Data Protection in Norway

Data protection laws in Norway

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that it is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Norway regulation

The GDPR was incorporated in the EEA Agreement by a Joint Committee Decision dated July 6, 2018. The new Norwegian Personal Data Act (LOV-2018-06-15-38) ("PDA") implements GDPR and became effective as of July 20, 2018.

In addition to implementing GDPR, the PDA includes specific regulations as described below. In connection with the implementation of GDPR, several sector-specific regulations, e.g, in the healthcare sector, has been updated to ensure compliance with GDPR.

The PDA has a similar geographical scope as GDPR article 3 in that it applies to:

  1. data controllers and processors established in Norway regardless of whether the processing activities takes place Norway / EEA or not; and
  2. processing activities by a data controller or data processor which is not established in the EEA to the extent the processing activity relates to:
    1. offering of goods and services to data subjects in Norway, irrespective of whether a payment of the data subject is required; or
    2. the monitoring of their behavior, to the extent that such behavior takes place within Norway.

The PDA applies to processing of personal data by controller who is not established in Norway, but in a place governed by Norwegian law according to public international law.

Continue reading

  • no results

Back to top