Global Data Privacy Guide
Iceland (Europe)
Firm: LOGOS
Contributors: Áslaug Björgvinsdóttir
| Question | Answer |
|---|---|
| 1. What is the key legislation? | The Act on Data Protection and the Processing of Personal Data No. 90/2018. Note: On July 15, 2018, the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018 (the “Data Protection Act” or the “Act”) entered into force, repealing the Act on the Protection and Processing of Personal Data No. 77/2000. The Act implements Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”). Since the Data Protection Act entered into force, the Data Protection Authority has issued a number of regulations, rules and public guidelines, such as the regulation on the processing of personal data in police records and for enforcement purposes (Regulation No. 577/2020), rules on the licensing of the processing of personal data (Rules No. 811/2019), an advertisement on processing activities that require a data protection impact assessment (Advertisement No. 828/2019), guidelines on data protection officers, guidelines on consent, guidelines on data breaches, guidelines for processors, and guidelines for the implementation of information technology systems that process children's personal data. Furthermore, the rules and guidelines published by the Data Protection Authority on the basis of the previous Act No. 77/2000 remain in force provided that they do not conflict with the new Act. These include rules on electronic surveillance (Rules No. 837/2006), rules concerning the security of personal data (Rules No. 299/2001), rules on employers’ supervision of employees’ emails (Advertisement No. 1001/2001) and rules on the transfer of personal data across borders (Advertisement No. 228/2010). |
| 2. What are the key decisions applying that legislation? | The Icelandic Data Protection Authority, Persónuvernd, has issued several key decisions, and there have also been a few notable judgments by the national courts; both are listed in the notes following the table. |
| 1. How are “personal data” and “sensitive data” defined? | "Personal data" is defined in Article 3(2) of the Data Protection Act as: "Information about an identified or identifiable natural person (data subject). An individual is considered identifiable if they can be identified directly or indirectly, such as by reference to an identifier like a name, social security number (identification number), location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." "Sensitive personal data" is defined in Article 3(3) of the Data Protection Act as covering the special categories of personal data: race and ethnic origin, political opinions, religious or philosophical beliefs and trade union membership; health data; information about a person's sex life and sexual orientation; genetic data; and biometric data processed for the purpose of uniquely identifying a natural person. |
| 2. How is the defined data protected? | Data protection under Icelandic law is ensured through a framework of principles, legal bases, security requirements and accountability measures, primarily established in the Data Protection Act, which implements the GDPR. The core of data protection lies in the principles set out in Article 8 of the Data Protection Act, which mandates that personal data must be: 1. Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency). 2. Collected for specified, explicit and legitimate purposes (purpose limitation). 3. Adequate, relevant and limited to what is necessary (data minimisation). 4. Accurate and, where necessary, kept up to date (accuracy). 5. Kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation). 6. Processed in a manner that ensures appropriate security (integrity and confidentiality). Protection is further enforced by the requirement that all processing must have a lawful basis under Article 9, such as consent, contractual necessity or a legal obligation. For sensitive personal data, stricter conditions apply: in addition to a lawful basis under Article 9, one of the specific conditions in Article 11 must also be met. Furthermore, Article 27 requires controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This obligation is exemplified in the case concerning the Health Care Institution of South Iceland (HSU), where the DPA ordered improvements to logging, access controls and internal monitoring. Finally, the principle of accountability (Article 8(2)) makes the controller responsible for, and requires it to be able to demonstrate, compliance with all of these principles. |
| 3. Who is subject to privacy obligations? | The Data Protection Act applies to data controllers and data processors, in both the private and the public sector. Note: The Act defines a data controller as the natural or legal person, public authority or other party which, alone or jointly with others, determines the purposes and means of the processing of personal data. A data processor, by contrast, is a natural or legal person, public authority or other party which processes personal data on behalf of the controller. The Act applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form, or are intended to form, part of a filing system. The Act applies to the processing of personal data in the context of the activities of a controller or processor established in Iceland, regardless of whether the processing takes place in the European Economic Area or not. The Act also applies to the processing of personal data of data subjects in Iceland by a controller or processor not established in the European Economic Area, where the processing activities are related to (i) the offering of goods or services to such data subjects in the European Economic Area, irrespective of whether payment by the data subject is required; or (ii) the monitoring of their behavior, as far as their behavior takes place within the area. |
| 4. How is “data processing” defined? | The term "data processing" is defined broadly in Article 3(4) of the Data Protection Act as: "An operation or set of operations which is performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." |
| 5. What are the principles applicable to personal data processing? | The Act sets forth the main principles relating to the collection and processing of personal data, which must always be adhered to (see the note following the table). |
| 6. How is the processing of personal data regulated? | The processing of personal data requires a legal basis under the Act. To process sensitive personal data additional requirements must be fulfilled. |
| 7. How are storage, security and retention of personal data regulated? | The data controller and the data processor, if any, are responsible for establishing and updating risk analysis procedures and putting security measures in place, in conformity with laws, rules and instructions issued by the Data Protection Authority. Data controllers must also routinely conduct internal audits on the security of their processing. Personal data must be erased when an objective reason to preserve it no longer exists. Note: The controller shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Act, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures which are designed to implement data-protection principles and to integrate the necessary safeguards into the processing, in order to meet the requirements of the Act and protect the rights of data subjects. The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed. Both the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. The controller shall also conduct internal audits of the processing of personal data to ensure that the data are processed in accordance with prevailing laws and regulations and with the security measures that are to be implemented. Internal audits shall be conducted routinely. The frequency and intensity of the audits shall be proportionate to the risk associated with the processing, the nature of the data processed, the technology used to ensure the security of the data and the cost of conducting the audits. They shall nonetheless be conducted at least annually. The controller shall see to it that a report is written on each of the measures that the internal audit comprises; in such a report, the results of each part of the audit shall be described. Internal audit reports shall be preserved in a secure manner, and the Data Protection Authority has the right to review these reports at any time. The Data Protection Authority has provided instructions on how to conduct internal audits; see Rules No. 299/2001 on the security of personal data. The Act requires that when there is no longer an objective reason to preserve personal data, the controller shall erase them. |
| 8. What are the data subjects' rights under the data legislation? | Chapter III of the Data Protection Act outlines the rights of data subjects. These rights are fundamental to giving individuals control over their personal data. The key rights include: • Right to information and transparency, cf. Article 17: Individuals have the right to be informed about the collection and use of their personal data. These rights are not absolute and can be subject to limitations as specified in the law, for example, for reasons of national security, defense, or the investigation of criminal offences, cf. Article 17(4). |
| 9. What are the consent requirements for data subjects? | Not applicable. |
| 10. How is authorization for use of data handled? | Authorization for the use of data, or the lawful basis for processing, is handled according to Article 9 of the Data Protection Act. Processing is only lawful if at least one of the following six bases applies: 1. Consent: The data subject has freely given specific, informed, and unambiguous consent for their data to be processed for a specific purpose (Article 10 of the Data Protection Act details the conditions for valid consent). When processing sensitive personal data, in addition to one of the bases above, a specific condition from Article 11 must also be met, such as explicit consent, the necessity for the establishment, exercise or defense of legal claims, or reasons of substantial public interest. |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | Yes, cross-border data transfers are strictly regulated under Chapter V of the GDPR, incorporated into Icelandic law by the Data Protection Act. Article 16 of the Data Protection Act confirms the applicability of these rules. The primary restriction is that personal data may only be transferred outside the European Economic Area (EEA) if the recipient country ensures an adequate level of data protection. This is achieved through a hierarchy of mechanisms: 1. Adequacy Decisions: The European Commission can determine that a third country provides an adequate level of protection. Transfers to such countries can proceed without any further authorization. The rulings concerning the municipalities' use of Google (case No. ) and the SidekickHealth ehf. case (case No.) demonstrate that relying on SCCs for transfers to the U.S. is considered insufficient without supplementary measures to protect the data against access by U.S. surveillance authorities. This reflects the key restriction established following the Schrems II judgment of the Court of Justice of the European Union. |
| 13. Are there any notification requirements for incidents and/or data breaches? | In case of a data breach, the Act requires controllers to notify the breach to the Data Protection Authority and in high-risk cases, also to the data subjects. Note: In the case of a personal data breach, the controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Data Protection Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. If a data processor becomes aware of a data breach it shall notify the controller without undue delay after becoming aware of it. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subjects affected by the data breach. |
| 14. Who is/are the privacy regulator(s)? | According to the Data Protection Act, the Data Protection Authority is responsible for monitoring the application of the Act and the administrative rules based on it. Note: The Icelandic Data Protection Authority (ICE: Persónuvernd) is an independent authority with its own board of directors and is administratively subject to the Minister of Justice. The Data Protection Authority acts with independence in exercising its functions, and its decisions under the Act cannot be referred to a higher administrative authority. The Data Protection Authority’s main task under the Act is to monitor the application of the Act, the GDPR and other rules on data protection. The Data Protection Authority handles and investigates complaints lodged by a data subject, or by a body, organization or association, and rules on whether a violation has occurred. Furthermore, the Data Protection Authority shall, inter alia, promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing; advise the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing; upon request, provide information to any data subject concerning the exercise of their rights under the Act and, if appropriate, cooperate with the supervisory authorities in other Member States to that end; and fulfil any other tasks related to the protection of personal data. The Data Protection Authority has the investigative powers set out in Article 58 of the GDPR, cf. Articles 41 and 42 of the Act. These include the power to order the controller and the processor, and, where applicable, the controller's or the processor's representative, to provide any information it requires for the performance of its tasks; the power to carry out investigations in the form of data protection audits; and the power to obtain from the controller and the processor access to all personal data and to all information necessary for the performance of its tasks. |
| 15. What are the consequences of a data breach? | Noncompliance with the law can result in criminal sanctions, penalties and compensation. |
| 16. How is electronic marketing regulated? | Electronic marketing is regulated by the Electronic Communication Act No. 81/2003 and direct marketing requires the prior consent of the recipient. According to the Electronic Communication Act No. 81/2003, the use of automated calling systems, facsimile machines or electronic mail for direct marketing is only allowed if a subscriber has given prior consent. However, e-mail addresses obtained in the context of the sale of a product or service may be used for direct marketing of their own goods or services if customers are given the opportunity to object to such use of addresses free of charge when they are listed and similarly each time a message is sent if the customer has not initially refused such use. Further, unsolicited electronic communications in the form of direct marketing are not allowed to be sent to subscribers who do not wish to receive these communications. |
| 17. Are there sector-specific or industry-specific privacy requirements? | Yes. While the Data Protection Act is the general data protection law, the Act does allow for sector- or industry-specific laws implemented within the GDPR framework to operate concurrently or with priority. Iceland’s legislation includes several notable examples: • Law Enforcement: The processing of personal data by competent authorities for law enforcement purposes is governed by a separate act, Act No. 75/2019 on the Processing of Personal Data for Law Enforcement Purposes, which transposes the EU's Law Enforcement Directive. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | The requirements for appointing a Data Protection Officer (DPO) are set out in Article 35 of the Data Protection Act, which specifies the three main cases in which a DPO must be appointed. The DPO must be appointed on the basis of professional qualities and expert knowledge of data protection law and practices. Key requirements, detailed further in GDPR Articles 37-39, include ensuring the DPO's independence and avoiding conflicts of interest. The DPO should not hold a position within the organisation that leads to a conflict of interests, such as a senior management role in which they would determine the purposes and means of the processing while also being tasked with independently monitoring the same processing. The DPO must report directly to the highest management level and have direct access to management. |
| 19. What are the record-keeping and documentation obligations? | Under Article 26 of Act No. 90/2018, both data controllers and processors are required to maintain internal records of their processing activities. This is a central element of the accountability principle. The records must be in writing, including in electronic form, and made available to the Data Protection Authority upon request. The records maintained by a controller must include, among other information: • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the DPO. Processors must likewise maintain records of all categories of processing activities carried out on behalf of a controller. An exemption exists for organizations with fewer than 250 employees, but this exemption does not apply if the processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or involves sensitive data or data on criminal convictions or offences. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | The requirement to conduct a DPIA is established in Article 29 of the Data Protection Act. A DPIA is mandatory before starting any processing that is likely to result in a high risk to the rights and freedoms of natural persons. This is particularly relevant when using new technologies or conducting large-scale processing of sensitive data or profiling. The Data Protection Authority is required to publish a list of processing operations for which a DPIA is mandatory. If the DPIA indicates that the processing would result in a high risk that the controller cannot mitigate with appropriate measures, the controller must consult the Data Protection Authority before the processing begins, cf. Article 30. |
| 21. What are the requirements for third-party vendor management and data sharing? | The requirements for managing third-party vendors who process data on behalf of a controller (i.e., data processors) are detailed in Article 25 of the Data Protection Act, which mirrors Article 28 of the GDPR. • The controller must only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures to meet the law's requirements. |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | Chapter VII of the Data Protection Act establishes the enforcement powers of the Data Protection Authority and the penalties for non-compliance. • Corrective Powers, cf. Article 42: the Data Protection Authority can issue warnings, reprimands, and orders to comply with data subject requests, bring processing into compliance, or ban processing temporarily or permanently. |
| 23. What are the ongoing compliance and audit requirements? | Ongoing compliance is a core tenet of the data protection framework, rooted in the principle of accountability found in Article 8(2) of the Act. This means controllers are not only responsible for complying with the law but must also be able to demonstrate that compliance. This entails several ongoing activities: • Regular Review: Controllers must regularly review and update their data protection policies, procedures, and documentation, including their records of processing activities, cf. Article 26. Regarding audits, Article 41(1)(b) of the Act grants the Data Protection Authority the power to carry out data protection audits and inspections. This is a key part of its investigative and enforcement powers. These audits can result in formal decisions, orders, and fines, thereby enforcing ongoing compliance. |
| 24. Are there any recent developments or expected reforms? | The Data Protection Act entered into force on July 15, 2018, implementing GDPR. No further developments of the legislative text are expected at this time. |
The Icelandic Data Protection Authority, Persónuvernd, has issued several key decisions:
• Case No. 2020064844. The Data Protection Authority fined the Directorate of Health ISK 12,000,000 due to a security vulnerability in Heilsuvera. The security vulnerability allowed two individuals to gain unauthorized access to data of other individuals in Heilsuvera. A security breach was reported, and consequently the DPA reviewed Heilsuvera’s security measures. The Data Protection Authority concluded that adequate security measures had not been taken and that privacy by design and by default had not been ensured.
• Case No. 2021122453. The Data Protection Authority concluded that both the controller and the processor had breached their legal obligation to have technological and organisational security measures in place, because they did not maintain a sufficient incident register for information security purposes. The processing agreement did not stipulate clearly that the processor should maintain such a register, but it referred to the ISO 27001 standard, and by that reference the processor was considered to have committed to comply with the standard in all respects, including the keeping of an incident register.
• Case No. 2020092288. A processor was fined for not having in place a sufficient data processing agreement.
• Case No. 2020010545. A processor was fined for using video surveillance to monitor employees without providing the data subjects with sufficient information.
There have also been a few notable cases by the national courts:
• Judgment 18/2024 by the Supreme Court. The Court found that a controller cannot fulfil its accountability obligations by referring to inconsistent information from the processor, especially when the data concern children. In this case an investigation by the Data Protection Authority revealed that personal data of students were transferred to the U.S. and processed there, despite the controller having believed otherwise. It was established that in the U.S. supervisory authorities have broad legal powers to use personal data transferred from the European Union without having to ensure the protection of individuals’ privacy. Provisions in the data processing agreement should have prompted the controller to investigate this further and to ensure that appropriate measures were taken to safeguard personal data during its transfer out of the country.
• Judgment 151/2003 by the Supreme Court. The Court found that if processing of sensitive personal data is based on a legal obligation, the legal framework must clearly outline the minimum security measures and stipulate how the processing shall be performed.
"Sensitive personal data" is defined in Article 3(3) of the Data Protection Act as covering special categories of personal data. This includes:
1. Information on race, ethnic origin, political opinions, religious or philosophical beliefs or trade union membership.
2. Health data, i.e. personal data related to the physical or mental health of a natural person, including the provision of health care services and information on the use of medicine, alcohol or drugs.
3. Information about a person's sex life and sexual orientation.
4. Genetic data, i.e. personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that individual and which result, in particular, from an analysis of a biological sample from that person.
5. Biometric data, i.e. personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that individual, such as facial images or dactyloscopic data (fingerprint data), provided the data is processed for the purpose of uniquely identifying a natural person.
The core of the data protection lies in the principles set out in Article 8 of the Data Protection Act, which mandates that the personal data must be:
1. Processed lawfully, fairly, and in a transparent manner (lawfulness, fairness and transparency).
2. Collected for specified, explicit, and legitimate purposes (purpose limitation).
3. Adequate, relevant and limited to what is necessary (data minimisation).
4. Accurate and, where necessary, kept up to date (accuracy).
5. Kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation).
6. Processed in a manner that ensures appropriate security (integrity and confidentiality).
The Act sets forth main principles relating to the collection and processing of personal data which must always be adhered to.
Note: The Act sets forth the main principles relating to the collection and processing of personal data and stipulates that personal data must be:
- processed in a lawful, fair and transparent manner;
- collected for explicitly specified, legitimate and objective purposes and not processed further for other and incompatible purposes; further processing of data for historical, statistical or scientific purposes shall not be considered incompatible provided that proper safeguards are adhered to;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- reliable and kept up to date when necessary; personal data which are unreliable or incomplete, having regard to the purposes of their processing, shall be erased or rectified;
- preserved in a form which does not permit the identification of data subjects for longer than is necessary for the purposes of the processing;
- processed in a manner that ensures appropriate security of the personal data.
The controller is responsible for and must be able to demonstrate its compliance with the above principles.
The processing of personal data requires a legal basis under the Act. To process sensitive personal data additional requirements must be fulfilled.
The data controller and the data processor, if any, are responsible for establishing and updating risk analysis procedures and putting security measures in place, in conformity with laws, rules and instructions given by the Data Protection Authority. Data controllers must also routinely conduct internal audits on the security of their processing. Personal data must be erased when an objective reason to preserve it no longer exists.
Note: The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Act, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, which are designed to implement data-protection principles and to integrate the necessary safeguards into the processing in order to meet the requirements of the Act and protect the rights of data subjects.
The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed.
Both the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. In cases where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
The controller shall also conduct internal audits on the processing of personal data to ensure that they are processed in accordance with prevailing laws and regulations and the security measures that are to be implemented.
Internal audits shall be conducted routinely. The frequency and intensity of the audits shall be relative to the danger associated with the processing, the nature of the data processed, the technology used to ensure the security of the data and the cost associated with conducting the audits. They shall nonetheless be conducted at least annually.
The controller shall see to it that a report is written on each of the measures that the internal audit is comprised of. In such a report, the results of each part of the audit shall be described. Internal audit reports shall be preserved in a secure manner. The Data Protection Authority has the right to review these reports at any time.
The Data Protection Authority has provided instructions on how to conduct internal audits, see Rules no. 299/2001 on the security of personal data. The Act requires that when there is no longer an objective reason to preserve personal data, the controller shall erase them.
Chapter III of the Data Protection Act outlines the rights of data subjects. These rights are fundamental to giving individuals control over their personal data. The key rights include:
• Right to information and transparency, cf. Article 17: Individuals have the right to be informed about the collection and use of their personal data.
• Right of access, cf. Article 17: Individuals have the right to access their personal data and supplementary information.
• Right to rectification, cf. Article 20: Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete.
• Right to erasure ('right to be forgotten'), cf. Article 20: Individuals have the right to have personal data erased under certain circumstances.
• Right to restriction of processing, cf. Article 20: Individuals have the right to request the restriction or suppression of their personal data.
• Right to data portability, cf. Article 20: This allows individuals to obtain and reuse their personal data for their own purposes across different services.
• Right to object, cf. Article 21: Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
• Rights related to automated decision-making and profiling, cf. Article 22: This provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
These rights are not absolute and can be subject to limitations as specified in the law, for example, for reasons of national security, defense, or the investigation of criminal offences, cf. Article 17(4).
Not applicable.
Authorization for the use of data, or the lawful basis for processing, is handled according to Article 9 of the Data Protection Act. Processing is only lawful if at least one of the following six bases applies:
1. Consent: The data subject has freely given specific, informed, and unambiguous consent for their data to be processed for a specific purpose (Article 10 of the Data Protection Act details the conditions for valid consent).
2. Contract: The processing is necessary for the performance of a contract the data subject has with the controller, or in order to take steps at the request of the data subject prior to entering into a contract.
3. Legal obligation: The processing is necessary for the controller to comply with a legal obligation.
4. Vital interests: The processing is necessary to protect the vital interests of the data subject or another natural person.
5. Public task: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. Legitimate interests: The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular if the data subject is a child.
When processing sensitive personal data, in addition to one of the bases above, a specific condition from Article 11 must also be met, such as explicit consent, the necessity for the establishment, exercise or defense of legal claims, or reasons of substantial public interest.
Yes, cross-border data transfers are strictly regulated under Chapter V of the GDPR, incorporated into Icelandic law with the Data Protection Act. Article 16 of the Data Protection Act confirms the applicability of these rules. The primary restriction is that personal data may only be transferred outside the European Economic Area (EEA) if the recipient country ensures an adequate level of data protection.
This is achieved through a hierarchy of mechanisms:
1. Adequacy Decisions: The European Commission can determine that a third country provides an adequate level of protection. Transfers to such countries can proceed without any further authorization.
2. Appropriate Safeguards: In the absence of an adequacy decision, transfers are permitted if the controller or processor has provided appropriate safeguards. These include Standard Contractual Clauses (SCCs) adopted by the European Commission or Binding Corporate Rules (BCRs) for intra-group transfers.
3. Derogations: In exceptional cases, transfers may be made on limited grounds such as the data subjects' explicit consent, necessity for the performance of a contract, or important reasons of public interest.
The rulings concerning the municipalities' use of Google (case No. ) and the SidekickHealth ehf. case (case No. ) demonstrate that relying on SCCs for transfers to the U.S. is considered insufficient without supplementary measures to protect the data against access by U.S. surveillance authorities. This reflects the key restriction established following the Schrems II judgment of the Court of Justice of the European Union.
In case of a data breach, the Act requires controllers to notify the breach to the Data Protection Authority and in high-risk cases, also to the data subjects.
Note: In the case of a personal data breach, the controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Data Protection Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
If a data processor becomes aware of a data breach it shall notify the controller without undue delay after becoming aware of it.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subjects affected by the data breach.
According to the Data Protection Act, the Data Protection Authority is responsible for monitoring the application of the Act and administrative rules based on it.
Note: The Icelandic Data Protection Authority (ICE: Persónuvernd) is an independent authority with a specific board of directors and is administratively subject to the Minister of Justice.
The Data Protection Authority acts with independence in exercising its functions and its decisions according to the Act cannot be referred to a higher administrative authority.
The Data Protection Authority’s main task according to the Act is to monitor the application of the Act, GDPR and other rules on data protection. The Data Protection Authority handles and investigates complaints lodged by a data subject, or by a body, organization or association, and rules whether a violation has occurred. Furthermore, the Data Protection Authority shall inter alia promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing; advise the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing; upon request, provide information to any data subject concerning the exercise of their rights under the Act and, if appropriate, cooperate with the supervisory authorities in other Member States to that end and to fulfil any other tasks related to the protection of personal data.
The Data Protection Authority has the investigative powers set out in Article 58 of the GDPR, cf. Articles 41 and 42 of the Act. These include, among others, the power to order the controller and the processor, and, where applicable, the controller's or the processor's representative, to provide any information it requires for the performance of its tasks; the power to carry out investigations in the form of data protection audits; and the power to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks.
Noncompliance with the law can result in criminal sanctions, penalties and compensation.
Electronic marketing is regulated by the Electronic Communication Act No. 81/2003 and direct marketing requires the prior consent of the recipient.
According to the Electronic Communication Act No. 81/2003, the use of automated calling systems, facsimile machines or electronic mail for direct marketing is only allowed if the subscriber has given prior consent. However, e-mail addresses obtained in the context of the sale of a product or service may be used for direct marketing of the seller's own goods or services, provided that customers are given the opportunity to object to such use of their addresses, free of charge, when the addresses are collected and similarly each time a message is sent, if the customer has not initially refused such use.
Further, unsolicited electronic communications in the form of direct marketing are not allowed to be sent to subscribers who do not wish to receive these communications.
Yes. While the Data Protection Act is the general data protection law, the Act does allow for sector- or industry-specific laws implemented within the GDPR framework to operate concurrently or with priority. Iceland’s legislation includes several notable examples:
• Law Enforcement: The processing of personal data by competent authorities for law enforcement purposes is governed by a separate act, Act No. 75/2019 on the Processing of Personal Data for Law Enforcement Purposes, which transposes the EU's Law Enforcement Directive.
• Financial Information and Credit: Article 15 of the Data Protection Act requires a license from the Data Protection Authority for the operation of credit reference agencies. This is further detailed in Regulation No. 606/2023 on the processing of information on financial affairs and credit standing.
• Scientific Research in the Health Sector: Article 34 of Act No. 90/2018 refers to a specific law governing scientific research in the health sector.
• Education: The recent Act No. 91/2023 on the Centre for Education and School Services contains a specific article (Article 5) granting the Centre authority to process personal data, including sensitive data, to fulfil its statutory duties.
• Network and Information Security: Regulation No. 480/2021 on the activities of the national CERT team (CERT-ÍS) includes specific provisions on its authority to process personal data for cybersecurity purposes, including deviations from certain data subject rights.
• Health Records: The Public Health Act No. 41/2007 requires the encryption of personal data retained in certain health records.
The requirements for appointing a Data Protection Officer (DPO) are set out in Article 35 of the Data Protection Act. A DPO must be appointed in three main cases:
1. The processing is carried out by a public authority or body.
2. The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
3. The core activities of the controller or processor consist of processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.
The DPO must be appointed based on professional qualities and expert knowledge of data protection law and practices.
Key requirements, detailed further in GDPR Articles 37-39, include ensuring the DPO's independence and avoiding conflicts of interest. The DPO should not hold a position within the organisation that leads to a conflict of interests, such as a senior management role in which they would determine the purposes and means of the processing while also being tasked with independently monitoring the same processing. The DPO must report directly to the highest management level and have direct access to management.
Under Article 26 of Act No. 90/2018, both data controllers and processors are required to maintain internal records of their processing activities. This is a central element of the accountability principle. The records must be in writing, including in electronic form, and made available to the Data Protection Authority upon request.
The records maintained by a controller must include the following information:
• The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the DPO.
• The purposes of the processing.
• A description of the categories of data subjects and of the categories of personal data.
• The categories of recipients of personal data.
• Details of transfers to third countries, including identification of the country and documentation of the appropriate safeguards.
• Envisaged time limits for erasure of the different categories of data.
• A general description of the technical and organizational security measures in place.
Processors must maintain records of all categories of processing activities carried out on behalf of a controller, including information about:
• Name and contact details of the processor or processors.
• Categories of processing carried out on behalf of each controller.
• Transfers to third countries, if any.
• A general description of technical and organizational security measures.
An exemption exists for organizations with fewer than 250 employees, but this exemption does not apply if the processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or involves sensitive data or data on criminal convictions or offences.
The requirement to conduct a DPIA is established in Article 29 of the Data Protection Act. A DPIA is mandatory before starting any processing that is likely to result in a high risk to the rights and freedoms of natural persons. This is particularly relevant when using new technologies or conducting large-scale processing of sensitive data or profiling.
The Data Protection Authority is required to publish a list of processing operations for which a DPIA is mandatory. If the DPIA indicates that the processing would result in a high risk that the controller cannot mitigate with appropriate measures, the controller must consult the Data Protection Authority before the processing begins, cf. Article 30.
The requirements for managing third-party vendors who process data on behalf of a controller (i.e., data processors) are detailed in Article 25 of the Data Protection Act, which mirrors Article 28 of the GDPR.
• The controller must only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures to meet the law's requirements.
• The relationship must be governed by a legally binding contract (a Data Processing Agreement or DPA).
• The DPA must set out the subject matter, duration, nature, and purpose of the processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller.
• The DPA must stipulate that the processor will only act on the controller's documented instructions, ensure staff confidentiality, implement security measures, adhere to strict conditions for engaging sub-processors, and assist the controller in fulfilling its obligations.
Chapter VII of the Data Protection Act establishes the enforcement powers of the Data Protection Authority and the penalties for non-compliance.
• Corrective Powers, cf. Article 42: The Data Protection Authority can issue warnings, reprimands, and orders to comply with data subject requests, bring processing into compliance, or ban processing temporarily or permanently.
• Daily Fines, cf. Article 45: For failure to comply with certain orders, the Data Protection Authority can impose daily fines of up to ISK 200,000 per day until compliance is achieved.
• Administrative Fines, cf. Article 46: This is the most significant enforcement tool. Fines are divided into two tiers:
  • Up to ISK 1.2 billion or 2% of total worldwide annual turnover for breaches related to the obligations of controllers and processors, such as security measures, DPIAs, and records of processing.
  • Up to ISK 2.4 billion or 4% of total worldwide annual turnover for more severe breaches, such as violations of the core principles of processing, data subjects' rights, and rules on international data transfers.
• Criminal Penalties, cf. Article 48: For severe infringements committed intentionally and for profit, individuals can face imprisonment for up to three years.
• Right to Compensation, cf. Article 51: Any person who has suffered material or non-material damage as a result of an infringement has the right to receive compensation from the controller or processor for the damage suffered.
Ongoing compliance is a core tenet of the data protection framework, rooted in the principle of accountability found in Article 8(2) of the Act. This means controllers are not only responsible for complying with the law but must also be able to demonstrate that compliance.
This entails several ongoing activities:
• Regular Review: Controllers must regularly review and update their data protection policies, procedures, and documentation, including their records of processing activities, cf. Article 26.
• Security Management: Security is not a one-time task. Controllers must continuously ensure that their technical and organizational measures provide a level of security appropriate to the risk, cf. Article 27.
• Vendor Management: Contracts with data processors must be managed and reviewed to ensure ongoing compliance, cf. Article 25.
• DPIAs: DPIAs are dynamic documents. They should be reviewed and updated if the nature, scope, context, or purposes of the processing change, cf. Article 29.
Regarding audits, Article 41(1)(b) of the Act grants the Data Protection Authority the power to carry out data protection audits and inspections. This is a key part of its investigative and enforcement powers. These audits can result in formal decisions, orders, and fines, thereby enforcing ongoing compliance.
The Data Protection Act entered into force on July 15, 2018, implementing GDPR. No further developments of the legislative text are expected at this time.