Time and again internationally operating enterprises are
endeavouring to find the optimal location for their IT servers.
They aim at establishing uniform standards, controlling
subsidiaries better or simply saving costs. The server stores
technical, commercial, balance sheet and tax relevant data, as well
as personal data, i.e. the knowledge and resources of the
enterprise. That the transfer of this data entails considerable
legal risks, however, is a fact frequently overlooked, despite the
threat of serious sanctions.
Under German law, enterprises violating the relevant provisions
risk fines of up to EUR 500,000, not to mention forbearance or
repatriation claims and damage suits and, for the managers
personally, monetary fines or – in extreme cases
– prison sentences.
Export control law, in particular, can be an unwelcome eye
opener. It regulates every form of transmission of controlled
technology and software. If a server with all its data is
transferred to a group company in the United States, for example,
requires the permission of the export control authorities if this
data relates to specific technical knowledge concerning military
goods or dual-use goods (i.e. goods which can also be used for
civilian purposes). These are defined in the export list contained
in the German Foreign Trade Regulations
(Außenwirtschaftsverordnung, "AWV"), albeit in many
cases unclearly; the exceptions named therein should also not be
interpreted too broadly. Subsequent access to the data from the
original land of origin and from other countries is likewise deemed
an export – pursuant to the law of the new server
EU data protection laws regularly treat the intergroup transfer
of data as a transfer of data to a third party. To the extent the
relocation leads to a change in the company organisation in the
sense of the German Shop Constitution Act
(Betriebsverfassungsgesetz, "BetrVG"), a shop agreement
is re-quired. If the new server location is outside of the EU and
European Economic Area (EEA) a reasonable data protection level
must be ensured, for example through the conclusion of standard
contracts prescribed by the EU.
From the tax perspective, relocations are always problematic if
the servers contain accounting data. In this case, an approval by
the tax office is required. Cross-border server relocations also
regularly trigger the requirement to settle the costs for the
cross-border operation at an internal group level (transfer
prices). This is subject to special documentation and recording
A further question which ultimately also arises is whether
licence conditions oppose the relocation. Depending on the
licensing terms, the software licence may have to be transferred to
the new group company which operates the servers – which
requires the consent of the manufacturer or re-seller of the
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Turkey's main regulation regarding advertisements, the Regulation on Commercial Advertisement and Unfair Commercial Practices was amended with another regulation published on the Official Gazette of 4 January 2017, effective immediately.
The European Commission's DSM strategy was originally published in May 2015 with the aim of developing the EU's digital economy by creating a free and secure DSM...
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).