Personal Data Regulations

Preliminaries

Legal basis: Laid down by the Royal Decree of 15 December 2000 pursuant to the Act of 14 April 2000 No. 31 on the processing of personal data (Personal Data Act), sections 3, 4, 12, 13, 14, 30, 31, 32, 33, 41, 43, 44, 48 and 51. Issued by the Ministry of Justice and the Police (now the Ministry of Local Government and Modernisation)

Added legal basis: Delegation decision of 11 April 2008 No. 345

Amendments: Amended by the Regulations of 23 December 2003 No. 1798, 6 May 2005 No. 408, 23 August 2005 No. 923, 16 February 2006 No. 200, 5 June 2007 No. 1092, 24 April 2008 No. 396 (ratifies earlier amendments), the Regulations of 29 January 2009 No. 84, 5 June 2009 No. 598, 7 May 2010 No. 654, 9 August 2013 No. 970, 19 August 2013 No. 1001, 24 April 2014 No. 569. Is amended when the Ministry decides pursuant to the Regulations of 9 August 2013 No. 970.

- The scope of the Personal Data Act -

Section 1-1. The Office of the Auditor General's processing of personal data

When the Office of the Auditor General processes personal data as part of its control activities, such processing shall be exempted from sections 18, 27, 31 and 33 of the Personal Data Act.

The Personal Data Act in its entirety shall apply to all other processing by the Office of the Auditor General.

Section 1-2. Personal data processing that is necessary in the interests of national security

Personal data processing that is necessary in the interests of national security or the security of allies, the relationship to foreign powers and other vital national security interests shall be exempted from section 44, first to third paragraphs, of the Personal Data Act, and from sections 31 and 33 of the Act.

Any disagreement between the data controller and the Data Protection Authority regarding the extent of the exemption shall be decided by the Privacy Appeals Board.

Section 1-3. Processing of personal data in the administration of justice, etc.

The Personal Data Act shall not apply to matters that are dealt with or decided pursuant to the Acts relating to administration of justice (the Courts of Justice Act, the Criminal Procedure Act, the Dispute Act and the Enforcement Act, etc.).

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004), 5 June 2007 No. 1092 (in force from January 2008), 24 April 2008 No. 396 (ratification).

Section 1-4. Svalbard

The Personal Data Act and associated Regulations shall apply to data controllers who are established on Svalbard.

The Data Protection Authority may by individual decision grant dispensation from individual provisions of the Personal Data Act if local conditions make this necessary.

Section 1-5. Jan Mayen

The Personal Data Act and associated Regulations shall apply to data controllers who are established on Jan Mayen.

 - Information security -

Section 2-1. Proportionality requirements relating to the protection of personal data

The provisions of this chapter shall apply to such processing of personal data as is carried out entirely or partly by automatic means where it is necessary, in order to prevent the danger of loss of life and health, financial loss or loss of esteem and personal integrity, to protect the confidentiality, availability and integrity of the data.

Where such a danger exists, the planned and systematic measures taken pursuant to these Regulations shall be proportional to the probability and consequence of breaches of security.

Section 2-2. Orders from the Data Protection Authority

The Data Protection Authority may issue orders regarding the protection of personal data, including the establishment of criteria for acceptable risk associated with the processing of personal data.

Section 2-3. Security management

The general manager of the enterprise run by the data controller is responsible for ensuring compliance with the provisions of this chapter.

The purpose of the processing of personal data and general guidelines for the use of information technology shall be described in security objectives.

Choices and priorities in security activities shall be described in a security strategy.

Use of the information system shall be reviewed regularly in order to ascertain whether it is appropriate in relation to the needs of the enterprise, and whether the security strategy provides adequate information security.

The result of the review shall be documented and used as a basis for any changes in security objectives and strategy.

Section 2-4. Risk assessment

An overview shall be maintained of the kinds of personal data that are processed. The enterprise shall itself establish criteria for acceptable risk associated with the processing of personal data.

The data controller shall carry out a risk assessment in order to determine the probability and consequences of breaches of security. A new risk assessment shall be carried out in the event of changes of significance for information security.

The result of the risk assessment shall be compared with the established criteria for acceptable risk associated with the processing of personal data, cf. first paragraph and section 2-2.

The result of the risk assessment shall be documented.

Section 2-5. Security audits

Security audits of the use of the information system shall be carried out regularly.

A security audit shall comprise an assessment of organization, security measures and use of communication partners and suppliers.

If the security audit reveals any unforeseen use of the information system, this shall be treated as a discrepancy, cf. section 2-6.

The result of the security audit shall be documented.

Section 2-6. Discrepancies

Any use of the information system that is contrary to established routines, and security breaches, shall be treated as a discrepancy.

The purpose of discrepancy processing shall be to re-establish the normal state of affairs, eliminate the cause of the discrepancy and prevent its recurrence.

If the discrepancy has resulted in the unauthorised disclosure of personal data where confidentiality is necessary, the Data Protection Authority shall be notified.

The result of discrepancy processing shall be documented.

Section 2-7. Organization

The distribution of responsibility for and authority governing the use of the information system shall be clearly established.

The distribution of responsibility and authority shall be documented and shall not be changed without the authorization of the data controller's general manager.

The information system shall be configured in such a way as to achieve adequate information security.

The configuration shall be documented and shall not be changed without the authorization of the data controller's general manager.

Use of the information system that has significance for information security shall be carried out in accordance with established routines.

Section 2-8. Personnel

Members of the staff of the data controller shall only use the information system to carry out assigned tasks, and shall be personally authorized to make such use.

The staff members shall have the knowledge necessary to use the information system in accordance with the routines that have been established.

Authorized use of the information system shall be registered.

Section 2-9. Duty of confidentiality

Members of the staff of the data controller shall be subject to a duty of confidentiality as regards personal data where confidentiality is necessary. The duty of confidentiality shall also apply to other data of significance for information security.

Section 2-10. Physical security

Measures shall be taken to prevent unauthorized access to equipment that is used to process personal data pursuant to these Regulations.

The security measures shall also prevent unauthorized access to other equipment of significance for information security.

Equipment shall be installed in such a way that influence from the environment in which it is operated does not significantly affect the processing of personal data.

Section 2-11. Protection of confidentiality

Measures shall be taken to prevent unauthorized access to personal data where confidentiality is necessary.

The security measures shall also prevent unauthorized access to other data of significance for information security.

Personal data that are transferred electronically by means of a transfer medium that is beyond the physical control of the data controller shall be encrypted or protected in another way when confidentiality is necessary.

As regards storage media that contain personal data where confidentiality is necessary, the need to protect confidentiality shall be shown by means of marking or in another way.

If the storage medium is no longer used for the processing of such data, the data shall be erased from the medium.

Section 2-12. Securing of accessibility

Measures shall be taken to secure access to personal data where accessibility is necessary.

The security measures shall also secure access to other data of significance for information security.

Preparations shall be made for alternative processing in the event of the information system being unavailable for normal use.

Personal data and other data that are necessary to restore normal use shall be copied.

Section 2-13. Protection of integrity

Measures shall be taken to prevent unauthorized changes in personal data where integrity is necessary. The security measures shall also prevent unauthorized changes in other data of significance for information security.

Measures shall be taken to prevent malicious software.

Section 2-14. Security measures

Security measures shall prevent unauthorized use of the information system and make it possible to detect attempts to make such use.

Attempts to make unauthorized use of the information system shall be registered.

Security measures shall include measures that cannot be influenced or circumvented by members of the staff, and shall not be limited to actions that any individual member is supposed to carry out.

Security measures shall be documented.

Section 2-15. Security in other enterprises

The data controller shall only transfer personal data by automatic means to a person who satisfies the requirements of these Regulations.

The data controller may transfer personal data to any person if the transfer is carried out in accordance with the provisions of sections 29 and 30 of the Personal Data Act, or when it has been laid down by statute that requests may be made to obtain the data from a public register.

Data suppliers who carry out security measures, or make other use of the information system on behalf of the data controller, shall satisfy the requirements of this chapter.

The data controller shall clearly establish the distribution of responsibility and authority in respect of communication partners and suppliers. The distribution of responsibility and authority shall be described in a special agreement.

The data controller shall have knowledge of the security strategy of communication partners and suppliers, and regularly make sure that the strategy provides adequate information security.

Section 2-16. Documentation

Routines for using the information system and other data of significance for information security shall be documented.

The documentation shall be stored for at least five years from the time the document was replaced by a new, current version.

Records of authorized use of the information system and of attempts at unauthorized use shall be stored for at least three months. The same shall apply to records of all other events of significance for information security.

- Internal controls -

Section 3-1. Systematic measures for processing personal data

The data controller shall establish internal controls in accordance with section 14 of the Personal Data Act. The systematic measures shall be adapted to the nature, activities and size of the enterprise to the extent that is necessary in order to comply with requirements laid down in or pursuant to the Personal Data Act, with special emphasis on provisions laid down pursuant to section 13 of the Personal Data Act.

Internal controls entail that the data controller shall, inter alia, ensure that he has knowledge of current rules governing the processing of personal data, that he has adequate and up-to-date documentation for the implementation of the above-mentioned routines, and that this documentation is available to the persons it may concern.

The data controller shall also have routines for fulfilling his duties and the rights of data subjects pursuant to current rules of privacy, including routines for

a) obtaining and verifying the consent of data subjects, cf. sections 8, 9 and 11 of the Personal Data Act,

b) evaluating the purpose of personal data processing in accordance with section 11a of the Personal Data Act,

c) evaluating the quality of personal data in relation to the defined purpose of processing the data, cf. sections 11d and 11e, 27 and 28 of the Personal Data Act, and following up any discrepancies,

d) replying to requests for access and information, cf. sections 16 to 24 of the Personal Data Act,

e) complying with the data subject's demands for a bar on certain forms of personal data processing, cf. sections 25 and 26 of the Personal Data Act,

f) complying with the provisions of the Personal Data Act regarding the obligation to give notification and to obtain a licence, cf. sections 31 to 33 of the Personal Data Act.

Data processors who process personal data on assignment for data controllers shall process the data in accordance with routines established by data controllers.

Section 3-2. Dispensation

The Data Protection Authority may grant a dispensation from all or parts of this chapter when special circumstances exist.

- Credit information services -

Section 4-1. Relationship to the Personal Data Act

The provisions of the Personal Data Act shall apply to the processing of personal data in credit information services unless these Regulations otherwise provide.

The Personal Data Act shall also apply to the processing of credit information relating to persons other than natural persons.

Section 4-2. Definition of a credit information service

For the purposes of this chapter, the term "credit information service" means activities which consist in providing information that throws light on creditworthiness or financial solvency (credit information). This chapter does not apply to the utilization of information within an enterprise, or in relation to enterprises within the same corporate group unless the information is provided by an enterprise operating a credit information service. Nor does it apply to the provision of information to another credit information enterprise to which this Act applies, provided that the information is to be utilized in this enterprise's own credit information service.

The following services are not regarded as credit information services:

a) notifications from public registers regarding rights in and charges on real or movable property,

b) notifications from banks, cf. the Norges Bank Act, the Norwegian State Housing Bank Act, the Savings Banks Act and the Commercial Banks Act, and from finance companies, cf. the Financial Institutions Act, in connection with withdrawals from accounts and the execution of payment services. The same applies when such notifications are transmitted for a bank or finance company by an outside enterprise,

c) notifications to the data subject,

d) the publication of publicly exhibited tax assessments pursuant to section 8-8 of the Tax Assessment Act,

e) the Brønnøysund registers' processing of registers required by statute (law).

f) notices from the Register of Mortgaged Moveable Property concerning registered attachments of earnings and proceedings indicating "no distrainable property".

Amended by the Regulations of 24 April 2008 No. 396, 9 August 2013 No. 970.

Section 4-3. Disclosure of credit information

Credit information may only be given to persons who have an objective need for it. Credit information shall be provided on a non-discriminatory basis to creditors from EEA states.

Credit information shall be provided in writing either by automatic means or in paper-based form. However, credit information may be given orally provided that it does not contain any data that can be cited against the data subject, or if the credit information must be given without delay for practical reasons. If credit information is given orally, the information and the applicant's name and address shall be recorded and kept on file for at least six months. If the information contains any data that can be cited against the data subject, it shall be confirmed in writing.

Credit information may be supplied by distribution of publications or lists, provided that the publication or list only contains data concerning business enterprises, and that the data is given in summary form. Such publications may only be given to persons who are members or subscribers of the credit information processor.

Agreements entailing that the applicant shall be given any information that comes to the knowledge of the credit information enterprise in the future may only be made in respect of information relating to business enterprises.

Amended by the Regulations of 7 May 2010 No. 654 (in force from 11 June 2010).

Section 4-4. Right of access of and information to the data subject

If credit information relating to natural persons is provided or confirmed in writing, the credit information enterprise shall at the same time send a duplicate, copy or other notification concerning the contents free of charge to the person about whom data has been requested. The data subject shall be invited to request that any errors be rectified.

The right of access of legal persons follows from section 18 of the Personal Data Act.

The data subject may also demand to be informed of what credit information has been provided about him in the last six months, to whom it was given and where it was obtained.

Section 4-5. Permission to operate a credit information service

An enterprise may not process personal data for credit information purposes until the Data Protection Authority has granted it a licence. The same applies to credit information for persons other than natural persons.

When deciding whether to grant a licence, sections 34 and 35 of the Personal Data Act shall apply. For enterprises over which foreign interests have a controlling influence, conditions may be laid down regarding the form of establishment and the composition of the company's management.

Section 4-6. Validity of licences granted in pursuance of the Personal Data Filing Systems Act.

Licences granted for personal data filing systems for use in a credit information service pursuant to section 9 of the Act of 9 June 1978 No. 48 on personal data filing systems, etc., shall apply as licences pursuant to section 4-5 of these Regulations, insofar as the licence is not contrary to the Personal Data Act.

Section 4-7. The authority of the Data Protection Authority

If special reasons so indicate, the Data Protection Authority may by individual decision exempt the data controller from obligations that follow from the provisions of this chapter.

- Chapter 5 (Repealed) -

Repealed by the Regulations of 5 June 2009 No. 598.

- Transfer of personal data to other countries -

Section 6-1. The EU Commission's decisions concerning the level of protection in third countries

The Commission's decisions pursuant to Directive 95/46/EF, Articles 25 and 26, cf. 31, shall also apply to Norway in accordance with the EEA Joint Committee's Decision No. 83/1999 (of 25 June 1999 regarding the amendment of Protocol 37 and Annex XI of the EEA Agreement), unless the right of reservation is exercised.

The Data Protection Authority shall ensure compliance with the decisions.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004), 24 April 2008 No. 396 (ratification).

Section 6-2. The Data Protection Authority's assessment of the level of protection in third countries

If the Data Protection Authority concludes that a third country does not have an adequate level of protection for the processing of personal data, the Data Protection Authority shall notify the EU Commission and the other member states of its decision.

If the Data Protection Authority, after assessing a specific case pursuant to Directive 95/46/EF, Article 26, no. 2, nevertheless permits the transfer of personal data to a third country that does not ensure an adequate level of protection pursuant to Directive 95/46/EF, Article 25, no. 2, the Data Protection Authority shall notify the EU Commission and other member states of its decision.

If the Commission or other member states object to the Data Protection Authority's decisions pursuant to the second paragraph, and the Commission takes steps, the Data Protection Authority shall ensure compliance with the decision.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004), 24 April 2008 No. 396 (ratification).

Section 6-3. Obligation to give notification of transfer of personal data to data processors in third countries

Transfer of personal data to third countries that do not have an adequate level of protection may take place without prior approval from the Data Protection Authority pursuant to Section 30, second paragraph, of the Personal Data Act, provided that the recipient of the information is a data processor and the basis for the transfer is the EU's standard contract as laid down in the Commission's Decision 2010/87/EU of 5 February 2010. The data controller shall notify the Data Protection Authority of the transfer by submitting a completed and signed standard contract. The transfer may take place once the notification has been submitted.

Third countries shall mean all countries that have not implemented Directive 95/46/EF nor been approved through a decision made by the EU Commission, cf. Section 6-1.

Repealed 1 January 2004 by the Regulations of 23 December 2003 No. 1798, cf. the Regulations of 24 April 2008 No. 396. Added by the Regulations of 24 April 2014 No. 569 (in force from 1 July 2014).

- Obligation to give notification and to obtain a license -

Section 7-1. Obligation to obtain a licence for the processing of personal data in the telecommunications sector

Personal data processing by providers of telecommunication services for the purpose of customer administration, invoicing and the provision of services in connection with the subscriber's use of the telecommunications network shall be subject to licensing pursuant to the Personal Data Act.

For the purposes of these Regulations, the term "providers of telecommunication services" shall mean enterprises which for commercial purposes provide telecommunications wholly or partly by means of transmissions through the telecommunications network that are not broadcasts.

Is amended when the Ministry decides pursuant to the Regulations of 9 August 2013 No. 970.

Section 7-2. Obligation to obtain a licence for the processing of personal data in the insurance sector

Personal data processing by providers of insurance services (cf. the Act on Insurance Activity) for the purpose of customer administration, invoicing and the implementation of insurance contracts shall be subject to licensing pursuant to the Personal Data Act.

Amended by the Regulations of 9 August 2013 No. 970.

Section 7-3. Obligation to obtain a licence for the processing of personal data by banks and financial institutions

Personal data processing by banks and financial institutions (cf. the Norges Bank Act, the Norwegian State Housing Bank Act, the Savings Banks Act, the Commercial Banks Act, the Financial Institutions Act) for the purpose of customer administration, invoicing and the implementation of banking services shall be subject to licensing pursuant to the Personal Data Act.

Amended by the Regulations of 9 August 2013 No. 970.

Section 7-4. The authority of the Data Protection Authority

If special reasons so indicate, the Data Protection Authority may decide that personal data processing covered by sections 7-14 to 7-17 and sections 7-21 to 7-25 of these Regulations shall nevertheless be regulated by sections 31 or 33 of the Personal Data Act.

Amended by the Regulations of 24 April 2008 No. 396.

Section 7-5. Notification form

Notification to the Data Protection Authority shall be given on a form prepared by the Data Protection Authority and pursuant to rules for submission that have been drawn up by the Data Protection Authority.

II. Processing that is exempt from the obligation to give notification

Section 7-6. Exemption from the obligation to give notification

Processing covered by this chapter shall be exempt from the obligation to give notification pursuant to section 31, first paragraph, of the Personal Data Act. If sensitive data is processed, cf. section 2, subsection 8, of the Personal Data Act, the processing may be subject to licensing pursuant to section 33, first paragraph, of the Personal Data Act.

Exemption from the notification obligation presupposes that the personal data are processed in keeping with the purpose that follows from the individual provision. The provisions of the Personal Data Act regarding personal data processing in chapters I to V and VII to IX shall be complied with even if the processing is exempt from the obligation to give notification.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004), 24 April 2008 No. 396 (ratification).

Section 7-7. Customer, subscriber and supplier data

Processing of personal data concerning customers, subscribers and suppliers shall be exempt from the obligation to give notification pursuant to section 31, first paragraph, of the Personal Data Act. The same shall apply to data concerning a third person which is necessary for the fulfilment of contractual obligations.

Exemption from the notification obligation shall only apply if the personal data is processed as part of the administration and fulfilment of contractual obligations.

Section 7-8. Information relating to housing matters

The processing of personal data as part of the administration and fulfilment of obligations relating to the ownership or lease of real property shall be exempt from the obligation to give notification pursuant to section 31, first paragraph, of the Personal Data Act. This encompasses all leasing and ownership matters such as data relating to tenants in tenancy relationships, co-owners of jointly owned property and shareholders in housing cooperatives and housing cooperative stock corporations.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004), 24 April 2008 No. 396 (ratification).

Section 7-9. Register of shareholders

Personal data processing as required by section 4-5 of the Limited Liability Companies Act and section 4-4 of the Public Limited Liability Companies Act shall be exempt from the obligation to give notification pursuant to section 31, first paragraph, of the Personal Data Act.

Exemption from the notification obligation shall only apply if the purpose of the processing is to fulfil the obligations imposed on the individual company by company legislation.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004), 24 April 2008 No. 396 (ratification), 9 August 2013 No. 970, 19 August 2013 No. 1001.

Section 7-10. Keeping of mediation records

Personal data processing in connection with the keeping of mediation records as required by the Children Act and the Marriage Act shall be exempt from the obligation to give notification pursuant to section 31, first paragraph, of the Personal Data Act.

Exemption from the notification obligation shall only apply if the purpose of the processing is to verify that mediation has taken place, to evaluate and plan the mediation arrangement, or to provide a basis for statistical analyses.

Amended by the Regulations of 9 August 2013 No. 970.

Section 7-11. Activity logs in EDP systems or computer networks

Personal data processing as a consequence of the registration of activity (events) in an EDP system, and personal data processing relating to the use of system resources, shall be exempt from the obligation to give notification pursuant to section 31, first paragraph, of the Personal Data Act.

Exemption from the notification obligation shall only apply if the purpose of the processing is

a) to administer the system, or

b) to uncover/clarify breaches of security in the EDP system.

Personal data that are revealed as a result of processing pursuant to the second paragraph may not subsequently be processed in order to monitor or control the natural person.

Section 7-12. Data protection officer

The Data Protection Authority may consent to exemptions being granted from the obligation to give notification pursuant to section 31, first paragraph, of the Personal Data Act, if the data controller designates an independent data protection officer who is responsible for ensuring that the data controller complies with the Personal Data Act and associated Regulations. The data protection officer shall also maintain an overview of such data as are mentioned in section 32 of the Personal Data Act.

III. Processing that is exempt from the obligation to obtain a licence and the obligation to give notification

Section 7-13. Exemption from the obligation to obtain a licence and the obligation to give notification

Processing covered by this chapter shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act and from the obligation to give notification pursuant to section 31, first paragraph, of the said Act.

Exemption from the licensing obligation and the notification obligation presupposes that the personal data shall be processed in keeping with the purpose that follows from the individual provision. The provisions of the Personal Data Act regarding the processing of personal data in chapters I to V, and VII to IX, shall be complied with even if the processing is exempt from the licensing obligation and the notification obligation.

Section 7-14. Sensitive customer data

The processing of sensitive personal data, cf. section 2, subsection 8, of the Personal Data Act, relating to customers shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Act and from the obligation to give notification pursuant to section 31, first paragraph, of the Act.

Exemption from the licensing obligation and the notification obligation shall only apply if the data subject has consented to the registration and processing of the sensitive data, and the data are necessary for the fulfilment of a contractual obligation.

Personal data may only be processed as a necessary part of the administration and fulfilment of contractual obligations.

Section 7-15. Associations' membership data

Associations' processing of membership data shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act and from the obligation to give notification pursuant to section 31, first paragraph, of the Act.

As regards the processing of sensitive personal data, the exemption from the licensing obligation and the notification obligation shall only apply if the data subject has consented to the registration and processing of the sensitive data, and the data have a close and natural connection with membership of the association.

The personal data may only be processed as a necessary part of the administration of the association's activity.

Section 7-16. Personnel registers

Employers' processing of non-sensitive personal data relating to current or former employees, personnel, representatives, temporary manpower and applicants for a position shall be exempt from the obligation to give notification pursuant to section 31, first paragraph, of the Personal Data Act.

If sensitive personal data are processed, the processing shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act, but subject to the obligation to give notification pursuant to section 31, first paragraph of the Act. The exemption from the licensing obligation shall apply provided that:

a) the data subject has consented to the processing or the processing is laid down by law,

b) the data are related to the employment relationship,

c) the personal data are processed as part of the administration of personnel.

However, the obligation to give notification pursuant to the second paragraph shall not apply to the processing of

a) data concerning membership in trade unions as mentioned in section 2, subsection 8e of the Personal Data Act,

b) necessary data concerning absence and data that are subject to registration pursuant to section 5-1 of the Working Environment Act,

c) data that are necessary to adapt a work situation for health reasons.

Amended by the Regulations 23 December 2003 No. 1798 (in force 1 January 2004), 16 February 2006 No. 200, 24 April 2008 No. 396 (ratification), 9 August 2013 No. 970.

Section 7-17. Personal data relating to public representatives

The processing of personal data relating to the elected or appointed representatives of bodies established pursuant to the Local Government Act or the Church Act shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act and from the obligation to give notification pursuant to section 31, first paragraph of the Act.

The same shall apply to the processing of personal data relating to representatives of the Storting or to members of the Storting's standing committees.

Amended by the Regulations of 9 August 2013 No. 970.

Section 7-18. Processing of personal data by courts of justice

Personal data processing by courts of justice in connection with the activity of the courts (including registration procedures and notarial functions and the like that are carried out by a judge's office) shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act and from the obligation to give notification pursuant to section 31, first paragraph of the Act.

Section 7-19. Processing of personal data by supervisory authorities

The Data Protection Authority's processing of personal data pursuant to section 42 of the Personal Data Act shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act and from the obligation to give notification pursuant to section 31, first paragraph of the Act.

Records as mentioned in section 42, third paragraph, no. 1, of the Personal Data Act shall also contain information concerning the Data Protection Authority's personal data processing.

The first and second paragraphs shall apply correspondingly to the Privacy Appeals Board.

Section 7-20. Pupil and student data at schools and universities, etc.

The processing of personal data relating to pupils and students that is carried out pursuant to the Education Act or the Universities Act or with the consent of the individual pupil or the person responsible for the pupil shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act and from the obligation to give notification pursuant to section 31, first paragraph of the Act.

Added by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004), cf. the Regulations of 24 April 2008 No. 396 (ratification), amended by the Regulations of 9 August 2013 No. 970.

Section 7-21. Information about children in kindergarten and supervised afternoon activities

The processing of personal data relating to children in kindergartens and day-care facilities for school children pursuant to the Kindergarten Act and the Education Act or with the consent of the person responsible for the child shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act and from the obligation to give notification pursuant to section 31, first paragraph, of the Act.

Added by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004), cf. the Regulations of 24 April 2008 No. 396 (ratification), amended by the Regulations of 9 August 2013 No. 970.

IV. Processing that is exempt from the obligation to obtain a licence, but subject to the obligation to give notification

Section 7-22. Exemptions from the obligation to obtain a licence

Processing covered by this chapter shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act. However, notification of the processing shall be given pursuant to section 31, first paragraph, of the Personal Data Act.

Exemption from the licensing obligation shall only apply if the personal data are processed in keeping with the purpose that follows from the individual provision. The provisions of the Personal Data Act regarding personal data processing in chapters I to V and VII to IX shall be complied with even if no licence is required.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004, formerly section 7-20), cf. the Regulations of 24 April 2008 No. 396.

Section 7-23. Client records

Personal data processing in connection with activities that are regulated by Chapter 11 of the Courts of Justice Act, regarding legal aid and lawyers, the Auditors Act, the Estate Agency Act and the Securities Trading Act shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act.

The exemption from the licensing obligation shall only apply for processing within the bounds of the legislation mentioned in the first paragraph.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004, formerly section 7-21), cf. the Regulations of 24 April 2008 No. 396 (ratification), 9 August 2013 No. 970.

Section 7-24. Records of money laundering and processing of associated personal data

The processing by entities subject to a reporting obligation of personal data for use in connection with the mandatory obligation to investigate and report pursuant to the Money Laundering Act, cf. the Regulations of 13 March 2009 No. 302 concerning measures to combat money laundering and the financing of terrorism, etc., shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act. The exemption shall only cover data that are revealed by the institution's investigations pursuant to the Money Laundering Act.

The exemption from the licensing obligation shall only apply if

a) processing is exclusively of data obtained from the institution's investigations under the Money Laundering Act, and

b) the personal data are processed for the purposes that follow from the Money Laundering Act and associated Regulations.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004, formerly section 7-22), cf. the Regulations of 24 April 2008 No. 396 (ratification), 9 August 2013 No. 970.

Section 7-25. Processing of patient records by healthcare personnel and social workers not subject to public authorisation or holding a licence

The processing of patient/client data by health or social welfare professionals who are not subject to official authorisation shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act.

Exemption from the licensing obligation shall only apply if the personal data are processed in connection with:

a) treatment and follow-up of individual patients, or

b) preparation of statistics.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004, formerly section 7-23), cf. the Regulations of 24 April 2008 No. 396.

Section 7-26. Processing of patient records by healthcare personnel subject to public authorisation or holding a licence

The processing of patient/client data by officially authorised health professionals and health professionals who have been granted a licence, cf. sections 48 and 49 of the Health Personnel Act, shall be exempt from the obligation to obtain a licence pursuant to section 33, first paragraph, of the Personal Data Act.

Exemption from the licensing obligation shall only apply if the personal data are processed in connection with:

a) treatment and follow-up of individual patients,

b) work as an appointed expert, or

c) preparation of statistics.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004, formerly section 7-24), cf. the Regulations of 24 April 2008 No. 396, 9 August 2013 No. 970.

Section 7-27. Research projects*

Personal data processing in connection with a research project is exempt from the obligation to obtain a licence pursuant to Section 33, first paragraph, of the Personal Data Act if the project is recommended by a data protection officer. If the project includes medical and healthcare research, it must also be recommended by a regional research ethics committee.

Research projects of a large scope and long duration, as well as research on large data sets that have not been pseudonymised or de-identified in some other secure manner, are not exempted. The exemption covers analyses of non-participation (analyses of the distribution of education, income, benefits, etc. among participating and non-participating persons to determine the significance of the non-participation) only to the extent that these are based on consent.

Amended by the Regulations of 23 December 2003 No. 1798 (in force from 1 January 2004, formerly section 7-25), 6 May 2005 No. 408 (in force from 1 July 2005), 24 April 2008 No. 396 (ratification).

- Video surveillance -

Heading amended by the Regulations of 9 August 2013 No. 970.

Section 8-1. Scope

This chapter applies to video surveillance, cf. section 36 of the Personal Data Act.

Amended by the Regulations of 9 August 2013 No. 970.

Section 8-2. (Repealed by the Regulations of 9 August 2013 No. 970)

Section 8-3. Police use of recordings

Section 11, first paragraph, letter c), of the Personal Data Act shall not preclude police use of recordings in its possession, in connection with the prevention of criminal acts, in connection with the investigation of accidents or in cases concerning a search for missing persons.

The right of access pursuant to the Personal Data Act shall not apply to recordings that are in the possession of the police, or to recordings that may be of significance for the security of the realm or its allies, its relationship with foreign powers and other vital national security interests.

Amended by the Regulations of 9 August 2013 No. 970.

Section 8-4. Erasure of recordings

Recordings shall be erased when there is no longer any objective ground for storing them, cf. section 28 of the Personal Data Act.

Recordings shall be erased not later than seven days after the recordings are made. However, the obligation of erasure pursuant to the preceding sentence shall not apply if the recording is likely to be turned over to the police in connection with the investigation of criminal acts or accidents. In such cases, the recordings may be stored for a period not exceeding 30 days.

Recordings made on postal or bank premises shall be erased not later than three months after the recordings were made.

The obligation to erase data pursuant to the second and third paragraph shall not apply

a) to recordings that are in the possession of the police, or

b) to recordings that may be of significance for the security of the realm or its allies, its relationship with foreign powers and other vital national security interests, or

c) where the subject of the image recording consents to the recordings being stored for a longer period of time.

If the obligation of erasure pursuant to the first paragraph arises for recordings that have been turned over to the police by other persons, the police may return the recording to the said persons, who shall erase it as soon as possible if the time limit pursuant to the second and third paragraphs has expired.

If there is a special need to store for a longer period of time than that laid down in the second and third paragraphs, the Data Protection Authority may grant an exemption from these provisions.

Amended by the Regulations of 9 August 2013 No. 970.

Section 8-5. (Repealed by the Regulations of 9 August 2013 No. 970)

- Examination of e-mail box etc. -

The chapter is added pursuant to the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009).

Section 9-1. Scope

This chapter concerns the employer's right to examine an employee's email box etc. The term employee's email box means an email box that the employer has placed at the disposal of the employee for use at work in the business. The rules apply in the same way for the employer's right to explore and examine the employee's personal space in the business' computer network and in other electronic communications media and electronic systems that the employer has placed at the disposal of the employee for use at work in the business. The provisions shall also apply to the employer's examination of information that the employee has deleted from the aforementioned spaces, but which is stored as back-up copies or similar that the employer can access.

These rules shall apply equally to present and former employees as well as other persons who perform or have performed work for the employer.

These rules shall apply equally where data processing is entrusted to a Data Processor.

These rules shall apply insofar as they are appropriate for the examination by a university or university college of the email boxes of students, and for the examination by organisations and associations of the email boxes of volunteer workers and trusted officials.

Added by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009).

Section 9-2. Criteria for examination

An employer may only explore, open or read email in an employee's email box

a) when necessary to maintain daily operations or other justified interest of the business,

b) in case of justified suspicion that the employee's use of email constitutes a serious breach of the duties that follow from the employment, or may constitute grounds for termination or dismissal.

An employer is not entitled to monitor employees' use of electronic systems, such as the Internet, beyond what follows from section 7-11 of these Regulations.

Added by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009).

Section 9-3. Procedures for examination

The employee shall be notified wherever possible and given an opportunity to speak before the employer makes the examination under this chapter. In the notice the employer shall explain why the criteria in section 9-2 are believed to be met and advise on the employee's rights under this provision. The employee shall wherever possible have the opportunity to be present during the examination, and shall have the right to the assistance of an elected delegate or other representative.

If the examination is made with no prior warning, the employee shall receive subsequent written notification of the examination as soon as it is done. This notification must, besides the information mentioned in the first paragraph, second sentence, contain details of the method of examination, the emails or other documents that were opened, and the result of the examination, cf. section 2-16.

The exemptions from the right to information in section 23 of the Personal Data Act will apply in the same way. The exemptions also cover the subsequent notification under the second paragraph.

The examination shall be conducted in such a manner that the data are left unchanged if possible so that information obtained can be verified.

If examination of an email box reveals no documentation that the employer is entitled to examine under section 9-2 letters a and b, the email box and the documents it contains must be closed forthwith. Any copies must be deleted.

Added by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009).

Section 9-4. Deletion, etc. on termination of employment

When the employment ends, the employee's email box and similar are to be discontinued and contents not necessary for day-to-day operation of the business should be deleted without undue delay. Section 28 of the Personal Data Act will apply correspondingly.

Added by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009).

Section 9-5. Prohibition of non-compliance with this chapter

The issuance of instructions or making of agreements concerning the employer's right to examine employee emails or similar that fail to comply with the provisions in this chapter to the detriment of the employee is prohibited.

Added by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009).

- Miscellaneous provisions -

Amended by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009, formerly chapter 9).

Section 10-1. The Privacy Appeals Board

The Privacy Appeals Board shall deal with appeals against the decisions of the Data Protection Authority as mentioned in section 42, fourth paragraph, of the Personal Data Act and appeals against the individual decisions of the Data Protection Authority pursuant to these Regulations.

The King will appoint personal deputies for the five members of the Board who are appointed by the King pursuant to section 43, second paragraph, of the Personal Data Act. The deputy members shall be appointed for the same term as the members.

The Privacy Appeals Board shall have a secretariat that shall facilitate the work of the Privacy Appeals Board and otherwise prepare matters for consideration by the Board.

The Privacy Appeals Board shall reach decisions by a simple majority vote. The decisions shall state whether they were reached unanimously. In the event of dissent, grounds for the minority view shall also be stated. To the extent that the decisions are not exempt from public disclosure, they shall be compiled in a record book that is open to the public.

Amended by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009, formerly section 9-1).

Section 10-2. Communications that contain a personal identity number

Postal communications that contain a personal identity number shall be designed in such a way that the number is not accessible to persons other than the addressee. The same shall apply to communications that are transmitted by means of telecommunications.

Amended by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009, formerly section 9-2).

Section 10-3. Penalties

Anyone who wilfully or through gross negligence omits to comply with the provisions of chapters 2 through 7 and sections 8-2, 8-3, 8-4, second to sixth paragraph, or section 8-5 of these Regulations shall be liable to fines or imprisonment for a term not exceeding one year or both.

An accomplice shall be liable to similar penalties.

Amended by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009, formerly section 9-3).

- Concluding provisions -

Amended by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009, formerly chapter 10).

Section 11-1. Commencement

These Regulations shall enter into force on 1 January 2001.

From the same date the following shall be repealed:

a) the Regulations of 21 December 1979 No. 7 relating to personal data filing systems, etc. and to the delegation of authority

b) the Regulations of 21 December 1979 No. 22 pursuant to the Act relating to personal data filing systems, etc.

c) the Delegation of Authority of 30 September 1988 No. 758 pursuant to the Personal Data Filing Systems Act

d) the Regulations of 12 December 1988 No. 1010 on annual tax for enterprises that are subject to an obligation to obtain a licence pursuant to the Personal Data Filing Systems Act

e) the Regulations of 1 July 1994 No. 536 on the use of image recordings made in connection with video surveillance

f) the Regulations of 23 March 1995 No. 267 on exemption from the obligation of financial institutions, etc. to obtain a licence for personal data filing systems in cases concerning money laundering

g) the Delegation of Authority of 22 May 1995 No. 486 to the Data Protection Authority.

Amended by the Regulations of 29 January 2009 No. 84 (in force from 1 March 2009, formerly section 10-1).

*Remarks on section 7-27

The starting point for this provision is that a notification obligation rather than a licensing obligation has been established. The former section 7-27 established criteria for how the initial contact should be established, consent, time of project conclusion, anonymisation or deletion at the end of the project, and a ban on electronic alignment of personal data records. The privacy protection elements that these criteria safeguarded are also protected in the present legislation. How the initial contact is established is largely a research ethics issue, albeit such that certain procedures are less problematic in a privacy perspective than others. The Data Protection Authority is confident that the Research Ethics Committee (REK) and Data Protection Officers will safeguard this aspect. That consent is the clear general rule for processing of personal data follows directly from sections 8 and 9 of the Personal Data Act. In so far as the Data Protection Officers can accept deviations from the general rule, it is expected that the researcher has justified his or her need for this in a satisfactory manner. The justification will be a key element in the Data Protection Authority's subsequent review. Additionally, there is the assumption that for a consent to be valid, information must be given about how long the personal data will be stored, cf. section 2 no. 7. This requirement also follows from the information obligation under section 19 and the following sections. Anonymisation or deletion should normally take place at project end. When it comes to electronic alignment, this is not intrinsically problematic from a privacy perspective.

The numbers included, the variables, and whether the material is anonymised (disidentified) immediately after the comparison is made, are all more important considerations. It is a condition for an exemption to apply that the project has been recommended by a Data Protection Officer. It is a further condition for the project that it must be recommended by a Regional Committee on Medical Research Ethics (Research Ethics Committee, REK) if the project includes medical and healthcare research. Thus, this change represents a more limited licensing duty, but an expanded notification duty for researchers at institutions associated with a Data Protection Officer. For institutions not associated with a Data Protection Officer, however, it means an extension of the licensing obligation.

For projects that are not deemed to be medical or healthcare research, it is sufficient to have the support of the Data Protection Officer. Since there is presently only a requirement for referral [to a higher authority] for medical and healthcare research, this assumes researchers in other areas of society must exercise special care. At the same time, it also assumes that the Data Protection Officer is familiar with research ethics and will, on his/her own initiative, refer projects which are deemed ethically dubious to a committee. The Data Protection Officers should also refer cases for which recommendation seems problematic, to the Data Protection Authority, or advise the Data Protection Authority to undertake a prequalification process.

In the second paragraph of the provision, a distinction is made concerning research projects of a large scale and long duration, and research into large data sets that have not been pseudonymised or disidentified in some other secure manner. This also covers the establishment of large collections (records) of personal data intended as the basis for other separate projects. The scope here must be related both to the number of people involved as research subjects and the amount of information recorded for each individual. The exemption from the licensing obligation will not apply to registers of this kind.

When it comes to the point that the exemption does not include research projects of large scale, it is assumed that projects covering 5000 research subjects will qualify as a large scale project. The reason for the figure 5000 is that a large majority of projects comprise a much lower number of participants, at the same time as the large population health studies are always subject to prequalification. Given the duration requirement, this number seems reasonable from a privacy point of view.

As for duration, it is assumed that a typical doctoral thesis will take 3-6 years, and that projects lasting longer than that can be termed "long term". Even so, the assumption here is that only projects with a duration of more than 15 years are considered long term. This time scale implies that if a project which was not initially expected to last more than 15 years, in fact exceeds this duration, then the requirement for prequalification (a licence) will apply.

Research into large data sets is nonetheless exempted from the licensing obligation if the material held by the researcher is pseudonymised or disidentified in some other secure manner. The requirement for pseudonymisation or disidentification in some other secure manner means that the researcher, or the institution for which the researcher works, cannot store the connection key. Also implicit in this is that the number and type of parameters cannot by nature be such that it is possible to re-identify the members of the set.

The large population studies performed by the Norwegian Institute of Public Health (FHI), the JANUS data bank and the so-called twins register/ heredity register at the University of Oslo are typical examples of registers that are not exempt from the licensing duty. These are extensive registers, both in terms of duration, number of data subjects (respondents), and volume of information recorded. It is not a deciding factor for whether or not a study is subject to a licensing requirement that it deals with biological material. Public health surveys which also collect biological material are unlikely to be covered by the exemption. However, this will be on the basis that the studies are of a long-term nature and form the basis for separate projects and studies.

Processing of information in individual projects based on a licensed register must be considered on the merits of the project under the licensing terms and this provision. The licensing duty will not apply on a general basis for access to data in the large licensed registers regulated by law.

In distinguishing projects exempted from the licensing duty and other projects, it is the individual researcher who, jointly with the Data Protection Officer, is best able to assess the concerns that indicate prequalification of the individual project. This may be because of the number of people involved, the sensitivity of the information, or the duration of the project.

Different types of projects are often involved, and it is not solely the quantitative factors that will be decisive, but the scope of the personal data to be collected and analysed.

In the second paragraph, it is also pointed out that the exemption does not cover so-called "absentee analyses" unless these are based on consent. Absentee analyses means analyses of the distribution of education, income and benefits and so on, among attending and non-attending people, to determine the importance of the non-attendance. In a privacy perspective, non-consensual absentee analyses have not been granted a special status, and must therefore be subjected to prequalification by the Data Protection Authority. The reason that such analyses entail special privacy issues is that persons who have decided not to take part in a study are still included. The Data Protection Authority understands that in some contexts there may be a need to assess the composition of the selected group, but when these analyses are based on collection of a relatively large number of details about people who have refused to take part, and who presumably expect the researcher to respect their decision, there will be a need for a special assessment if we are to accept inclusion of such non-respondents against their will.

The processing of health data in connection with medical research is often a matter that comes under the scope of the Health Registers Act (Personal Health Data Filing System Act). The provisions in the Personal Data Act and the Personal Data Regulations regarding notification duty will, however, also apply to projects under the scope of the Health Registers Act. It follows from section 5 of the Health Registers Act that health data may only be processed electronically when permitted under section 9 and section 33 of the Personal Data Act, or when it follows from the Act and processing is not prohibited on some other legal ground. Section 33 of the Personal Data Act addresses the licensing obligation. It further follows from section 36 of the Health Registers Act, in so far as no other rule follows from that Act, that the Personal Data Act and the Personal Data Regulations will provide further rules.

The amendment does not affect the licensing or notification duty for studies that have already commenced. The amendment should however be invoked if the nature of the study changes in a manner making it necessary to submit a notice of the change or apply for a change in the licence.

Added by the Regulations of 6 May 2005 No. 408 (in force from 1 July 2005), cf. the Regulations of 24 April 2008 No. 396.