Data Protected - Norway
Contributed by Advokatfirmaet Wiersholm AS
Last updated February 2024
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
The General Data Protection Regulation (EU) (2016/679) (“GDPR”).
The Act of 15 June 2018 no. 38 relating to the processing of personal data (the “Personal Data Act”) implements the GDPR by reference to its incorporation into the EEA Agreement, together with a limited number of provisions complementing the GDPR.
Entry into force
The GDPR was adopted in the EEA through a Joint Committee Decision on 6 July 2018.
The Personal Data Act, including the GDPR, entered into force in Norway on 20 July 2018.
_____________________________________________________________________ Top
National Supervisory Authority
Details of the competent national supervisory authority
The Norwegian Data Protection Authority will continue to act as the supervisory authority in Norway.
The Data Protection Authority
Visitor address: Trelastgata 3, 0191 Oslo, Norway
Postal address: P.O. Box 458 Sentrum, NO-0105 Oslo, Norway
The Norwegian Data Protection Authority is a member of the European Data Protection Board. As Norway is not an EU member state, the Data Protection Authority, however, does not have the right to vote or act as chair or deputy chair of the European Data Protection Board. Otherwise, the Norwegian Data Protection Authority would participate in the European Data Protection Board without any restrictions.
Notification or registration scheme and timing
There is no obligation to notify regulators of any processing under the GDPR. However, controllers and processors must keep a record of their processing and make it available to their supervisory authority on request (subject to limited exemptions).
The Norwegian Data Protection Authority may in special cases grant permission to process special category personal data if processing is necessary in the interest of important public interests as mentioned in the GDPR Article 9. The Norwegian Government can grant the same permission through regulations.
Exemptions to notification
Not applicable.
_____________________________________________________________________Top
Scope of Application
What is the territorial scope of application?
The GDPR applies to the processing of personal data in the context of the establishment of a controller or processor in the EU.
It also contains express extra-territorial provisions and will apply to controllers or processors based outside the EU that: (i) offer goods or services to individuals in the EU; or (ii) monitor individuals within the EU. Controllers and processors caught by these provisions will need to appoint a representative in the EU, subject to certain limited exemptions.
The European Data Protection Board has issued Guidelines on the territorial scope of the GDPR (3/2018).
The Personal Data Act applies to: (i) controllers or processors established in Norway whether or not the processing takes place in the EEA; (ii) processing of personal data on data subjects located in Norway, and which is performed by a processor or controller not located in the EEA, if the processing relates to: (a) the offering of goods and services to data subjects in Norway, whether or not for payment, and (b) the monitoring of their behaviour, to the extent that such behaviour takes place in Norway; and (iii) the processing of personal data by a controller not established in Norway, but in a location subject to Norwegian law according to international law.
Is there a concept of a controller and processor?
Yes. The GDPR contains the concept of a controller, who determines the purpose and means of processing, and a processor, who just processes personal data on behalf of the controller.
The European Data Protection Board has issued Guidelines on the concepts of controller and processor in the GDPR (7/2020).
Both controllers and processors are subject to the rules in the GDPR, but the obligations placed on processors are more limited.
Are both manual and electronic records subject to data protection legislation?
Yes. The GDPR applies to both electronic records and structured hard copy records.
Are there any national derogations?
The GDPR does not apply to law enforcement activities which are instead subject to the Law Enforcement Directive. The GDPR also does not apply to areas of law that are outside the scope of Union law, such as national security, and does not apply to purely personal or household activity.
The Personal Data Act sets out that the GDPR does not apply when personal data is processed by a physical person for strictly personal or family related activities; or processed or determined in accordance with the Norwegian laws relating to the administration of justice. To the extent necessary for the exercise of the right to freedom of expression and information, the GDPR does not apply to the processing of personal data for journalistic purposes or in relation to academic, artistic or literary expressions. Whether the processing is assumed necessary shall be based on a concrete and discretionary assessment, which, among other things, depends on society's interest in the processing. However, this is not a complete exemption and certain provisions of the GDPR and national legislation continue to apply.
_____________________________________________________________________Top
Personal Data
What is personal data?
Personal data is information relating to an identified or identifiable natural person.
This is a broad term and includes a wide range of information. The GDPR expressly states it includes online identifiers such as cookies.
Is information about legal entities personal data?
No. However, information about sole traders and partnerships is likely to be personal data.
What are the rules for processing personal data?
All processing of personal data must comply with all six general data quality principles. Personal data must be: (i) processed fairly, lawfully and transparently; (ii) collected for specific, explicit and legitimate purposes and not processed in a manner incompatible with those purposes; (iii) adequate, relevant and not excessive; (iv) accurate and, where necessary, up to date; (v) kept in an identifiable form for no longer than necessary; and (vi) kept secure.
The processing of personal data must also satisfy at least one condition for processing personal data. These conditions are that the processing is: (a) carried out with the data subject’s consent; (b) necessary for the performance of a contract with the data subject; (c) necessary for compliance with a legal obligation; (d) necessary in order to protect the vital interests of the data subject; (e) necessary for the public interest or in the exercise of official authority; or (f) necessary for the controller’s or a third party's legitimate interests, except where overridden by the interests or fundamental rights and freedoms of the data subject.
These rules are almost identical to the core requirements for processing personal data in the old Data Protection Directive. The European Data Protection Board has issued Guidelines on the performance of a contract processing condition for online services (2/2019).
Under the Personal Data Act, the processing of national identity numbers and other unique identifiers (e.g. fingerprints) may only take place when there is an objective need for certain identification and the method is necessary to achieve such identification. The Personal Data Act also contains a provision permitting the government to adopt a regulation on the use of national identity numbers and other unique means of identification.
Pursuant to the Working Environment Act, a company's access to an employee's e-mail account etc. is only permitted if it is either necessary to safeguard the company's business or other legitimate interests, or in the case of justified suspicions that the employee's use of the e-mail account or other electronic equipment constitutes a material breach of the employee's obligations or may provide grounds for notice or dismissal. The Working Environment Act and relevant Regulations provide several requirements in relation to the above, including a duty to notify the employee, and the employee's right to be present during a review.
Pursuant to the Working Environment Act, the employer may only implement video surveillance (including the use of fake equipment) in relation to employees when such measures are objectively justified by circumstances relating to the undertaking and it does not involve undue strain on the employees. In addition, video surveillance of office premises a limited circle of people frequently occupy, must only be performed when necessary to prevent hazardous situations, and to safeguard the safety of the employees and others, or when there is a specific need for such surveillance. The Working Environment Act and relevant Regulations provide several requirements in relation to the above, including a duty to clearly provide information on the relevant surveillance.
Pursuant to the Personal Data Act, an employer may process special categories of personal data and data relating to criminal convictions and offences when the processing is necessary to perform obligations or exercise rights in the field of employment.
Are there any formalities to obtain consent to process personal data?
The requirements for consent under the GDPR are strict.
To be valid, consent must be in clear and plain language and, where sought in writing, separate from other matters. Consent must be based on affirmative action so pre-ticked boxes are not acceptable. Consent might not be valid if: (i) there is any detriment to the data subject for refusing; (ii) there is an imbalance of power; (iii) consent for multiple purposes is bundled together; or (iv) the consent is a condition of entering into a contract. Finally, consent can be withdrawn at any time.
In practice, other processing conditions should be relied on where possible. Consent will only be an appropriate processing condition if the individual has a genuine choice over the matter, for example, whether to be sent marketing materials.
The European Data Protection Board has issued Guidelines on consent (5/2020).
Are there any special rules when processing personal data about children?
Consent from a child in relation to online services will only be valid if authorised by a parent. A child is someone under 16 years old, though Member States may reduce this age to 13.
Currently, children can only consent to processing of personal data at the age of 18 in accordance with the general rule on legal capacity.
An updated version of the Norwegian Children Act is currently being drafted. The current proposal states that children of the age of 13 can generally consent to the sharing of their personal data. However, the age limit increases to 18 if the consent concerns data that falls within special category personal data or information on criminal offences. Please note that this proposal is at an early stage and is currently not applicable.
The age of consent in relation to information society services is 13 years pursuant to the Personal Data Act.
Are there any special rules when processing personal data about employees?
The GDPR allows Member States to implement more specific national rules governing the processing of personal data about employees. It may also be possible to process special category personal data where it is necessary for a legal obligation in the field of employment law.
As mentioned above, pursuant to the Working Environment Act, a company's access to an employee's e-mail account etc. is only permitted if it is either necessary to safeguard the company's business or other legitimate interests, or in the case of justified suspicions that the employee's use of the e-mail account or other electronic equipment constitutes a material breach of the employee's obligations or may provide grounds for notice or dismissal.
Further, the employer may only implement video surveillance (including the use of fake equipment) in relation to employees when such measures are objectively justified by circumstances relating to the undertaking and it does not involve undue strain on the employees. Additionally video surveillance of office premises a limited circle of people frequently occupy, may only be done when necessary to prevent hazardous situations, and to safeguard the safety of the employees and others, or when there is a specific need for such surveillance. Pursuant to the Personal Data Act, the processing of special categories of personal data and data relating to criminal convictions and offences is permitted when the processing is necessary to perform obligations or exercise rights in the field of employment.
Employers can require a police certificate of conduct from job applicants only where this is explicitly stated in law or regulation. This applies, for example, for positions where the employee is given responsibility for children.
_____________________________________________________________________ Top
Sensitive Personal Data
What is sensitive personal data?
Special category data is personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. The decision in OT (C-184/20) might suggest this should be interpreted broadly to include publication of information that indirectly discloses these characteristics.
The inclusion of genetic and biometric data is new and an extension to the types of sensitive personal data in the Data Protection Directive.
Information about criminal offences is dealt with separately and is subject to even tighter controls.
Pursuant to the Personal Data Act, data relating to criminal convictions and offences is generally processed in accordance with the regulations applicable to the processing of special categories of personal data.
Are there additional rules for processing sensitive personal data?
Special category data may only be processed if a condition for processing special category data is satisfied. A condition arises where the processing: (a) is carried out with the data subject’s explicit consent; (b) is necessary for a legal obligation in the fields of employment, social security and social protection law; (c) is necessary to protect the vital interests of the data subject or another person where the data subject is unable to give consent; (d) is carried out by a non-profit-seeking body and relates to members of that body or persons who have regular contact; (e) relates to data made public by the data subject; (f) is necessary for legal claims; (g) is for reasons of substantial public interest under EU or Member State law; (h) is necessary for healthcare reasons; (i) is necessary for public health reasons; or (j) is necessary for archiving, scientific or historical research purposes or statistical purposes and is based on EU or Member State law.
Pursuant to the Personal Data Act, the processing of special categories of personal data and data relating to criminal convictions and offences is permitted when the processing is necessary to perform obligations or exercise rights in the field of employment.
In addition, special categories of personal data and data relating to criminal convictions and offences may be processed without consent for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes provided that the benefits for society clearly exceed the detriment to the data subject. Such processing requires that the controller consults its data protection officer, or similar, or that a data protection impact assessment has been performed.
The Personal Data Act also includes a clause providing that the Data Protection Authority has the authority to allow controllers to be exempt from the prohibition against processing sensitive personal data when the processing is necessary for important public interests, and the Data Protection Authority shall in such cases set out conditions for such processing to safeguard the data subjects' fundamental rights and interests. The Personal Data Act also includes a clause providing that the government may adopt a regulation found to be necessary in relation to important public interests, and that the government shall in such cases set out conditions for such processing to safeguard the data subjects' fundamental rights and interests.
Further, the Personal Data Act sets out that national identity numbers and other unique identifiers may only be processed when there is a just need for secure identification and the method is necessary to achieve such identification.
Are there additional rules for processing information about criminal offences?
It is only possible to process personal data relating to criminal convictions or offences if: (a) it is carried out under the control of official authority; or (b) when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
See above. The Personal Data Act sets out that information about criminal offences is to be processed pursuant to the regulations applicable for the processing of special categories of personal data.
Are there any formalities to obtain consent to process sensitive personal data?
Consent to process sensitive personal data must be explicit. The general restrictions on consent, set out above, will also apply. This suggests a degree of formality, such as ticking a box containing the express words “I consent”. It is unlikely explicit consent could be obtained through a course of conduct.
_____________________________________________________________________ Top
Data Protection Officers
When must a data protection officer be appointed?
Both controllers and processors must appoint a data protection officer if: (i) they are a public authority; (ii) their core activities consist of regular and systematic monitoring of data subjects on a large scale; or (iii) their core activities consist of processing special category personal data on a large scale (including processing information about criminal offences).
Pursuant to the preparatory works of the Personal Data Act, the expression "public authority or body" in Article 37(1) litra a of the GDPR, must refer to the central or local government bodies covered by section 1 of the Norwegian Public Administration Act.
The data protection officer is subject to a duty of confidentiality pursuant to the Personal Data Act.
Data protection officers must be registered with the Data Protection Authority.
The Personal Data Act contains a provision permitting the government to adopt a regulation on the obligation to appoint a data protection officer.
What are the duties of the data protection officer?
The data protection officer must be involved in all data protection issues and cannot be dismissed or penalised for performing their role. The data protection officer must report directly to the highest level of management. Details of the data protection officer must be communicated to the relevant supervisory authority.
The Article 29 Working Party has issued Guidelines on Data Protection Officers (WP243).
_____________________________________________________________________ Top
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
The GDPR adds a new general accountability obligation under which you must not only comply with these new rules, but also be able to demonstrate you comply with them. This means ensuring suitable policies are in place supported by audit and training.
Are privacy impact assessments mandatory?
A privacy impact assessment must be conducted where “high risk” processing is carried out. This includes: (a) systematic and extensive profiling that produces legal effects or significantly affects individuals; (b) processing on a large scale either special categories of personal data or personal data relating to criminal convictions and offences; and (c) systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV). Where the assessment indicates the risk cannot be mitigated, the controller must consult the relevant supervisory authority.
The Article 29 Working Party has subsequently issued Guidelines on Data Protection Impact Assessments (WP 248). It suggests there are nine criteria to consider to determine whether to conduct a privacy impact assessment, and that an assessment should be made if two or more of those criteria are met. This is arguably wider than the criteria set out in the paragraph above.
_____________________________________________________________________ Top
Rights of Data Subjects
Privacy notices
A controller must provide data subjects with a privacy notice setting out how the individual’s personal data will be processed. The privacy notice must contain the enhanced transparency information.
The Article 29 Working Party has issued Guidelines on Transparency (WP260).
In Norway, there is no obligation to provide this information in Norwegian, but it may be difficult to demonstrate that the information has been provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language if it is not in a language that the data subject is familiar with.
Rights to access information
Data subjects will have a right to access copies of their personal data by making a written request to the controller. The initial request is free, though a charge can be made for subsequent requests. Controllers can refuse the request if it is manifestly unfounded or excessive. The right to obtain a copy of personal data should not adversely affect the rights and freedoms of others. The response must be provided within a month, though this can be extended by two months if the request is complex.
The European Data Protection Board has issued Guidelines on rights of access (1/2022).
The Personal Data Act provides exemptions from the right of access and information provided that: (i) the information is of importance to Norway's national security interests or the defence of the country; (ii)the information must be kept secret for the purpose of the prevention, investigation, detection and prosecution of criminal offenses; (iii) it is considered inadvisable for the data subject to gain knowledge of the information out of consideration for the health of the person concerned or for the relationship to persons close to the person concerned; (iv)the information is subject to a statutory obligation of professional secrecy (must if relevant be explained to the data subject); (v) the information is solely found in texts drawn up for internal preparatory purposes and which have not been disclosed to other persons; and (vi)disclosure of the information would conflict with obvious and fundamental private and public interests.
The Personal Data Act contains a provision permitting the government to adopt a regulation on exemptions and terms for access and information.
Pursuant to the Personal Data Act, the right of access does not apply to the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as this requires a disproportionate effort, or is likely to make impossible or seriously impair the purpose of the processing, provided that the processing does not produce legal effects or direct actual effects for the data subject.
Rights to data portability
Data subjects will also have a right to data portability where the condition for processing personal data is consent or the performance of a contract. It entitles individuals to obtain any personal data they have “provided” to the controller in a machine-readable format. Individuals can also ask for the data to be transferred directly from one controller to another. There is no right to charge fees for this service.
The Article 29 Working Party has issued Guidelines on data portability (WP242).
Right to be forgotten
A data subject can ask that their data be deleted in certain circumstances. However, those circumstances are relatively limited, for example where the processing is based on consent, that consent is withdrawn and there are no other grounds for processing. Even where the right does arise, there are range of exemptions, for example where there is a legal obligation to retain the data.
The European Data Protection Board has issued Guidelines on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1) (5/2019).
Objection to direct marketing
A data subject can object to their personal data being processed for direct marketing purposes at any time. This includes profiling to the extent related to direct marketing.
Other rights
The GDPR contains a range of other rights, including a right to have inaccurate data corrected. There is also a right to object to processing being carried out in the performance of a public task or under the legitimate interests condition.
Finally, there are controls on taking decisions based solely on automated decision making that produce legal effects or similarly significantly affects the data subject. The Article 29 Working Party has issued Guidelines on Automated Decision Making and Profiling (WP251).
Pursuant to the Personal Data Act, exemptions from the right to restrict processing may be made when personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as this is likely to make impossible or seriously impair the purpose of the processing, provided that the processing does not produce legal effects or direct actual effect for the data subject.
_____________________________________________________________________ Top
Security
Security requirements in order to protect personal data
The GDPR contains a general obligation to implement appropriate technical and organisational measures to protect personal data.
In addition, controllers and processors must ensure, where appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of its information technology systems; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Specific rules governing processing by third party agents (processors)
A controller must ensure that any processor it instructs will ensure adequate security for personal data and otherwise meet the requirements of the GDPR.
The controller must have written contracts with its processor containing the enhanced processor clauses.
Notice of breach laws
A personal data breach must be notified to the relevant supervisory authority unless it is unlikely to result in a risk to data subjects. The notification must, where feasible, be made within 72 hours. If the personal data breach is a high risk for data subjects, those data subjects must also be notified.
Specific notice of breach laws apply to the electronic communications sector under national laws implementing the Privacy and Electronic Communications Directive and to operators of essential services and digital service providers under national laws implementing the Network and Information Systems Directive.
The European Data Protection Board has issued Guidelines on Personal Data Breach Notification (9/2022) and Examples regarding Personal Data Breach Notification (1/2021).
The Personal Data Act stipulates that exemptions may be made from the obligation to notify affected data subjects provided that this would reveal information: (i) of importance to Norway's national security interests or the defence of the country; (ii) that must be kept secret for the purpose of the prevention, investigation, detection and prosecution of criminal offences; and (iii) that is subject to a statutory obligation of professional secrecy (this must if relevant be explained to the data subject).
The Personal Data Act also contains a provision permitting the government to adopt a regulation on breach notification obligations.
Moreover, data controllers in certain sectors may be required to inform sectoral regulators of any breach (for example, financial services firms may be required to inform the Norwegian Financial Supervisory Authority of any breach).
_____________________________________________________________________ Top
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
The GDPR contains a restriction on transborder dataflows. This restriction does not apply if the transfer is to a whitelisted country.
Transfers can be made: (i) pursuant to a set of Standard Contractual Clauses; (ii) pursuant to binding corporate rules; (iii) to an importer who has signed up to an approved code or obtained an approved certification; or (iv) where otherwise approved by the relevant supervisory authority. However, following the decision in Schrems II (C-311/18) any transfer made on this basis must be subject to a transfer impact assessment of the laws of the relevant third country and supplemented by supplementary protections where necessary.
The European Data Protection Board has issued Recommendation on European Essential Guarantees for surveillance measures (2/2020) and a Recommendation on measures that supplement transfer tools (1/2020) to help conduct this transfer impact assessment. The European Commission has also issued an FAQ on the new Standard Contractual Clauses.
Transfers are also possible if an individual derogation applies. These derogations allow a transfer if it: (i) is made with the data subject’s explicit consent; (ii) is necessary for the performance of a contract with, or in the interests of, the data subject; (iii) is necessary or legally required on important public interest grounds, or for legal claims; (iv) is necessary to protect the vital interests of the data subject; (v) is made from a public register; or (vi) is made under the so-called minor transfer exemption.
The European Data Protection Board has issued Guidelines on derogations applicable to international transfers (2/2018). Finally, the European Data Protection Board has issued Guidelines on the interplay between Article 3 and international transfers (2/2018) to help identify when a transfer takes place.
The Personal Data Act sets out that regulations that specify requirements in relation to transfer to third countries may be issued. No such regulations have been issued yet.
Notification and approval of national regulator (including notification of use of Standard Contractual Clauses)
In general, there is no need for prior approval from a supervisory authority. However, this depends on the justification for the transfer.
For example, there will be no obligation to get approval for the use of Standard Contractual Clauses (though it is possible some supervisory authorities may want to be notified of their use). In contrast, it will be necessary to get approval to rely on binding corporate rules, and the supervisory authority must be informed of transfers made using the minor transfers exemption.
Use of binding corporate rules
The GDPR places binding corporate rules on a statutory footing. It will be possible to obtain authorisation from one supervisory authority (subject to approval through the consistency mechanism) that will cover transfers from anywhere in the EU.
In Norway, the Data Protection Authority has approved binding corporate rules from Akastor ASA, Aker Solutions ASA, DNV GL, Itera ASA, Kongsberg, Kvaerner ASA, Norsk Hydro ASA, Equinor ASA, Yara International ASA and Jotun A/S.
_____________________________________________________________________ Top
Enforcement
Fines
The GDPR is intended to make data protection a boardroom issue. It introduces an antitrust-type sanction regime with fines of up to 4% of annual worldwide turnover or €20m, whichever is the greater. These fines apply to breaches of many of the provisions of the GDPR, including failure to comply with the six general data quality principles or carrying out processing without satisfying a condition for processing personal data.
A limited number of breaches fall into a lower tier and so are subject to fines of up to 2% of annual worldwide turnover or €10m, whichever is the greater. Failing to notify a personal data breach or failing to put an adequate contract in place with a processor fall into this lower tier.
Fines can only be imposed where there is an intentional or negligent infringement of the GDPR, see Deutsche Wohnen (C-807/21).
The EDPB has published Guidelines on the calculation of administrative fines (04/2022).
Pursuant to the Personal Data Act, fines of up to the greater of 2% of annual worldwide turnover or €10m may also be imposed for contravention of the GDPR provisions on the processing of personal data relating to criminal convictions and offences, and for the failure of a controller to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. Such fines may also be imposed on official authorities by the Data Protection Authority.
In accordance with the Personal Data Act, the Data Protection Authority may impose daily fines if its decision is not complied with.
If found liable for damages in accordance with the GDPR, damages for non-economic loss may also be imposed pursuant to the Personal Data Act.
Imprisonment
The penal provision in the previously applicable Personal Data Act has been repealed.
Compensation
Data subjects have a right to compensation in respect of material and non-material damage. This requires more than a mere infringement of the GDPR and there must be actual material or non-material damage, however there is no minimum threshold of seriousness before compensation is available, see Österreichische Post (C-300/21).
Other powers
Regulators will have a range of other powers and sanctions at their disposal. This includes investigative powers, such as the ability to demand information from controllers and processors, and to carry out audits. They will also have corrective powers enabling them to issue warnings or reprimands, to enforce an individual’s rights and to issue a temporary or permanent ban on processing.
Practice
Fines: Some of the most significant fines issued by the Norwegian Data Protection Authority are set out below (only available in Norwegian here):
- In November 2023, the Norwegian Labour and Welfare Administration (NAV) was fined approximately €1,700,000 for failing to comply with privacy regulations and insufficient security and organisation of their IT systems. Due to NAV’s importance and the highly sensitive nature of the information on NAV’s systems, the Data Protection Authority issued a particularly high infringement fee.
- In March 2023, Argon Medical Devices was fined approximately €220,000 for breach of the GDPR. In July 2021, Argon discovered a security breach concerning the personal data of all their European employees, including those in Norway. The company did not report the incident to the data protection authority until September 2021, thereby violating the 72-hour deadline for reporting breaches of the GDPR. The security breach involved personal information that could be used for fraud and identity theft.
- In February 2023, Sats ASA was find approximately €900,000 for failing to comply with access and deletion requirements under the GDPR. The gym chain was also found to lack the legal authority to process data on customer’s’ training history.
- In December 2021, Grindr LLC was fined approximately €6,300,000 for having disclosed personal data to advertising partners without a valid legal basis and having disclosed special category personal data to advertising partners without a valid exemption.
- Østre Toten municipality suffered a data security attack in January 2021 and was fined approximately €412,000 in October 2021 for its lack of security measures in place to protect against such an attack. For example, they did not have two-factor login authentication nor any adequately secured backup systems. They had no system for logging important events and did not have a suitable management system to protect personal data.
- In May 2021, Ferde AS was fined approximately €496,000 for transmitting information related to customers passing through toll booths to a data processor in China. The investigation revealed that Ferde AS had failed to establish that a data processing agreement was in place, failed to carry out a risk assessment of the Chinese counterpart and also lacked a legal basis for the processing of personal data of motorists in China.
Other enforcement action: Among other, further enforcement actions from the Norwegian Data Protection Authority is as follows (only available in Norwegian here):
- In June 2022, the Norwegian Data Protection Authority banned the processing of personal data in the browser tool "Shinigami Eyes" because of the lack of a legal basis for the processing and a lack of information given to users.
- In April 2022, Mowi ASA was reprimanded for failing the information requirement under the GDPR and was required to ensure that their information routines and documentation comply with the GDPR, which included making changes to the company's privacy notice.
- In December 2021, Trumf AS was given an advanced notification of a fine of approximately €500,000 for failure to implement a solution to verify that a customer who registers a bank account is also the holder of the account.
- In July 2020, the Norwegian Data Protection Authority temporarily banned the processing of personal data in the first version of the Norwegian app 'Smittestopp' which was developed by the Norwegian Institute of Public Health to help prevent COVID-19 from spreading. The Norwegian Data Protection Authority claimed that the processing of location data and other personal data to such a large extent (as in this app) was disproportionate compared to the users' fundamental privacy rights. All personal data was deleted, and a new version of the app was released.
Case law: The first decision from the Supreme Court of Norway ("the Supreme Court") on the GDPR has just been reached. Ruling HR-2021-2403-A of 7 April 2021 sets out that the website Legelisten.no (a website for publishing information about doctors and other healthcare personnel) has legal basis in Article 6 of the GDPR for its processing of personal data. It was emphasised that Legelisten.no is an important source for the public to obtain information regarding health service providers, which that this was not overridden by the interests or rights and freedoms of the healthcare professionals. The fact that they may demand statements be deleted if compelling reasons requires it was taken into consideration.
In addition, the enforcement of the previous law may still be instructive.
Ruling HR-2019-1226-A of 26 June 2019 sets out that the retention of the DNA profile of a man who had been sentenced to imprisonment for tax fraud in the DNA identity register, was valid and not a breach of the European Convention on Human Rights. It was also mentioned that the Norwegian rules allow deletion after an individual assessment and that detailed provisions on, among other things, access, blocking, transparency and storage give the necessary privacy guarantees.
Ruling HR-2017-833-A of 26 April 2017 (only available in Norwegian here) sets out that the copyright owner of movies was not entitled to obtain the identity behind IP addresses used to download such movies using Bit Torrent networks. The Supreme Court found that the data subjects' privacy interests outweighed the interest of the copyright owner.
Ruling HR-2013-234-A of 31 January 2013 (only available in Norwegian here) sets out that an employer's use of GPS data as evidence in a dismissal case was incompatible with the purpose for which the data was originally collected and thus in breach of personal data regulations.
_____________________________________________________________________ Top
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
The Marketing Control Act, dated 9 January 2009, implemented Article 13 of the Privacy and Electronic Communications Directive. The Marketing Control Act came in to force on 1 June 2009. Please note that the Act has introduced provisions which give the Consumer Ombudsman the right to impose fines for infringements of the Marketing Control Act.
The Marketing Control Act, the Ecommerce Act and the Ecommerce Regulation were amended on 1 July 2013 to implement the amendments to the Privacy and Electronic Communications Directive.
_____________________________________________________________________ Top
Cookies
Conditions for use of cookies
Under the Ecommerce Act, which was introduced 1 July 2013, users need to be informed of the fact that cookies are used, what kinds of cookies are used, the purpose of the cookies, and who is processing the information. Further, users must consent to the use of cookies.
Provided that said information is provided in a clear, specific and easily accessible manner (on the relevant web site), consent is deemed given: (i) by explicit acceptance on the relevant web site, typically by ticking "I accept"; or (ii) by the fact that the user has enabled cookies in the browser settings. The Norwegian legislator has for "practical reasons" not applied the traditional requirements for valid consents (that the consent needs to be explicitly given), except when cookies are used for marketing purposes.
The consent and information requirement does not apply to the use of cookies used solely for transmitting communications in an electronic communications network or for those cookies necessary to provide an information society service at the express request of the user.
Regulatory guidance on the use of cookies
There is no regulatory guidance on the use of cookies under Norwegian law.
_____________________________________________________________________ Top
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
The Marketing Control Act prohibits direct marketing to individuals in the course of business using methods of telecommunication which permit individual communication, such as e-mail, text messaging services to mobile telephones, facsimile or automatic calling machines, without the prior consent of the recipient, unless there is an existing customer relationship and the e-mail is collected in connection with such relationship. A valid consent must be obtained by means of opt-in (a positive indication that the consumer would like to receive marketing, typically by actively ticking a box) rather than opt-out (an opportunity to object to receive marketing). Prior to giving its consent, the consumer must be clearly informed of the extent and contents of the marketing, including how often marketing communications will be sent, which products will be marketed and specific information as to who the marketing communications will be sent from or on behalf of.
Conditions for direct marketing by e-mail to corporate subscribers
Direct marketing by e-mail to corporate subscribers is permitted provided that the e-mail is sent: (i) to the corporation as such; or (ii) to a relevant contact person within the corporation and the service or product marketed is relevant to the business.
For other types of direct marketing to corporate e-mail addresses, the same conditions apply as for direct marketing by e-mail to individual subscribers.
Exemptions and other issues
Direct marketing using telecommunication such as e-mail is permitted if the similar products and services exemption applies. Individual-to-individual e-mail routines set up by companies on the company’s website (tip-a-friend) are permitted in most circumstances. An easy means of opt out shall be provided in each individual communication, regardless of the legal grounds on which the direct marketing is based. The sender must also include the eCommerce information.
_____________________________________________________________________ Top
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Direct marketing orally by telephone to individuals does not require prior consent.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
Marketing by telephone to corporate subscribers does not require prior consent.
Exemptions and other issues
Section 12 of the Marketing Control Act prohibits direct marketing to individuals by telephone or addressed mail if the individual has chosen to register in the central marketing exclusion register or in the marketer’s register of addresses. However, the similar products and services exemption applies. Direct marketing by text messaging services is prohibited without the prior consent of the recipient (see above under “Marketing by E-mail”).
_____________________________________________________________________ Top