Law: Act 90/2018 on Privacy and Processing of Personal Data ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')
Regulator: Icelandic data protection authority ('Persónuvernd')
Summary: Iceland is a European Economic Area ('EEA') member, but is not an EU Member State. The GDPR applies in the EEA by virtue of Decision No. 154/2018 of the EEA Joint Committee, and was implemented in Iceland by the Act. The transitional provisions of the Act state that all rules and regulations which have been issued under the old Law 77/2000 on the Protection of Privacy as Regards the Processing of Personal Data will continue to be valid as long as they do not infringe the Act and the GDPR. Persónuvernd is an active regulator that has issued several guidelines on the GDPR and data processing in Iceland.