Database

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

The law on data retention is still in force in Portugal. The retention period is 12 months.

In Portugal, all transfer of data outside the EU must be notified and, except when directed to whitelisted countries or when using model contracts, they have to be authorized by the relevant Commission. The Portuguese Data Protection Authority (DPA) also issued on 10 November 2015 specific guidelines on Intra‑Group Agreements ("IGA") involving transfers of personal data to non-EEA countries. The DPA considers that such transfers depend on prior authorisation from the DPA for the purposes of assessing if IGAs contain sufficient guarantees that the personal data transferred continues to benefit from the same level of protection as in the EEA countries.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In Poland, the national law is still in force despite the ECJ ruling invalidating the Data Retention Directive. The data retention period is 24 months.

According to the Polish Gambling Act, any entity organizing gambling activities is obliged to archive in real time all data exchanged between such entity and the users in an archive device located in Poland.

Another restriction is the requirement that the equipment (servers) for processing and storing information and data regarding the bets and their participants must be installed and kept on the territory of a member state of the EU or EFTA.

Locatisation requirements apply to public records that have to be stored in archives in specific locations in the Netherlands. This applies both to paper and electronic records.

In Malta, the legislation prescribes that a transfer of personal data to another country constitutes processing and as such must be notified to the Commissioner’s Office.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

Despite the ECJ ruling, the Maltese law on data retention still applied. It specifies one year of data rentention for fixed, mobile and internet telephony data, and six months for internet access and internet email.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In Luxembourg, the data retention period is six months and the legislation is still in force. However, the Government has shown intention to comply.

According to the Circular CSFF 12/552, financial institutions in Luxembourg are required to process their data within the country. Processing abroad is exceptionally permitted for an entity of the group to which the institution belongs or with explicit consent.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In Lithuania, a data retention period of six months still applies despite the the ECJ ruling.

An Italian court convicted three Google Inc. executives (Google's senior vice president and chief legal officer, its chief privacy counsel and the company's former chief financial officer) to a six-month jail sentence for violation of data protection laws by allowing a video of students bullying a disabled boy to air on the Google Video site. The prosecutors argued that because Google handled user data — and used content to generate advertising revenue — it was a content provider, not a service provider, and therefore broke Italian privacy law. The Court of Appeals of Milan on 21 December 2012 ruled that “no crime has been committed” and exonerated the three executives.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In Italy, the Directive has been implemented through an amendment to the Privacy Code effective as of August 2009 and still applying today. Under the Privacy Code, providers of a public communications network or a publicly available electronic communications service must retain "telephone traffic data" and "electronic communications traffic data" for 24 months or 12 months, respectively, for law enforcement purposes. A 30 day retention period applies in case of data related to unsuccessful calls processed on a provisional basis.

Article 39 of the Presidential Decree no. 633 of 1972 states state electric archives related to accounting data for VAT declarations might be kept in a foreign country only if some kind of convention has been concluded between Italy and the receiving country governing the exchange of information in the field of direct taxation. Therefore, such limitation does not apply intra-EU.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In Ireland, the Communications (Retention of Data) Act 2011 requiring 13 to 25 months data retention is still in force notwithstanding the ECJ ruling.

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union (ECJ) declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

The Hungarian Act on Electronic Communications requires 12 months retention for all data which are not calls. Hungary legislation is still in force despite the ECJ ruling.