	Global Data Privacy Guide
	Norway
	(Europe) Firm Advokatfirmaet Thommessen AS Contributors Christopher Clausen Updated 01 Mar 2022
What is the key legislation?	The key legislation governing privacy and the processing of personal data in Norway are (i) the General Data Protection Regulation (Regulation (EU) 2016/679 – the "GDPR") and (ii) the Norwegian Personal Data Act of 2018 (the "Act"). The Act implements the GDPR into Norwegian law and furthermore includes supplemental provisions regarding privacy and the processing of personal data. Both the GDPR and the Act are further supplemented by regulations enacted under the Act, as well as sector-specific legislation inter alia concerning the processing of personal data in the health and finance sectors.
What data is protected?	The GDPR and the Act protect personal data (i) processed wholly or partly by automated means, and (ii) the processing of personal data which form part of a filing system or are intended to form a part of a filing system. Processing means any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means. Examples of operations that are regarded as processing are the collection, recording, storage, adaptation or alteration, of personal data. Personal data means any information relating to an identified or identifiable natural person (this person is referred to as the "data subject"). An identifiable natural person is one who can be identified (directly or indirectly) in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Accordingly, the GDPR and the Act does not apply to personal data which has been rendered anonymous in such a manner that the data subject is no longer identifiable. The GDPR operates with two sub-categories of personal data, i.e. "special categories of personal data" and personal data relating to criminal convictions and offenses. Special categories of personal data are: Data revealing racial origin, ethnic origin, political opinions, religious beliefs, philosophical beliefs, or trade union membership; The processing of genetic data or biometric data for the purpose of uniquely identifying a data subject; and Health data, as well as data concerning a data subject's sex life or sexual orientation.
Who is subject to privacy obligations?	The GDPR and the Act apply to "controllers" and "processors" which are engaged in activities falling within the scope of the GDPR or the Act. The controller is defined as the person(s) (individual and/or legal entity) that, alone or jointly with others, determines the purpose and means of the processing of personal data. The processor is defined as the person(s) (individual and/or legal entity) that processes the personal data on behalf of the controller. The controller is the party with the general responsibility to comply with privacy obligations set forth in the GDPR and the *Act. The processor is subject to specific legal obligations under the GDPR* and the *Act, such as the security obligations under GDPR* Article 32(1). The GDPR and the *Act* apply to: The processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Economic Area (the "EEA") or Norway, respectively, regardless of whether or not the processing takes place in the EEA; The processing of personal data of data subjects who are in the EEA or Norway, respectively, by a controller or processor not established in the EEA, where the processing activities are related to: The offering of goods or services to the above data subjects; or The monitoring of their behavior as far as their behavior takes place within the EEA or Norway.
What are the principles applicable to personal data processing?	Any processing of personal data, including the collection of personal data, must be performed in compliance with the GDPR and the *Act. Article 5 of the GDPR* sets forth the main principles relating to the collection and processing of personal data and stipulates that personal data must be: Processed lawfully, fairly, and in a transparent manner in relation to the data subject; Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; Adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed; Kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. The controller is responsible for and must be able to demonstrate its compliance with the above principles. Furthermore, under GDPR Articles 12-14, the controller is required to inform the data subjects about the controller's processing of their personal data.
How is the processing of personal data regulated?	The collection, use and/or disclosure of personal data requires a legal basis under GDPR Article 6. A controller that intends to process special categories of personal data must identify both a legal basis under GDPR Article 6 and satisfy one of the alternative conditions for processing special categories of personal data under GDPR Article 9. The processing of personal data relating to criminal convictions and offenses requires a legal basis under GDPR Article 6, and must be (i) carried out only under the control of official authority, or (ii) be authorized under EEA or EEA member state law. Pursuant to GDPR Article 6 processing of personal data shall be lawful if one of the following legal bases applies: Consent – the data subject has consented to the processing; Contract – the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract; Legal obligation – the processing is necessary for compliance with a legal obligation to which the controller is subject; Vital interests – the processing is necessary in order to protect the vital interests of the data subject or of another natural person; or Legitimate interest test – the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The processing of special categories of personal data is furthermore only permitted if one of the following ten conditions under GDPR Article 9 is satisfied: Explicit consent – the data subject has given explicit consent to the processing of those personal data for one or more specified purposes unless the relevant processing activity is prohibited under EEA or EEA member state law; Obligations in the field of employment, social security and social protection law – the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject (i) in the field of employment, social security and social protection law in so far as it is authorized by EEA or EEA member state law, or (ii) a collective agreement pursuant to EEA member state law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; Vital interests – the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; Foundations, associations or other not-for-profit bodies – the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; Certain public data – the processing relates to personal data which are manifestly made public by the data subject; Legal claims – the processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity; Substantial public interests – the processing is necessary for reasons of substantial public interest, on the basis of EEA or EEA member state law which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; Preventive or occupational medicine etc. – the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EEA or EEA member state law or pursuant to contract with a health professional; Public interest in the area of public health – the processing is necessary for reasons of public interest in the area of public health, on the basis of EEA or EEA member state law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular, professional secrecy; Archiving, scientific, historical research, or statistical purposes – the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR Article 89, based on EEA or EEA member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
How are storage, security and retention of personal data regulated?	Storage: Storing personal data is regarded as a processing activity. Accordingly, the storing of personal data must be conducted in compliance with the requirements under the GDPR and the Act, including the main principles relating to the processing of personal data set forth in Article 5 of the GDPR (as further described above). Security: Pursuant to GDPR Article 32, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. Examples of such security measures are: The pseudonymization and encryption of personal data; The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Retention: Pursuant to GDPR Article 17 personal data shall as a rule inter alia be deleted if: The personal data are no longer necessary in relation to the purposes for which they were collected; The data subject withdraws his/her consent, and the processing is based on the data subject's consent; or The personal data have been unlawfully processed.
What are the data subjects' rights?	There are inter alia rights of access to and correction of personal data under the *GDPR* and the *Act.* Access: Pursuant to GDPR Article 15, the data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processing. The data subject has furthermore a right to obtain access to the personal data and information relating to the processing, such as the purpose of the processing and the categories of personal data concerned. Certain exemptions to the data subject's right of access are set forth in Section 16 of the Act. Under Section 16 of the Act, the controller is inter alia not obligated to provide access to information (i) which is subject to a statutory duty of confidentiality, or (ii) which is only included in text drafted for internal case preparation, and which has not been disclosed to third parties. Correction: Pursuant to GDPR Article 16, the data subject has the right to obtain from the controller the correction/rectification of inaccurate personal data concerning him or her, and to have incomplete personal data completed. Other rights: The data subject furthermore has the right to erasure, to restrict processing, to data portability, to object to the processing of personal data, as well as rights in relation to automated decision making and profiling, under GDPR Chapter 3.
Are there restrictions on cross-border data transfers?	The GDPR restricts transfers of personal data to (i) countries outside the EEA (so-called "third countries"), and (ii) to international organizations. Such transfers may only be carried out if the transfer has a legal basis under Chapter 4 of the GDPR. Pursuant to GDPR Article 45, transfers of personal data to a third country or an international organization may take place on the basis of a so-called adequacy decision. An adequacy decision entails that the EU Commission has decided that the relevant third country (or a territory or one or more specified sectors within that third country), or the international organization ensures an adequate level of protection for individuals' rights and freedoms for their personal data. In the absence of an adequacy decision, the transfer must be covered by one of the appropriate safeguards under GDPR Article 46, or by the derogations for certain specific situations under GDPR Article 49. An appropriate safeguard is pursuant to GDPR Article 46: A legally binding and enforceable instrument between public authorities or bodies; Binding corporate rules established in accordance with GDPR Article 47; Standard data protection clauses (often referred to as "Standard Contractual Clauses" or "model clauses" adopted by the EU Commission; Standard data protection clauses adopted by a supervisory authority and approved by the EU Commission; An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA or an international organization; Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA or the international organization; Contractual clauses authorized by the supervisory authority; or Administrative arrangements between public authorities or bodies include enforceable and effective data subject rights. Furthermore, controllers and processors relying on GDPR Article 46 safeguards to transfer personal data to third countries, must ensure that the safeguards are not undermined by the laws and practices of the destination country. This requirement follows from the Court of the Justice of the European Union's judgment C-311/18 (often referred to as the "*Schrems II decision") and has been further elaborated by the European Data Protection Board's Recommendations 01/2022. As mentioned above, in the absence of an adequacy decision pursuant to GDPR* Article 45, and an appropriate safeguard pursuant to GDPR Article 46, personal data may be transferred to a third country or to an international organization if the transfer is covered by one of the derogations under GDPR Article 49. GDPR Article 49 stipulates that the aforementioned transfer may take place if: The data subject has explicitly consented to the transfer, after being informed of the possible risk of such transfers; The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; The transfer is necessary for important reasons of public interest; The transfer is necessary for the establishment, exercise or defense of legal claims; The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or The transfer is made from a register that according to EEA law or EEA member state law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest. However, it should be noted that transfers pursuant to GDPR Article 49 should only take place on an ad hoc basis.
Are there any notification requirements for data breaches?	Controllers and processors are subject to notification requirements under GDPR Article 33 and GDPR Article 34. Pursuant to Article 33 of the GDPR, the controller shall notify the competent supervisory authority of any "personal data breach" without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Pursuant to GDPR Article 4, a "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. A processor is pursuant to GDPR Article 33 obligated to notify the controller without undue delay after becoming aware of a personal data breach. Furthermore, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is as a main rule also obligated to, without undue delay, communicate the personal data breach to the affected data subjects, cf. Article 34.
Who is the privacy regulator?	The privacy regulator in Norway is the Norwegian Data Protection Authority (the "NDPA"). The NDPA is an independent administrative body subordinate to the Norwegian King and the Norwegian Ministry of Local Government and Regional Development. The King and the Ministry may not issue instructions or reverse the NDPA's decisions in individual cases. The NDPA is inter alia responsible for monitoring and enforcing compliance with the GDPR and the Act. Decisions made by the NDPA may inter alia be appealed to the Norwegian Privacy Appeals Board.
What are the consequences of a privacy breach?	Introduction: The NDPA has several corrective powers, and may inter alia sanction infringements of the GDPR or the Act with administrative fines. The NDPA may also order controllers and processors to cease processing activities that do not comply with the aforementioned privacy legislation or impose conditions that must be met in order to ensure that the processing is in compliance with the GDPR or the Act. Infringements of the GDPR may also be sanctioned by other supervisory authorities in the EEA (i.e. other EEA data protection authorities than the NDPA). Any person who has suffered material or non-material damage as a result of an infringement of the GDPR or the Act has the right to receive compensation for the damage suffered. Administrative fines: There are two sets of maximum administrative fines under the GDPR. Infringements of the following provisions of the GDPR are subject to administrative fines up to EUR 20,000,000, or in the case of an undertaking, up to four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher: GDPR Articles 5, 6, 7 and 9 (the principles relating to the processing of personal data); GDPR Articles 12 to 22 (rights of the data subject); GDPR Articles 44 to 49 (transfers of personal data to countries outside the EEA or to international organizations); Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to GDPR Article 58; or Failure to comply with the supervisory authority's investigation pursuant to GDPR Article 58. For other infringements, the maximum administrative fines are EUR 10,000,000, or in the case of an undertaking, up to two percent of the total worldwide annual turnover. Compensation and Liability: As mentioned above, data subjects may under GDPR Article 82 and Section 30 of the Act also claim compensation for any material or non-material damage as a result of an infringement of the GDPR or the Act.
How is electronic marketing regulated?	It is prohibited under Section 15 of the Norwegian Marketing Control Act, in the course of trade and without the prior consent of the recipient, to direct marketing communications at physical persons using electronic methods of communication that permit individual communication. Such electronic methods of communication inter alia include emails, text messages and automated calling systems/robocalls. The consent must be freely given, specific and informed. However, marketing by means of electronic messages without the prior consent of the recipient is permitted, if there exists a customer relationship and the contracting trader has obtained the electronic address of the customer in connection with a sale. The marketing may only relate to the trader’s own goods or services corresponding to those to which the customer relationship is based on. The customer must be given a simple and free of charge opportunity to opt-out of receiving such marketing communications when the electronic address is obtained, and at the time of any subsequent marketing communication.
Are there any recent developments or expected reforms?	*Amendments to the Norwegian Personal Data Act:* On January 1, 2022, the Norwegian Parliament (i.e. the "Storting") adopted amendments to Section 3 of the Act. The amendments deal with the relationship between the requirements under the *GDPR* and the freedom of expression. *New Norwegian Credit Information Act:* On December 20, 2019, the Storting announced a new Norwegian Credit Information Act (Nw. Kredittopplysningsloven). The Norwegian Credit Information Act has, however, not entered into force yet. If it enters into force, it will regulate the processing of personal data and other information in connection with the provision of credit information services. *New Norwegian Intelligence Service Act:* On January 1, 2021, a new Act regarding the Norwegian Intelligence Service (Nw. Etterretningstjenesteloven) entered into force. The Act regarding the Norwegian Intelligence Service (i) clarifies the legal basis of the activities of the Norwegian Intelligence Service, (ii) sets forth provisions regarding the Norwegian Intelligence Service's ability to intercept cross-border electronic communications, (iii) describes the activities of the Norwegian Intelligence Service in a more transparent manner, and (iv) clarifies the relationship between the Norwegian Intelligence Service and the Norwegian Police Security Service (Nw. Politiets sikkerhetstjeneste). The Norwegian Government chose to postpone the implementation of two chapters, Chapter 7 and 8, of the Norwegian Intelligence Service Act regarding the National Intelligence Service's access to bulk metadata for specified searches. However, on January 1, 2022, all of the provisions under Chapters 7 and 8 entered into force with the exception of Section 7-3. Section 7-3 establishes the right of the head of the Intelligence Service to decide whether the procedures set out in Chapters 7 and 8 will be initiated. As a result, even though the remaining provisions of Chapters 7 and 8 technically entered into force on January 1, 2022, they cannot be operationalized until Section 7-3 enters into force. It is not clear when Section 7-3 will come into effect. According to the Norwegian Ministry of Defense, further assessment is necessary due to uncertainty related to whether Chapter 7 and Chapter 8 comply with the European Convention on Human Rights ("ECHR").

Global Data Privacy Guide

Back XLS

What is the key legislation?

The key legislation governing privacy and the processing of personal data in Norway are (i) the General Data Protection Regulation (Regulation (EU) 2016/679 – the "GDPR") and (ii) the Norwegian Personal Data Act of 2018 (the "Act"). The Act implements the GDPR into Norwegian law and furthermore includes supplemental provisions regarding privacy and the processing of personal data.

Both the GDPR and the Act are further supplemented by regulations enacted under the Act, as well as sector-specific legislation inter alia concerning the processing of personal data in the health and finance sectors.

What data is protected?

The GDPR and the Act protect personal data (i) processed wholly or partly by automated means, and (ii) the processing of personal data which form part of a filing system or are intended to form a part of a filing system.

Processing means any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means. Examples of operations that are regarded as processing are the collection, recording, storage, adaptation or alteration, of personal data.

Personal data means any information relating to an identified or identifiable natural person (this person is referred to as the "data subject"). An identifiable natural person is one who can be identified (directly or indirectly) in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Accordingly, the GDPR and the Act does not apply to personal data which has been rendered anonymous in such a manner that the data subject is no longer identifiable.

The GDPR operates with two sub-categories of personal data, i.e. "special categories of personal data" and personal data relating to criminal convictions and offenses. Special categories of personal data are:

Data revealing racial origin, ethnic origin, political opinions, religious beliefs, philosophical beliefs, or trade union membership;
The processing of genetic data or biometric data for the purpose of uniquely identifying a data subject; and
Health data, as well as data concerning a data subject's sex life or sexual orientation.

Who is subject to privacy obligations?

The GDPR and the Act apply to "controllers" and "processors" which are engaged in activities falling within the scope of the GDPR or the Act.

The controller is defined as the person(s) (individual and/or legal entity) that, alone or jointly with others, determines the purpose and means of the processing of personal data.

The processor is defined as the person(s) (individual and/or legal entity) that processes the personal data on behalf of the controller.

The controller is the party with the general responsibility to comply with privacy obligations set forth in the GDPR and the Act. The processor is subject to specific legal obligations under the GDPR and the Act, such as the security obligations under GDPR Article 32(1).

The GDPR and the Act apply to:

The processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Economic Area (the "EEA") or Norway, respectively, regardless of whether or not the processing takes place in the EEA;
The processing of personal data of data subjects who are in the EEA or Norway, respectively, by a controller or processor not established in the EEA, where the processing activities are related to:
- The offering of goods or services to the above data subjects; or
- The monitoring of their behavior as far as their behavior takes place within the EEA or Norway.

What are the principles applicable to personal data processing?

Any processing of personal data, including the collection of personal data, must be performed in compliance with the GDPR and the Act.

Article 5 of the GDPR sets forth the main principles relating to the collection and processing of personal data and stipulates that personal data must be:

Processed lawfully, fairly, and in a transparent manner in relation to the data subject;
Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
Adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed;
Kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

The controller is responsible for and must be able to demonstrate its compliance with the above principles.

Furthermore, under GDPR Articles 12-14, the controller is required to inform the data subjects about the controller's processing of their personal data.

How is the processing of personal data regulated?

The collection, use and/or disclosure of personal data requires a legal basis under GDPR Article 6.

A controller that intends to process special categories of personal data must identify both a legal basis under GDPR Article 6 and satisfy one of the alternative conditions for processing special categories of personal data under GDPR Article 9.

The processing of personal data relating to criminal convictions and offenses requires a legal basis under GDPR Article 6, and must be (i) carried out only under the control of official authority, or (ii) be authorized under EEA or EEA member state law.

Pursuant to GDPR Article 6 processing of personal data shall be lawful if one of the following legal bases applies:

Consent – the data subject has consented to the processing;
Contract – the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
Legal obligation – the processing is necessary for compliance with a legal obligation to which the controller is subject;
Vital interests – the processing is necessary in order to protect the vital interests of the data subject or of another natural person; or
Legitimate interest test – the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The processing of special categories of personal data is furthermore only permitted if one of the following ten conditions under GDPR Article 9 is satisfied:

Explicit consent – the data subject has given explicit consent to the processing of those personal data for one or more specified purposes unless the relevant processing activity is prohibited under EEA or EEA member state law;
Obligations in the field of employment, social security and social protection law – the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject (i) in the field of employment, social security and social protection law in so far as it is authorized by EEA or EEA member state law, or (ii) a collective agreement pursuant to EEA member state law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
Vital interests – the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
Foundations, associations or other not-for-profit bodies – the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
Certain public data – the processing relates to personal data which are manifestly made public by the data subject;
Legal claims – the processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
Substantial public interests – the processing is necessary for reasons of substantial public interest, on the basis of EEA or EEA member state law which must be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
Preventive or occupational medicine etc. – the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EEA or EEA member state law or pursuant to contract with a health professional;
Public interest in the area of public health – the processing is necessary for reasons of public interest in the area of public health, on the basis of EEA or EEA member state law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular, professional secrecy;
Archiving, scientific, historical research, or statistical purposes – the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR Article 89, based on EEA or EEA member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

How are storage, security and retention of personal data regulated?

Storage:

Storing personal data is regarded as a processing activity. Accordingly, the storing of personal data must be conducted in compliance with the requirements under the GDPR and the Act, including the main principles relating to the processing of personal data set forth in Article 5 of the GDPR (as further described above).

Security:

Pursuant to GDPR Article 32, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. Examples of such security measures are:

The pseudonymization and encryption of personal data;
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Retention:

Pursuant to GDPR Article 17 personal data shall as a rule inter alia be deleted if:

The personal data are no longer necessary in relation to the purposes for which they were collected;
The data subject withdraws his/her consent, and the processing is based on the data subject's consent; or
The personal data have been unlawfully processed.

What are the data subjects' rights?

There are inter alia rights of access to and correction of personal data under the GDPR and the Act.

Access:

Pursuant to GDPR Article 15, the data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processing. The data subject has furthermore a right to obtain access to the personal data and information relating to the processing, such as the purpose of the processing and the categories of personal data concerned.

Certain exemptions to the data subject's right of access are set forth in Section 16 of the Act. Under Section 16 of the Act, the controller is inter alia not obligated to provide access to information (i) which is subject to a statutory duty of confidentiality, or (ii) which is only included in text drafted for internal case preparation, and which has not been disclosed to third parties.

Correction:

Pursuant to GDPR Article 16, the data subject has the right to obtain from the controller the correction/rectification of inaccurate personal data concerning him or her, and to have incomplete personal data completed.

Other rights:

The data subject furthermore has the right to erasure, to restrict processing, to data portability, to object to the processing of personal data, as well as rights in relation to automated decision making and profiling, under GDPR Chapter 3.

Are there restrictions on cross-border data transfers?

The GDPR restricts transfers of personal data to (i) countries outside the EEA (so-called "third countries"), and (ii) to international organizations. Such transfers may only be carried out if the transfer has a legal basis under Chapter 4 of the GDPR.

Pursuant to GDPR Article 45, transfers of personal data to a third country or an international organization may take place on the basis of a so-called adequacy decision. An adequacy decision entails that the EU Commission has decided that the relevant third country (or a territory or one or more specified sectors within that third country), or the international organization ensures an adequate level of protection for individuals' rights and freedoms for their personal data.

In the absence of an adequacy decision, the transfer must be covered by one of the appropriate safeguards under GDPR Article 46, or by the derogations for certain specific situations under GDPR Article 49.

An appropriate safeguard is pursuant to GDPR Article 46:

A legally binding and enforceable instrument between public authorities or bodies;
Binding corporate rules established in accordance with GDPR Article 47;
Standard data protection clauses (often referred to as "Standard Contractual Clauses" or "model clauses" adopted by the EU Commission;
Standard data protection clauses adopted by a supervisory authority and approved by the EU Commission;
An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA or an international organization;
Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA or the international organization;
Contractual clauses authorized by the supervisory authority; or
Administrative arrangements between public authorities or bodies include enforceable and effective data subject rights.

Furthermore, controllers and processors relying on GDPR Article 46 safeguards to transfer personal data to third countries, must ensure that the safeguards are not undermined by the laws and practices of the destination country. This requirement follows from the Court of the Justice of the European Union's judgment C-311/18 (often referred to as the "Schrems II decision") and has been further elaborated by the European Data Protection Board's Recommendations 01/2022.

As mentioned above, in the absence of an adequacy decision pursuant to GDPR Article 45, and an appropriate safeguard pursuant to GDPR Article 46, personal data may be transferred to a third country or to an international organization if the transfer is covered by one of the derogations under GDPR Article 49. GDPR Article 49 stipulates that the aforementioned transfer may take place if:

The data subject has explicitly consented to the transfer, after being informed of the possible risk of such transfers;
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
The transfer is necessary for important reasons of public interest;
The transfer is necessary for the establishment, exercise or defense of legal claims;
The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
The transfer is made from a register that according to EEA law or EEA member state law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest.

However, it should be noted that transfers pursuant to GDPR Article 49 should only take place on an ad hoc basis.

Are there any notification requirements for data breaches?

Controllers and processors are subject to notification requirements under GDPR Article 33 and GDPR Article 34.

Pursuant to Article 33 of the GDPR, the controller shall notify the competent supervisory authority of any "personal data breach" without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Pursuant to GDPR Article 4, a "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A processor is pursuant to GDPR Article 33 obligated to notify the controller without undue delay after becoming aware of a personal data breach.

Furthermore, if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is as a main rule also obligated to, without undue delay, communicate the personal data breach to the affected data subjects, cf. Article 34.

Who is the privacy regulator?

The privacy regulator in Norway is the Norwegian Data Protection Authority (the "NDPA"). The NDPA is an independent administrative body subordinate to the Norwegian King and the Norwegian Ministry of Local Government and Regional Development. The King and the Ministry may not issue instructions or reverse the NDPA's decisions in individual cases. The NDPA is inter alia responsible for monitoring and enforcing compliance with the GDPR and the Act.

Decisions made by the NDPA may inter alia be appealed to the Norwegian Privacy Appeals Board.

What are the consequences of a privacy breach?

Introduction:

The NDPA has several corrective powers, and may inter alia sanction infringements of the GDPR or the Act with administrative fines. The NDPA may also order controllers and processors to cease processing activities that do not comply with the aforementioned privacy legislation or impose conditions that must be met in order to ensure that the processing is in compliance with the GDPR or the Act. Infringements of the GDPR may also be sanctioned by other supervisory authorities in the EEA (i.e. other EEA data protection authorities than the NDPA).

Any person who has suffered material or non-material damage as a result of an infringement of the GDPR or the Act has the right to receive compensation for the damage suffered.

Administrative fines:

There are two sets of maximum administrative fines under the GDPR.

Infringements of the following provisions of the GDPR are subject to administrative fines up to EUR 20,000,000, or in the case of an undertaking, up to four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher:

GDPR Articles 5, 6, 7 and 9 (the principles relating to the processing of personal data);
GDPR Articles 12 to 22 (rights of the data subject);
GDPR Articles 44 to 49 (transfers of personal data to countries outside the EEA or to international organizations);
Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to GDPR Article 58; or
Failure to comply with the supervisory authority's investigation pursuant to GDPR Article 58.

For other infringements, the maximum administrative fines are EUR 10,000,000, or in the case of an undertaking, up to two percent of the total worldwide annual turnover.

Compensation and Liability:

As mentioned above, data subjects may under GDPR Article 82 and Section 30 of the Act also claim compensation for any material or non-material damage as a result of an infringement of the GDPR or the Act.

How is electronic marketing regulated?

It is prohibited under Section 15 of the Norwegian Marketing Control Act, in the course of trade and without the prior consent of the recipient, to direct marketing communications at physical persons using electronic methods of communication that permit individual communication. Such electronic methods of communication inter alia include emails, text messages and automated calling systems/robocalls. The consent must be freely given, specific and informed.

However, marketing by means of electronic messages without the prior consent of the recipient is permitted, if there exists a customer relationship and the contracting trader has obtained the electronic address of the customer in connection with a sale. The marketing may only relate to the trader’s own goods or services corresponding to those to which the customer relationship is based on. The customer must be given a simple and free of charge opportunity to opt-out of receiving such marketing communications when the electronic address is obtained, and at the time of any subsequent marketing communication.

Are there any recent developments or expected reforms?

Amendments to the Norwegian Personal Data Act:

On January 1, 2022, the Norwegian Parliament (i.e. the "Storting") adopted amendments to Section 3 of the Act. The amendments deal with the relationship between the requirements under the GDPR and the freedom of expression.

New Norwegian Credit Information Act:

On December 20, 2019, the Storting announced a new Norwegian Credit Information Act (Nw. Kredittopplysningsloven). The Norwegian Credit Information Act has, however, not entered into force yet. If it enters into force, it will regulate the processing of personal data and other information in connection with the provision of credit information services.

New Norwegian Intelligence Service Act:

On January 1, 2021, a new Act regarding the Norwegian Intelligence Service (Nw. Etterretningstjenesteloven) entered into force. The Act regarding the Norwegian Intelligence Service (i) clarifies the legal basis of the activities of the Norwegian Intelligence Service, (ii) sets forth provisions regarding the Norwegian Intelligence Service's ability to intercept cross-border electronic communications, (iii) describes the activities of the Norwegian Intelligence Service in a more transparent manner, and (iv) clarifies the relationship between the Norwegian Intelligence Service and the Norwegian Police Security Service (Nw. Politiets sikkerhetstjeneste).

The Norwegian Government chose to postpone the implementation of two chapters, Chapter 7 and 8, of the Norwegian Intelligence Service Act regarding the National Intelligence Service's access to bulk metadata for specified searches. However, on January 1, 2022, all of the provisions under Chapters 7 and 8 entered into force with the exception of Section 7-3. Section 7-3 establishes the right of the head of the Intelligence Service to decide whether the procedures set out in Chapters 7 and 8 will be initiated. As a result, even though the remaining provisions of Chapters 7 and 8 technically entered into force on January 1, 2022, they cannot be operationalized until Section 7-3 enters into force.

It is not clear when Section 7-3 will come into effect. According to the Norwegian Ministry of Defense, further assessment is necessary due to uncertainty related to whether Chapter 7 and Chapter 8 comply with the European Convention on Human Rights ("ECHR").

Global Data Privacy Guide

Norway

Global Data Privacy Guide

Norway

Members