Implementing the GDPR in Norway: Draft for new Personal Data Act in Norway

Last week, the new Personal Data Act for implementing the GDPR in Norway was published. Norway has taken a similar approach to eg. Ireland, in translating the GDPR into Norwegian, but there are also some additional regulations proposed, which are specific to Norway.

The specific regulations for Norway, in addition to the provisions under the GDPR, are proposed in the new Personal Data Act and include regulation based on leverage given in the GDPR and the continuance of some Norwegian legislation from before the GDPR. These are:

  • Sensitive data. As a general rule, use of “sensitive data” (special categories of personal data) will be prohibited, however it is proposed that the Data Inspectorate may authorize the processing of sensitive personal data where the processing is in the public interest.
  • Use of personal ID number. The rights regarding processing of ID number for physical persons and other national identification numbers are continued as under the previous act, meaning that personal ID number may only be used where there are reasonable grounds to require proper identification and the use of personal ID number is necessary for such identification.
  • Age limit for information society services. The minimum age for consent to use of information society services is set at 13 years (same as in eg. Sweden and Denmark).
  • Exceptions from the duty to provide information to registered persons under the GDPR are limited to some extent in the interests of protecting the public interest and the registered persons.
  • Confidential duties of DPOs. Additional duties of confidentiality are imposed on Data Protection Officers.
  • One-stop-shop. A controller active in multiple EU countries may use the supervisory authority where the controller has its main establishment for all personal data matters in the EU and EEA, which includes controllers processing personal data with regard to Norway if the controller is established in another EU/EEA state.
  • Surveillance cameras. There is separate regulation on the use of surveillance cameras (CCTV) with regard to surveillance in the workplace and the use of dummy surveillance equipment. However, the detailed regulation under Norwegian law on the use of surveillance cameras will be repealed.
  • Credit information. The specific rules on credit information activities under the current regime are not continued, and the way credit information activities are regulated will be addressed by the Ministry at a later point.
  • Employer access to email etc. The specific Norwegian regulation on restrictions for employers’ access to emails and other electronic files used by employees on hardware and systems provided by the employer will remain in force, with some minor adjustments.
  • Additional regulation. There will be additional regulation on the duty to have a Data Protection Officer in place and the duty for the controller to have advance approval by the Data Inspectorate on certain types of processing. However, no proposal on such regulation has been published yet.

Please also note that the previous regime on notification and the requirement of concessions in Norway will cease, however concessions given under the present Personal Data Act will remain in effect until the concessions expire.

The previous penalties for breach of the Personal Data Act as an offence are removed, however a high level of administrative fines (up to 4 % of annual global turnover or EUR 20 mill. – whichever is greater) – according to the GDPR will be implemented.