Iceland - Data Protection Overview

November 2021

1. Governing Texts

While Iceland is a European Economic Area ('EEA') member, it is not an EU Member State. The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') applies in the EEA by virtue of Decision No. 154/2018 of the EEA Joint Committee, and was implemented into Icelandic law. The transitional provisions state that all rules and regulations which have been issued under the old Law 77/2000 on the Protection of Privacy as Regards the Processing of Personal Data will continue to be valid as long as they do not infringe current data protection legislation. Iceland has an active data protection authority.

1.1. Key acts, regulations, directives, bills

The GDPR was implemented in Iceland with Act 90/2018 on Privacy and Processing of Personal Data ('the Act') which came into force on 15 July 2018.

1.2. Guidelines

The Icelandic data protection authority ('Persónuvernd') has issued guidelines and formats in relation to the Act and the GDPR:

  • Guidelines on data protection officers ('DPOs') (only available in Icelandic here);
  • FAQs on data protection officers ('the Persónuvernd FAQs') (only available in Icelandic here);
  • Guidelines on personal data breaches (only available in Icelandic here);
  • Guidelines for processors of personal data (only available in Icelandic here);
  • Guidelines on consent (only available in Icelandic here);
  • Guidelines on records of processing activities (only available in Icelandic here);
  • Guidelines on Data Protection Impact Assessments ('DPIAs') (only available in Icelandic here);
  • Questions and answers on DPIAs and prior consultation (only available in Icelandic here);
  • Guidelines on security of personal data (only available in Icelandic here);
  • Template for a data processing agreement (only available to download in Icelandic here);
  • Template for a record of processing activities for controllers (only available to download in Icelandic here); and
  • Template for a record of processing activities for processors (only available to download in Icelandic here).

1.3. Case law

Since the Act entered into force, no case law has been issued within the Act's scope. See the section on enforcement decisions below.

2. Scope of Application

2.1. Personal scope

According to Article 7 of the Act, the Act and the GDPR apply to the processing of personal data of Icelandic data subjects.

According to Article 4 of the Act, the Act and the GDPR do not apply to a natural person's use of their own personal data where that data concerns their family's private affairs or is solely intended for private purposes.

Moreover, the Act applies, where appropriate, to the processing of personal data of deceased natural persons for a period of five years from their death, or longer where the personal data concerned is such that it is fair and reasonable to keep it confidential.

2.2. Territorial scope

According to Article 7 of the Act, the Act and the GDPR apply to the processing of personal data in relation to the function of controllers or processors established in Iceland, regardless of whether the processing itself is carried out in the EEA or not. Moreover, the Act and the GDPR apply to the processing of personal data of data subjects in Iceland carried out within the function of controllers or processors not established in the EEA, where the processing is related to:

  • the offering of goods or services to such data subjects in the EEA, irrespective of whether a payment is required of the data subject; or
  • the monitoring of their behaviour as far as their behaviour takes place within that area.

In certain cases, controllers or processors may have to designate a representative within the EEA or in a Member State of the Convention establishing the European Free Trade Association, subject to the exceptions provided for in Article 27 of the GDPR. In that case, the provisions of the Act concerning controllers or processors apply to the representative, as further stipulated in Article 27 of the GDPR.

2.3. Material scope

According to Article 4 of the Act, the Act and the GDPR apply to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Furthermore, the Act and the GDPR do not apply to the processing of personal data by the judiciary in the performance of its judicial tasks, nor to the processing of personal data in relation to the function of the Althingi (the Icelandic Parliament), its bodies and its investigative bodies, nor to processing by the State for law enforcement purposes.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Persónuvernd is the independent supervisory authority responsible for implementing and enforcing the provisions of the Act and the GDPR.

3.2. Main powers, duties and responsibilities

Persónuvernd monitors compliance with the Act and the GDPR. It handles complaints lodged by data subjects, organisations, or associations, and can also consider cases on its own initiative.

The decisions made by Persónuvernd are final and may not be brought before any other administrative authority. The decisions, however, can be brought before the courts, and complaints concerning the administration of Persónuvernd can be addressed to the Parliamentary Ombudsman.

The other main responsibility of Persónuvernd is to promote public awareness and understanding of the risks, rules, safeguards, and rights in relation to the processing of personal data. Persónuvernd also advises the Parliament, the Government of Iceland, and other institutions on legislative and administrative measures relating to the processing of personal data. Persónuvernd cooperates with other supervisory authorities with a view to ensuring the consistent application and enforcement of the GDPR, and monitors relevant developments insofar as they have an impact on the protection of personal data.

Persónuvernd can request police assistance if anyone seeks to hinder it in its monitoring capacity. If processing activities are discovered to be in violation of the provisions of the Act, the GDPR, or any administrative rules which are issued according to the Act, Persónuvernd can assign to the Chief of Police the task of temporarily halting the operations of the party in question and sealing its place of operation without delay.

4. Key Definitions

Data controller: The natural or legal person, public authority, or other body which determines, alone or jointly with others, the purposes and means of the processing of personal data (Article 3(6) of the Act).

Data processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller (Article 3(7) of the Act).

Personal data: Information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person (Article 3(2) of the Act).

Sensitive data: According to Article 3(3) of the Act, the following data qualifies as sensitive:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
  • data concerning health; that is, personal data related to the physical or mental health of a natural person, including the provision of healthcare services, and data on any drug, alcohol, or substance consumption;
  • data on a natural person's sex life or sexual orientation;
  • personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; and
  • personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data, on the condition that the data is used for the purpose of uniquely identifying a natural person.

Health data: Health data means personal data related to the physical or mental health of a natural person, including the provision of healthcare services, and data on any drug, alcohol, or substance consumption (Article 3(3)(a) of the Act).

Biometric data: Biometric data means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data, on the condition that the data is used for the purpose of uniquely identifying a natural person (Article 3(3)(e) of the Act).

Pseudonymisation: The Act does not define pseudonymisation.

5. Legal Bases

5.1. Consent

There are no national law variations.

5.2. Contract with the data subject

There are no national law variations.

5.3. Legal obligations

There are no national law variations.

5.4. Interests of the data subject

There are no national law variations.

5.5. Public interest

According to Article 31 of the Act, Persónuvernd may require controllers to consult with, and obtain prior authorisation from, Persónuvernd in relation to processing activities carried out by a controller for the purpose of performing a task in the public interest which may carry a specific risk of contravening the rights and freedoms of data subjects. In addition, Persónuvernd has issued an updated set of rules on such prior authorisation (only available in Icelandic here).

Where personal data are processed for archiving purposes in the public interest, the rights referred to in Articles 15, 16, 18, 19, 20, and 21 of the GDPR do not apply, insofar as such rights are likely to render impossible or seriously impair the achievement of the specific purposes (Article 18(3) of the Act, and Article 89(3) of the GDPR).

5.6. Legitimate interests of the data controller

There are no national law variations.

5.7. Legal bases in other instances

There are no national law variations. However, see section on the right to object/opt-out below for rules on direct marketing.

6. Principles

There are no national law variations.

7. Controller and Processor Obligations

7.1. Data processing notification

In general, there are no requirements in the Act in relation to any notification or registration to Persónuvernd. However, according to Article 37(7) of the GDPR, the controller or the processor must communicate the contact details of the DPO to Persónuvernd.

According to Article 15 of the Act, a permit issued by Persónuvernd is required to collect and register financial and credit standing data of companies, and other legal persons, for the purpose of disclosing such information to others.

According to Article 31 of the Act, Persónuvernd may require controllers to consult with, and obtain prior authorisation from, Persónuvernd in relation to processing activities carried out by a controller for the purpose of performing a task in the public interest which may carry a specific risk of contravening the rights and freedoms of data subjects. In addition, Persónuvernd has issued an updated set of rules on such prior authorisation (only available in Icelandic here). However, Persónuvernd may waive such an authorisation requirement once general rules and security standards have been implemented with regard to the processing in question.

The Minister of Justice has issued a list of tariffs (only available in Icelandic here) requiring controllers to pay a fee to Persónuvernd for its regulatory activities, authorisations, or other services (Article 40 of the Act).

7.2. Data transfers

There are no national law variations.

7.3. Data processing records

There are no national law variations.

7.4. Data protection impact assessment

According to Article 29(2) of the Act, Persónuvernd shall make public a list of the kind of processing operations which are subject to the requirement for a DPIA ('the DPIA Blacklist'). By Public Notice No. 337/2019 the DPIA Blacklist was made public by Persónuvernd (only available in Icelandic here).

According to Article 29(3) of the Act, Persónuvernd may make public a list of the kinds of processing operations which are not subject to the requirement for a DPIA. To date, no such list has been published by Persónuvernd.

Where a DPIA reveals that the processing would result in a high risk in the absence of measures to mitigate the risk, the controller must consult Persónuvernd. Within a period of up to eight weeks after receipt of the request for consultation, Persónuvernd should provide written advice to the controller and, if applicable, to the processor. This period can be extended by six weeks (Article 30 of the Act).

DPIA Blacklist

As a rule, the controller should treat processing that meets two of the criteria below as requiring a DPIA. However, in some cases a controller may conclude that processing meeting only one of these criteria requires a DPIA.

The DPIA Blacklist lists the following criteria for the types of processing operations requiring a DPIA:

  • data collected via third parties in conjunction with at least one other criterion;
  • systematic monitoring, including camera surveillance, on a large scale, in areas accessible by the public;
  • camera surveillance in schools or kindergartens during opening hours;
  • processing of personal data for the purpose of evaluating learning, coping and well-being in schools or kindergartens;
  • processing of biometric data for identification purposes in conjunction with at least one other criterion;
  • processing of genetic data in conjunction with at least one other criterion;
  • processing of personal data involving measures for systematic monitoring of employee activities;
  • processing of personal data using innovative technology in conjunction with at least one other criterion;
  • processing of personal data to systematically monitor proficiency, skills, scores, mental health and development;
  • processing of personal data without consent for scientific or historical purpose in conjunction with at least one other criterion;
  • processing personal data with the purpose of providing services or developing products for commercial use that involve predicting working capacity, economic status, health, personal preferences or interests, trustworthiness, behaviour, location or route in conjunction with at least one other criterion;
  • processing of sensitive or highly personal data on a large scale for training of algorithms;
  • collection of personal data on a large scale through the use of internet of things solutions or welfare technology solutions; and
  • data processing that in itself prevents data subjects from exercising a right or using a service or a contract in conjunction with one other criterion.

7.5. Data protection officer appointment

It is recommended that organisations performing tasks in the public interest, such as public transport, housing agencies, road construction, and energy suppliers, as well as organisations undertaking extensive processing of personal data, appoint a DPO (the Persónuvernd FAQs).

The same requirements still apply to organisations who choose to appoint a DPO, even if the appointment is not mandatory.

Qualifications

The appointed DPO is not required to be a lawyer; they should nevertheless have a thorough understanding of privacy legislation and other laws relating to the data processing concerned (the Persónuvernd FAQs).

Role

According to Article 36 of the Act, a DPO may not disclose any information brought to his or her knowledge in the course of his or her work and covered by the obligation of professional secrecy. That obligation, however, no longer applies if the data subject has given his or her consent to lifting professional secrecy and the disclosure is necessary for the function of the DPO.

A breach by a natural person of professional secrecy pursuant to Article 36 of the Act is punishable by fines or imprisonment of up to one year (cf. Article 48(3) of the Act).

The DPO must have the necessary facilities and resources to carry out their work, such as (the Persónuvernd FAQs):

  • active support of senior officers;
  • sufficient time to carry out the project;
  • sufficient financial support, work facilities and subordinates;
  • formal status as a privacy officer;
  • access to support services within the organisation; and
  • continuous training and education.

Location

A DPO must, as a rule, be located within the EEA, regardless of whether the data processing takes place there. However, where the controller or processor has no establishment in the EEA, it cannot be excluded that a DPO may be able to carry out their activities more effectively if located outside the EEA (the Persónuvernd FAQs).

7.6. Data breach notification

The obligation to notify the data subject of a data breach does not apply (Article 17(7) of the Act and Article 23 of the GDPR):

  • if national security interests prevail; or
  • when preventing, investigating, or prosecuting criminal offences.

7.7. Data retention

According to Article 14 of the Act, any material collected through surveillance must be deleted when there are no longer objective grounds to keep it. Persónuvernd has issued Rules on Electronic Surveillance No. 837/2006 (only available in Icelandic here) ('the Rules'). Article 7 of the Rules stipulates that personal data collected by electronic surveillance cannot be retained for longer than 90 days unless otherwise provided for by law. This does not, however, apply to personal data collected by logging or stored in backup files, nor to data to be used for the purposes of existing legal proceedings.

7.8. Children's data

According to Article 10(5) of the Act, in relation to the offer of information society services directly to a child, the processing of personal data of a child (under 13 years old) is subject to parental (or a legal representative's) consent.

7.9. Special categories of personal data

Article 11 of the Act refers to special requirements for the processing of sensitive personal data. Under the Act, sensitive personal data is given the same meaning as special categories of data, and is defined in Article 9 of the GDPR and Article 3(3) of the Act. Persónuvernd is tasked with making decisions on any disputes concerning whether personal data falls within the definition of sensitive personal data.

The processing of personal data relating to criminal convictions and offences should not be carried out by official authorities, unless such processing is necessary for the execution of their legal activities. Such personal data should not be disclosed without the unambiguous consent of the data subject, or unless such disclosure is pursued as a legitimate interest of the official authority, or is necessary for the execution of the authority's legal activities, or for the execution of an official task which has been assigned to a private party (Article 12(1) and (2) of the Act).

Private parties are not allowed to process personal data relating to criminal convictions and offences unless they have obtained the unambiguous consent of the data subject, or the processing is necessary to safeguard the legitimate interests of the respective official authority or the private party, and such interests are not overridden by the fundamental rights and freedoms of the data subject (Article 12(3) of the Act). The same applies to disclosure of such personal data: the data subject must give unambiguous consent to the disclosure, unless the disclosure is necessary to safeguard the legitimate interests of the official authority or the private party in question and the data subject's legitimate interest in keeping the personal data confidential does not prevail (Article 12(4) of the Act).

The Director of Public Prosecution has issued rules on the national criminal records (only available in Icelandic here).

Persónuvernd has issued Rules on the Safety of the Processing of Personal Data in relation to Scientific Research in the Health Sector No. 622/2020 (only available in Icelandic here). Furthermore, Persónuvernd has issued Rules on the Safety and the Retention of Biological Specimen in Biological Specimen Banks No. 920/2019 (only available in Icelandic here).

7.10. Controller and processor contracts

There are no national law variations.

8. Data Subject Rights

8.1. Right to be informed

According to Article 17(2) of the Act, the data subject's rights to information and access to their personal data do not apply if vital interests of other individuals, the data subject himself/herself included, prevail.

Similarly, the information and access right of data subjects can be further restricted by a provision of an act of law, such as provisions to ensure public security, national defence, state security, professional secrecy, substantial public interests, or to facilitate investigation and prosecution of a criminal offence (Article 17(4) of the Act).

According to Article 19 of the Act, public authorities can transfer personal data between each other, where necessary in relation to their legal activities, without having to inform the data subject of such processing. This is an exception to the obligation to inform the data subject of any further processing of personal data for a purpose other than that for which the personal data were collected (Articles 13(3) and 14(4) of the GDPR).

8.2. Right to access

The access right of data subjects can be restricted by a provision of an act of law, such as provisions to ensure public security, national defence, state security, professional secrecy, substantial public interests, or to facilitate investigation and prosecution of a criminal offence (Article 17(4) of the Act).

8.3. Right to rectification

There are no national law variations.

8.4. Right to erasure

There are no national law variations.

8.5. Right to object/opt-out

The National Registry of Iceland ('Registers Iceland') maintains a registry of those individuals who object to their names being used for marketing purposes. The Minister, in cooperation with Persónuvernd, issues further rules on Registers Iceland and what information may be registered within it.

Controllers engaged in direct marketing, and those who use lists of names, addresses, email addresses, phone numbers, and similar data, or disclose them to a third party in connection with a similar enterprise, must, prior to using such lists, compare them against the Registers Iceland objection registry in order to prevent direct mail from being sent to, or phone calls being made to, those who have objected. Persónuvernd can grant exemptions from this duty in special cases (Article 21(2) of the Act).

The controller's name must be prominently displayed on outgoing targeted mail, together with information on where those who object to receiving such targeted mail and phone calls can turn. The recipient of targeted mail is entitled to know the origin of the data on which the mailing or phone call is based. This does not apply to a controller's marketing of its own products and services using its own customer list, provided that the material sent out states where it was sent from. If targeted mail is sent by electronic means, the targeted nature of the mail must be made clear as soon as the mail (Article 21(4) of the Act).

The controller may disclose lists of a company's members, employees, or customers for marketing purposes if such disclosure is based on the data subjects' consent or if the following conditions are met:

  • such disclosure does not include any sensitive personal data;
  • each of the data subjects has, before the disclosure, been given an opportunity to object to data relating to him/her appearing on the disclosed list;
  • such disclosure is not in violation of the rules or codes of the association in question; and
  • the controller examines if any of the data subjects has registered their objection with Registers Iceland, and data relating to the individual in question has subsequently been erased from Registers Iceland, before disclosing the list of information (Article 21(5) of the Act).

8.6. Right to data portability

There are no national law variations.

8.7. Right not to be subject to automated decision-making

There are no national law variations.

8.8. Other rights

There are no national law variations.

9. Penalties

If instructions given by Persónuvernd under Article 42(6), (7), or (9) of the Act are not observed, it can decide to impose daily fines upon the recipient of its instructions until it concludes that the necessary improvements have been made. Fines of up to ISK 200,000 (approx. €1,360) may be imposed for each day that Persónuvernd's instructions go unobserved (Article 45(1) of the Act).

If Persónuvernd's decision to impose daily fines is referred to the courts, then the fines will not begin to accrue until a final judgement has been rendered. Daily fines are deposited to the State Treasury and may be enforced without prior judgement (Article 45(2) of the Act).

Instances of non-compliance with an order issued by Persónuvernd, as referred to in Article 46(2) of the Act, are subject to administrative fines from ISK 100,000 (approx. €680) to ISK 1.2 million (approx. €8,160), or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Instances of non-compliance with an order by Persónuvernd as referred to in Article 46(3) of the Act, are subject to administrative fines from ISK 100,000 (approx. €680) to ISK 2.4 million (approx. €16,330), or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Persónuvernd's right to impose administrative fines according to the Act expires when five years have passed from the date the alleged violation in question came to an end. The limitation period expires when Persónuvernd notifies the party of the initiation of an investigation into the alleged violation (Article 46(7) of the Act).

9.1 Enforcement decisions

Persónuvernd has on four occasions imposed administrative fines pursuant to Article 46 of the Act and Article 83 of the GDPR. In a decision from March 2020 (only available in Icelandic here), the National Center of Addiction Medicine was ordered to pay ISK 3 million (approx. €20,400) as a result of a security breach in which its clinical records were processed unlawfully.

In another case from March 2020 (only available in Icelandic here), a teacher at a grammar school sent sensitive personal data of students to unrelated third parties. Persónuvernd imposed administrative fines of ISK 1.3 million (approx. €8,840) on the grammar school.

In June 2021, Persónuvernd issued a decision (only available in Icelandic here) in which it imposed an administrative fine of ISK 5 million (approx. €34,000) on an ice-cream shop in relation to CCTV surveillance in the shop. An employee filed a complaint regarding CCTV surveillance in the back of the shop, where employees changed clothes. Persónuvernd concluded that the surveillance did not satisfy the general rules on the lawfulness of processing of personal data, and that the surveillance of the room in question breached the proportionality rule under the Act. Furthermore, the controller had not fulfilled its duty to provide the employees with the necessary information regarding the surveillance. The severity of the breach and the decision to impose an administrative fine were based, inter alia, on the fact that some employees were minors and that the ice-cream shop had not been cooperative during the investigation of the case.

In April 2021, Persónuvernd issued a decision (only available in Icelandic here) in which it imposed administrative fines of ISK 3.5 million (approx. €23,800) on a company that operates an information system for schools in relation to a security breach. The breach involved unauthorised access to personal data of 424 students within the system.

Persónuvernd has issued several other decisions (only available in Icelandic here).