Data Protection and Processing Act Iceland

Overview

The Icelandic Data Protection and Processing Act (Act No. 90/2018) establishes rules for processing personal data, complementing the General Data Protection Regulation (GDPR) within Iceland. It aims to safeguard individuals’ privacy rights while providing clear obligations for entities that handle personal data. This law applies to both automated and manual data processing, ensuring alignment with European data protection standards.

 

Regulation Summary

Timeline
  • July 13, 2018 – Act No. 90/2018 adopted.
  • July 15, 2018 – Act came into force.
What Businesses Are Affected?
  • Entities processing personal data in Iceland.
  • Foreign businesses offering goods or services to Icelandic residents.
  • Public sector organizations handling personal data.
Exemptions
  • Personal and household data processing.
  • Processing for national security and law enforcement purposes.
  • Anonymized data that cannot be linked to individuals.
Responsibilities for Businesses
  • Obtain informed consent before processing personal data.
  • Provide clear and accessible privacy policies.
  • Implement security measures to protect personal data.
  • Ensure accuracy and allow individuals to correct their data.
  • Report data breaches to the Data Protection Authority (Persónuvernd) within 72 hours.
Specific Website Owner Responsibilities
  • Publish a privacy notice outlining data collection practices.
  • Allow users to withdraw consent easily.
  • Ensure data security protections for user information.
  • Manage cookie and tracking preferences transparently.
Additional Requirements
  • Restrictions on cross-border data transfers without adequate safeguards.
  • Parental consent required for processing children's data (under age 13).
  • Maintain processing records for regulatory compliance.
Data Subject Rights
  • Right to access and correct personal data.
  • Right to request data deletion (Right to be Forgotten).
  • Right to withdraw consent at any time.
  • Right to object to processing and automated decision-making.
  • Right to file complaints with Persónuvernd.
Enforcement & Penalties
  • Regulated by Persónuvernd (Icelandic Data Protection Authority).
  • Fines up to €20 million or 4% of annual revenue for serious violations.
  • Investigations, corrective actions, and possible sanctions for non-compliance.