DLA Piper Intelligence

Data Protection
Laws of the World

Norway

Being a member of the European Economic Area (‘EEA’), Norway has implemented the EU Data Protection Directive 95/46/EC with the Personal Data Act (LOV-2000-04-14-31, below the ‘Act’) and the Personal Data Regulations (FOR-2000-12-15-1265, below the ‘Regulations’).   

Last modified 25 Jan 2017
Definitions

Definition of personal data

Any information and assessments that may be linked to a natural person (the Act section 2, number 1).

Definition of sensitive personal data

Information relating to:

  • racial or ethnic origin, or political opinions, philosophical or religious beliefs
  • the fact that a person has been suspected of, charged with, indicted for or convicted of a criminal act
  • health
  • sex life, or 
  • trade union membership (the Act section 2, number 8).
Authority

The Data Protection Authority (Nw: Datatilsynet, below the ‘DPA’)

Visiting address: Tollbugata 3, 0152 Oslo
Postal address: PO. Box 8177 Dep., NO-0034 Oslo

T +47 22 39 69 00
F +47 22 42 23 50

W www.datatilsynet.no 
E postkasse@datatilsynet.no 

Registration

The Act distinguishes between the obligation to submit a notification to the DPA and the obligation to obtain a license from the DPA. Certain types of processing of personal data are, however, subject to neither the notification obligation nor the license obligation. There is therefore no general rule in Norway requiring all controllers to register with the DPA.

Examples of processing activities exempt from both the notification obligation and the license obligation:

  • the processing of personal data concerning customers, subscribers and suppliers (as part of the administration and fulfilment of contractual obligations), cf. the Regulations section 7-7, and
  • employers' standard processing of personal data relating to current or former employees, personnel, representatives, temporary manpower and applicants for a position, cf. the Regulations section 7-16.

Examples of processing activities subject to the notification obligation:

  • video surveillance
  • whistleblower schemes
  • prize competitions, or
  • compliance with legislation to combat money laundering.

Examples of processing activities subject to the license obligation:

  • a license from the DPA is generally required for the processing of sensitive personal data, cf. the Act section 33, and
  • controllers in certain business sectors are obligated to obtain a license, including:
    • providers of telecommunication services for the purpose of customer administration, invoicing and the provision of services in connection with the subscriber's use of the telecommunications network (cf. the Regulations section 7-1)
    • providers of insurance services for the purpose of customer administration, invoicing and the implementation of insurance contracts (cf. the Regulations section 7-2), and
    • banks and financial institutions for the purpose of customer administration, invoicing and the implementation of banking services (cf. the Regulations section 7-3).
Data Protection Officers

There is no statutory requirement to appoint a Data Protection Officer (‘DPO’). Pursuant to the Regulations section 7-12, the DPA may grant an exemption from the obligation to submit notification under the Act if the controller designates an independent privacy ombudsman (Nw: Personvernombud) who is responsible for ensuring that the controller complies with the Act and the Regulations. The main benefits are as follows:

  • the controller will be exempt from the obligation to submit notifications pursuant to the Act and the Regulations
  • the appointment of a DPO will build goodwill for and strengthen the controller's reputation with respect to privacy issues and processing of personal data (shows the controller's focus for privacy/processing compliance efforts), and
  • the DPA's courses will maintain and strengthen the DPO's qualifications and skills within processing of personal data and general privacy issues.

The DPO is inter alia responsible for:

  • ensuring that the controller complies with the Act and the Regulations
  • maintaining an overview of the categories of personal data that are processed and the types of processing
  • ensuring that the controller has implemented an internal control system
  • being a contact person for the DPA
  • addressing breaches of the Act and the Regulations
  • keeping up to date with trends and developments in privacy and applicable legislation, and
  • assisting the data subjects and answering questions relating to the processing and privacy issues.
Collection & Processing

Data controllers may collect and process personal data when any of the following conditions are met:

  • the data subject consents
  • there is statutory authority for the processing
  • the processing is necessary to fulfil a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into such a contract
  • the processing is necessary to enable the controller to fulfil a legal obligation
  • the processing is necessary to protect the vital interests of the data subject
  • the processing is necessary to perform a task in the public interest
  • the processing is necessary to exercise official authority, or
  • the processing is necessary to enable the controller or third parties to whom the data is disclosed to protect a legitimate interest, except where such interest is overridden by the interests of the data subject.

Where sensitive personal data is processed, one of the above conditions must be met plus one of a further list of additional conditions.

Whichever of the above conditions is relied upon, the controller must first provide the data subject with certain information, unless an exemption applies. The notification shall include information on the identity of the controller, the purposes of the processing, whether the data will be disclosed and if so, the identity of the controller, the fact that the provision of data is voluntary and any other circumstances that will enable the data subject to exercise his rights pursuant to the Act.

Transfer

Pursuant to the Act section 29, personal data may only be transferred to countries which ensure an adequate level of protection of the data. There are, however, several exceptions to this main rule. Pursuant to the Act section 30, personal data may also be transferred to countries which do not ensure an adequate level of protection if:

  1. the data subject has consented to the transfer

  2. there is an obligation to transfer the personal data pursuant to an international agreement or as a result of membership of an international organisation

  3. the transfer is necessary for the performance of a contract with the data subject, or for the performance of tasks at the request of the data subject prior to entering into such a contract

  4. the transfer is necessary for the conclusion or performance of a contract with a third party in the interest of the data subject

  5. the transfer is necessary in order to protect the vital interests of the data subject

  6. the transfer is necessary in order to establish, exercise or defend a legal claim

  7. the transfer is necessary or legally required in order to protect an important public interest, or

  8. there is statutory authority for demanding data from a public register.

The DPA may allow transfer even if the conditions set out above are not fulfilled if the controller provides adequate safeguards with respect to the protection of the rights of the data subject, such as transfers:

  • subject to the EU Model Clauses and approved by the DPA before the transfer
  • pursuant to Binding Corporate Rules approved by the DPA, and
  • to Safe Harbour certified entities in the USA.*

* Please note that following the Judgment of the Court of Justice of the European Union on 6 October 2015 in the case of Schrems (C-362/14) the US-EU safe harbor regime is no longer regarded as a valid basis for transferring personal data to the US. This section of the Handbook will be updated in due course to reflect regulator actions in the wake of the decision. In the meantime, please refer to DLA Piper’s Privacy Matters blog http://blogs.dlapiper.com/privacymatters/ for more information and insight into the decision.

Security

Data controllers and processors shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data.

Breach Notification

Data security breaches which have resulted in the unauthorised disclosure of personal data where confidentiality is necessary are subject to notification to the DPA. DPA guidance and practice indicate that data subjects may also need to be notified where the discrepancy may be detrimental to the interests of the data subject (eg identity theft, forgery, harassment).

Enforcement

The DPA is responsible for enforcement of the Act, and the DPA’s decisions may be appealed to the Privacy Appeals Board (Nw: Personvernnemnda).

Sanctions and remedies for non-compliance:

  • change/cease unlawful processing (the Act section 46): The DPA may order that processing of personal data in violation of the provisions in or pursuant to the Act shall cease, or impose conditions which must be met in order for the processing to comply with the Act
  • data offence fine (the Act section 46): The DPA may issue orders to the effect that violation of provisions laid down in or pursuant to the Act shall result in a data offence fine of maximum 10 times the National Insurance Basic Amount. The National Insurance Basic Amount is regulated yearly and has since 1 May 2013 been NOK 85 245. Thus, the maximum data offence fine is per January 2014 NOK 852 450 (≈ EUR 100 000)
  • coercive fines (the Act section 47): For certain breaches, the DPA may also impose a coercive fine which will run for each day from the expiry of the time limit set for compliance with the order until the order has been complied with
  • penalties (the Act section 48): Anyone who wilfully or through gross negligence violates certain provisions in the Act, shall pursuant to the Act section 48 be liable to fines or imprisonment for a term not exceeding one year or both. In particularly aggravating circumstances, a sentence of imprisonment for a term not exceeding three years may be imposed. An accomplice shall be liable to similar penalties, and/or
  • compensation (the Act section 49): The controller shall compensate damage suffered as a result of the fact that personal data have been processed contrary to provisions laid down in or pursuant to the Act, unless it is established that the damage is not due to error or neglect on the part of the controller. The compensation shall be equivalent to the financial loss incurred by the injured party as a result of the unlawful processing. The controller may also be ordered to pay such compensation for damage of a non-economic nature (compensation for non-pecuniary damage) as seems reasonable.
Electronic Marketing

The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (eg an email address is likely to be ‘personal data’ for the purposes of the Act).

Pursuant to the Marketing Control Act (Nw: Markedsføringsloven) section 15, it is prohibited in the course of trade, without the prior consent of the recipient, to send marketing communications to natural persons using electronic methods of communication which permit individual communication, such as electronic mail, telefax or automated calling systems (calling machines).

Prior consent is however not required for electronic mail marketing where there is an existing customer relationship and the contracting trader has obtained the electronic address of the customer in connection with a sale. The marketing may only relate to the trader’s own goods, services or other products corresponding to those on which the customer relationship is based.

At the time that the electronic address is obtained, and at the time of any subsequent marketing communication, the customer shall be given a simple and free opportunity to opt out of receiving such communications.

‘Electronic mail’ in the context of the Marketing Control Act means any communication in the form of text, speech, sound or image that is sent via an electronic communications network, and that can be stored on the network or in the terminal equipment of the recipient until the recipient retrieves it. This includes text and multimedia messages sent to mobile telephones.

Direct marketing emails must not conceal or disguise the identity of the sender. If the email is unsolicited, it shall clearly state that the email contains a marketing message upon receipt of the message (The Norwegian E-commerce Act, Nw: Ehandelsloven, section 9).

Online Privacy

Traffic Data

Traffic data is defined in Norwegian Regulation relating to Electronic Communications Networks and Electronic Communications Services (Nw: Ekomforskriften F16.02.2004 nr 401) section 7-1 as data which is necessary to transfer communication in an electronic communications network or for billing of such transfer services.

Processing of traffic data held by a Communications Services Provider ('CSP') (Nw: Tilbyder) may only be performed by individuals tasked with invoicing, traffic management, customer enquiries, marketing of electronic communications networks or the prevention or detection of fraud.

Traffic Data held by a CSP must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication (Electronic Communications Act (Nw: Ekomloven) section 2-7). However, Traffic Data can be retained if it is being used to provide a value added service and consent has been given for the retention of the Traffic Data.

Location Data

Location data may only be processed subject to explicit consent for the provision of a value added service which is not a public telephony service, and the users must be given understandable information on which data is processed and how the data is used. The user shall have the opportunity to withdraw their consent. See Norwegian Regulation relating to Electronic Communications Networks and Electronic Communications Services section 7-2.

Cookie Compliance

The Electronic Communications Act has been changed in accordance with directive 2009/136/EC regarding the use of cookies. According to section 2-7 b, the user must give their consent before cookies or any other form of data is stored in their browser. The users must receive clear and comprehensive information about the use of cookies and the purpose of the storage or access. However, obtaining user consent is not required if the cookie solely has the purpose of transferring communication in an electronic network, or if it is deemed to be necessary for the delivery of a service requested by the user. The user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. Where the use of a cookie involves processing of personal data, the service providers will have to comply with the additional requirements of the Data Protection Act.

Contacts
Cecilie Rønnevik
Lawyer - Advokatfullmektig
T +47 2413 1540

Petter Bjerke
Partner
T +47 2413 1654