Data Protection (GDPR)

In July 2018, new rules on data protection came into force in Norway. The new Personal Data Act implemented the EU General Data Protection Regulation ("GDPR"), and imposes stricter obligations on all businesses. The data protection rules apply to any processing of data concerning employees, customers, suppliers, members and visitors on the business' websites. The Norwegian Data Protection Authority (Datatilsynet) can impose administrative fines up to 20 000 000 euro or 4 % of the total worldwide annual turnover.

Our data protection team has wide-ranging experience in assisting businesses with ensuring effective compliance with data protection legislation, including law on banking/finance, telecommunications, security and health.  Our experience ranges from providing general assistance with regard to Binding Corporate Rules (BCR and BCRP) and internal control to many of Norway's largest corporations, to assisting entrepreneurs with fundamental issues and complaint handling vis-à-vis supervisory authorities concerning new technology. The data protection team has been ranked best in Norway by the Norwegian business paper Finansavisen in their large annual survey for 2018. The team is part of Simonsen Vogt Wiig's Technology and Media department, which has received top ratings by both Chambers and Partners, Legal 500 and Finansavisen.

Based on our broad experience, in-depth knowledge of the Norwegian Data Protection Authority's practices, tested procedures and tools, we can provide clear and practical advice tailored to your business.

Generally, many businesses require assistance regarding:

  • Mapping the business' processing of personal data
  • Assessing the legality of various processing activities (gap analysis)
  • Identifying and prioritizing necessary measures.
  • Establishing a long-term data protection strategy
  • Reviewing or establishing documentation for internal control and routines
  • Formulate a privacy policy and other information required vis-à-vis customers and employees
  • Carrying out data protection impact assessments (DPIA) and risk assessments
  • Ensuring that data protection principles are implemented into relevant systems and solutions (privacy by design)
  • Reviewing or establishing data processing agreements
  • Establishing a basis for transferring personal data outside the EEA (BCR and/or Standard Contractual Clauses)
  • Representing the business in discussions with the Norwegian Data Protection Authority
  • Assessing whether the business is required to have a data protection officer (DPO). We may act as your business' data protection officer (read more) 

Our team has published the Data Protection Handbook (Personvernhåndboken), a practical guide to complying with data protection law. We have also contributed on a legal commmentary to the GDPR (Universitetsforlaget 2018)

We regularly hold courses and seminars, e.g. in cooperation with the Center for Continuing Legal Education (Juristenes Utdanningssenter, JUS).

For our clients and partners, we arrange the Data Protection Compliance Forum, which provides a platform for updates and exchanges of experiences in the data protection field.

To learn more about data protection, see our archive. You can subscribe to our Technology and Media newsletter here.


View all lawyers working with Data protection