Iceland’s New Data Protection Law and GDPR Implementation
Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 is a data protection law that was recently passed in Iceland. While the country of Iceland is not an EU member state, is a member of the European Economic Area or EEA for short, and as such as subject to the provisions of the General Data Protection Regulation or GDPR. To this point, the Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 implements the EU’s GPDR law into Icelandic law, in accordance with provisions of the GDPR that allow for countries to pass their own data privacy laws to complement the projections offered by the GDPR. Subsequently, the collection and processing of personal data within Iceland is regulated by both laws.
How are data controllers and processors defined under Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018?
Under Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018, a data controller is defined as the “natural or legal person, public authority, or other body which determines, alone or jointly with others, the purposes and means of the processing of personal data.” Alternatively, a data processor is defined as a “natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.” Moreover, the law defines personal data as “information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
What are the obligations of data controllers and processors under the law?
As Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 the EU’s GDPR law into Icelandic laws, the requirements of data controllers and processors under the former are very similar to the latter. However, there are some variations between the two laws as it relates to the obligations and duties of data controllers and processors operating within Iceland. For example, while EU’s GPDR law mandates that data controllers and processors provide data subjects with data breach notifications in the event that a data breach occurs, Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 outlines certain exceptions to his rule. These exceptions include instances where said notifications would not serve the national security interests of Iceland, or instances where said notifications would deter the investigation or prosecution of criminal offenses.
Conversely, Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 also places certain requirements on data processing impact assessments. Under the law, the Icelandic data protection authority or the Persónuvernd for short has the authority to “make public a list of the kind of processing operations which are subject to the requirement for a DPIA.” Furthermore, the law also places certain requirements on data controllers and processors as it pertains to sensitive personal data. For instance, “the processing of personal data relating to criminal convictions and offenses should not be carried out by official authorities, unless such processing is necessary for the execution of their legal activities.”
What are the rights of Icelandic citizens under the Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018?
The rights of Icelandic citizens are largely the same as those provided to citizens of EU member states under the General Data Protection Regulation. For example, as it relates to a data subject’s right to object to or opt-out of the processing of their personal data, “The National Registry of Iceland (‘Registers Iceland’) maintains a registry of those individuals who object to their names being used for marketing purposes. The Minister, in cooperation with Persónuvernd, issues further rules on Registers Iceland and what information may be registered within it.” Additionally, in terms of data subjects’ right to access their personal data that has been collected or processed, this right can be restricted under certain circumstances. Such circumstances include instances where a data subject’s right to access their personal data would conflict with the public security or national defense of the country of Iceland.
In terms of penalties regarding non-compliance with the law, the Persónuvernd also has the authority to enforce the provisions of Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018. Such authority allows the regulatory body to impose a daily fine of up to ISK 200,000 ($1,540) against data controllers and processors who violate the provisions of the law. What’s more, said parties are also subject to further administrative fines, which can range from ISK 100,000 ($770) to ISK 1.2 million ($9,243), or “up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher”, depending on the scope and severity of the violation in question.
The country of Iceland has a long history of providing personal data protection for their respective citizens, and the passing of Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 only further supports this fact. In accordance with the EU’s GDPR law, Icelandic citizens are afforded a level of data protection that is offered by few countries around the world. In particular, the Persónuvernd’s ability to impose daily fines against data controllers and processors who fail to comply with the law represents a very steep penalty, the provisions of the law ensure that Icelandic citizens can have the peace of mind that their personal data is being protected at all times.