Data Protection

All companies need to manage personal information. This may be information about employees, customers and suppliers, visitors to business websites, activity logs in the company's IT systems, or a wide range of other types of information.

The General Data Protection Regulation (GDPR), which has been implemented in Norway through the Personal Data Act of 2018, introduces stricter regulation with increased documentation requirements and more protection for individual privacy. The GDPR also imposes much stricter sanctions in case of violation. This places great demands on companies. Although the challenges will vary with the scope of the individual company's processing of personal data, no company will remain unaffected. 

Today, most companies use data processors (such as IT service providers and software maintenance providers). New and more detailed rules apply to these supplier relationships as well, for example, with regard to the content of data processor agreements and the data processor's own duties.

Based on our experience, companies have a special need for assistance regarding:

  • Analysis of strategy and scope
  • Establishment and documentation of internal control systems
  • Agreements, including data processor agreements
  • Transfer of personal data outside the EU / EEA
  • Control measures in the workplace, including access to employee e-mail
  • Collection, storage and use of large volumes of data ("big data")
  • Use of cloud services
  • Handling a personal data breach

We are the authors of the Norwegian chapter of the International Comparative Legal Guide to Data Protection.

Data protection legal issues are also relevant in connection with the conclusion of IT contracts etc.

Read our latest articles on data protection

  • China, Data Protection


    China: Long-awaited standard contract released and filing requirement added for transfer of personal information out of China

    On 24 February 2023, the Cyber Administration of China ("CAC") issued measures containing a standard contract template for transfers of personal information, detailed guidelines, including for a required impact assessment, and a filing requirement for transfers of personal information from China to other countries.

  • Data Protection


    EDPB focuses on BCR-Cs: New recommendations 01/2022 for BCR-C sent for public consultation

    In 2021 and 2022, many businesses in Norway were busy performing a Schrems-II assessment of their transfers of personal data to third countries, and transitioning to the modernised standard contractual clauses (SCC) issued by the EU Commission in 2021.

  • Shipping Offshore, Data Protection


    Transfer of employee information outside of China under PIPL and the new Draft Standard Contract

    The Cyberspace Administration of China has issued a draft standard contract for cross-border transfers of personal information out of China which will, if adopted, constitute a valid transfer mechanism under the Chinese Personal Information Protection Law. Both the transferring entity and the overseas recipient must still be aware of additional data protection requirements related to cross-border transfers, including reporting requirements.