Data Privacy and Cybersecurity

GDPR Guide to National Implementation: Norway

A practical guide to national GDPR compliance requirements across the EEA


Norway

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

———


Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

———

(b) Relevant legislation includes:

  • The Norwegian Data Protection Act (the “Act”)
    • Date in force: 20 July 2018
    • Link: see here

  • Regulation on employers’ right to access email and other electronically stored material
    • Date in force: 20 July 2018
    • Link: see here

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been repealed in full.

———


Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

There are no specific rules governing this issue.

———


Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

There are no specific rules governing this issue.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

The DPA may authorise processing of sensitive personal data where the processing is necessary due to substantial public interest. In addition, the Ministry of Government Administration and Reform (the “Ministry”), the body under which the DPA operates, has the power to enact provisions which specify instances in which such processing may take place. No such regulation has been enacted to date.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

Substantial registers of criminal convictions can only be processed by a public authority. Where criminal data are processed for scientific or historical research purposes under a public authority’s control, the public authority has a duty to consult the DPO or someone who fulfils the requirements in Arts. 37(5)-(6) & 38(3) GDPR. The duty to consult does not apply if an Impact Assessment has been performed.

Public authorities may exchange personal data when it is necessary in order to prevent, detect or sanction work-related crime. This does not apply to sensitive personal data unless the Ministry has issued a regulation which gives public authorities a legal basis to exchange such data. Exchange of personal data may not take place if it is prohibited by statutory law or if any statutory duty of confidentiality applies.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———


Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

13 years of age.

———


Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

All sensitive personal data can be processed if the data subject’s valid consent has been obtained.

———

(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Employees’ sensitive personal data can only be processed if it is necessary to perform obligations or exercise rights in the field of employment.

(ii) Substantial public interest

The DPA may authorise the processing of sensitive personal data where the processing is necessary due to substantial public interest. In addition, the Ministry, which oversees the operation of the DPA, has the power to specify instances in which such processing may take place. No such regulation has been enacted to date.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

There are no specific rules on processing this category of data.

(iv) Public interest in the area of public health

There are no specific rules on processing this category of data.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

Processing may take place without the consent of the data subject if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR, as long as the public interest in the processing clearly exceeds the disadvantages for the data subject, and only after consultation with the DPO.

The obligation to consult with the DPO also applies to the processing of sensitive personal data for scientific or historical research purposes based on the data subjects’ consent. If consent has been obtained, the public interest in the processing does not have to exceed the disadvantages for the data subject.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

There are no specific rules on processing this category of data.

———


Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

The processing of personal data relating to criminal offences (pursuant to Art. 10 GDPR) may only take place in the following circumstances:

  • the provisions in Art. 9(2)(a), (c), (d), (e) or (f) GDPR are met;
  • such data may only be processed in relation to employment when it is necessary to perform obligations or exercise rights in the field of employment;
  • both the DPA and the Ministry may authorise processing when it is necessary due to substantial public interests; or
  • such data may be processed without the data subject’s consent if the processing is necessary for archive purposes in the public interest, scientific or historical research purposes or for statistical purposes, as long as society’s interest in the processing clearly exceeds the disadvantages for the data subject.

The obligation to consult with the DPO also applies to the processing of criminal data for scientific or historical research purposes based on the data subject’s explicit consent.

In addition, see Q3(c) above.

———


Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

There are no specific exemptions to the right to erasure.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

See Q8 below.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———


Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

The right to information under Arts. 13-15 GDPR is restricted where:

  • the information is of importance for Norway’s foreign policy interests or national defence and security interests, as long as the data can be withheld under certain sections of the Norwegian Public Act;
  • it is necessary to withhold the information for the purposes of prevention, investigation, disclosure and legal prosecution of criminal offences;
  • disclosure of the information is inadvisable due to the impact on the data subject’s own health or because of the relationship with persons close to the data subject (however, the information may still be disclosed to representatives of the data subject);
  • the right of information is exempted by law, or any statutory duty of confidentiality applies;
  • the information is strictly internal (e.g., a public body’s case preparation); or
  • disclosure would be contrary to obvious and fundamental private or public interests.

The duty to inform the data subject in case of a data breach under Art. 34 GDPR is restricted where:

  • the information is of importance for Norway’s foreign policy interests or national defence and security interests, as long as the data can be withheld under certain sections of the Norwegian Public Act;
  • it is necessary to withhold the information for the purposes of prevention, investigation, disclosure and legal prosecution of criminal offences; or
  • the right of information is exempted in statutory law or any statutory duty of confidentiality applies.

In addition, the Ministry has the right to enact provisions which further restrict the rights of data subjects. No such regulation has been enacted to date.

The right to information is also restricted when personal data is processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing access would require a disproportionate effort or is likely to make impossible or seriously impair the purpose of the processing.

The right to rectification or limitation of the processing is restricted when personal data is processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as exercising the right is likely to make impossible or seriously impair the purpose of the processing.

———


Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———


Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———


Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

The DPA has issued a list of circumstances in which an Impact Assessment is required. The list is approved by the European Data Protection Board, and can be found at datatilsynet.no (see here: datatilsynet.no/globalassets/global/regelverk/veiledere/dpia-veileder/dpialist280119.pdf).

———


Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

The Ministry has the power to enact provisions which require prior authorisation or consultation. However, no such legislation has yet been enacted.

———


Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

Currently DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

The duty of confidentiality applies to information relating to:

  • a data subject’s personal relationships;
  • technical facilities, production methods, business analyses and calculations and business secrets if the information is such that others may exploit it in their own business;
  • security measures in accordance with Art. 32 GDPR; and
  • notifications from individuals of violations of the Act.

———


Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Norwegian law makes no specific rules about transfers of personal data from public registers. However, public archives cannot be stored outside of Norway.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———


Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: Datatilsynet

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

There is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

There is only one DPA.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

The DPA does not have additional powers.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

The Norwegian Privacy Appeals Board handles complaints concerning the decisions of the DPA, and has full competence to make new decisions in individual cases.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

The DPA may obtain information from controllers or processors without regard to confidentiality. However, where the information is necessary for national security, diplomacy, foreign policy or other vital national security interests, access may be restricted.

———


Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

———


Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

The DPA may impose fines on public authorities.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

If an order from the DPA is not complied with, the DPA may impose a coercive fine for each day of the non-compliance. Additionally, anyone liable for damages under Art. 82 GDPR may also be required to pay reasonable compensation for non-pecuniary damages.

———


Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

In order to balance against the right to freedom of expression and information, the processing of personal data solely for journalistic purposes, or with a view to academic, artistic or literary expression, is governed only by Arts. 24, 26, 28-29, 32 & 40-43 GDPR (in addition to certain national complementary provisions). No other provisions of the GDPR apply to the processing of such personal data.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

See Q18(a) above.

———


Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

Processing national identity numbers and other unique identifiers may only take place when there is an objective need for certain identification and the method of processing used is necessary to achieve such identification. The Ministry has the right to enact regulations on the use of personal identification numbers and other identifiable means of identification. However, no such regulations have been issued to date.

The DPA has also stated that national identification numbers should be processed with the same level of security as sensitive personal data. Thus, encryption must be used during electronic transfer of national identification numbers.

———


Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

Employees’ sensitive personal data can only be processed if it is necessary to perform obligations or exercise rights in the field of employment.

A company’s access to employees’ email accounts, etc., is only permitted:

  • when it is necessary to safeguard the company’s business or other legitimate interests; or
  • where there are suspicions that the employee’s use of the email account or other electronic equipment constitutes a material breach of the employee’s obligations or may provide grounds for notice or dismissal. There are several procedural requirements that need to be complied with in such cases, including a duty to notify the employee and the employee’s right to be present during the review.

CCTV (including the use of fake equipment) must only be used when necessary to prevent hazardous situations, and for the purposes of ensuring the safety of employees and others, or when there is a specific need for the surveillance. There are several additional requirements, including that information on the surveillance must be provided clearly.

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

There are no specific safeguards of this nature.

———


Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

The GDPR does not apply to law enforcement activities which are instead subject to the Law Enforcement Act. The GDPR also does not apply to areas of law that are outside the scope of EU law, such as national security, and does not apply to purely personal or household activity.

———


Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are currently no legal challenges ongoing.

———


Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

The DPA issued a fine to the municipality of Bergen of NOK 1.6 million (approx. €163,000) for lack of security of personal data in the municipality’s school system. The fine was issued because the username and password of more than 35,000 pupils (mainly minors) were made available to all pupils and employees in the school system.

The DPA has also issued a notification of a fine to the municipality of Oslo of NOK 2 million (approx. €207,000) for lack of security of personal data in an app developed and used by the municipality’s school department for communication between pupils’ parents and the school. The notification was sent because of three matters: (i) parents could send messages using a free text field and thus share sensitive personal data, (ii) a security vulnerability made it possible to view and change the personal data of more than 63,000 pupils, and (iii) a lack of vulnerability testing before the app was launched meant that well-known, publicly documented vulnerabilities were present in the app.

———


Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The following guidance has been issued by the DPA:

  • Mandatory Impact Assessments: The DPA has issued a list (datatilsynet.no/globalassets/global/regelverk/veiledere/dpia-veileder/dpialist280119.pdf) of activities which trigger a mandatory Impact Assessment. The list is based on the WP29’s analysis in the Guidelines on Data Protection Impact Assessment (WP248) and the criteria set out in those guidelines;
  • Artificial intelligence and privacy: The DPA has issued a report (see here) on the challenges related to artificial intelligence and big data, with a particular focus on the four principles of (i) fairness and discrimination, (ii) purpose limitation, (iii) data minimisation, and (iv) transparency and the right to information;
  • Use of targeted advertising by political parties: The DPA has issued a report (datatilsynet.no/globalassets/global/om-personvern/rapporter/pa-parti-med-teknologien.pdf) on the use of adtech, and how political parties use and should use targeted advertising during the course of an election campaign. The report also addresses several general issues that are applicable to all companies;
  • Privacy by design and default: The DPA has issued guidance (datatilsynet.no/en/regulations-and-tools/guidelines/data-protection-by-design-and-by-default/) on software development, and the steps to take during the process in order to ensure compliance with the GDPR;
  • Legal bases: The DPA has issued guidance (see here (only in Norwegian)) on its understanding of the different legal bases for lawfully processing personal data; and
  • Data portability: The DPA has issued guidance (see here (only in Norwegian)) on its understanding of the data subjects’ right to data portability.

———


Wiersholm contributors

Rune Opdahl
Partner, Wiersholm
T +47 210 210 79
E rop@wiersholm.no

Rune Opdahl is a partner and head of Wiersholm’s data protection team. Rune specialises in data protection/ privacy law, intellectual property law, marketing law and contract law.

Rune is ranked as one of Norway’s most prominent experts on intellectual property law and TMT by Chambers and Partners and The Legal 500. He is also ranked as one of the top 10 lawyers overall and as leading in intellectual property and media law in The Norwegian Financial Daily’s annual lawyers survey.

Fredrik Wiker
Associate, Wiersholm
T +47 210 212 37
E frwi@wiersholm.no

Fredrik Wiker is an associate and part of Wiersholm’s data protection team. Fredrik specialises in technology, intellectual property and data protection/privacy law, and advises multinational clients on all aspects within these fields.

———


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP
