Obligation to notify
According to the Norwegian Personal Data Act, a data controller is obligated to notify the Data Protection Authority in Norway before processing personal data by automatic means or establishing a manual personal data filing system which contains sensitive personal data (cf. Article 31).  The notification duty applies whether or not the data subjects have given their consent to the processing.
For non-sensitive personal data, the Act merely establishes an obligation to notify; prior approval by the Data Protection Authority is not required. The processing of sensitive personal data, however, requires a license from the Authority before the processing begins, whether or not the processing is based on consent (cf. Article 33).
The Data Protection Authority’s notification form for the processing of personal data can be found here:
A list of licenses granted by the Data protection Authority can be found here (in Norwegian):
An exemption from the license requirement is granted if the controller has appointed a Data Protection Official, has notified the Data Protection Authority of the appointment, and the official has recommended the project (cf. Article 7-27 of the Personal Data Regulations).
Research projects of large scale (over 5,000 persons) and of long duration (over 15 years), as well as research on large data sets that are not sufficiently anonymized or de-identified, are nevertheless not exempted and therefore still require a license from the Authority before the processing begins.
Research on humans, human biological material and personal health information that aims to generate new knowledge about health and disease (cf. Article 4 of the Health Research Act) is not regulated by the Personal Data Act; such research instead requires prior approval from the Regional Committee for Medical and Health Research Ethics (REC) under the Health Research Act (see Requirements to acquire approval from an ethics committee).
Data processor agreement
Some undertakings choose to outsource the processing of personal data, wholly or in part, to other enterprises, so-called data processors. The relationship between a data controller and a data processor must be regulated by an agreement, a data processor agreement (Articles 13 and 15 of the Personal Data Act).
According to Article 15 of the Personal Data Act, a data processor may not process personal data in any way other than that agreed in writing with the data controller. In addition, the data controller must ensure that the data processor maintains an adequate level of security.
The Data Protection Authority provides a template for a data processor agreement that complies with the Personal Data Act and the Personal Health Data Filing System Act. It includes a list of the minimum requirements that follow from the Personal Data Act. The template is not exhaustive, but an outline of what a data processor agreement should include. The data controller may impose requirements more stringent than those in the Personal Data Act, but may not propose terms and conditions that conflict with the Act's minimum requirements.
The minimum requirements are as follows:
1. Purpose statement
The agreement must clearly state the purpose of the processing of personal data. The processor may only process the data in accordance with the purpose defined by the controller.
2. Description of how the personal data are to be processed
The agreement must state clearly what the processor is to do with the personal data: are they only to be stored for future use (archival authority), or are they to be processed in some way? The agreement must also regulate or clarify whether any other processing is to take place, such as linkage to other personal data or registers.
2.1 Specific procedures for use of the personal data
Personal data can only be processed for the purposes for which they were gathered. The data processor is therefore not entitled to use the data in any other way/for other purposes.
2.2 Rules for the disclosure of personal data
The data processor must act in accordance with the agreement. If the processor is to disclose personal data to external parties, this must be clearly stated in the data processor agreement. The agreement shall also specify to whom personal data may be disclosed and the conditions for such disclosure.
3. Regulation of any use of subcontractors in the agreement
If the data processor intends to use subcontractors in providing the service, this must be clearly indicated in the agreement between the data processor and the data controller. Article 2-15 of the Personal Data Regulations prescribes security requirements for processing carried out by other undertakings (contracting parties).
4. Protection of the data subject rights
The agreement shall specify the division of responsibilities between the controller and the processor, for example who is to handle and respond to inquiries from the data subjects. A typical scenario is an inquiry submitted to the controller, who forwards it to the processor, who then answers the data subject. The inquiry could concern issues such as:
o Access; see Article 18 of the Personal Data Act,
o Rectification and deletion; see Articles 27 and 28 of the Personal Data Act
5. Requirement for the data processor to have satisfactory information security
The requirements for satisfactory information security are laid down in Article 13 of the Personal Data Act. The agreement shall also specify which security measures the data processor shall take to safeguard the confidentiality, integrity and availability of the personal data being processed. Chapter 2 of the Personal Data Regulations provides further detail on this.
6. Term of agreement
The agreement shall also include:
o Information about the term of the agreement
o What is to be done with the data when the agreement expires, including whether the data are to be returned to the controller or deleted, and whether backup copies are likewise to be returned or deleted.
o How often a security audit is to be made.
7. Transfer to other countries
According to Articles 29 and 30 of the Personal Data Act, the agreement shall also regulate any cases in which personal data are to be transferred to other countries.
Follow up notification
The Personal Data Act also requires a follow-up notification on the status of the processing of personal data every three years (cf. Article 31).
The Data Protection Authority
Norwegian Social Science Data Services
Guide to data processor agreements
The Personal Data Act
The Health Research Act
Personal Health Data Filing System Act (in Norwegian)
The Health Research Act, 2008. ACT 2008-06-20 no. 44: Act on medical and health research [pdf] Available at: <http://www.ub.uio.no/ujur/ulovdata/lov-20080620-044-eng.pdf> [Accessed 24 February 2014].
The Personal Data Act, 2000. Act of 14 April 2000 No. 31 relating to the processing of personal data [pdf] Available at: <http://www.datatilsynet.no/Global/english/Personal_Data_Act_20120420.pdf> [Accessed 24 February 2014].
Note: In addition to the standard categories of sensitive personal data, the Norwegian Personal Data Act includes a further category covering criminal matters (that a person has been suspected of, charged with or convicted of a crime), cf. Section 2-8 b).