GDPR Guide to National Implementation: Norway - A practical guide to national GDPR compliance requirements across the EEA

SUMMARY

Q1/ Applicable legislation - (a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation? New legislation has been passed.

 

[co-authors: Rune Opdahl and Fredrik Wiker, Wiershol]

Norway

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

———

(b) Relevant legislation includes:

  • The Norwegian Data Protection Act (the “Act”)
    • Date in force: 20 July 2018
  • Regulation on employers’ right to access email and other electronically stored material
    • Date in force: 20 July 2018

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been repealed in full.

———

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

There are no specific rules governing this issue.

———

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

There are no specific rules governing this issue.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

The DPA may authorise processing of sensitive personal data where the processing is necessary due to substantial public interest. In addition, the Ministry of Government Administration and Reform (the “Ministry”), the body under which the DPA operates, has the power to enact provisions which specify instances in which such processing may take place. No such regulation has been enacted to date.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

Substantial registers of criminal convictions can only be processed by a public authority. Where criminal data are processed for scientific or historical research purposes under a public authority’s control, the public authority has a duty to consult the DPO or someone who fulfils the requirements in Arts. 37(5)-(6) & 38(3) GDPR. The duty to consult does not apply if an Impact Assessment has been performed.

Public authorities may exchange personal data when it is necessary in order to prevent, detect or sanction work-related crime. This does not apply to sensitive personal data unless the Ministry has issued a regulation which gives public authorities a legal basis to exchange personal data. Exchange of personal data may not take place if it is prohibited by statutory law or if any statutory duty of confidentiality applies.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———

Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

13 years of age.

———

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

All sensitive personal data can be processed if the data subject’s valid consent has been obtained.

———

(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Employees’ sensitive personal data can only be processed if it is necessary to perform obligations or exercise rights in the field of employment.

(ii) Substantial public interest

The DPA may authorise the processing of sensitive personal data where the processing is necessary due to substantial public interest. In addition, the Ministry, which oversees the operation of the DPA, has the power to specify instances in which such processing may take place. No such regulation has been enacted to date.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

There are no specific rules on processing this category of data.

(iv) Public interest in the area of public health

There are no specific rules on processing this category of data.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

Processing may take place without the consent of the data subject if the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR, as long as the public interest in the processing clearly exceeds the disadvantages for the data subject, and only after consultation with the DPO.

The obligation to consult with the DPO also applies to the processing of sensitive personal data for scientific or historical research purposes based on the data subjects’ consent. If consent has been obtained, the public interest in the processing does not have to exceed the disadvantages for the data subject.

———

(c) Has national law introduced any further conditions and/or limitations with regard to the processing of genetic data, biometric data, or health data?

There are no specific rules on processing this category of data.

———

Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

The processing of personal data relating to criminal offences (pursuant to Art. 10 GDPR) may only take place in the following circumstances:

  • the provisions in Art. 9(2)(a), (c), (d), (e) or (f) GDPR are met;
  • such data may only be processed in relation to employment when it is necessary to perform obligations or exercise rights in the field of employment;
  • both the DPA and the Ministry may authorise processing when it is necessary due to substantial public interests; or
  • such data may be processed without the data subject’s consent if the processing is necessary for archive purposes in the public interest, scientific or historical research purposes or for statistical purposes, as long as society’s interest in the processing clearly exceeds the disadvantages for the data subject.

The obligation to consult with the DPO also applies to the processing of criminal data for scientific or historical research purposes based on the data subject’s explicit consent.

In addition, see Q3(c) above.

———

Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

There are no specific exemptions to the right to erasure.

———

(b) Does national law...
