paper format (Article 60, § 3 of the VAT Code).

Article 463 of the Companies Code requires that the Company register of shareholders and register of bonds must be kept at the registered office of the company. Since 2005, it is possible to keep the registers in electronic format as long as they are accessible at the registered office of the company.

Pursuant to Law 1266 of 2008, personal data may not be transferred outside of Colombia to countries which do not comply with the adequate standards of data protections. This restriction does not apply in the following cases:
- when there is an express authorisation by the data dubject;
- when the information relates to medical data as required by issues of health and public hygiene;
- for banking operations; and
- for operations carried out in the context of international conventions which Colombia has ratified.

It has been reported that Colombia's National Protection Office (NPO) is considering data localisation or other barriers to data flows as part of a cloud services procurement project for government agencies. Early drafts show the NPO is considering a vague “adequacy” assessment to decide which countries provide adequate data protection. The NPO has reportedly prepared a draft list of “adequate” countries without detailing how these countries were assessed.

Section 12 of the Data Protection Act of Argentina (Law 25,326) prohibits the transfer of personal data to countries that do not have an adequate level of protection in place. According to Regulation No. 60-E/2016, the list of countries with adequate levels of data protection includes the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faroe Islands, Canada (only private sector), New Zealand, Andorra and Uruguay. The prohibition does not apply to transfers of data made: (i) for international judicial cooperation; (ii) for healthcare or anonymised personal data for the purpose of an epidemiological survey; (iii) for stock exchange or banking transfers; (iv) when subject to an international treaty to which the Argentine Republic is a signatory; (v) for international cooperation between intelligence agencies in the fight against organised crime, terrorism and drug trafficking; or (vi) where the data subject has expressly consented to the assignment.

Regulation No. 60-E/2016 also provides model contract language for international data transfers to countries that do not provide adequate levels of protection. The Regulation also requires notification to the Dirección Nacional de Protección de Datos Personales (DNPDP) when contracts are used other than those provided in the Regulation. This acts as a de facto registration requirement for some international data transfers, which has been reported as cumbersome.

A Draft Personal Data Protection Law would require that certain public sector data be stored locally. This requirement extends to public institutions and to private-sector companies that provide services for governmental entities, and would furthermore prohibit federal government entities from contracting with any service provider that may allow other international governmental agencies or organizations to access the data concerned.

The Council of State recently announced that it is in the process of drafting the Personal Information Protection Act. According to the draft, the Act would require specific consent by the data subject before an overseas transfer is executed.

Thailand does not have any general statutory law governing data protection or privacy. However, the Constitution does recognize the protection of privacy rights and some laws in some specific areas do provide a certain level of protection against any unauthorised collection, processing, disclosure and transfer of personal data.

The Financial Supervisory Commission (FSC) established stringent rules for processing of personal financial information off-shore. Yet, on May 2014, the requirements that both local and foreign banks establish standalone onshore data centers were lifted.

There is no consent requirement for transfer in third countries, but the data subject has to be notified in advance that his/her personal data is being transferred to another country.

Yet, according to Article 21 of the Personal Data Protection Act (PDPA), the international transmission of personal information can be interrupted by the central competent government authority if the transmission involves major national interests or if the country receiving personal information lacks adequate data protection laws.