Norwegian Data Protection Act:A Guide to Personal Data Processing in Norway

What is the Norwegian Personal Data Act?

The Norwegian Personal Data Act, also known as the Law on the Processing of Personal Data, is a crucial piece of legislation that regulates data protection in Norway. Enacted on June 15, 2018, this Act aligns with the General Data Protection Regulation established by the European Union.

This Act, along with Regulation 0563/2018 on the Processing of Personal Data, includes specific national variations and additions to the GDPR. The Norwegian data protection authority, Datatilsynet, is responsible for enforcing data protection law in Norway.

While Norway is not a member of the European Union, it is part of the European Economic Area, which allows for cooperation and alignment with EU regulations. When the GDPR was incorporated into the EEA agreement, the GDPR became applicable in Norway in July 2018.

Judgments from the Court of Justice of the European Union (CJEU) also do not directly apply in Norway. However, Datatilsynet takes into account practices from the CJEU, the European Data Protection Board (EDPB), and other national supervisory authorities when making decisions. Datatilsynet consistently conducts its supervisory activities and issues significant decisions to ensure data protection compliance in Norway.

Does the Act apply to my business?

The Norwegian Personal Data Act, along with the GDPR, imposes specific requirements on businesses operating in Norway, regardless of their location within the EU/EEA.

If your business processes personal data in connection with activities related to offering goods or services to individuals in Norway or monitoring their behavior within the country, then the Act applies to your business.

Furthermore, even if your business is not physically established in Norway but operates in locations where Norwegian law applies by international law, such as Svalbard and Jan Mayen, the Act and GDPR regulations still extend to your data processing activities.

What is personal data and sensitive data according to the Norwegian Personal Data Act?

Similar to the GDPR, the Personal Data Act defines personal data as any information relating to an identified or identifiable natural person. This includes any information that can directly or indirectly identify an individual, such as name, identification number, location data, or online identifier.

The Act also defines sensitive personal data as personal data that reveals:

1. Racial or ethnic origin
2. Political opinions
3. Religious or philosophical beliefs
4. Trade union membership
5. Genetic data
6. Biometric data for the purpose of uniquely identifying a natural person
7. Data concerning health
8. Data concerning a natural person's sex life or sexual orientation

What are the duties of data controllers and data processors?

Like the GDPR, the Personal Data Act distinguishes between the terms data controller and data processor. The data controller decides on the personal data, while the data processor acts on behalf of the data controller. The data processor can therefore only process personal data according to instructions from the data controller.

Data controllers and data processors are subject to different requirements. It is the data controller who has the overall responsibility for processing personal data in line with the regulations. The data processor shall only process personal data on behalf of the controller. The data processor nevertheless has independent duties.

If the business is a data processor, you need a data processor agreement, while if the business is an independent data controller, you need a basis for processing to hand over the information.

Do we need to consent to process personal data?

Under the Norwegian Personal Data Act, which implements the EU GDPR, consent is one of the lawful bases for processing personal data, but it is not the only one. The Act allows for personal data to be processed without the data subject's consent in certain circumstances :

• If the processing is necessary for the performance of a contract to which the data subject is a party, or for the purposes of pre-contractual measures taken at the data subject's request.
• If the processing is necessary for compliance with a legal obligation to which the controller is subject.
• If the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
• For special categories of personal data (sensitive data), consent or other specific conditions under the Act must be met, such as if the processing is necessary for the establishment, exercise or defense of legal claims.

The Act also allows for the processing of personal data without consent for archival purposes in the public interest, or for statistical, scientific or historical research purposes.

Do we need a privacy policy?

Yes, you need a privacy policy. The Personal Data Act requires organizations to be transparent about how they process personal data. This includes providing information to individuals about the processing, such as the purposes, legal basis, and recipients of the data. A privacy policy is a common way to fulfill this transparency requirement.

What are data subject rights?

The data subject rights under the Norwegian Personal Data Act are largely aligned with the rights outlined in the GDPR:

• Right to Access: Individuals have the right to obtain confirmation from the data controller whether personal data concerning them is being processed and, if so, to access that data. This includes information about the purpose of processing, the categories of data processed, the recipients of the data, and the retention period.
• Right to Rectification: Individuals have the right to request the rectification of inaccurate personal data concerning them.
• Right to Erasure (Right to be Forgotten): Individuals have the right to request the erasure of their personal data under certain circumstances, such as when the data is no longer necessary for the original purpose, consent is withdrawn, or the data is processed unlawfully.
• Right to Restriction of Processing: Individuals have the right to request the restriction of processing their personal data under certain circumstances, such as when the accuracy of the data is contested, the processing is unlawful, or the data is no longer needed for the original purpose.
• Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to Object: Individuals have the right to object to the processing of their personal data based on legitimate interests, direct marketing, or profiling.
• Right to Withdraw Consent: Individuals have the right to withdraw their consent to the processing of their personal data at any time.
• Right to Lodge a Complaint: Individuals have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) if they believe their data subject rights have been violated.

How to respond to data subject requests

The Norwegian Personal Data Act aligns with the GDPR, meaning you must respond to data subject requests within 30 days (extendable to 60 days in complex cases).

You must verify the identity of the requester, understand the specific right being exercised (access, rectification, erasure, etc.), and provide the requested information or action within the timeframe.

You must also communicate with the data subject about the progress and outcome of their request and keep detailed records of all requests and responses. 

What are the international data transfer requirements?

The Norwegian DPA's international data transfer requirements are largely aligned with the GDPR.

Both regulations emphasize the need for adequate safeguards, legal bases for transfers, and transparency.

Data transfers are allowed to countries with adequate data protection or with appropriate safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). 

What are the data breach requirements?

In case of a data breach, the Norwegian DPA requires you to notify the Datatilsynet and, in some cases, affected individuals about breaches that pose a "high risk" to individuals.

Notifications must be made within 72 hours of becoming aware of the breach and include specific details about the breach.

Do we need to conduct DPIA?

Conducting a Data Protection Impact Assessment (DPIA) is required in certain situations under the Norwegian Personal Data Act and the guidelines issued by the Norwegian Data Protection Authority.

Specifically, the Datatilsynet has provided a DPIA Blacklist that outlines the types of processing operations that require a DPIA. These include:

1. Data collected via third parties in conjunction with at least one other criterion.
2. Processing of biometric data for identification purposes in conjunction with at least one other criterion.
3. Processing of genetic data in conjunction with at least one other criterion.
4. Processing of personal data using innovative technology in conjunction with at least one other criterion.
5. Processing of personal data involving measures for systematic monitoring of employee activities.
6. Processing of personal data without consent for scientific or historical purpose in conjunction with at least one other criterion.
7. Processing of location data in conjunction with at least one other criterion.
8. Processing of personal data for the purpose of evaluating learning, coping, and improving well-being in schools or kindergartens.
9. Systematic monitoring, including camera surveillance, on a large scale in areas accessible by the public.
10. Camera surveillance in schools or kindergartens during opening hours.
11. Processing of sensitive or highly personal data on a large scale for training of algorithms.
12. Processing of personal data to systematically monitor proficiency, skills, scores, mental health, and development.
13. Processing personal data with the purpose of providing services or developing products for commercial use that involve predicting working capacity, economic status, health, personal preferences or interests, trustworthiness, behavior, location, or route.
14. Collection of personal data on a large scale through the use of 'Internet of Things' solutions or welfare technology solutions.

If your processing activities fall under any of these categories, it is likely that you would need to conduct a DPIA to comply with the Norwegian Personal Data Act and the Datatilsynet's guidelines.

Do we need a DPO?

Under Norwegian law, certain organizations are required to appoint a Data Protection Officer (DPO) to oversee data protection compliance. The DPO is responsible for ensuring that data processing activities align with legal requirements, conducting impact assessments, and serving as a point of contact for data subjects. Their role is instrumental in upholding the principles of data protection within organizations.

Enforcement and penalties

The Norwegian DPA's enforcement and penalties are closely aligned with the GDPR.

The Norwegian Data Protection Authority (Datatilsynet) has powers to monitor, issue warnings and orders, and impose fines (up to €20 million or 4% of global turnover) for breaches.