Protection of privacy
Administrative fines for breach of the privacy by design principle and of the duty to ensure information security in the GDPR
Two of Norway’s largest municipalities were found to be in breach of the General Data Protection Regulation (GDPR) in two separate and unrelated cases each of which involved the use of technology in the municipalities’ schools.
The UK prepares for Data Protection after Brexit: Two New Regulations
When the UK leaves the EU, the General Data Protection Regulation (GDPR) will no longer be directly applicable in the UK. Two new sets of regulations have therefore been recently promulgated by the British Parliament to retain, as much as possible, the status quo and are meant to come into effect upon the UK's withdrawal from the EU. Both sets of regulations were issued pursuant to the UK's European Union (Withdrawal) Act 2018.
Two recent decisions of the Norwegian Privacy Appeals Board
The Norwegian Data Protection Authority (NDPA) has a broad set of powers, including the power to deliver warnings, reprimands or impose fines on data controllers and processors for non-compliance with the new Personal Data Act and the GDPR. As the new Personal Data Act and the GDPR only recently came into force, there are not yet many decisions based on the new legal regime. However, some of the recent NDPA decisions were appealed to the Privacy Appeals Board (PAB) and the appeal decisions have referred to the new legislation. Two such recent decisions respectively concern the data subject's right to object to processing and the right to erasure.
List of processing operations where a DPIA is always required
The Norwegian Data Protection Authority has recently published a list of processing operations that shall always require a data protection impact assessment (DPIA) pursuant to article 35(4) of the General Data Protection Regulation (GDPR).
Complaints against Google by consumer organisations for breach of GDPR
On 27th November 2018, the Norwegian Consumer Council and consumer organizations from six other European countries – the Netherlands, Sweden, Greece, Poland, Slovenia and the Czech Republic – each filed a complaint against Google with their respective data protection authority.
Implementing the GDPR in Norway
The General Data Protection Regulation (GDPR) starts to apply within the European Union (EU) from 25th May 2018. Since the GDPR is an EU regulation, it will have direct applicability and direct effect in all EU member states as from that date. Norway, however, is not an EU member state but a member of the European Economic Area (EEA) and a different procedure therefore applies before the GDPR can become part of Norwegian law.
Identification and mapping of processing activities (Part 2)
In the first part of this article, we examined the controller's obligation to keep records of processing activities pursuant to Article 30 of the GDPR. In this second part, we focus on the data processor's obligations to keep such records.
Identification and mapping of processing activities (Part 1)
With less than a year until the General Data Protection Regulation (GDPR) enters into application, many companies are investigating the extent to which they are compliant as well as identifying what tasks need to be performed to enable them to become compliant by then.
The WP29 Opinion 2/2017 on data processing at work
Article 29 Working Party (WP 29), consisting of data protection authorities from all EU and EEA states and the European DP Supervisor, has recently issued an Opinion 2/2017 on data processing at work ("the Opinion").