General Data Protection Regulation (GDPR)

The General Data Protection Regulation sets out general requirements for the processing of personal data. The regulation replaces the EU's Data Protection Directive and introduces stricter obligations and penalties than the directive did.

Purpose: The General Data Protection Regulation sets out requirements regarding the processing of personal data, i.e., all information that can be linked to identifiable individuals. The primary purpose is to ensure the fundamental rights and freedoms of natural persons, particularly the right to the protection of personal data. Secondly, the regulation aims to ensure the free exchange of personal data within the EEA.

Scope: The regulation is relevant for all businesses that process personal data, whether it concerns their own employees, customers, or citizens. Furthermore, the regulation is relevant for all businesses that process personal data as part of their services.

Core obligations: The regulation establishes fundamental principles for the processing of personal data: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. Most obligations apply to data controllers, i.e., businesses that determine the purposes and means of the processing of personal data. The data controller must be able to demonstrate compliance through appropriate technical and organizational measures. Most businesses will need to establish privacy policies, data processing agreements with data processors, internal guidelines and procedures, and records of processing activities. As a general rule, transferring personal data outside the EEA is prohibited unless there is a legal basis for the transfer under Chapter V of the regulation.

Short facts
  • EUROPEAN PARLIAMENT AND COUNCIL REGULATION (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – https://eur-lex.europa.eu/eli/reg/2016/679/oj
  • Adopted: April 14, 2016
  • In force in the EU from May 25, 2018
  • Implemented in Norwegian law through the Personal Data Act
  • Effective in Norway from July 20, 2018