The Icelandic Data Protection Authority (Skrifstofa Persónuverndar) deals with specific cases on the basis of inquiries from public authorities or private individuals.
On 1 January 2001 a new Act on the Protection and Processing of Personal Data, No. 77/2000 (DPA), entered into force. The Act implements Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Since the passing of the DPA, the Data Protection Authority has published on its website some public guidelines and regulations on how to obtain informed consent, as well as rules concerning notification of the processing of personal data, security assessments and systematic safety measures. They have, however, not yet been translated into English.
When is a license from a data protection authority required?
According to Article 31 of the Icelandic Data Protection Act (Lög nr. 77/2000 um persónuvernd og meðferð persónuupplýsinga (DPA)), each data controller who uses electronic technology to process general and/or sensitive personal data is obligated to notify the Data Protection Authority in Iceland of the processing. The notification should be sent to the Data Protection Authority using a form intended for that purpose and in due time before the processing begins. Any changes to what was stated in the original notification shall also be reported.
The manual processing of data is exempted from notification (cf. Article 5.6 in Rules no. 698/2004). The Data Protection Authority may also decide that certain categories of electronic processing of general information shall be exempt from notification, or that they shall be subject to simpler notification requirements (cf. Article 31 in the DPA).
The notification requirement does not apply to the processing of personal data by an individual, relating solely to himself, or intended for personal use only. Nor does it apply if the processing only involves data that have been and are accessible to the public. Moreover, processing carried out in the course of research or a study, where the recorded data do not contain any personal characteristics, numbers, or other information traceable to a specific individual, is also exempted from notification (cf. Article 1 in Rules no. 698/2004).
If certain processing of general or sensitive personal data is likely to present specific risks to the rights and freedoms of data subjects, then the Data Protection Authority can decide that the processing may not begin until it has been examined by the Authority and approved by the issuing of a special permit (cf. Article 33 in the DPA).
There is no legal requirement to appoint a Data Protection Official. However, the Data Protection Authority can handle a case regarding the processing of sensitive personal data by stipulating that a special data protection official be appointed to oversee, on behalf of the Data Protection Authority, that the processing is in compliance with law (cf. Article 35 in the DPA).
Data Protection Authority (Skrifstofa Persónuverndar):
Act on the Protection and Processing of Personal Data, No. 77/2000 (Lög nr. 77/2000 um persónuvernd og meðferð persónuupplýsinga):
Rules no. 698/2004 on the obligation to notify and processing which requires a permit (reglna nr. 698/2004, um tilkynningarskylda og leyfisskylda vinnslu persónuupplýsinga):