Database

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

Despite the invalidation of the Directive on Data Retention by the Court of Justice of the European Union on 8 April 2014, the Telecommunication Act still applies in Iceland.

Passed in November 2016, the Investigatory Powers Act requires ISPs and some other communications providers to inform the government in advance of any new services. The law allows the government to issue a technical capacity notice which can include a requirement to make technical changes to software and systems. One of the itemized list of options to be considered is the removal of “electronic protection” on encrypted communications.
This requirement essentially means that UK authorities are allowed to install backdoors into the networks of ISPs, which would allow them to access any data at their discretion.

In November 2015, the Secretary of State for the Home Department presented the 'Draft Investigatory Powers Bill' to the Parliament. Clause 71 of the Bill requires web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and other public bodies. The Investigatory Powers Act received Royal Assent in November 2016.

According to the Companies Act 2006, "if accounting records are kept at a place outside the United Kingdom, accounts and returns (...) must be sent to, and kept at, a place in the United Kingdom, and must at all times be open to such inspection".

In the United Kingdom, there are no legal prohibitions on exporting NHS patient data outside the country. However, the NHS and associated institutions are bound by strong legal, ethical and regulatory obligations of confidentiality. The location outside the UK of the data recipient is considered a risk factor by the NHS information governance rules and therefore might result in localisation of data.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

Despite the ECJ ruling, the law implementing a data retention period of 12 months is still in force in Sweden. After the ruling, there have been some reported cases of companies that did not incur in any enforcement measure for not having stored their data.

The Financial Services Authority requires 'immediate' access to data in its market supervision which, according to business, the supervisory body interprets as been given physical access to servers. Accordingly, Swedish financial services providers are de facto required to maintain all its their records inside Swedish jurisdiction.

In relation to specific government authorities, there are certain provisions which might require the data processed by the authority to be held within Sweden or within the authority. This might affect the supply of cloud computing to public authorities.

In Sweden, documents such as a company’s annual reports, balance sheets and annual financial reports must be physically stored in Sweden for a period of seven years.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In Spain, Law 25/2007 relative to retention of data relating to electronic communications networks and public communication, effective from November 2007 is still in place. Such law is only applicable to electronic communications operators and provides for a retention period in respect of traffic data of 12 months from the date on which the communication occurred.

In Spain, cross-border data flows subject to Model Contracts or binding corporate rules require prior authorisation from the Director of the Spanish Data Protection Authority.

The Privacy Act contains a specific requirement for the so-called “traceability of processing of personal data”. It requires that the data controller and data processor enable subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and by whom (Art. 24).

In Slovenia, transfers of personal data to non-EEA and non-whitelist countries require the approval of the Commissioner. The approval is issued if the Commissioner establishes that a sufficient level of protection is ensured for the transferring of personal data respectively for the data subjects to which this data relates.

In Romania, any transfer of personal data to any state requires prior notification to the National Supervisory Authority for Personal Data Processing (NSAPDP). Moreover, any transfer of personal data to a recipient state not offering an adequate level of protection needs prior approval.

In Romania, the game server must store all data related to the provision of remote gambling services, including records and identification of the players, the stakes placed and the winnings paid out. Information must be stored using data storage equipment (mirror server) situated on Romanian territory.