Data Protection and GDPR
We have a market leading team of experts, providing strategic and business-oriented consulting on privacy-related matters.
Our privacy team offers comprehensive assistance to companies across various industries and the public sector on all issues related to the use and protection of personal data and other business-critical data.
Our team comprises of lawyers with professional expertise in privacy, digitization, and IT/information security, and they are equipped to assist businesses with all types of privacy concerns, including electronic marketing and e-administration. We help businesses to identify and ensure compliance with General Data Protection Regulation (GDPR) and other privacy regulations. Our lawyers actively participate in relevant professional and industry forums, keeping abreast of current trends, and have extensive experience dealing with authorities, including matters involving the Data Protection Authority.
Our privacy experts provide advice related to compliance, business development, and the handling of security incidents. We assist with entering into all types of agreements concerning data sharing and use, including data processing agreements, agreements on the transfer of personal data to third countries and on the use of cloud services. We also advise on matters relating to privacy in the workplace, notification and investigation, and technology transactions. Our team works closely with other professional groups within the firm to ensure that our clients receive comprehensive assistance that covers all interconnected areas of their business operations.
- Compliance: We provide advice related to ensuring and documenting compliance with data protection legislation, preparing various types of GDPR documentation, determining roles and responsibilities, and implementing training measures to ensure ongoing compliance. We assist with both comprehensive, global GDPR compliance projects, preparing/implementing the Binding Corporate Rules (BCR)/UK BCR as a transfer basis, and conducting Data Protection Impact Assessments (DPIA). We also provide consultancy services related to privacy when implementing various forms of IDD/screening activities and all types of matters with the Norwegian Data Protection Authority, including local supervision and decisions/complaints.
- Business development: We offer consulting services in the development and introduction of new digital products and services, with commercial and strategic consulting where the business model is based on the use of personal data, such as the health or finance sector. It is crucial to identify the scope for action and ensure that applicable regulations are taken into account as early as possible in a development process to ensure the achievement of secure business development.
- Agreements and use of cloud services: We provide assistance with entering into data processing agreements, transfer agreements and the implementation of Transfer Impact Assessment (TIA) related to the availability of personal data outside the EU/EEA. We also assist clients with entering into agreements on joint data responsibility or the disclosure/distribution of data in connection with commercial collaboration.
- Personal data protection in the workplace (control measures): We offer advice related to the introduction of various digital tools that lead to a form of control and monitoring of employees and access to employee e-mail accounts. We also advise on privacy related issues when implementing notification and investigation.
- Information security: We assist with the formulation of requirements for proportionate information security and solutions for authentication (electronic ID), identity management, and the use of encryption.
- Security incidents: We provide assistance with handling breaches of personal data security, assessing risk, and notifying the Data Inspectorate and affected individuals. We also offer advice related to a more holistic handling of such events, including assessing various legal issues that arise in the wake of such matters.
International Comparative Legal Guide
For several years, we have written the Norwegian chapter in the International Comparative Legal Guide to Data Protection.
Read our articles on Data Protection and GDPR
China: Long-awaited standard contract released and filing requirement added for transfer of personal information out of China
On 24 February 2023, the Cyber Administration of China ("CAC") issued measures containing a standard contract template for transfers of personal information, detailed guidelines including for a required impact assessment and a filing-requirement for transfers of personal information from China to other countries.
Transfer of employee information outside of China under PIPL and the new Draft Standard Contract
The Cyberspace Administration of China has issued a draft standard contract for cross-border transfers of personal information out of China which will, if adopted, constitute a valid transfer mechanism under the Chinese Personal Information Protection Law. Both the transferring entity and the overseas recipient must still be aware of additional data protection requirements related to cross-border transfers, including reporting requirements.
New Guidelines and Recommendations on Data Protection at the Workplace
The Norwegian Data Protection Authority (Nw.: Datatilsynet) has recently published both updated guidelines on employees' whistleblowing and an interesting study on monitoring and control of employees' digital activities (both available only in Norwegian). Both these new initiatives relate to data protection at the workplace, and are relevant to all businesses.