Explore the Norwegian Personal Data Act (DPA) in this comprehensive guide. Learn how it aligns with GDPR, its impact on businesses, and essential compliance requirements for data protection in Norway.
While the European Union's General Data Protection Regulation (GDPR) has set a global standard, Norway, as a member of the European Economic Area (EEA), has its own comprehensive data protection law: the Norwegian Personal Data Act (DPA).
This blog post serves as your guide to the Norwegian DPA, exploring its key provisions, its alignment with the GDPR, and its practical implications for businesses operating in Norway. Whether you're a Norwegian company or an international organization with operations in Norway, understanding the DPA is crucial for ensuring compliance and safeguarding the privacy of your customers and employees.
The Norwegian Personal Data Act, also known as the Law on the Processing of Personal Data, is a crucial piece of legislation that regulates data protection in Norway. Enacted on June 15, 2018, this Act aligns with the General Data Protection Regulation established by the European Union.
This Act, along with Regulation 0563/2018 on the Processing of Personal Data, includes specific national variations and additions to the GDPR. The Norwegian data protection authority, Datatilsynet, is responsible for enforcing data protection law in Norway.
While Norway is not a member of the European Union, it is part of the European Economic Area, which allows for cooperation and alignment with EU regulations. When the GDPR was incorporated into the EEA agreement, the GDPR became applicable in Norway in July 2018.
Judgments from the Court of Justice of the European Union (CJEU) likewise do not apply directly in Norway. However, Datatilsynet takes into account the practice of the CJEU, the European Data Protection Board (EDPB), and other national supervisory authorities when making decisions. Datatilsynet carries out supervisory activities on an ongoing basis and issues significant decisions to ensure data protection compliance in Norway.
The Norwegian Personal Data Act, along with the GDPR, imposes specific requirements on businesses operating in Norway, regardless of their location within the EU/EEA.
If your business processes personal data in connection with activities related to offering goods or services to individuals in Norway or monitoring their behavior within the country, then the Act applies to your business.
Furthermore, even if your business is not physically established in mainland Norway but operates in territories where Norwegian law applies by virtue of international law, such as Svalbard and Jan Mayen, the Act and the GDPR still extend to your data processing activities.
Similar to the GDPR, the Personal Data Act defines personal data as any information relating to an identified or identifiable natural person. This includes any information that can directly or indirectly identify an individual, such as name, identification number, location data, or online identifier.
The Act also defines sensitive personal data as personal data that reveals:
Like the GDPR, the Personal Data Act distinguishes between the data controller and the data processor. The data controller decides how the personal data is processed, while the data processor acts on behalf of the data controller. The data processor may therefore only process personal data according to the instructions of the data controller.
Data controllers and data processors are subject to different requirements. It is the data controller who has the overall responsibility for processing personal data in line with the regulations. The data processor shall only process personal data on behalf of the controller. The data processor nevertheless has independent duties.
If the business you share data with is a data processor, you need a data processing agreement; if it is an independent data controller, you need a legal basis for processing before handing over the information.
Under the Norwegian Personal Data Act, which implements the EU GDPR, consent is one of the lawful bases for processing personal data, but it is not the only one. The Act allows personal data to be processed without the data subject's consent in certain circumstances:
The Act also allows for the processing of personal data without consent for archival purposes in the public interest, or for statistical, scientific or historical research purposes.
Yes, you need a privacy policy. The Personal Data Act requires organizations to be transparent about how they process personal data. This includes providing information to individuals about the processing, such as the purposes, legal basis, and recipients of the data. A privacy policy is a common way to fulfill this transparency requirement.
The data subject rights under the Norwegian Personal Data Act are largely aligned with the rights outlined in the GDPR:
The Norwegian Personal Data Act aligns with the GDPR, meaning you must respond to data subject requests within 30 days (extendable to 60 days in complex cases).
You must verify the identity of the requester, understand the specific right being exercised (access, rectification, erasure, etc.), and provide the requested information or action within the timeframe.
You must also communicate with the data subject about the progress and outcome of their request and keep detailed records of all requests and responses.
The Norwegian DPA's international data transfer requirements are largely aligned with the GDPR.
Both regulations emphasize the need for adequate safeguards, legal bases for transfers, and transparency.
Data transfers are allowed to countries with adequate data protection or with appropriate safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
In case of a data breach, the Norwegian DPA requires you to notify Datatilsynet and, where the breach poses a "high risk" to individuals, to notify the affected individuals as well.
Notifications to Datatilsynet must be made within 72 hours of becoming aware of the breach and must include specific details about the breach.
Conducting a Data Protection Impact Assessment (DPIA) is required in certain situations under the Norwegian Personal Data Act and the guidelines issued by the Norwegian Data Protection Authority.
Specifically, Datatilsynet has published a DPIA "blacklist" that lists the types of processing operations for which a DPIA is mandatory. These include:
If your processing activities fall into any of these categories, you will most likely need to conduct a DPIA to comply with the Norwegian Personal Data Act and Datatilsynet's guidelines.
Under Norwegian law, certain organizations are required to appoint a Data Protection Officer (DPO) to oversee data protection compliance. The DPO is responsible for ensuring that data processing activities align with legal requirements, conducting impact assessments, and serving as a point of contact for data subjects. Their role is instrumental in upholding the principles of data protection within organizations.
The Norwegian DPA's enforcement and penalties are closely aligned with the GDPR.
The Norwegian Data Protection Authority (Datatilsynet) has powers to monitor, issue warnings and orders, and impose fines (up to €20 million or 4% of global turnover) for breaches.