The enterprise is liable as data controller

Providers of electronic services on the internet are bound by the same rules regarding the processing of personal data and the responsibilities of the data processor as more traditional businesses.

Data processing is defined in Section 2(2) of the Personal Data Act.

The data controller decides whether cloud computing services should be used. If a service processes data on behalf of the data controller, the service provider is deemed to be the data processor. The Norwegian Data Protection Authority therefore considers providers of cloud services to be data processors, irrespective of the service provided.

A data processor cannot process personal data in any way other than that agreed with the data controller (see s 15 of the Personal Data Act). The data processor also has a duty to implement security measures in accordance with s 13 of the Personal Data Act and Chapter 2 of the Personal Data Regulations. A data processor agreement does not exempt the data controller from their statutory liability.

The Norwegian Data Protection Authority has prepared a guide for drawing up such a data processor agreement, as well as a draft example. These can be found at datatilsynet.no. The draft agreement and guide also contain a list of minimum requirements that the Norwegian Data Protection Authority expects such an agreement to contain.

The actual agreement may encompass other issues, but this will depend on the internal control procedures of the data controller purchasing the service. Such issues might include backup copying, deletion, access management and the segmenting of databases.