➦ Norsk versjon

Act relating to the processing of personal data (The Personal Data Act)

DateLOV-2018-06-15-38
MinistryMinistry of Justice and Public Security
Entry into force20.07.2018
Last consolidatedLOV-2021-06-18-124 from 01.01.2022
Abbreviated titleThe Personal Data Act
Original titleLov om behandling av personopplysninger (personopplysningsloven)
Kapitteloversikt:

Amendment Acts incorporated in this text: This translation was first published by Lovdata on 11 July 2023 and included all amendment acts in force up to this date, the last of which was Act 18 June 2021 No. 124 in force 1 January 2022.

This is an unofficial translation of the Norwegian version of the Act and is provided for information purposes only. Legal authenticity remains with the Norwegian version as published in Norsk Lovtidend. In the event of any discrepancy, the Norwegian version shall prevail.

The translation is provided by the Ministry of Justice and Public Security.

Chapter 1. The General Data Protection Regulation

Section 1.Incorporation of the General Data Protection Regulation

Annex XI no. 5e of the EEA agreement (regulation (EU) 2016/679) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) will apply as a law with the adaptations that follow from Annex XI, Protocol 1 and the Agreement in general.

Chapter 2. Substantive and geographical scope of the Act

Section 2.Substantive scope and relationship to other acts

This Act and the General Data Protection Regulation applies to processing of personal data wholly or partly by automated means and to processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. This Act and the General Data Protection Regulation do not apply when otherwise is stipulated in or pursuant to a statute.

This Act and the General Data Protection Regulation do not apply

a.to processing of personal data by a natural person in the course of a purely personal or household activity
b.to cases that are considered or decided pursuant to laws relating to administration of justice (the Courts of Justice Act, the Criminal Procedure Act, the Dispute Act and the Act relating to legal enforcement etc.).

Article 56 and chapter VII of the General Data Protection Regulation only apply within the scope of the EEA Agreement.

In the event of a conflict, the provisions in the General Data Protection Regulation take precedence over provisions in any other statute that regulates the same matter, cf. section 2 of the EEA Act.

The King may issue regulations to the effect that this Act or parts of it will not apply to certain institutions and activities.

Section 3.Relationship to freedom of expression and freedom of information

To the extent necessary for the exercise of the right to freedom of expression and freedom of information, the General Data Protection Regulation and this Act do not apply to processing of personal data for journalistic purposes or with a view to academic, artistic or literary expressions. When assessing the extent to which the General Data Protection Regulation and this Act apply to the processing, particular consideration shall be given to

a.the public interest in the processing or the expressions it leads to
b.codes of conduct, ethical guidelines and self-determination schemes or the like that contribute to protecting the privacy of the data subject during the processing
c.the negative consequences the application of provisions in the General Data Protection Regulation or this Act may have for the exercise of the right to freedom of expression and freedom of information
d.the consequences the processing may have for the data subject, and whether the data subject has a special need for protection.

Notwithstanding the provisions of the first subsection, no exceptions may be made from the General Data Protection Regulation Articles 24, 26, 28, 29, 32, 33 no. 2 and 40 to 43, cf. Chapters I, VI, VIII, X and XI and Chapter 1, 2, 6 and 7 of this Act.

When media covered by the Media Liability Act, process personal data exclusively for purposes mentioned in the first subsection, only the provisions mentioned in the second subsection shall apply.

Section 4.Geographical scope

This Act and the General Data Protection Regulation apply to processing of personal data in the context of the activities of an establishment of a controller or a processor in Norway, regardless of whether the processing takes place in the EEA or not.

This Act and the General Data Protection Regulation applies to the processing of personal data of data subjects who are in Norway by a controller or processor not established in the EEA, where the processing activities are related to:

a.the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in Norway; or
b.the monitoring of their behaviour as far as their behaviour takes place within Norway.

This Act and the General Data Protection Regulation also applies to the processing of personal data by a controller not established in Norway, but in a place where Norwegian law applies by virtue of public international law.

The King may issue regulations to the effect that this Act and the General Data Protection Regulation shall apply fully or partly on Svalbard and Jan Mayen and stipulate special rules for processing of personal data for these regions.

Chapter 3. Further rules on the processing of personal data

Section 5.Children's consent in connection with information society services

The age of consent is 13 years pursuant to Article 6 (1) (a) of the General Data Protection Regulation for such purposes as mentioned in Article 8 (1) of the General Data Protection Regulation.

Section 6.Processing of special categories of personal data regarding employment

Personal data as mentioned in Article 9 (1) of the General Data Protection Regulation may be processed when it is necessary to carry out employment-related obligations or rights.

Section 7.Processing of special categories of personal data according to permission or regulation

The Norwegian Data Protection Authority may in special cases give permission to process personal data as mentioned in Article 9 (1) of the General Data Protection Regulation if processing is necessary for reasons of substantial public interest. The Norwegian Data Protection Authority shall determine conditions in order to protect the fundamental rights and interests of the data subject.

The King may in regulations allow for processing of personal data as mentioned in Article 9 (1) of the General Data Protection Regulation when it is necessary for reasons of substantial public interest. Such regulations shall stipulate suitable and special measures to protect the fundamental rights and interests of the data subject.

Section 8.Processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Personal data may be processed on the basis of Article 6 (1) (e) of the General Data Protection Regulation if it is necessary for archiving purposes in the public interest, purposes related to scientific or historical research or statistical purposes. The processing shall be subject to the necessary safeguards in line with Article 89 (1) of the General Data Protection Regulation.

Section 9.Processing of special categories of personal data without consent for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Personal data as mentioned in Article 9 (1) of the General Data Protection Regulation may be processed without consent from the data subject if the processing is necessary for archiving purposes in the public interest, purposes related to scientific or historical research or statistical purposes, and the public interest in having the processing take place, clearly outweighs the disadvantages for the individual. The processing shall be subject to the necessary safeguards in line with Article 89 (1) of the General Data Protection Regulation.

Before processing is performed based on the first subsection, the data controller shall consult the data protection officer pursuant to Article 37 of the General Data Protection Regulation or someone else who meets the requirements in Article 37 (5) and (6) and Article 38 (3) first and second sentence of the General Data Protection Regulation. This consultation shall assess whether the processing will meet the requirements in the General Data Protection Regulation and other provisions stipulated in or pursuant to this Act. The obligation to consult does not apply, however, if a data protection impact assessment has been conducted pursuant to Article 35 of the General Data Protection Regulation.

The King may issue regulations concerning the processing of special categories of personal data for archiving purposes in the public interest, purposes related to scientific or historical research or statistical purposes.

Section 10.Obligation to consult prior to the processing of special categories of personal data for research purposes based on consent

The obligation to consult pursuant to section 9 second subsection applies correspondingly when personal data as mentioned in the General Data Protection Regulation Article 9 (1) are to be processed for scientific or historical research purposes on the basis of consent from the data subject.

Section 11.Processing of personal data concerning criminal convictions and offences etc.

Article 9 (2) (a) and (c) to (f) of the General Data Protection Regulation and sections 6, 7 and 9 of this Act apply correspondingly to processing of personal data as mentioned in Article 10 of the General Data Protection Regulation that it is not carried out under supervision of a public authority. Comprehensive registers of criminal convictions may only be kept under supervision of a public authority.

The consultation obligation pursuant to section 9 second subsection also applies correspondingly when personal data as mentioned in Article 10 of the General Data Protection Regulation are to be processed for scientific or historical research purposes on the basis of

a.consent of the data subject, whether or not the processing is carried out under supervision of a public authority
b.section 8 of this Act, if the processing is carried out under supervision of a public authority.

Section 12.Use of national identity numbers and other unique identifiers

National identity number and other unique identifiers can only be processed when there is a legitimate need for definite identification and the method is necessary to obtain such identifiation.

The King may issue regulations concerning the use of national identity number and other unique identifiers.

Section 12 a.Public authorities may disclose personal data in order to combat work-related crime

Public authorities may disclose personal data to each other when it is necessary in order to prevent, uncover, forestall or sanction work-related crime. The first sentence does not apply to personal data as mentioned in Article 9 of the General Data Protection Regulation. The Ministry may issue regulations with further rules concerning which public authorities may exchange personal data pursuant to this provision.

The first subsection does not apply when otherwise is stipulated in or pursuant to a statute, and does not permit the disclosure of information which is subject to a statutory duty of secrecy.

Section 13.Regulations concerning transfer of personal data to third countries or international organisations

The King may issue regulations concerning transfer of personal data to third countries or international organisations.

Section 14.Regulations concerning prior consultation and prior approval

The King may issue regulations concerning prior consultation with the Norwegian Data Protection Authority and prior approval from the Norwegian Data Protection Authority.

Section 15.Regulations concerning incorporation of delegated acts and implementing acts

The King may issue regulations concerning incorporation of delegated acts and implementing acts.

Chapter 4. Exceptions from the rights of the data subject

Section 16.Exceptions from the rights to information and access and the obligation to communicate a personal data breach

The rights to information and access pursuant to Articles 13, 14 and 15 of the General Data Protection Regulation do not comprise information which

a.is of importance for Norway's foreign policy interests or national defence and security interests, when the data controller may exempt the information pursuant to sections 20 or 21 of the Freedom of Information Act
b.it is necessary to keep secret for the purposes of prevention, investigation, detection and prosecution of criminal offences
c.it must be considered inadvisable for the data subject to learn of, on account of his or her health or relationship to people close to him or her
d.in or pursuant to a statute is subject to a duty of secrecy
e.exclusively is found in texts prepared for internal case preparation, and that has not been disclosed to others, as far as it is necessary to deny access in order to ensure proper internal decision-making processes
f.it would be contrary to obvious and fundamental private or public interests to disclose.

Information as mentioned in first subsection c may nevertheless on request be made known to a representative of the data subject unless there are particular reasons for not doing so.

Anyone denying access pursuant to the first subsection, must provide reasons for it in writing, with a precise reference to the legal basis for the exception. If access is denied based on the first subsection f, the considerations that warrant secrecy must also be stated.

The obligation to communicate a personal data breach to the data subject pursuant to the Article 34 of the General Data Protection Regulation does not apply if such communication would disclose information as mentioned in the first subsection a, b and d.

The King may issue regulations concerning exceptions from and further conditions for the rights to information and access and communication regarding a personal data breach.

Section 17.Exceptions from the data subject's rights concerning the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes

The right to access pursuant to Article 15 of the General Data Protection Regulation does not apply to processing of personal data for archiving purposes in the public interest, purposes related to scientific or historical research or statistical purposes in accordance with Article 89 (1) of the General Data Protection Regulation to the extent

a.it would require a disproportionate amount of work or
b.the right to access is likely to render it impossible to achieve the objectives of the processing or seriously obstruct such achievement.

The rights to rectification and restriction of processing pursuant to Articles 16 and 18 of the General Data Protection Regulation do not apply to processing for archiving purposes in the public interest, purposes related to scientific or historical research or statistical purposes in accordance with Article 89 (1) of the General Data Protection Regulation to the extent such rights are likely to render it impossible to achieve the objectives of the processing or seriously obstruct such achievement.

The first and second subsection do not apply if the processing will have legal effects or direct factual effects for the data subject.

Chapter 5. Data protection officers

Section 18.The data protection officers' duty of secrecy

Data protection officers are obligated to prevent others from gaining access to or knowledge of what they learn in the performance of their tasks concerning

a.an individual's personal affairs
b.technical devices, production methods, business analyses and calculations and business secrets in general when the information is of such a nature that others may exploit it in their own business activity
c.security measures pursuant to Article 32 of the General Data Protection Regulation
d.individuals' reporting of breaches of this Act.

The duty of secrecy does not apply if the data protection officer receives consent to disclose the information from the person concerned, or if it is necessary in order to perform the statutory duties of the data protection officer.

The duty of secrecy also applies after the data protection officer has concluded the service or work. Information as mentioned in this section must not be exploited in the officer's own activity or in service or work for others.

Section 19.Regulations concerning the obligation to designate data protection officers

The King may issue regulations concerning the obligation to designate data protection officers.

Chapter 6. Supervision and appeals

Section 20.The Norwegian Data Protection Authority

The Norwegian Data Protection Authority is the supervisory authority pursuant to Article 51 of the General Data Protection Regulation and is an independent administrative body subordinate to the King and the Ministry. The Norwegian Data Protection Authority cannot be instructed concerning its processing of individual cases or its other professional activities. The King and the Ministry cannot reverse decisions made by the Norwegian Data Protection Authority.

The Norwegian Data Protection Authority is headed by a director appointed by the King. The King may issue regulations stipulating that the director of the Norwegian Data Protection Authority must be employed for a fixed term, the length of such a term and whether reappointment is possible.

The Norwegian Data Protection Authority's powers pursuant to Article 58 of the General Data Protection Regulation apply correspondingly for supervision of compliance with

a.the provisions of this Act and regulations issued pursuant to this Act
b.provisions concerning the processing of personal data in other acts and regulations, to the extent the processing is within the scope of this Act and the scope of the General Data Protection Regulations pursuant to section 2.

The King may issue regulations concerning coverage of the Norwegian Data Protection Authority's costs related to control.

Section 21.Annual report from the Norwegian Data Protection Authority

The Norwegian Data Protection Authority must send its annual rapport pursuant to Article 59 of the General Data Protection Regulation to the King, who presents the report to the Storting.

Section 22.The Privacy Appeals Board

The Privacy Appeals Board is an independent administrative body subordinate to the King and the Ministry. The Board cannot be instructed concerning its processing of individual cases or its other professional activities. The King and the Ministry cannot reverse decisions made by the Board.

The Privacy Appeals Board decides appeals against decisions made by the Norwegian Data Protection Authority unless otherwise stipulated. The Norwegian Data Protection Authority's decisions pursuant to Article 56 and chapter VII of the General Data Protection Regulation cannot be appealed to the Privacy Appeals Board.

The Privacy Appeals Board consists of seven members with personal deputies. The members and deputy members are appointed by the King for four years, with the possibility of reappointment for a further four years. The Board must have a chair and deputy chair who both have a cand.jur. or master's degree in law.

The Privacy Appeals Board may determine that appeals that need to be decided quickly, can be decided by the chair and deputy chair with two other Board members.

The Privacy Appeals Board must every year inform the King of its activities.

The King may issue regulations concerning the organisation of and case processing in the Privacy Appeals Board.

Section 23.Access to information

The Norwegian Data Protection Authority shall conduct its investigative powers pursuant to Article 58 (1) of the General Data Protection Regulation without hindrance from the duty of secrecy.

The Privacy Appeals Board may exert authority pursuant to Article 58 (1) a of the General Data Protection Regulation. This shall happen without hindrance from the duty of secrecy.

Processing of personal data that is necessary for the security of Norway or its allies, the relationship to foreign powers or other vital national security interests, is exempt from Article 58 (1) of the General Data Protection Regulation. If there is disagreement between the data controller and the Norwegian Data Protection Authority concerning the scope of the first sentence, the issue will be decided by the Privacy Appeals Board.

Section 24.Duty of secrecy

The provisions concerning duty of secrecy in section 13 ff. of the Public Administration Act apply to the staff of the Norwegian Data Protection Authority, the members of the Privacy Appeals Board and all others who perform services or work for the Norwegian Data Protection Authority or the Privacy Appeals Board. The duty of secrecy also concerns information regarding security measures pursuant to Article 32 of the General Data Protection Regulation and individuals' reporting of breaches of this Act.

Notwithstanding its duty of secrecy, the Norwegian Data Protection Authority can, pursuant to the first subsection, provide foreign supervisory authorities with information when this is necessary to enable a supervisory authority comprised by the regulation to make a decision as part of its supervisory activities.

Section 25.Parties in legal actions

The Norwegian Data Protection Authority acts as a party on behalf of the State in legal actions related to its supervisory activity.

Legal actions regarding the validity of decisions made by the Privacy Appeals Board is to be addressed to the state, represented by the Privacy Appeals Board.

Chapter 7. Sanctions and coercive fines

Section 26.Violation penalties

Article 83 (4) of the General Data Protection Regulation applies correspondingly for violations of Articles 10 and 24 of the General Data Protection Regulation.

The Norwegian Data Protection Authority may issue public authorities and bodies with an administrative fine pursuant to the rules in Article 83, cf. Article 83 (7) of the General Data Protection Regulation.

Section 27.Compliance deadline and court review in cases concerning a violation penalty

The deadline for complying with an administrative fine decision is four weeks from when the decision became final.

The court can review all aspects of violation penalty cases. The court can hand down a judgment on the merits of the case if it finds it appropriate and justifiable.

Section 28.Limitation period

The ability to issue an administrative fine is limited to a period of five years after the violation has ceased. This limitation period is interrupted if the Norwegian Data Protection Authority issues an advance notice or makes a decision to issue an administrative fine.

Section 29.Coercive fines

If an order has been issued pursuant to this Act, the Norwegian Data Protection Authority may stipulate a coercive fine for every day after the expiry of the deadline for complying with the order, until the order has been fulfilled.

The King may issue regulations with further provisions regarding coercive fines, inter alia concerning the amount and duration of a coercive fine, stipulation of a coercive fine and waiving of coercive fines accrued.

Section 30.Damages for non-economic loss

A party who is liable to pay compensation pursuant to the rules in Article 82 of the General Data Protection Regulation, can also be ordered to pay such damages for non-pecuniary damage as seems reasonable.

Chapter 8. Bogus video surveillance equipment etc.

Section 31.False video surveillance equipment etc.

When video surveillance would be a violation of the General Data Protection Regulation or this Act, it is also prohibited to use false video surveillance equipment or by means of signage, posters etc. give the impression that video surveillance is taking place. Chapter VI and Article 83 (4) of the General Data Protection Regulation, as well as Chapter 6, section 26 second subsection and sections 27 to 29 of this Act, apply correspondingly.

By video surveillance is meant continuous or regularly repeated surveillance of people by means of a remote-controlled or automatic surveillance camera or similar equipment that has been fixed in place. By false video surveillance equipment is meant equipment that might easily be taken for a genuine camera solution.

Chapter 9. Entry into force. Transitional rules. Amendments to other acts

Section 32.Entry into force

This Act enters into force from a date​1 determined by the King. The Act of 14 April 2000 no. 31 relating to the processing of personal data is repealed from the same date.

The various provisions may enter into force and be repealed on different dates.

1In force from 20 July 2018.

Section 33.Transitional rules

Those rules for processing of personal data that were in force at the time when the action took place, must be applied when a violation penalty is decided. However, the legislation on the date of the decision must be applied if this leads to a more favourable result for the accountable.

The King may provide further transitional rules.

Section 34.Amendments to other acts

From the date when this Act enters into force, the following amendments are made to other acts:
– – –