Global Data Privacy Guide
Iceland (Europe)
Firm: LOGOS
Contributors: Áslaug Björgvinsdóttir
What is the key legislation?

The Act on Data Protection and the Processing of Personal Data No. 90/2018.

Note: On July 15, 2018, the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018 (the “Data Protection Act” or the “Act”) entered into force, repealing the Act on the Protection and Processing of Personal Data No. 77/2000. The Act implements Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

Since the Data Protection Act entered into force, the Data Protection Authority has issued a number of regulations, rules and public guidelines, such as a regulation on the processing of personal data in police records and for enforcement purposes (Regulation No. 577/2020), rules on the licensing of the processing of personal data (Rules No. 811/2019), an advertisement on processing activities that require a data protection impact assessment (Advertisement No. 828/2019), and guidelines on data protection officers, on consent, on data breaches, for processors, and for the implementation of information technology systems that process children's personal data.

Furthermore, the rules and guidelines published by the Data Protection Authority on the basis of the previous Act No. 77/2000 remain in force provided that they do not conflict with the new Act. These include rules on electronic surveillance (Rules No. 837/2006), rules on the security of personal data (Rules No. 299/2001), rules on employers’ supervision of employees’ emails (Advertisement No. 1001/2001) and rules on the transfer of personal data across borders (Advertisement No. 228/2010).
What data is protected?

The Data Protection Act protects personal data as defined in the Act.

Note: Personal data is defined in the Data Protection Act as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The definition in the Act is based on the definition of personal data provided in GDPR.

Examples of what would be considered personal data include names, addresses, ID numbers, photos and fingerprints.

Sensitive personal data is specifically defined in the Act as (i) data on race, ethnic origin, political opinions, religious beliefs, other life philosophies and trade-union membership; (ii) health data, i.e. data relating to a person’s physical or mental health, including data on the healthcare a person has received and data on the use of medical drugs, alcohol and narcotics; (iii) data concerning sex life and sexual behaviour; (iv) genetic data, i.e. personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person, and which result, in particular, from an analysis of a biological sample from the natural person in question; and (v) biometric data, i.e. data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data, provided that the data is processed in order to uniquely identify a person.
Who is subject to privacy obligations?

The Data Protection Act applies to data controllers and data processors, in both the private and the public sector.

Note: The Act defines a data controller as the natural or legal person, public authority or other party which, alone or jointly with others, determines the purposes and means of the processing of personal data. A data processor is a natural or legal person, public authority or other party which processes personal data on behalf of the controller.

The Act applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form, or are intended to form, part of a filing system.

The Act applies to the processing of personal data in the context of the activities of a controller or a processor established in Iceland, regardless of whether the processing takes place in the European Economic Area or not.

The Act also applies to the processing of personal data of data subjects in Iceland, conducted in the context of the activities of a controller or a processor not established in the European Economic Area, where the processing activities are related to (i) the offering of goods or services to such data subjects in the European Economic Area, irrespective of whether a payment by the data subject is required; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the area.
What are the principles applicable to personal data processing?

The Act sets forth the main principles relating to the collection and processing of personal data, which must always be adhered to.

Note: The Act sets forth the main principles relating to the collection and processing of personal data and stipulates that personal data must be:
- processed in a lawful, fair and transparent manner;
- collected for explicitly specified, legitimate and objective purposes and not processed further for other, incompatible purposes; further processing of data for historical, statistical or scientific purposes shall not be considered incompatible provided that proper safeguards are adhered to;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- reliable and kept up to date when necessary; personal data which are unreliable or incomplete, having regard to the purposes of their processing, shall be erased or rectified;
- preserved in a form which does not permit the identification of data subjects for longer than is necessary for the purposes of the processing;
- processed in a manner that ensures appropriate security of the personal data.

The controller is responsible for, and must be able to demonstrate, its compliance with the above principles.
How is the processing of personal data regulated?

The processing of personal data requires a legal basis under the Act. To process sensitive personal data, additional requirements must be fulfilled.
How are storage, security and retention of personal data regulated?

The data controller and the data processor, if any, are responsible for establishing and updating risk analysis procedures and putting security measures in place, in conformity with laws, rules and instructions given by the Data Protection Authority. Data controllers must also routinely conduct internal audits on the security of their processing. Personal data must be erased when an objective reason to preserve it no longer exists.

Note: The controller shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the Act, taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures which are designed to implement the data-protection principles and to integrate the necessary safeguards into the processing, in order to meet the requirements of the Act and protect the rights of data subjects.

The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed.

Both the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

The controller shall also conduct internal audits on the processing of personal data to ensure that the data are processed in accordance with prevailing laws and regulations and with the security measures that are to be implemented.

Internal audits shall be conducted routinely. The frequency and intensity of the audits shall be relative to the danger associated with the processing, the nature of the data processed, the technology used to ensure the security of the data and the cost of conducting the audits. They shall nonetheless be conducted at least annually.

The controller shall see to it that a report is written on each of the measures that the internal audit comprises. In such a report, the results of each part of the audit shall be described. Internal audit reports shall be preserved in a secure manner. The Data Protection Authority has the right to review these reports at any time.

The Data Protection Authority has provided instructions on how to conduct internal audits; see Rules No. 299/2001 on the security of personal data. The Act requires that when there is no longer an objective reason to preserve personal data, the controller shall erase them.
What are the data subjects' rights?

Data subjects have the right to receive information about the processing of their personal data, and the right to request access to and the correction of their personal data.

Note: The data subject has a right to obtain information about the processing, regardless of whether the personal data are obtained from the data subject or not, as well as a right of access to personal data concerning the data subject, in accordance with Articles 13-15 of GDPR, cf. Article 17(2) of the Act.

The information that the data controller shall provide to the data subject includes, among other things, the identity and contact details of the controller, the purposes of the processing for which the personal data are intended, the legal basis for the processing and the categories of personal data concerned.

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and other information such as the purposes of the processing, the categories of personal data concerned and the recipients or categories of recipients to whom the personal data have been or will be disclosed.

Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

The data subject has a right to obtain from the controller the rectification of inaccurate personal data concerning him or her, as well as a right to obtain from the controller the erasure of personal data concerning him or her.
Are there restrictions on cross-border data transfers?

The Act restricts transfers of personal data to countries outside the EEA and to international organizations. Such transfers may only be carried out if the transfer has a legal basis under Chapter 5 of the GDPR.

Note: In the absence of a decision by the European Commission, a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Are there any notification requirements for data breaches?

In case of a data breach, the Act requires controllers to notify the breach to the Data Protection Authority and, in high-risk cases, also to the data subjects.

Note: In the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Data Protection Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

If a data processor becomes aware of a data breach, it shall notify the controller without undue delay after becoming aware of it.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subjects affected by it.
Who is the privacy regulator?

According to the Data Protection Act, the Data Protection Authority is responsible for monitoring the application of the Act and the administrative rules based on it.

Note: The Icelandic Data Protection Authority (ICE: Persónuvernd) is an independent authority with its own board of directors and is administratively subject to the Minister of Justice.

The Data Protection Authority acts with independence in exercising its functions, and its decisions under the Act cannot be referred to a higher administrative authority.

The Data Protection Authority’s main task under the Act is to monitor the application of the Act, GDPR and other rules on data protection. The Data Protection Authority handles and investigates complaints lodged by a data subject, or by a body, organization or association, and rules on whether a violation has occurred. Furthermore, the Data Protection Authority shall, inter alia, promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing; advise the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing; upon request, provide information to any data subject concerning the exercise of their rights under the Act and, if appropriate, cooperate with the supervisory authorities in other Member States to that end; and fulfil any other tasks related to the protection of personal data.

The Data Protection Authority has the investigative powers set out in Article 58 of GDPR, cf. Articles 41 and 42 of the Act. These include the power to order the controller and the processor, and, where applicable, the controller's or the processor's representative, to provide any information it requires for the performance of its tasks; the power to carry out investigations in the form of data protection audits; and the power to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks.
What are the consequences of a privacy breach?

Noncompliance with the law can result in criminal sanctions, penalties and compensation.

How is electronic marketing regulated?

Electronic marketing is regulated by the Electronic Communication Act No. 81/2003, and direct marketing requires the prior consent of the recipient.

Are there any recent developments or expected reforms?

The Data Protection Act entered into force on July 15, 2018, implementing GDPR. No further developments of the legislative text are expected at this time.