Law: Act 90/2018 on Privacy and Processing of Personal Data (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Icelandic data protection authority (Persónuvernd)

Summary: As Iceland is an European Economic Area (EEA) member, the GDPR applies by virtue of Decision No. 154/2018 of the EEA Joint Committee (here). The Act 90/2018 on Privacy and Processing of Personal Data (the Act) implements the GDPR in Iceland.

Furthermore, the transitional provisions of the Act state that all rules and regulations which have been issued under the old Law 77/2000 on the Protection of Privacy as Regards the Processing of Personal Data will continue to be valid as long as they do not infringe the Act and the GDPR. Additionally, the Icelandic data protection authority (Persónuvernd) is an active regulator that has issued several guidelines on the GDPR and data processing in Iceland.