Data Protection and Processing Act Iceland

Overview

The Icelandic Data Protection and Processing Act (Act No. 90/2018) establishes rules for processing personal data, complementing the General Data Protection Regulation (GDPR) within Iceland. It aims to safeguard individuals’ privacy rights while providing clear obligations for entities that handle personal data. This law applies to both automated and manual data processing, ensuring alignment with European data protection standards.

Regulation Summary

  • July 13, 2018 – Act No. 90/2018 adopted.
  • July 15, 2018 – Act came into force.

  • Entities processing personal data in Iceland.
  • Foreign businesses offering goods or services to Icelandic residents.
  • Public sector organizations handling personal data.

  • Personal and household data processing.
  • Processing for national security and law enforcement purposes.
  • Anonymized data that cannot be linked to individuals.

  • Obtain informed consent before processing personal data.
  • Provide clear and accessible privacy policies.
  • Implement security measures to protect personal data.
  • Ensure accuracy and allow individuals to correct their data.
  • Report data breaches to the Data Protection Authority (Persónuvernd) within 72 hours.

  • Publish a privacy notice outlining data collection practices.
  • Allow users to withdraw consent easily.
  • Ensure data security protections for user information.
  • Manage cookie and tracking preferences transparently.

  • Restrictions on cross-border data transfers without adequate safeguards.
  • Parental consent required for processing children's data (under age 13).
  • Maintain processing records for regulatory compliance.

  • Right to access and correct personal data.
  • Right to request data deletion (Right to be Forgotten).
  • Right to withdraw consent at any time.
  • Right to object to processing and automated decision-making.
  • Right to file complaints with Persónuvernd.

  • Regulated by Persónuvernd (Icelandic Data Protection Authority).
  • Fines up to €20 million or 4% of annual revenue for serious violations.
  • Investigations, corrective actions, and possible sanctions for non-compliance.