DLA Piper Intelligence

Data Protection
Laws of the World

Law

Iceland

The governing legislation on data protection is Act No 77/2000 on the Protection and Processing of Personal Data ('Data Protection Act'), which implemented EU Data Protection Directive 95/46/EC.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Any data relating to the data subject (identified or identifiable), i.e. information that can be traced directly or indirectly to a specific individual, deceased or living.

Definition of sensitive personal data

Sensitive personal data means data on origin, skin colour, race, political opinions, religious beliefs and other life philosophies; data on whether a person has been suspected of, indicted for, prosecuted for or convicted of a punishable offence; health data, including genetic data and data on use of alcohol, medical drugs and narcotics; data concerning sex life (and sexual behaviour); and data on trade-union membership.
Authority

The Data Protection Authority

Raudarárstíg 10
105 Reykjavík

www.personuvernd.is
Registration

All electronic processing of personal data which falls under the Data Protection Act must be notified to the Icelandic Data Protection Authority by the controller of the data, unless an exemption applies.

For example, there is an exemption for data processing which is necessary and carried out in the regular or standard course of activities, relating solely to those data subjects who have a connection to the activities being performed or the relevant field of work, e.g. where the controller only processes data relating to business associates, customers, employees and members, and none of the data processed includes sensitive data.

Notification to the Data Protection Authority is also required for any changes to processing of personal data which has already been notified.

Notification to the Data Protection Authority must be submitted electronically and in Icelandic.

Certain data processing is also subject to an authorization from the Icelandic Data Protection Authority. For example, processing that involves the collection and disclosure of information related to the financial and credit standing of individuals must be authorized by the Icelandic Data Protection Authority.
Data Protection Officers

There is no specific requirement under the Data Protection Act to appoint data protection officers.

Where a controller does not have an establishment in Iceland but the Data Protection Act is still applicable (e.g. because the controller uses processing equipment in Iceland), the controller must, however, designate a representative established in Iceland. In such cases, the provisions of the Act relating to controllers shall apply to the representative.
Collection & Processing

Data controllers may collect and process personal data when any of the following conditions are met:

  • the data subject has unambiguously agreed to the processing or given his or her consent
  • the processing is necessary to honour a contract to which the data subject is a party, or to take measures at the request of the data subject before a contract is established
  • the processing is necessary to fulfil a legal obligation of the controller
  • the processing is necessary to protect the vital interests of the data subject
  • the processing is necessary for a task that is carried out in the public interest
  • the processing is necessary in the exercise of official authority vested in the controller or in a third party to whom the data are transferred
  • the processing is necessary for the controller, or a third party or parties to whom the data are transferred, to safeguard legitimate interests, except where overridden by the fundamental rights and freedoms of the data subject, which shall be protected by law.

Where sensitive personal data is processed, one of the above conditions must be met as well as one of a further list of additional conditions. Examples of such additional conditions are that the data subject has given his or her consent to the processing, or that the processing is specifically authorized in another Act of law.

In all events, data must be processed in a fair, appropriate and lawful manner, and must be obtained for a specific, explicit and appropriate purpose.

Furthermore, unless an exemption applies, the controller must provide the data subject with notice of certain information, including the identity of the controller, the purpose of the processing and the recipients of the data.
Transfer

The transfer of personal data to a country that does not provide an adequate level of personal data protection is prohibited, unless:

  • the data subject has consented to the transfer
  • the transfer is necessary for the fulfilment of obligations under international law or as a result of Iceland's membership of an international organization
  • the transfer is authorized in another legislative act
  • the transfer is necessary to establish or fulfil a contract between the data subject and the controller
  • the transfer is necessary to establish or fulfil a contract in the interest of the data subject
  • the transfer is necessary in order to protect the vital interests of the data subject
  • the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims, or
  • the data in question are accessible to the general public.

Countries in the European Economic Area are considered to provide an adequate level of personal data protection, as are Switzerland, Canada, Argentina, Guernsey, the Isle of Man, Jersey, the Faroe Islands, Andorra, Israel, Uruguay and New Zealand.

The Icelandic Data Protection Authority can also authorize a transfer of personal data to a third country that does not provide an adequate level of protection where the controller adduces adequate (contractual) safeguards with respect to the protection of the rights of the data subject(s).
Security

A controller must implement appropriate technical and organizational measures to protect personal data against unlawful destruction, accidental loss or alteration, and unauthorized access. In practice the same rule applies to processors of personal data, because controllers are required to contractually pass down their security obligations under the Data Protection Act to their processors.
Breach Notification

There is no mandatory requirement in the Data Protection Act to report data security breaches or losses to the Icelandic Data Protection Authority.

Enforcement

The Icelandic Data Protection Authority is responsible for the enforcement of the Data Protection Act.

Infringements of the provisions of the Data Protection Act, and of regulations issued under it, are punishable by fines or a prison term of up to three years, unless more severe sanctions are provided for in other acts of law. The same punishment applies if instructions of the Data Protection Authority are not observed.

If a controller or a processor has processed personal data in violation of the Data Protection Act, or of rules or instructions issued by the Data Protection Authority, the controller may be required to compensate the data subject for the financial damage suffered as a result of the violation.

The Data Protection Authority can furthermore order the cessation of the processing of personal data, and can decide to impose daily fines if its instructions are not complied with, until it concludes that the necessary improvements have been made.
Electronic Marketing

Under the Electronic Communications Act No 81/2003, the use of electronic communications systems, including email, for direct marketing is only allowed if the subscriber has given prior consent.

If an email address has been obtained in the context of the sale of a good or service, the controller may use it for direct marketing of the controller's own goods or services to customers who have not objected to receiving email marketing from the controller, provided the customers are given the opportunity, free of charge, to object to such use of their email address when it is collected and each time a message is sent.

Further, all marketing emails must include the name and address of the party responsible for the marketing.
Online Privacy

There are no provisions in Icelandic legislation that specifically deal with the use of cookies or location data. However, location data and IP addresses are considered personal data under the Data Protection Act.

If the use of cookies leads to the processing of IP addresses or other personal data, that processing must comply with the Data Protection Act. The processing is therefore not permissible unless one of the listed conditions is met; in most instances the data subject must consent to the processing of such data.
Contacts

Hjördís Halldórsdóttir
Partner
T +354 5 400 300

Áslaug Björgvinsdóttir
Partner
T +354 5 400 300