Data protection in Norway: overview
A Q&A guide to data protection in Norway.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The main law which regulates the collection and use of personal data is the Personal Data Act (PDA). The Personal Data Regulation (PDR) sets out more detailed regulations on certain topics covered by the PDA. Directive 95/46/EC on data protection (Data Protection Directive) has been implemented in Norway through the PDA and the PDR.
Although the PDA and the PDR are the most important general laws on the collection and use of personal data, provisions governing such processing are also found in other laws, including:
The Health Register Act.
The Health Research Act.
The Bio Bank Act.
The Police Register Act.
The Schengen Information Systems Act.
The National Register Act.
The Penal Register Act.
These Acts are not discussed further in this article.
Scope of legislation
The PDA and the PDR apply to data controllers and data processors. "Controller" is defined as the person who determines the purpose and which means are to be used in the processing of personal data (section 2, no. 4, PDA). "Processor" is defined as the person who processes personal data on behalf of the controller (section 2, no. 5, PDA).
Personal data is defined as any information and assessments that may be linked to a natural person (section 2, no. 1, PDA). The definition of personal data is broad and covers any reference to a natural person, even a reference to a natural person solely in his capacity as representative of a legal entity.
The PDA and the PDR apply to all types of processing of personal data which is performed by automatic means or which forms part of, or is intended to form part of, a personal data filing system. "Processing" is defined as any use of personal data, such as collection, recording, alignment, storage and disclosure or a combination of such uses (section 2, no. 2, PDA).
In addition, the PDA and the PDR have specific regulations for, among others:
Transfer of personal data to third countries.
Rectification of deficient personal data.
Specific obligations towards the data subjects (such as providing access to certain information).
Obligations to give notification and obtain a licence from the Data Inspectorate (see Question 7).
Employers' rights to access their employees' e-mail.
The PDA applies to data controllers who are established in Norway (section 4, first paragraph, PDA). It also applies to controllers who are established in states outside the territory of the European Economic Area (EEA) if the controllers make use of equipment in Norway, except where that equipment is used only to transfer personal data through Norway (section 4, second paragraph, PDA).
Some types of data processing require notification to the Data Inspectorate, and others require a licence from the Data Inspectorate before processing takes place (see box, The regulatory authority). However, there are some types of personal data processing which are exempt from these requirements, such as:
The processing of personal data concerning customers, subscribers and suppliers (as part of the administration and fulfilment of contractual obligations) (section 7-7, PDR).
Employers' standard processing of personal data relating to current or former employees, personnel, representatives, temporary manpower and applicants for a position (section 7-16, PDR).
Notification is required for the processing of personal data in relation to, among other things:
Compliance with legislation to combat money laundering.
Notification must be made no later than 30 days before the commencement of processing (section 31, second paragraph, PDA). A third party (such as a law firm) can submit the notification on behalf of the controller. Notification to the Data Inspectorate can either be submitted electronically or by filling out a notification form. There are no notification fees.
After notification is made, the Data Inspectorate confirms that it has received the notification, and records it in a database. The Data Inspectorate does not approve or otherwise authorise data processing. However, the Data Inspectorate may conduct random checks following notification.
Obtaining a licence
A licence from the Data Inspectorate is generally required for the processing of sensitive personal data (section 33, PDA). Controllers in certain business sectors are obligated to obtain a licence, including:
Providers of telecommunication services for the purpose of customer administration, invoicing and the provision of services in connection with the subscriber's use of the telecommunications network.
Providers of insurance services for the purpose of customer administration, invoicing and the implementation of insurance contracts.
Banks and financial institutions for the purpose of customer administration, invoicing and the implementation of banking services.
(Other licensing obligations are contained in the PDR.)
If a licence is required for the contemplated processing, a detailed application must be submitted to the Data Inspectorate. This is a more complicated and time-consuming process than submitting a notification. The Data Inspectorate can impose conditions for processing in the licence where this is necessary to limit the disadvantages that the processing would otherwise cause the data subjects (section 35, PDA).
Main data protection rules and principles
Main obligations and processing requirements
The main obligations imposed on data controllers to ensure data is processed properly include (section 11, PDA):
Processing personal data in accordance with sections 8 and 9 of the PDA (that is, there is a legal basis for processing).
Using personal data only for purposes that are compatible with the original purpose of the collection and objectively justified by the activities of the controller (unless the consent of the data subject is obtained for the new purpose).
Ensuring personal data is adequate, relevant and not excessive in relation to the purpose of the processing.
Ensuring personal data is accurate, up-to-date and not stored longer than is necessary for the purpose of the processing.
Personal data can only be processed if at least one of the following applies (section 8, PDA):
The data subject gives his consent.
The processing is required by law.
The processing is necessary:
to fulfil an agreement with the data subject or to take steps at the request of the data subject before entering such an agreement;
for the controller to comply with a legal obligation;
to preserve the data subject's vital interests;
to perform a task in the public interest;
to exercise public authority; or
for the controller (or a third party to whom the data is transferred) to preserve a legitimate interest which exceeds the interest of the data subject's right to privacy.
Consent is defined as a freely given, specific and informed declaration by the data subject to the effect that he agrees to the processing of personal data relating to him (section 2, no. 7, PDA).
Minors who have reached the age of 15 can generally give consent themselves. The consent of those under 15 must generally be provided by parents or other guardians.
See Question 9.
Special rules apply for the processing of sensitive personal data. In addition to the rules set out in section 8 of the PDA (see Questions 9 and 10), sensitive personal data can only be processed if at least one of the following applies (section 9, PDA):
The data subject consents.
There is statutory authority for the processing.
The processing is necessary to protect the vital interests of the data subject and the data subject is unable to provide her consent.
The processing is limited to personal data that the data subject has voluntarily made publicly available.
The processing is necessary:
to establish, invoke or defend a legal claim;
for the controller to perform or exercise his work obligations or rights;
for preventive medical treatment, medical diagnosis, medical care or patient treatment, or for the administration of healthcare services, on the condition that the personal data is processed by healthcare personnel under a confidentiality obligation; or
for historical, statistical or scientific purposes, if society's interest in the processing clearly outweighs the disadvantages for the individual.
In addition, a licence from the Data Inspectorate is generally required for the processing of sensitive personal data (section 33, PDA) (see Question 7, Obtaining a licence).
Rights of individuals
At the point of collection the controller must, on its own initiative, inform the data subject of (section 18, PDA):
The name and address of the controller and, if applicable, its representative.
The purpose of the processing.
Whether the data will be disclosed and the identity of the recipient(s), if applicable.
The fact that the provision of data is voluntary.
Any other information that will enable the data subject to exercise his rights pursuant to the PDA in the best possible way, including information on the right to demand access to data (section 18, PDA) and the right to demand that data be rectified (sections 27 and 28, PDA).
Notification of the data subject is not required if there is no doubt that the data subject already has the above information.
Data subjects have the following rights, among others, under the PDA:
Right of access (section 18).
Right to information:
when data is collected from persons other than the data subject (section 20);
in connection with the use of personal profiles (section 21); and
regarding automated decisions (section 22).
Right to demand human verification of automated decisions (section 25).
Right to demand rectification of deficient personal data (section 27).
A data subject can demand that data which is strongly disadvantageous to the data subject must be blocked or erased if this is both (section 28, PDA):
Not contrary to any statute other than the PDA.
Justifiable, on the basis of an overall assessment of, among other factors:
the needs of other persons for documentation;
the interests of the data subject;
cultural historical interests; and
the resources required to carry out the demand.
Furthermore, if the data subject withdraws his consent, the controller must cease the processing and delete the personal data, unless the controller can establish that it has another legal basis for the continued processing of the personal data (sections 8 and 9, PDA) (see Questions 9 to 11).
The controller must ensure that personal data is not stored longer than is necessary to carry out the purpose of the processing (section 28, PDA).
When processing personal data, the controller and the processor must ensure there is satisfactory data security, using planned and systematic measures that deal with issues surrounding confidentiality, integrity and accessibility (section 13, paragraph 1, PDA). The controller and processor must document the data system and the security measures adopted.
Furthermore, the controller must establish and maintain such planned and systematic measures as are necessary to fulfil the PDA requirements, including measures to ensure the quality of personal data. The controller must document these measures (section 14, PDA).
Chapter 2 of the PDR contains detailed provisions regarding data security. The main mandatory security measures are:
Security objectives: the purpose of the processing and the general guidelines for use of information technology must be described in security objectives (section 2-3).
Regular reviews: the use of the information system must be reviewed on a regular basis to consider whether it is appropriate considering the needs of the enterprise, and whether the security strategy provides for adequate security (section 2-3).
Personal data overview: an overview of the kinds of personal data that are processed must be maintained, and criteria for acceptable risk associated with the processing must be established (section 2-4).
Risk assessment: to determine the probability and consequences of breaches of security, the controller must carry out a risk assessment (section 2-4).
Security audits: security audits of the use of the information system must be carried out regularly (section 2-5).
Discrepancies: unforeseen use of the information system surfacing from a security audit must be treated as a "discrepancy" (section 2-6) (see Question 16).
Configuration: the information system must be configured so as to achieve adequate data security (section 2-7).
Authorisation: the controller must register authorised uses of the information system (section 2-8).
Staff confidentiality: the data controller's staff must be subject to a duty of confidentiality, in relation to personal data, where confidentiality is necessary (section 2-9).
Unauthorised access: measures must be taken to prevent unauthorised access to:
equipment that is used to process personal data (section 2-10); and
personal data concerning which confidentiality is necessary, or which is of significance for data security (section 2-11).
Encryption or other protection: personal data transferred electronically by means of a transfer medium beyond the physical control of the data controller must be encrypted or protected in another manner when confidentiality is necessary (section 2-11).
Access: measures must be taken to secure access to personal data where accessibility is necessary and to other data of significance for data security (section 2-12).
Unauthorised changes: measures must be taken to prevent unauthorised changes in personal data where integrity is necessary, and to other data of significance for data security (section 2-13).
Unauthorised use: security measures must prevent unauthorised use of the information system and make it possible to detect attempts at such use (section 2-14).
Documentation: routines for using the information system and other data of significance for data security must be documented. The documentation must be stored for at least five years from the time the document was replaced by a newer, more current version (section 2-16).
Security breaches and any use of the information system that is contrary to established routines are considered to be a discrepancy (section 2-6, PDR). The data controller/processor must take steps to re-establish the normal state of affairs, eliminate the cause of the discrepancy and prevent its recurrence.
If the discrepancy has resulted in the unauthorised disclosure of personal data concerning which confidentiality is necessary, the Data Inspectorate must be notified (section 2-6, third paragraph, PDR). The PDA does not explicitly state that the data subjects must be notified, but notification may be ordered by the Data Inspectorate or (depending on the type of data security breach) be necessary for the controller to fulfil the information requirements set out in the PDA.
Processing by third parties
A processor cannot process personal data in any way other than that which is agreed in writing with the controller, including transferring that data to another person for storage or manipulation. If the data processor is established outside the EEA and the parties use the EU's standard contractual clauses, the Data Inspectorate must approve the transfer agreement for a controller-controller transfer, whereas a controller-processor transfer requires notification to the Data Inspectorate only (see Question 23).
The processing agreement must also state that the processor undertakes to carry out the security measures set out in section 13 of the PDA and chapter 2 of the PDR (see Question 15).
Electronic communications networks cannot be used for the storage of information on the user's communications equipment or to obtain access to such information, unless the user is both (section 7-3, Ecom Regulations):
Informed by the controller in accordance with the PDA, including providing information on the purpose of the processing.
Given an opportunity to object to the processing.
However, this does not apply to technical storage of, or access to, information that is either:
Exclusively for the purpose of transmitting or facilitating the transmission of communications on an electronic communications network.
Necessary to provide an information society service at the user's express request.
Marketing communications cannot be directed at natural persons, in the course of trade and without the prior consent of the recipient, using electronic methods of communication which permit individual communication, such as electronic mail, telefax or automated calling systems (section 15, Marketing Control Act (MCA)). However, consent is not required for marketing either:
Where the natural person is contacted orally by telephone.
By means of electronic mail, where there is an existing customer relationship and the contracting trader has obtained the electronic address of the customer in connection with a sale. However, for this exemption to apply:
marketing can only relate to the trader's own goods, services or other products corresponding to those on which the customer relationship is based; and
the customer must be given a simple and free opportunity to opt out of receiving such communications both when the electronic address is obtained and at the time of all subsequent marketing communications.
International transfer of data
Transfer of data outside the jurisdiction
Personal data can be transferred to countries which ensure an adequate level of data protection if the PDA's general requirements for processing of personal data are met. Countries which have implemented the Data Protection Directive are regarded as having an adequate level of protection (section 29, PDA).
Personal data can also be transferred to countries that do not ensure an adequate level of protection if one of the following conditions is met (section 30, PDA):
The data subject consents.
There is an obligation on the controller to transfer data pursuant to an international agreement or as a result of its membership of an international organisation.
The transfer is necessary:
under an agreement with the data subject;
for performing tasks at the request of the data subject before entering an agreement;
for the conclusion or performance of an agreement with a third party in the interest of the data subject;
to protect the vital interests of the data subject; or
to establish, exercise or defend a legal claim.
The transfer is necessary or legally required to protect an important public interest.
There is statutory authority for requiring data from a public register.
Even if the above conditions are not fulfilled, the Data Inspectorate may allow transfers if the controller provides adequate data protection safeguards, such as transfers:
Subject to the EU Model Clauses (available in Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries) and notified to the Data Inspectorate before the transfer (see Question 23). The transfer of personal data to processors established in third countries based on EU Model Clauses requires prior approval by the Data Inspectorate before the transfer.
Pursuant to Binding Corporate Rules approved by the Data Inspectorate.
To an entity that is part of the EU/US Privacy Shield.
There is no explicit requirement to store any type of information inside the jurisdiction. However, on the basis of a particular risk assessment, a controller may be obliged not to store sensitive personal data outside the jurisdiction. Additionally, there are some sector-specific regulations (such as accounting regulations) that require storage in Norway. One can apply to the relevant governmental body for permission to store such information outside Norway.
Data transfer agreements
Data transfer and processing agreements are used frequently. Controllers can only transfer information to processors pursuant to a written agreement between the processor and the controller (see Question 17). The Data Inspectorate has issued guidelines on what these agreements must contain to be valid. In practice, the Data Inspectorate generally approves agreements containing the EU Model Clauses (see Question 20), and it is expected that the Data Inspectorate will approve transfers to US entities that are part of the Privacy Shield.
The data transfer agreement is not itself sufficient to legitimise transfer. The general requirements for processing data must also be satisfied (see Questions 9 to 11).
The Data Inspectorate does not usually need to approve the following types of transfer agreements:
Transfers inside the EEA.
Transfers to countries ensuring an adequate level of protection.
Transfers pursuant to Binding Corporate Rules approved by the Data Inspectorate.
Transfers to processors located outside the EEA based on EU Model Clauses (notification obligation only).
Transfers to processors based in the US that are part of the EU/US Privacy Shield (most likely notification obligation only).
See Question 20.
All other transfer agreements must be approved by the Data Inspectorate.
Enforcement and sanctions
The Data Inspectorate is responsible for enforcement of the PDA. Its decisions can be appealed to the Privacy Appeals Board (Personvernnemnda). If the Data Inspectorate becomes aware that a controller is in breach of the PDA it may, among other things:
Issue either or both of:
an order requiring the controller to rectify the position.
For severe breaches, hand the matter over to the prosecutor who can issue fines or proceed with the matter before the courts.
The Data Inspectorate actively enforces the PDA and the PDR. In addition to corrective orders, the Data Inspectorate may impose coercive fines which run from the expiry of the time limit set for compliance to the day of compliance.
The Data Inspectorate can also issue data offence fines up to a maximum of ten times the National Insurance Basic Amount, which is about EUR100,000 (NOK900,000) (as at 1 June 2016).
Natural persons can only be fined for deliberate or negligent violations. Breaches of certain provisions committed with gross negligence or intent may be subject to additional fines from the police. In particularly severe circumstances, prison sentences of up to three years may be imposed.
The controller must also compensate damage suffered as a result of the failure to process personal data in accordance with the PDA, unless the damage is not due to the controller's error or neglect.
The regulatory authority
The Data Inspectorate (Datatilsynet)
Main areas of responsibility. The Data Inspectorate is responsible for:
Keeping a systematic, public record of all processing that is reported or for which a licence has been granted.
Dealing with applications for licences, receiving notifications and assessing whether orders should be made.
Verifying that statutes and regulations which apply to the processing of personal data are complied with, and that errors or deficiencies are rectified.
Keeping itself informed of, and providing information on:
general national and international developments in the processing of personal data; and
the problems related to such processing.
Identifying risks to protection of privacy, and providing advice on ways of avoiding or limiting such risks.
Providing advice and guidance in matters relating to protection of privacy and the protection of personal data to persons who are planning to process personal data, and developing systems for such processing (such as assisting the drafting of codes of conduct for various sectors).
On request or on its own initiative, giving its opinion on matters relating to the processing of personal data.
DLA Piper Norway