Clym Logo
NO flag

NO

Personal Data Act (PDA) Norway

Overview

The Norwegian Personal Data Act implements the General Data Protection Regulation (GDPR) within Norway’s legal framework. It aims to protect individuals from violations of their privacy through the misuse of personal data. The Act applies to both automated and non-automated data processing and incorporates GDPR’s principles and obligations. It also adapts the regulation to specific national requirements, including the processing of sensitive personal data and children’s consent. Enforcement is carried out by the Norwegian Data Protection Authority.

Regulation Summary

  • July 20, 2018 – The Personal Data Act comes into force, repealing the 2000 Data Protection Act.
  • January 1, 2022 – Latest amendments incorporated.

  • Organizations processing personal data in Norway.
  • Foreign companies targeting Norwegian residents.
  • Public and private sector entities handling personal data.

  • Personal or household use of data.
  • Processing for national security, defense, or law enforcement.
  • Processing for journalistic, literary, or artistic expression.

  • Obtain clear and informed consent.
  • Implement appropriate security measures.
  • Maintain records of data processing activities.
  • Appoint a Data Protection Officer (DPO) where required.
  • Notify Datatilsynet of data breaches within 72 hours of becoming aware of the breach.
  • Ensure data accuracy and allow rectifications.

  • Publish a privacy policy that is clear and accessible.
  • Obtain user consent for cookies and tracking technologies.
  • Provide mechanisms for individuals to exercise their rights.
  • Secure online forms and user data against unauthorized access.

  • Parental consent required for children under 13 years.
  • Restrictions on cross-border data transfers.
  • Legal justifications required for processing sensitive data.

  • Right to access and obtain copies of personal data.
  • Right to rectification and erasure (Right to be Forgotten).
  • Right to restrict or object to processing.
  • Right to data portability.
  • Right to challenge automated decision-making and profiling.

  • Supervised by Datatilsynet.
  • Fines: Up to €20 million or 4% of annual global turnover, whichever is higher.
  • Additional penalties include corrective orders and data processing limitations.