Time and again internationally operating enterprises are endeavouring to find the optimal location for their IT servers. They aim at establishing uniform standards, controlling subsidiaries better or simply saving costs. The server stores technical, commercial, balance sheet and tax relevant data, as well as personal data, i.e. the knowledge and resources of the enterprise. That the transfer of this data entails considerable legal risks, however, is a fact frequently overlooked, despite the threat of serious sanctions.
Under German law, enterprises violating the relevant provisions risk fines of up to EUR 500,000, not to mention forbearance or repatriation claims and damage suits and, for the managers personally, monetary fines or – in extreme cases – prison sentences.
Export control law, in particular, can be an unwelcome eye opener. It regulates every form of transmission of controlled technology and software. If a server with all its data is transferred to a group company in the United States, for example, requires the permission of the export control authorities if this data relates to specific technical knowledge concerning military goods or dual-use goods (i.e. goods which can also be used for civilian purposes). These are defined in the export list contained in the German Foreign Trade Regulations (Außenwirtschaftsverordnung, "AWV"), albeit in many cases unclearly; the exceptions named therein should also not be interpreted too broadly. Subsequent access to the data from the original land of origin and from other countries is likewise deemed an export – pursuant to the law of the new server location.
EU data protection laws regularly treat the intergroup transfer of data as a transfer of data to a third party. To the extent the relocation leads to a change in the company organisation in the sense of the German Shop Constitution Act (Betriebsverfassungsgesetz, "BetrVG"), a shop agreement is re-quired. If the new server location is outside of the EU and European Economic Area (EEA) a reasonable data protection level must be ensured, for example through the conclusion of standard contracts prescribed by the EU.
From the tax perspective, relocations are always problematic if the servers contain accounting data. In this case, an approval by the tax office is required. Cross-border server relocations also regularly trigger the requirement to settle the costs for the cross-border operation at an internal group level (transfer prices). This is subject to special documentation and recording obligations.
A further question which ultimately also arises is whether licence conditions oppose the relocation. Depending on the licensing terms, the software licence may have to be transferred to the new group company which operates the servers – which requires the consent of the manufacturer or re-seller of the software.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
