Yes. If data contains personal data, any transfer to a third country outside the European Economic Area that is not deemed to provide an adequate level of data protection by the European Commission generally requires that the data exporter ensure an adequate level of data protection consistent with Article 44 of the EU General Data Protection Regulation ("GDPR") on transfers.

Jurisdictions that are subject to an adequacy decision from the European Commission and deemed to provide an adequate level of protection are currently: Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, Japan, New Zealand, the republic of Korea, the United Kingdom and Uruguay.

If the transfer of personal data from the EU is to a jurisdiction which is not deemed to be “adequate” for the purposes of the GDPR, additional steps may be required such as entering into EU Standard Contractual Clauses, and conducting an assessment of the laws and practices of that third jurisdiction in relation to whether those laws/practices would impinge on the effectiveness of the Standard Contractual Clauses. There are also other alternative transfer tools under the GDPR such as Binding Corporate Rules.

Besides the restrictions described above on the flow of personal data outside the EU, there are no other rules obliging an entity to localize data inside of France.