The EU General Data Protection Regulation – GDPR – is applicable law in Norway from 20 July 2018. The regulation is incorporated in the Norwegian Personal Data Act by a reference clause.
The purpose of the regulation is to strengthen the fundamental rights of individuals upon processing of personal data. The purpose is also to provide a more coherent data protection framework in the EU. The rules are given in a regulation, which means it has direct applicability in all EU member states without further implementation. GDPR is also applicable to any organisation operating outside of the EU which offers goods or services to customers or businesses in the EU.
In the next paragraphs we will review the main provisions of the GDPR. Finally, we will comment on the adaptation of the GDPR in Norwegian law.
Personal data means all information relating to an identified or identifiable natural person, including name, photographs, e-mail address, IP address, car registration number, behavioural patterns, fingerprints, date of birth etc. Nearly all companies process personal data – for example about employees, customers and business partners – and must therefore comply with the requirements of the GDPR. The person the information relates to is called the “data subject”.
Processing of personal data means any operation which is performed on personal data, such as collection, recording, storage, adaptation or alteration, use, retrieval, disclosure by transmission, alignment etc.
Controller means the natural or legal person which determines the purposes and means of the processing of personal data.
The GDPR establishes a number of conditions that must be fulfilled in order to lawfully process personal data.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. This entails, inter alia, that the processing must be understandable for the data subject, and that there must be a legal basis for the processing (more information below).
Personal data shall be processed for specified, explicit and legitimate purposes only. The purpose of the processing is decisive for the use of the personal data, and the processing period. Personal data may not be further processed in a manner that is incompatible with the initial purposes for which they were collected. The GDPR contains an explicit listing of purposes which are not considered incompatible with the initial purposes.
The GDPR further contains quality requirements - the personal data must be relevant and adequate for the purposes for which they are processed, as well as accurate and up to date. The personal data shall be limited to what is necessary in relation to the purposes for which they are processed.
Furthermore, the personal data shall be processed in a manner that ensures appropriate security of the personal data.
Processing of personal data is only lawful if there is a legal basis for the processing in accordance with GDPR article 6. Such legal basis may be consent from the data subject, that the processing is necessary for the performance of a contract, or for compliance with a legal obligation. The legal basis may also be that the processing is necessary for the purposes of legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Several requirements apply if consent is used as the legal basis. The consent must be given by a statement or by a clear affirmative action. A pre-ticked box or passivity is not sufficient to constitute a lawful consent under the GDPR. The consent must further be freely given, specific, informed and unambiguous, and the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
The alternatives in article 6 have equal status. Consent is therefore not a “more lawful” basis for the processing of personal data.
Processing of sensitive personal data, such as health data, must in addition have a legal basis for the processing in GDPR article 9 no. 2.
Companies which process personal data shall be able to demonstrate compliance with the fundamental requirements relating to processing of personal data. In order to ensure and demonstrate that the processing of personal data is carried out in accordance with the personal data legislation, the controller shall implement appropriate technical and organisational measures.
Upon an inspection by the relevant supervisory authority, the authority will as a starting point ask for documentation for compliance with the GDPR, and review such documentation. The essential document for demonstrating such compliance is an internal control. This expression is not found in the GDPR, but means a document which describes the business’ processing of personal data, the company’s assessments, as well as routines and measures to ensure compliance with the personal data legislation.
Data subjects have the right to be informed about the collection and use of their personal data when personal data are collected from the data subject. The information shall be given at the latest when the personal data are obtained. The information must be concise, transparent, intelligible, easily accessible and written in clear and plain language. This shall ensure that the data subject understands how the information is used, the consequences of the processing, his/her rights and how to enforce such rights.
Information shall also be provided to the data subject when the information is collected from a third party. The information is almost identical to the information which shall be given when the personal data are collected from the data subject.
The GDPR provides a number of rights to data subjects:
The principles of data protection by design and by default are found in the GDPR, and mean that companies must consider privacy in all solutions, systems and services which are used to process personal data. Privacy must be the default setting, and technical and organisational measures must be implemented to ensure the data protection principles. This means, inter alia, that a system shall not collect or display more personal data than necessary.
The GDPR requires the following businesses to appoint a data protection officer:
The data protection officer shall ensure that the controller processes personal data in accordance with the GDPR, and advise on how to comply with the rules of the regulation. The data protection officer is also the primary point of contact for the national supervisory authority.
A DPIA must be performed if the processing is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR explicitly regulates the elements of a DPIA.
The controller shall consult the supervisory authority prior to the processing if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Data processor means an entity which processes personal data on behalf of the controller. The duties of the processor towards the controller must be specified in a contract. The processor may only process the personal data in accordance with the agreement. GDPR contains specific requirements regarding the content of such agreements.
According to the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a security level appropriate to the risk. When determining the appropriate security level, the risks related to the processing must be taken into account, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
In the event of a personal data breach, the controller shall without undue delay, and where feasible, not later than 72 hours after becoming aware of it, notify the personal data breach to the supervisory authority. This does not apply if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The controller shall document any personal data breaches, and the documentation shall enable the supervisory authority to verify compliance with the obligation to notify.
In some circumstances, the data subject must be informed of the personal data breach.
Each member state must provide for an independent supervisory authority to be responsible for the enforcement of the regulation. The supervisory authority in Norway is the Norwegian Data Protection Authority (Datatilsynet).
Upon infringements of the GDPR, the supervisory authority may impose fines of up to 20 million euros, or up to 4% of the total worldwide annual turnover of the preceding financial year.
Certain articles in the GDPR provide EU/EEA states a possibility to introduce specific national rules.
Such national rules are established in the Norwegian Personal Data Act (“PDA”). For example, PDA section 16 contains exceptions to the right to information and access. These rights do not apply, inter alia, to data which is of importance for Norwegian foreign policy interests or defence interests, or data to which a statutory obligation of professional secrecy applies.
The PDA establishes the Norwegian Data Protection Authority as the supervisory authority and the Privacy Appeals Board as the complaint body, and imposes a professional secrecy duty on data protection officers as well as employees of the Norwegian Data Protection Authority/Privacy Appeals Board. The PDA further contains a provision on the Norwegian age limit for giving consent to the processing of personal data, which is 13 years, and a provision which permits the use of personal ID numbers in some circumstances.
* * *
Failure to comply with the personal data legislation can have major consequences for your company’s reputation and economic situation. Homble Olsby has extensive experience of assisting companies with GDPR compliance and with preparing the documentation necessary to demonstrate compliance.