GDPR in Norway – Personal Data Act
However, Norway is a member of the European Economic Area (EEA) and gets GDPR in place anyway. Norway recently published the Personal Data Act for implementing GDPR in Norway (see “Implementing GDPR in Norway” by Wikborg Rein). The Ministry of Justice and Public Security has proposed that GDPR should be incorporated into Norwegian law via a reference clause (cf. EØS-notat, 24 March 2017). This means that a clause in the main text of the law will incorporate the GDPR into Norwegian law, with the GDPR text then being reproduced as an appendix to that law. In this process Norway used the options provided by and and GDPR Article 88 to keep some of the existing regulations whilst applying GDPR.
Changes for GDPR in Norway by the Personal Data Act
Sensitive data
The use of “sensitive data” (see) will be prohibited, unless the data inspectorate authorizes the processing of sensitive personal data for the public benefit.
Personal ID numbers
ID numbers of physical persons and other national identification numbers may only be used where there are reasonable grounds that require proper identification and the use of personal ID numbers is necessary for such identification (as before GDPR).
Age limit for consent
The minimum age for giving consent to society for using information about you is set at the age of 13 (like Sweden and Denmark).
One-stop-shop
A data controller who is active in multiple EU countries may use the supervisory authority in the country where they have their main establishment for all personal data matters in the EU and EEA. The same is true for data controllers processing Norwegian personal data where the controller is established in another EU/EEA state.
Surveillance cameras
There is a separate regulation on the use of surveillance cameras (CCTV) in the workplace and the use of dummy surveillance equipment. However, Norway plans to replace the detailed regulation on the use of surveillance cameras.
Credit information
The Ministry plans to change the rules on credit information at a later point.
Employer access to email and other electronic files
The specific Norwegian regulation on restrictions for employers’ access to emails and other electronic files used by employees on supplied hardware and systems will remain in place, with some minor adjustments.
Penalties
Penalties similar to GDPR Article 83 will be implemented.