According to Royal Decree-Law 14/2019, dated 31 October, on urgent measures for reasons of public safety in the areas of e-government, public sector procurement and telecommunications, the information and communication systems used for collection, storage, processing and management of electoral roll data , as well as data from users of the national health system and data concerning regional taxes, must be located within the EU.

Data transfer restrictions apply where the data recipient is located outside the European Economic Area (EEA). According to the Regulation (EU) 2016/679 of the European Parliament and of the Council, dated of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and the Spanish Organic Act 3/2018, dated 5 December, on Personal Data Protection and Digital Rights Safeguard ("Spanish LOPD"), any transfer of personal data outside the EEA qualifies as an international data transfer and can only be carried out where certain conditions are met (e.g., where the international data transfer is carried out on the basis of an adequacy decision, with appropriate safeguards, consent, etc.). The legal instrument used to carry out an international data transfer in accordance with GDPR will depend on the circumstances of each case and the location of the data recipient.