Data Protection

All companies need to manage personal information. This may be information about employees, customers and suppliers, visitors to business websites, activity logs in the company's IT systems, or a wide range of other types of information.

The General Data Protection Regulation (GDPR), which has been implemented in Norway through the Personal Data Act of 2018, introduces stricter regulation with increased documentation requirements and more protection for individual privacy. The GDPR also imposes much stricter sanctions in case of violation. This places great demands on companies. Although the challenges will vary with the scope of the individual company's processing of personal data, no company will remain unaffected. 

Today, most companies use data processors (such as IT service providers and software maintenance providers). New and more detailed rules apply to these supplier relationships as well, for example, with regard to the content of data processor agreements and the data processor's own duties.

Based on our experience, companies have a special need for assistance regarding:

  • Analysis of strategy and scope
  • Establishment and documentation of internal control systems
  • Agreements, including data processor agreements
  • Transfer of personal data outside the EU / EEA
  • Control measures in the workplace, including access to employee e-mail
  • Collection, storage and use of large volumes of data  ("big data")
  • Use of cloud services
  • Handling a personal data breach

We are the authors of the Norwegian chapter of the International Comparative Legal Guide to Data Protection, available here.

Data protection legal issues are also relevant in connection with the conclusion of IT contracts etc. Read more here.

  • Data Protection


    The UK prepares for Data Protection after Brexit: Two New Regulations

    When the UK leaves the EU, the General Data Protection Regulation (GDPR) will no longer be directly applicable in the UK. Two new sets of regulations have therefore been recently promulgated by the British Parliament to retain, as much as possible, the status quo and are meant to come into effect upon the UK's withdrawal from the EU. Both sets of regulations were issued pursuant to the UK's European Union (Withdrawal) Act 2018.

  • Data Protection


    Two recent decisions of the Norwegian Privacy Appeals Board

    The Norwegian Data Protection Authority (NDPA) has a broad set of powers, including the power to deliver warnings, reprimands or impose fines on data controllers and processors for non-compliance with the new Personal Data Act and the GDPR. As the new Personal Data Act and the GDPR only recently came into force, there are not yet many decisions based on the new legal regime. However, some of the recent NDPA decisions were appealed to the Privacy Appeals Board (PAB) and the appeal decisions have referred to the new legislation. Two such recent decisions respectively concern the data subject's right to object to processing and the right to erasure.

  • Data Protection


    List of processing operations where a DPIA is always required

    The Norwegian Data Protection Authority has recently published a list of processing operations that shall always require a data protection impact assessment (DPIA) pursuant to article 35(4) of the General Data Protection Regulation (GDPR).