By Jan Sandtrø, Partner, Norway
Last week the new Personal Data Act for implementing the GDPR in Norway was published. Norway has taken a similar approach to, for example, Ireland in translating the GDPR into Norwegian, but there are also some additional regulations proposed which are specific to Norway.
The specific regulations for Norway are proposed in the new Personal Data Act and include regulation based on the GDPR, as well as taking advantage of the margin of maneuverability to allow for the continuance of some of Norway’s existing legislation.
- Sensitive data. As a general rule, use of “sensitive data” (special categories of personal data) will be prohibited, however it is proposed that the Data Inspectorate may authorize the processing of sensitive personal data where the processing is in the public interest.
- Use of personal ID numbers. The rights regarding processing of ID numbers for physical persons and other national identification numbers are continued as under the previous act, meaning that personal ID numbers may only be used where there are reasonable grounds to require proper identification and the use of personal ID numbers is necessary for such identification.
- Age limit for information society services. The minimum age for consent for information society services is set at 13 years of age (which is the same as in e.g. Sweden and Denmark).
- Exceptions from a duty to provide information to registered persons under the GDPR are limited to some extent in the interests of protecting the public interest and the registered persons.
- Confidential duties of DPOs. Additional duties of confidentiality are imposed on Data Protection Officers.
- One-stop-shop. A data controller active in multiple EU countries may use the supervisory authority in the country where it has its main establishment for all personal data matters in the EU and EEA, including for data controllers processing Norwegian personal data where the controller is established in another EU/EEA state.
- Surveillance cameras. There is a separate regulation on the use of surveillance cameras (CCTV) in the workplace and the use of dummy surveillance equipment. However, the detailed regulation under Norwegian law on the use of surveillance cameras will be repealed.
- Credit information. The specific rules on credit information activities under the current regime are not continued, and the way credit information activities are regulated will be addressed by the Ministry at a later point.
- Employer access to email etc. The specific Norwegian regulation on restrictions for employers’ access to emails and other electronic files used by employees on supplied hardware and systems will remain in force, with some minor adjustments.
- Additional regulation. There will be additional regulation on the requirement to have a Data Protection Officer in place and the duty for the data controller to have advance approval by the Data Inspectorate on certain types of processing. However, no proposal on such regulation has been published yet.
Please also note that the previous regime on notification and the requirement of concessions in Norway will cease (however concessions given under the present Personal Data Act will remain in effect until the concessions expire). The previous penalties for breach of the Personal Data Act as an offence are removed, however a high level of administrative fines (up to four percent of annual global turnover or EUR 20 million, whichever is greater) according to the GDPR will be implemented.