Database

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In Greece, the government is considering the possibility of invalidating the national law on data retention (National law 3917/2011), but so far the law is still in force. Data must be retained for a period of 12 months and it needs to be retained within the Hellenic territory.

In Greece, the Law No. 3971/2011 goes further in the implementation of the Data Retention Directive (later annuled by the European Court of Justice) by requiring that retained data on ‘traffic and localisation’ stay ‘within the premises of the Hellenic territory.’ The Law is still in force.

In certain states, public and private hospitals can use IT services external to the hospital only if they obtain prior consent of the subject or if there is prior anonymisation of the patient data.

In general, the collection, use and processing of social data shall be entrusted to public servants who owe their services and loyalty to the state. The use of cloud computing by private entities is subject to certain restrictions. It must ensure the absence of disturbances during the operations, lead to significant cost savings and the major part of the database has to remain with the respective public authority.

The use of Cloud Computing services may – depending on the information stored and the purpose of storing these information – constitute a disclosure of confidential information in violence of professional secrecy in the meaning of Sec. 203 StGB (German Criminal Code).

The professional secrecy includes personal data as well as all facts, which are been obtained for professional reasons. Professionals who are subject to professional secrecy are especially, but not exclusively, lawyers and legal professionals, medical professions, social care, clerical professionals and civil servants.

In general, the storage and processing of public registers / records with sensitive data of citizens (such as records of the tax authority or criminal records or registers of births, marriages and deaths or weapon registers or registers of data of social security institutions) may not be outsourced. Moreover, restrictions on cloud computing may arise from the exclusive access of civil servants to the exercise of sovereign powers, which is granted by the German Costitution (Art. 33(4)).

The requirements vary between different States in Germany. For example, in Brandenburg the authorities which store a register of the residency of Brandenburg’s citizens are only allowed to use private Cloud Computing services which are located in Brandenburg (Sec. 35 BbgMeldeG).

In August 2015, Germany issued nationwide guidelines that prohibit government agencies from using clouds to store sensitive data if the cloud company processes data outside the Germany. Cloud providers could qualify for the "German cloud" certification if their servers and company headquarters are located in Germany. However, the proposal was later withdrawn.

Under Germany’s Telecommunications Act, the government has a right to request data stored by telecommunications companies to advance certain prosecutorial and protective functions.

In June 2017, the German government passed a law to hand police the power to hack into devices belonging to all people suspected of criminal activity and not just those expected of terror offenses. Germany's security forces are able to hack into WhatsApp, Telegram and other encrypted messaging services as of the end of 2017, using a new version of Germany's state spyware, Remote Communication Interception Software (RCIS).

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In 2010, the German Constitutional court found the implementation of the Directive on Data retention was unconstitutional. Yet, in October 2015, a new data retention law has passed, which will enter into force in 2017. The law provides that telecommunication providers must retain data such as phone numbers, the time and place of communication (except for emails), and the IP addresses for either four or 10 weeks. The data is to be stored in servers located within Germany (§113b).

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In 2010, the German Constitutional court found the implementation of the Directive on Data retention was unconstitutional. Yet, in October 2015, a new data retention law has passed, which will enter into force in 2017. The law provides that telecommunication providers must retain data such as phone numbers, the time and place of communication (except for emails), and the IP addresses for either four or 10 weeks. The data is to be stored in servers located within Germany (§113b).

According to the German Commercial Code, accounting documents and business letters must be stored in Germany.

Under the Tax Code, all persons and companies liable to pay taxes that are obliged to keep books and records must keep those records in Germany. There are some exceptions for multinational companies.

The Act on Value Added Tax states that invoices must be stored within the country, including when stored electronically. Alternatively, in case of electric storage, they may be stored within the territory of the EU if full online access and the possibility of download are guaranteed. In this case, the entity is obliged to notify the competent tax authority in writing of the location of the electronically stored invoices, and the tax authority may access and download the data.

There is no European prohibition of data transfer, neither has any EU Member State implemented a national prohibition of data transfer. However, the data protection authority (DPA) at the German federal state of Schleswig Holstein has declared in a position paper that all data protection instruments for the transfer of data to the US after the European Court of Justice's Schrems v Facebook judgment are going to be illegal. The DPA it has not taken any action in this regard, but has threatened to do so.

Through a decree amending the Code of Electronic Communications, France has included a “territorial” restriction requiring that the systems for interception of electronic communications must be established in France.