Iceland’s New Data Protection Law and GDPR Implementation

December 28, 2021 | 5 minutes read
Iceland’s New Data Protection Law and GDPR Implementation

Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 is a data protection law that was recently passed in Iceland. While the country of Iceland is not an EU member state, is a member of the European Economic Area or EEA for short, and as such as subject to the provisions of the General Data Protection Regulation or GDPR. To this point, the Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 implements the EU’s GPDR law into Icelandic law, in accordance with provisions of the GDPR that allow for countries to pass their own data privacy laws to complement the projections offered by the GDPR. Subsequently, the collection and processing of personal data within Iceland is regulated by both laws.

How are data controllers and processors defined under Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018?

Under Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018, a data controller is defined as the “natural or legal person, public authority, or other body which determines, alone or jointly with others, the purposes and means of the processing of personal data.” Alternatively, a data processor is defined as a “natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.” Moreover, the law defines personal data as “information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”

What are the obligations of data controllers and processors under the law?

As Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 the EU’s GDPR law into Icelandic laws, the requirements of data controllers and processors under the former are very similar to the latter. However, there are some variations between the two laws as it relates to the obligations and duties of data controllers and processors operating within Iceland. For example, while EU’s GPDR law mandates that data controllers and processors provide data subjects with data breach notifications in the event that a data breach occurs, Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 outlines certain exceptions to his rule. These exceptions include instances where said notifications would not serve the national security interests of Iceland, or instances where said notifications would deter the investigation or prosecution of criminal offenses.

Conversely, Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 also places certain requirements on data processing impact assessments. Under the law, the Icelandic data protection authority or the Persónuvernd for short has the authority to “make public a list of the kind of processing operations which are subject to the requirement for a DPIA.” Furthermore, the law also places certain requirements on data controllers and processors as it pertains to sensitive personal data. For instance, “the processing of personal data relating to criminal convictions and offenses should not be carried out by official authorities, unless such processing is necessary for the execution of their legal activities.”

What are the rights of Icelandic citizens under the Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018?

The rights of Icelandic citizens are largely the same as those provided to citizens of EU member states under the General Data Protection Regulation. For example, as it relates to a data subject’s right to object to or opt-out of the processing of their personal data, “The National Registry of Iceland (‘Registers Iceland’) maintains a registry of those individuals who object to their names being used for marketing purposes. The Minister, in cooperation with Persónuvernd, issues further rules on Registers Iceland and what information may be registered within it.” Additionally, in terms of data subjects’ right to access their personal data that has been collected or processed, this right can be restricted under certain circumstances. Such circumstances include instances where a data subject’s right to access their personal data would conflict with the public security or national defense of the country of Iceland.

In terms of penalties regarding non-compliance with the law, the Persónuvernd also has the authority to enforce the provisions of Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018. Such authority allows the regulatory body to impose a daily fine of up to ISK 200,000 ($1,540) against data controllers and processors who violate the provisions of the law. What’s more, said parties are also subject to further administrative fines, which can range from ISK 100,000 ($770) to ISK 1.2 million ($9,243), or “up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher”, depending on the scope and severity of the violation in question.

The country of Iceland has a long history of providing personal data protection for their respective citizens, and the passing of Iceland’s Act on Data Protection and the Processing of Personal Data No 90 of 27 June 2018 only further supports this fact. In accordance with the EU’s GDPR law, Icelandic citizens are afforded a level of data protection that is offered by few countries around the world. In particular, the Persónuvernd’s ability to impose daily fines against data controllers and processors who fail to comply with the law represents a very steep penalty, the provisions of the law ensure that Icelandic citizens can have the peace of mind that their personal data is being protected at all times.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »