Personal Data Act (PDA) Norway

Overview

The Norwegian Personal Data Act implements the General Data Protection Regulation (GDPR) within Norway’s legal framework. It aims to protect individuals from violations of their privacy through the misuse of personal data. The Act applies to both automated and non-automated data processing and incorporates GDPR’s principles and obligations. It also adapts the regulation to specific national requirements, including the processing of sensitive personal data and children’s consent. Enforcement is carried out by the Norwegian Data Protection Authority.

 

Regulation Summary

Timeline
  • July 20, 2018 – The Personal Data Act comes into force, repealing the 2000 Data Protection Act.
  • January 1, 2022 – Latest amendments incorporated.
What Businesses Are Affected?
  • Organizations processing personal data in Norway.
  • Foreign companies targeting Norwegian residents.
  • Public and private sector entities handling personal data.
Exemptions
  • Personal or household use of data.
  • Processing for national security, defense, or law enforcement.
  • Processing for journalistic, literary, or artistic expression.
Responsibilities for Businesses
  • Obtain clear and informed consent.
  • Implement appropriate security measures.
  • Maintain records of data processing activities.
  • Appoint a Data Protection Officer (DPO) where required.
  • Notify Datatilsynet (the Norwegian Data Protection Authority) of data breaches within 72 hours of becoming aware of the breach.
  • Ensure data accuracy and allow rectifications.
Specific Website Owner Responsibilities
  • Publish a privacy policy that is clear and accessible.
  • Obtain user consent for cookies and tracking technologies.
  • Provide mechanisms for individuals to exercise their rights.
  • Secure online forms and user data against unauthorized access.
Additional Requirements
  • Parental consent required for children under 13 years.
  • Restrictions on cross-border data transfers.
  • Legal justifications required for processing sensitive data.
Data Subject Rights
  • Right to access and obtain copies of personal data.
  • Right to rectification and erasure (Right to be Forgotten).
  • Right to restrict or object to processing.
  • Right to data portability.
  • Right to challenge automated decision-making and profiling.
Enforcement
  • Supervised by Datatilsynet.
  • Fines: Up to €20 million or 4% of annual global turnover, whichever is higher.
  • Additional penalties include corrective orders and data processing limitations.