Norway - Data Protection Overview

June 2021

1. Governing Texts

Norwegian data protection is governed by the Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018 (only available in Norwegian here) ('the Act'), which implements the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Act and Regulation 0563/2018 on the Processing of Personal Data (only available in Norwegian here) contain certain specific national variations and additions to the GDPR. The Norwegian data protection authority ('Datatilsynet') enforces data protection law.

As Norway is an EEA country, judgments from the Court of Justice of the European Union ('CJEU') are not directly applicable in Norway. However, Datatilsynet refers to practices from the CJEU, the European Data Protection Board ('EDPB'), and other national supervisory authorities in its decisions. In 2020 and 2021, Datatilsynet increased its supervisory activity significantly and issued more decisions than in previous years.

1.1. Key acts, regulations, directives, bills

The GDPR was adopted in the EEA by the EEA Joint Committee through Decision 154/2018 of the EEA Joint Committee of 6 July 2018. As noted above, the Act implements the GDPR by reference to its incorporation into the Agreement on the European Economic Area ('the EEA Agreement'), together with a limited number of provisions complementing the GDPR. The Act, along with the GDPR, entered into force on 20 July 2018.

1.2. Guidelines

Datatilsynet has published guidelines on the following issues (only available in Norwegian here):

  • information and transparency;
  • legal basis for processing;
  • processor and controller;
  • data processing agreements;
  • codes of conduct;
  • Data Protection Impact Assessments ('DPIAs');
  • software development with Privacy by Design and by Default;
  • fundamental privacy principles;
  • the right to data portability;
  • artificial intelligence and privacy;
  • privacy at work;
  • camera surveillance;
  • drones;
  • tracking in public spaces;
  • sound recording;
  • internal audit and information security;
  • FinTech and privacy;
  • information and marketing of political messages;
  • digital services and consumers' privacy;
  • transfer to third countries; and
  • COVID-19.

1.3. Case law

There are currently no enforcement practices in relation to the GDPR from the Supreme Court of Norway ('the Supreme Court'). However, enforcement of the previous law may still be instructive.

Ruling HR-2019-1226-A of 26 June 2019 sets out that the retention of the DNA profile of a man who had been sentenced to imprisonment for tax fraud in the DNA identity register was valid and not a breach of the European Convention on Human Rights. It was also mentioned that the Norwegian rules allow deletion after an individual assessment and that detailed provisions on, among other things, access, blocking, transparency, and storage give the necessary privacy guarantees.

Ruling HR-2017-833-A of 26 April 2017 (only available in Norwegian here) sets out that the copyright owner of movies was not entitled to obtain the identity behind IP addresses used to download such movies via BitTorrent networks. The Supreme Court found that the data subjects' privacy interests outweighed the interest of the copyright owner.

Ruling HR-2013-00234-A of 31 January 2013 (only available in Norwegian here) established that an employer's use of GPS data as evidence in a dismissal case was incompatible with the purpose for which the data was originally collected and thus in breach of personal data regulations.

2. Scope of Application

2.1. Personal scope

There are no national law variations from the GDPR.

2.2. Territorial scope

Both the GDPR and the Act apply to the processing of personal data in the context of the activities of an establishment of a controller or processor in Norway, regardless of whether the processing takes place within the EU/EEA. Additionally, the regulations apply to the processing of personal data of data subjects in Norway, where such processing activities are related to:

  • the offering of goods or services, irrespective of whether payment from the data subject is required, to such data subjects in Norway; or
  • the monitoring of their behaviour, as far as their behaviour takes place within Norway.

Both the GDPR and the Act also apply to the processing of personal data by a controller not established in Norway, but in a place where Norwegian law applies by virtue of public international law. As such, both the GDPR and the Act apply in Svalbard and Jan Mayen. However, for Svalbard, Article 56 and Chapter VII of the GDPR do not apply.

2.3. Material scope

In addition to the scope of application set out in the GDPR, neither the GDPR nor the Act applies:

  • when it is otherwise set out in law;
  • for the processing of personal data by a natural person in the course of a purely personal or household activity; and
  • for cases that are brought before certain dispute resolution bodies as set out in Section 2(2)(b) of the Act.

Notably, Article 56 and Chapter VII of the GDPR only apply within the scope of the EEA Agreement.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

Datatilsynet is the independent supervisory authority, financed by the Government of Norway ('the Government') (Section 20 of the Act).

3.2. Main powers, duties and responsibilities

Datatilsynet acts as a supervisory body, ensuring compliance with privacy regulations through information, dialogue, complaints handling, and inspections. Datatilsynet also acts as the main authority on the interpretation of provisions of privacy regulations, takes part in the public debates, and provides guidance and advice to authorities, companies, organisations, and individuals on data protection.

4. Key Definitions

Data controller: There are no national law variations from the GDPR.

Data processor: There are no national law variations from the GDPR.

Personal data: There are no national law variations from the GDPR.

Sensitive data: There are no national law variations from the GDPR.

Health data: There are no national law variations from the GDPR.

Biometric data: There are no national law variations from the GDPR.

Pseudonymisation: There are no national law variations from the GDPR.

5. Legal Bases

5.1. Consent

There are no national law variations from the GDPR, with the exception of children's consent and certain other purposes as set out in the section on children's data below.

5.2. Contract with the data subject

There are no national law variations from the GDPR.

5.3. Legal obligations

There are no national law variations from the GDPR.

5.4. Interests of the data subject

There are no national law variations from the GDPR.

5.5. Public interest

Pursuant to Section 7 of the Act, Datatilsynet may give permission, or the Government may adopt regulations, for the processing of the categories of personal data mentioned in Article 9(1) of the GDPR if it is necessary for the purpose of important public interests. No such regulations are currently adopted.

Pursuant to Section 8 of the Act, processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is recognised within the definition of public interest under Article 6(1)(e) of the GDPR.

5.6. Legitimate interests of the data controller

There are no national law variations from the GDPR.

5.7. Legal bases in other instances

Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes

Pursuant to Sections 9 and 11 of the Act, special categories of personal data and criminal conviction data may be processed without consent for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, provided that the benefits for society clearly exceed the detriment to the data subject. Such types of processing are also subject to exemptions from the right to information (see the section on the right to be informed below) and exemptions from the right to restriction, which apply equally to the right to rectification (see section 8.8. below).

As mentioned in the section on public interest above, such types of processing are also recognised within the definition of public interest.

Use of national identity numbers and other unique means of identification

Pursuant to Section 12 of the Act, the processing of national identity numbers and other unique identifiers (e.g. fingerprints) may take place where there is an objective need for certain identification, and the method is necessary to achieve such identification. The Act also contains a provision permitting the Government to adopt a regulation on the use of national identity numbers and other unique means of identification.

Employer's access to employee e-mails and other electronically stored materials

Pursuant to Section 9-5 of the Working Environment Act 2005 ('the Working Environment Act') and the Email Monitoring Regulation, a company's access to an employee's email account, etc. is only permitted if it is either necessary to safeguard the company's business or other legitimate interests, or in case of justified suspicion that the employee's use of the email account or other electronic equipment constitutes a material breach of the employee's obligations or may provide grounds for notice or dismissal. The Email Monitoring Regulation sets several requirements in relation to the above, including a duty to notify the employee and the employee's right to be present during a review, etc.

Video surveillance

Pursuant to Section 9-5 of the Working Environment Act and Regulation 1107/2018 on camera surveillance in the workplace (only available in Norwegian here) ('the Camera Surveillance Regulation'), video surveillance of employees (including the use of fake equipment) may only be performed when such measures are objectively justified by circumstances relating to the undertaking and do not involve undue strain on the employees. In addition, video surveillance of office premises that are frequently occupied by a limited circle of people may only be performed when necessary to prevent hazardous situations and to safeguard the safety of the employees and others, or when there is a specific need for such surveillance. The Camera Surveillance Regulation sets several requirements in relation to the above, including a duty to clearly provide information on the surveillance.

Pursuant to Section 31 of the Act, if video surveillance is in breach of the GDPR or the Act, the same applies to the use of fake equipment or signs that give the impression that the area is video monitored.

Combating work-related crime

Pursuant to Section 12(a) of the Act, public authorities may surrender personal data other than special categories of personal data and data that is subject to a duty of confidentiality to each other when this is necessary to prevent, uncover, forestall, or sanction work-related crime.

Direct marketing

Pursuant to Section 15 of the Marketing Control Act 2009, consent is not required for direct marketing via electronic communication to a business' existing customers if the business has received the customers' electronic address in connection with a sale, and the marketing only relates to the business' own goods or services or otherwise corresponds to those on which the customer relationship is based. Nevertheless, the company must have a legal basis under Article 6 of the GDPR for any processing of personal data in relation to marketing.

6. Principles

There are no national law variations from the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

Pursuant to Section 14 of the Act, there is no general requirement for companies to notify or register with Datatilsynet prior to the processing of personal data. However, the Act makes a provision for regulations on consultation with and approval from Datatilsynet (see, for example, Section 6.1 of the Act on the processing of special categories of personal data).

7.2. Data transfers

There are no national law variations from the GDPR. However, Section 13 of the Act gives the Government the right to adopt regulations regarding the transfer of personal data to third countries or international organisations.

7.3. Data processing records

There are no national law variations from the GDPR.

7.4. Data protection impact assessment

As noted in the section on data processing notification above, the Act contains a provision permitting the Government to adopt a regulation on a more extensive obligation to consult with and obtain prior authorisation from Datatilsynet (Section 14 of the Act).

Datatilsynet has published a blacklist, which is a list of processing operations that will always require a DPIA. The list is based on the EDPB's guidelines and is approved.

7.5. Data protection officer appointment

Pursuant to the preparatory works of the Act, the expression 'public authority or body' in Article 37(1)(a) of the GDPR must refer to the central or local government bodies covered by Section 1(1) of the Act of 10 February 1967 relating to procedure in cases concerning the public administration (as amended) ('the Public Administration Act').

Section 19 of the Act contains a provision permitting the Government to adopt a regulation on the obligation to appoint a data protection officer ('DPO').

The DPO is subject to a duty of confidentiality pursuant to Section 18 of the Act and must be registered with Datatilsynet.

7.6. Data breach notification

Section 16 of the Act stipulates that exemptions may be made to the obligation to notify affected data subjects under Article 34 of the GDPR provided that this would reveal information:

  • of importance to Norway's national security interests or the defence of the country;
  • that must be kept secret for the purpose of the prevention, investigation, detection, and prosecution of criminal offences; or
  • that is subject to a statutory obligation of professional secrecy (which must, if relevant, be explained to the data subject).

According to the same provision, the Government is permitted to adopt a regulation on breach notification obligations.

7.7. Data retention

There are no national law variations from the GDPR.

7.8. Children's data

The age of consent in relation to information society services is 13 years (Section 5 of the Act).

7.9. Special categories of personal data

Pursuant to Sections 6 and 11 of the Act, processing of special categories of personal data and criminal conviction data is permitted when the processing is necessary to perform obligations or exercise rights in the field of employment.

Pursuant to Sections 7 and 11 of the Act, special categories of data and criminal conviction data may also be processed upon permission from Datatilsynet, if found to be necessary for important public interests, or upon the Government's adoption of a regulation found to be necessary in relation to important public interests.

Section 11 of the Act sets out that processing of criminal conviction data, pursuant to Article 10 of the GDPR, must generally be conducted in accordance with Article 9(2) of the GDPR (subject to certain exceptions and additional national provisions when not processed by public authorities).

Special categories of personal data and criminal conviction data may be processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, provided that the benefits for society clearly exceed the detriment to the data subject (Section 9 of the Act).

7.10. Controller and processor contracts

There are no national law variations from the GDPR.

8. Data Subject Rights

8.1. Right to be informed

Section 16 of the Act provides exemptions from the right of information where:

  • the information is of importance to national security interests or the defence of the country;
  • the information must be kept secret for the purpose of the prevention, investigation, detection, and prosecution of criminal offences;
  • it is considered inadvisable for the data subject to gain knowledge of the information out of consideration for the health of the person concerned or for the relationship to persons close to the person concerned;
  • the information is subject to a statutory obligation of professional secrecy (which must, if relevant, be explained to the data subject);
  • the information is solely found in texts drawn up for internal preparatory purposes and which have not been disclosed to other persons; or
  • disclosure of the information would be in conflict with obvious and fundamental private and public interests.

Section 16 of the Act also contains a provision permitting the Government to adopt a regulation on exemptions and terms for access and information.

Pursuant to Section 17 of the Act, the right of access does not apply to the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, insofar as this requires a disproportionate effort or is likely to make impossible or seriously impair the purpose of the processing, provided that the processing does not produce legal effects or direct actual effects for the data subject.

8.2. Right to access

Section 16 of the Act provides exemptions from the right of access where:

  • the information is of importance to national security interests or the defence of the country;
  • the information must be kept secret for the purpose of the prevention, investigation, detection, and prosecution of criminal offences;
  • it is considered inadvisable for the data subject to gain knowledge of the information out of consideration for the health of the person concerned or for the relationship to persons close to the person concerned;
  • the information is subject to a statutory obligation of professional secrecy (which must, if relevant, be explained to the data subject);
  • the information is solely found in texts drawn up for internal preparatory purposes and which have not been disclosed to other persons; or
  • disclosure of the information would be in conflict with obvious and fundamental private and public interests.

8.3. Right to rectification

Section 17(2) of the Act provides exemptions from the right of rectification and restriction where the processing is performed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the rectification is likely to seriously impede the purpose of the processing. However, this exemption does not apply if the processing has legal effects or direct factual effects for the data subject.

8.4. Right to erasure

There are no national law variations from the GDPR.

8.5. Right to object/opt-out

There are no national law variations from the GDPR.

8.6. Right to data portability

There are no national law variations from the GDPR.

8.7. Right not to be subject to automated decision-making

There are no national law variations from the GDPR.

8.8. Other rights

Exemptions from the right to restrict processing may be made when personal data is processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, insofar as this is likely to make impossible or seriously impair the purpose of the processing, provided that the processing does not produce legal effects or direct actual effects for the data subject (Section 17 of the Act).

9. Penalties

Pursuant to Section 26 of the Act, Article 83(4) of the GDPR also applies to violations of Articles 10 (i.e. processing of personal data relating to criminal convictions and offences) and 24 (i.e. responsibility of the controller) of the GDPR. Additionally, Datatilsynet may fine public authorities pursuant to Article 83(7) of the GDPR.

In accordance with Section 29 of the Act, Datatilsynet may impose daily fines if its decision is not complied with.

If found liable for damages in accordance with Article 82 of the GDPR, damages for non-economic loss may also be imposed pursuant to Section 30 of the Act.

9.1. Enforcement decisions

There are some enforcement practices in relation to the GDPR from Datatilsynet.

From January to May 2021, four different businesses were fined for illegal video surveillance and sharing of video surveillance with third parties. Datatilsynet concluded that the businesses did not have a legitimate interest under Article 6 of the GDPR to process the personal data in connection with the surveillance. The fine level varied from €3,500 up to €40,000.

In May 2021, the Norwegian Olympic and Paralympic Committee and Confederation of Sports was fined €125,000 for publishing the personal data of 3.2 million citizens online for 87 days, in connection with an error during the testing of a cloud solution. There were no indications that any third parties had accessed the data.

In January and February 2021, two businesses were fined for illegally forwarding the e-mails of an employee on sick leave and of a former employee. Datatilsynet found that the businesses had no legal basis to forward the e-mails and that the forwarding was in breach of Regulation 1108/2018 on Employer's Access to Emails and Other Electronically Stored Material (only available in Norwegian here) ('the Email Monitoring Regulation') (see also the section on legal bases in other instances above) and issued two fines of €40,000 and €20,000.

In January 2021, a business was fined €7,500 for performing a single credit rating without a legal basis. The purpose of the credit rating, in this case, was private and without any connection to any relevant purpose which could legitimise such credit rating.

In September 2020, the Municipality of Bergen was fined €300,000 for insufficient technical and organisational measures to ensure information security in a communication system used by a school, pupils, and parents. The use of the system involved a risk to the personal data of pupils with a secret address, and a list containing such information was shared with the parents of one class.

In July 2020, Datatilsynet temporarily banned the processing of personal data in the first version of the Norwegian app 'Smittestopp' which was developed by the Norwegian Institute of Public Health to help prevent COVID-19 from spreading. Datatilsynet claimed that the processing of location data and other personal data to such a large extent as in this app was disproportionate compared to the users' fundamental privacy rights. All personal data was deleted, and a new version of the app was released.

In December 2019, the Education Department of the Municipality of Oslo was fined €203,000 for insufficient technical and organisational measures to ensure information security. The lack of sufficient security measures led to unauthorised users gaining access to as many as 63,000 students' personal data on a mobile messaging app developed for schools in Oslo.

In October 2019, the Municipality of Oslo was fined €50,000 for storing personal data about patients outside of the municipality's journal system from 2007 until 2018. When determining the size of the fine, it was decisive, among other things, that the breach had mostly taken place before the GDPR was in effect and that the fine level was much lower prior to the GDPR, with a maximum fine level of €100,000.

In March 2019, the Municipality of Bergen was fined €170,000 because computer files containing the usernames and passwords of over 35,000 user accounts were unprotected and easily accessible due to a lack of sufficient security measures. The aggravating factors considered were that the incident affected a large number of persons, who were mostly children, and that the municipality had previously been warned that its security measures were inadequate and had failed to act on that warning.