Law: Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018 (only available in Norwegian here) (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Norwegian data protection authority (Datatilsynet)

Summary: Norway, as an EEA Member State, applies the GDPR following its adoption by the EEA Joint Committee through Decision 154/2018 of the EEA Joint Committee of 6 July 2018. On June 15, 2018, the Law on the Processing of Personal Data (Personal Data Act) (only available in Norwegian here) (the Act) was enacted to implement the GDPR in Norway. Furthermore, the Norwegian data protection authority (Datatilsynet) has been particularly active in both enforcement and in publishing guidance on a variety of important data protection issues, including codes of conduct, direct marketing, software development with Privacy by Design and by Default, and CCTV surveillance.

In addition, Datatilsynet and the Consumer Authority published comprehensive guidance on direct marketing that also addresses the protection of children and young consumers in relation to targeted advertising. Moreover, there are various guidelines from Datatilsynet and the Norwegian Directorate of eHealth addressing patient records, biobanks, and pharmacovigilance that have also been issued.