Page 1

N NORSK L OVTIDEND
Avd. In Laws and central regulations etc.
Published in accordance with Act no. 53 of 19 June 1969.

Announced June 15, 2018 at 15.40

PDF version June 18, 2018

15.06.2018 No. 38

Act on the processing of personal data (Personal Data Act)
Prop.56 LS (2017–2018), Inst.278 L (2017–2018), Legislative Decree 54 (2017–2018). The Storting's first and second reading
resp. 22 and 28 May 2018. Promoted by the Ministry of Justice and Emergency Preparedness. See EEA Agreement Annex XI No. 5e (Regulation (EU)
2016/679).
The following law is repealed:
Act of 14 April 2000 no. 31 on the processing of personal data (the Personal Data Act).
Changes in the following laws:

1 Act of 12 May 1961 no. 2 on copyright in intellectual property, etc. (the Copyright Act).
2 Act of 21 June 1963 No. 23 on roads (Road Act).
3 Act of 8 June 1984 no. 58 on debt negotiation and bankruptcy (Bankruptcy Act).
4 Act of 16 June 1989 no. 69 on insurance contracts (the Insurance Contracts Act).
5 Act of 4 December 1992 No. 126 on archives.
6 Act of 11 June 1993 No. 101 on Aviation (Aviation Act).
7 Act of 3 June 1994 no. 15 on the Register of Legal Entities.
8 Act of 4 August 1995 no. 53 on the police (the Police Act).
9 Act of 28 February 1997 No. 19 on National Insurance (National Insurance Act).
10 Act of 19 June 1997 no. 62 on family protection offices.
11 Act of 2 July 1999 no. 63 on patient and user rights (Patient and User Rights Act).
12 Act of 2 July 1999 no. 64 on health personnel etc. (the Health Personnel Act).
13 Act of 23 June 2000 no. 56 on health and social preparedness (the Health Contingency Act).
14 Act of 15 June 2001 no. 81 on electronic signatures (the Signature Act).
15 Act of 21 February 2003 no. 12 on treatment biobanks (the Treatment Biobank Act).
16 Act of 19 December 2003 no. 124 on food production and food safety etc. (food law).
17 Act of 7 May 2004 no. 21 on the Office of the Auditor General.
18 Act of 10 December 2004 no. 76 on labor market services (the Labor Market Act).
19 Act of 17 June 2005 no. 62 on working environment, working hours and job security, etc. (Working Environment Act).
20 Act of 17 June 2005 no. 101 on property registration (cadastral law).
21 Act of 19 May 2006 no. 16 on the right of access to documents in public activities (the Public Administration Act).
22 Act of 16 June 2006 no. 20 on labor and welfare administration (Labor and Welfare Administration Act).
23 Act of 29 June 2007 no. 75 on securities trading (the Securities Trading Act).

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 2
2

24 Act of 21 December 2007 no. 119 on customs and movement of goods (the Customs Act).
25 Act of 20 June 2008 no. 44 on medical and health research (the Health Research Act).
26 Act of 17 October 2008 no. 79 on the committee for review of Storting pensions.
27 Act of 19 June 2009 no. 97 on animal welfare.
28 Act of 25 November 2011 no. 44 on mutual funds (Mutual Funds Act).
29 Act of 24 August 2012 no. 64 on housing support (the Housing Support Act).
30 Act of 11 January 2013 no. 3 on the Central Government Collection Agency (SI Act).
31 Act of 20 June 2014 no. 28 on the management of alternative investment funds.
32 Act of 20 June 2014 no. 42 on the processing of health information when providing health care
(Patient Records Act).
33 Act of 20 June 2014 no. 43 on health registers and processing of health information (the Health Register Act).
34 Act of 10 April 2015 no. 17 on financial undertakings and financial groups (the Financial Undertakings Act).
35 Act of 4 September 2015 no. 85 on the implementation of the Convention of 19 October 1996 on Jurisdiction,
choice of law, recognition, enforcement and co-operation regarding custody and protection measures
of children (Law on the Hague Convention 1996).
36 Act of 16 June 2017 no. 47 on debt information in credit assessments of private individuals
(Debt Information Act).
37 Act of 16 June 2017 no. 53 on amendments to the Patient and User Rights Act, the Health Personnel Act, etc. (strengthening of
the legal status of children when providing health and care services, etc.).
38 Act of 15 December 2017 no. 112 on testing of self-driving vehicles.

Chapter 1. The Privacy Ordinance
§ 1. Implementation of the Privacy Ordinance
EEA Agreement Annex XI No. 5e (Regulation (EU) 2016/679) on the protection of individuals with regard to
with the processing of personal data and on the free exchange of such data as well as on the repeal of
Directive 95/46 / EC (General Privacy Regulation) applies as law with the adaptations that follow from
Annex XI, Protocol 1 and the Agreement in general.

Chapter 2. The factual and geographical scope of the Act
§ 2. Factual scope and relationship to other laws
The Act and the Privacy Ordinance apply to fully or partially automated processing of
personal data and in the case of non-automated processing of personal data that is included in or shall be
enter into a register. The Act and the Privacy Ordinance do not apply when otherwise provided in or with
legal basis.
The law and the privacy ordinance do not apply
a) in the processing of personal data carried out by a natural person as part of a purely personal or
family activities
b) for cases that are processed or decided in accordance with the Administration of Justice Act (the Judiciary Act, the Criminal Procedure Act,
the Disputes Act and the Enforcement Act, etc.).

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 3
3

Article 56 and Chapter VII of the Privacy Regulation apply only within the scope of the EEA Agreement.
In the event of a conflict, the provisions of the Privacy Ordinance take precedence over provisions in another law such as
regulates the same matters, cf. section 2 of the EEA Act.
The King may issue regulations that the law or parts of it shall not apply to specific institutions and
subject areas.
§ 3. The relationship to freedom of expression and information
For the processing of personal data solely for journalistic purposes or for the purpose of
academic, artistic or literary statements apply only to the provisions of the Privacy Ordinance
Articles 24, 26, 28, 29, 29, 32 and 40 to 43, cf. Chapters VI and VIII of the Privacy Regulation and Chapters 6 and 7 of
the law here.
§ 4. Geographical scope
The Act and the Privacy Ordinance apply to the processing of personal data carried out in
connection with the activities of the business of a data controller or a data processor in Norway,
regardless of whether the treatment takes place in the EEA or not.
The Act and the Privacy Ordinance apply to the processing of personal data of registered persons
is located in Norway, and which is performed by a data controller or data processor that is not established in
EEA, if the treatment is related to
a) offer of goods or services to such registered in Norway, regardless of whether payment is required from it
registered or not, or
b) monitoring of their behavior, to the extent that their behavior takes place in Norway.
The Act and the Privacy Ordinance also apply to the processing of personal data performed by one
person responsible for processing who is not established in Norway, but in a place where Norwegian law is applied in accordance with
to international law.
The King may in regulations decide that the Act and the Privacy Ordinance shall apply in whole or in part
Svalbard and Jan Mayen, and lay down special rules on the processing of personal data for these
areas.

Chapter 3. Supplementary rules on the processing of personal data
§ 5. Children's consent in connection with information society services
The age limit is 13 years for consent according to the Privacy Ordinance Article 6 No. 1 letter ai
for purposes referred to in Article 8 (1) of the Privacy Regulation.
§ 6. Processing of special categories of personal data in employment
Personal data as mentioned in Article 9 (1) of the Privacy Regulation may be processed at any time
necessary to carry out labor law obligations or rights.
§ 7. Processing of special categories of personal data by permission or regulation
The Norwegian Data Protection Authority may in special cases grant permission to process personal data as mentioned in
Article 9 (1) of the Privacy Regulation if treatment is necessary in the interests of the general public
interests. The Norwegian Data Protection Authority shall lay down conditions for protecting the data subject's fundamental rights and
interests.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 4
4

The King may in regulations allow for the processing of personal data as mentioned in the Privacy Ordinance
Article 9 (1) when necessary in the interests of the public interest. In such a regulation it shall
appropriate and special measures are laid down to protect the data subject's fundamental rights and interests.
§ 8. Processing of personal data for archival purposes in the public interest, purpose related to
scientific or historical research or statistical purposes
Personal data may be processed on the basis of the Privacy Ordinance Article 6 No. 1 letter e
if it is necessary for archival purposes in the public interest, purposes related to scientific or
historical research or statistical purposes. The treatment shall be covered by the necessary guarantees in
compliance with Article 89 (1) of the Privacy Regulation.
§ 9. Processing of special categories of personal data without consent for archival purposes in
public interest, purposes related to scientific or historical research or statistical purposes
Personal data as mentioned in Article 9 (1) of the Privacy Regulation may be processed without consent
from the data subject if the processing is necessary for archival purposes in the public interest, purpose
related to scientific or historical research or statistical purposes and society's interest in that
the treatment takes place, clearly exceeds the disadvantages of the individual. The treatment must be covered by
necessary guarantees in accordance with Article 89 (1) of the Privacy Regulation.
Before treatment is carried out on the basis of the first paragraph, the person responsible for treatment shall consult with
the Privacy Ombudsman pursuant to Article 37 of the Privacy Ordinance or another who fulfills the conditions in
Article 37 (5) and (6) of the Privacy Regulation and the first and second sentences of Article 38 (3). By
the consultation, it shall be assessed whether the processing will meet the requirements of the Privacy Ordinance and others
provisions laid down in or pursuant to this Act. However, the duty to consult does not apply if it does
has carried out an assessment of privacy consequences in accordance with Article 35 of the Privacy Ordinance.
The King may issue regulations on the processing of special categories of personal data for archival purposes in
public interest, purposes related to scientific or historical research or statistical purposes.
§ 10. Duty to consult before processing special categories of personal data for research purposes
on the basis of consent
The duty to consult pursuant to section 9, second paragraph, applies correspondingly when personal data as mentioned in
Article 9 (1) of the Privacy Regulation shall be examined for scientific or historical research purposes
on the basis of the data subject's consent.
§ 11. Processing of personal data on criminal convictions and offenses etc.
Article 9 no. 2 letters a and c to f of the Privacy Ordinance as well as §§ 6, 7 and 9 of this Act apply
equivalent for the processing of personal data as mentioned in the Privacy Regulation Article 10 as
not carried out under the control of a public authority. Extensive records of criminal convictions can only
under the control of a public authority.
The duty to consult pursuant to section 9, second paragraph, applies correspondingly also to personal data as mentioned in
Article 10 of the Privacy Regulation shall be considered for scientific or historical research purposes
basis of
a) the consent of the data subject, regardless of whether the processing is carried out under the control of a public authority
or not
b) Section 8 of the Act here, if the processing is carried out under the control of a public authority.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 5
5

§ 12. Use of birth number and other unambiguous means of identification
Birth numbers and other unique means of identification can only be processed when there is a factual need for them
secure identification and the method necessary to achieve such identification.
The King may issue regulations on the use of birth numbers and other unambiguous means of identification.
§ 13. Regulations on the transfer of personal data to third countries or international
organizations
The King may issue regulations on the transfer of personal data to third countries or international ones
organizations.
§ 14. Regulations on prior discussion and prior approval
The King may issue regulations on prior discussion with the Norwegian Data Protection Authority and on prior approval from
The Data Inspectorate.
§ 15. Regulations on the implementation of delegated acts and implementing acts
The King may issue regulations on the implementation of delegated acts and implementing acts.

Chapter 4. Exceptions from the data subject's rights
§ 16. Exceptions from the right to information and access and the duty to notify violations
personal data security
The right to information and access under the Privacy Regulation Articles 13, 14 and 15 does not include
information such as
a) is of importance to Norway's foreign policy interests or national defense and security interests, when
the data controller may exempt the information pursuant to sections 20 or 21 of the Public Administration Act
b) it is required to keep secret for the sake of prevention, investigation, disclosure and legal prosecution
of criminal acts
c) it must be considered inadvisable that the data subject becomes aware of it for reasons of his or her health or
the relationship with people close to him
d) by law or pursuant to law is subject to a duty of confidentiality
e) is only found in text that has been prepared for internal case preparation, and which has not been handed over to
others, in so far as it is necessary to deny access to ensure sound internal decision-making processes
f) it would be contrary to obvious and fundamental private or public interests to inform about.
Information as mentioned in the first paragraph, letter c, may nevertheless be made known to a person upon request
representative of the data subject when no special reasons militate against it.
Anyone who refuses to provide access pursuant to the first paragraph must justify this in writing and provide a precise
reference to the exemption authority. If access is denied on the basis of the first paragraph, letter f, it shall
also states which considerations justify secrecy.
The duty to notify the data subject of breaches of personal data security after
Article 34 of the Privacy Regulation does not apply to the extent that such a notification will disclose
information as mentioned in the first paragraph, letters a, b and d.
The King may issue regulations on exceptions from and further conditions for the right to information and access and
notification of breaches of personal data security.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 6
6

§ 17. Exceptions from the data subject's rights in the processing of personal data for archival purposes in
public interest, scientific or historical research purposes and statistical purposes
The right of access under Article 15 of the Privacy Regulation does not apply to the processing of
personal data for archival purposes in the public interest, purposes related to scientific or
historical research or statistical purposes in accordance with Article 89 (1) of the Privacy Regulation so far
a) it will require a disproportionate effort to provide access or
b) the right of access is likely to make it impossible or seriously impede the achievement of the objectives of the treatment.
The right to rectification and restriction of processing pursuant to Articles 16 and 18 of the Privacy Ordinance applies
not for processing for archival purposes in the public interest, purposes related to scientific or
historical research or statistical purposes in accordance with Article 89 (1) of the Privacy Regulation so far
the rights are likely to make it impossible or seriously impede the objectives of the treatment
reached.
The first and second paragraphs do not apply if the treatment has legal effects or is directly factual
effects on the data subject.

Chapter 5. Privacy Agent
§ 18. The Privacy Ombudsman's duty of confidentiality
The privacy representative is obliged to prevent others from gaining access or knowledge of what they are doing in connection with
the performance of their tasks get to know about
a) someone's personal circumstances
(b) technical facilities, production methods, commercial analyzes and calculations; and
trade secrets otherwise when the information is of such a nature that others may exploit it in their own
business
c) security measures pursuant to Article 32 of the Privacy Regulation
d) individuals' notification of violations of the law here.
The duty of confidentiality does not apply if the privacy representative obtains consent from the person to whom the information applies
to present them, or this is necessary for the implementation of the privacy ombudsman's statutory obligation
tasks.
The duty of confidentiality also applies after the privacy representative has terminated the service or work.
Information as mentioned in this section may also not be used in one's own business or in service or
work for others.
§ 19. Regulations on the duty to appoint a privacy representative
The King may issue regulations on the duty to appoint a privacy representative.

Chapter 6. Supervision and Complaint
§ 20. The Data Inspectorate
The Norwegian Data Protection Authority is the supervisory authority pursuant to Article 51 of the Privacy Ordinance and is an independent authority
administrative body administratively subordinate to the King and the Ministry. The Danish Data Protection Agency cannot be instructed

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 7
7

on the processing of individual cases or on the professional activities in general. The King and the Ministry
can not reverse the Data Inspectorate's decision.
The Data Inspectorate is headed by a director appointed by the King. The King may issue regulations that the director of
The Data Inspectorate shall be employed on a term of office, on the length of the term of office and on the right to reappointment.
The Data Inspectorate's authority pursuant to Article 58 of the Privacy Ordinance applies correspondingly to the supervision of
compliance with
a) provisions in this Act and in regulations issued pursuant to this Act
b) provisions on the processing of personal data in other laws and regulations, as far as the processing
falls within the scope of the Act and the Privacy Ordinance pursuant to § 2.
The King may issue regulations to cover the Data Inspectorate's costs for control.
§ 21. Annual report from the Norwegian Data Protection Authority
The Norwegian Data Protection Authority shall send its annual report pursuant to Article 59 of the Privacy Ordinance to the King, who
submits the report to the Storting.
§ 22. Privacy Board
The Privacy Board is an independent administrative body administratively subordinate to the King and
the Ministry. The tribunal cannot be instructed on the processing of individual cases or on the professional one
the business in general. The King and the Ministry may not reverse the tribunal's decision.
The Privacy Board decides appeals against the Data Inspectorate's decisions unless otherwise specifically provided.
The Data Inspectorate's decision pursuant to Article 56 and Chapter VII of the Privacy Ordinance cannot be appealed to
Privacy Committee.
The Privacy Board has seven members with personal deputies. The members and
the deputies are appointed by the King for four years, with access to reappointment for another four years. The
shall be a leader and deputy leader, both of whom shall have a law degree or a master's degree
jurisprudence.
The Privacy Board may decide that complaints that must be decided quickly, may be decided by the manager or
the deputy chairman together with two other board members.
The Privacy Board shall annually inform the King of its activities.
The King may issue regulations on the Privacy Board's organization and case processing.
§ 23. Access to information
The Norwegian Data Protection Authority shall exercise its investigative authority pursuant to Article 58 (1) of the Privacy Ordinance without
obstacles to professional secrecy.
The Privacy Board may exercise authority pursuant to the Privacy Ordinance, Article 58, paragraph 1, letter a
shall take place without prejudice to the duty of confidentiality.
Processing of personal data that is necessary for the sake of the security of the kingdom or allies,
relations with foreign powers or other vital national security interests are excluded from
Article 58 no. 1 of the Privacy Ordinance In the event of a disagreement between the data controller and the Norwegian Data Protection Authority
the question of the extent of the first sentence is decided by the Privacy Board.
§ 24. Duty of confidentiality
The provisions on the duty of confidentiality in the Public Administration Act § 13 et seq. Apply to employees of the Norwegian Data Protection Authority,
the members of the Privacy Board and all others who perform service or work for the Norwegian Data Protection Authority or

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 8
8

Privacy Committee. The duty of confidentiality also includes information on security measures after
Article 32 of the Privacy Ordinance and individuals' notification of violations of the Act here.
The Data Inspectorate may, without prejudice to the duty of confidentiality pursuant to the first paragraph, provide information to foreigners
supervisory authorities when it is necessary for a supervisory authority covered by the Regulation to:
be able to make decisions as part of the supervisory activities.
§ 25. Party position
The Norwegian Data Protection Authority acts as a party on behalf of the state in lawsuits related to the supervisory activities.
Lawsuits regarding the validity of the Privacy Board's decision are directed against the state at the Privacy Board.

Chapter 7. Sanctions and coercive fines
§ 26. Infringement fee
Article 83 (4) of the Privacy Regulation applies correspondingly to violations of
Article 10 and Article 24 of the Privacy Regulation.
The Norwegian Data Protection Authority may impose infringement fines on public authorities and bodies in accordance with the rules in
Article 83 of the Privacy Regulation, cf. Article 83 (7).
§ 27. Deadline for fulfillment and judicial review in cases of infringement fines
The deadline for compliance with a decision on infringement fines is four weeks from the decision is final.
The court can try all aspects of infringement charges. The court may render a judgment for the reality of the case
if it deems it appropriate and justifiable.
§ 28. Limitation
The right to impose a violation fee expires five years after the violation has ceased. The deadline is canceled
in that the Data Inspectorate gives advance notice of or makes a decision on infringement fines.
§ 29. Coercive fine
By order under the Act here, the Data Inspectorate may determine a coercive fine that runs for each passing day
after the expiry of the time limit set for fulfillment of the order, until the order has been fulfilled.
The King may in regulations issue further provisions on coercive fines, including the coercive fine
size and duration, determination of a coercive fine and waiver of accrued coercive fines.
§ 30. Compensation for non-pecuniary damage
Anyone liable for damages under the rules of Article 82 of the Privacy Ordinance may also be ordered to
pay such compensation for damage of a non-economic nature (redress) that seems reasonable.

Chapter 8. Fake camera surveillance equipment, etc.
§ 31. Fake camera surveillance equipment etc.
When camera surveillance would be in violation of the Privacy Ordinance or the law here, it is not either
permitted to use fake camera surveillance equipment or by signage, notices or the like give the impression that

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 9
9

camera surveillance takes place. Chapter VI and Article 83 (4) and Chapter 6 of the Privacy Regulation,
§ 26 second paragraph and §§ 27 to 29 of this Act apply correspondingly.
By camera surveillance is meant continuous or regular repeated personal surveillance using
remote-controlled or automatically operating surveillance camera or other similar equipment that is permanently mounted.
By fake camera surveillance equipment is meant equipment that can easily be confused with a real camera solution.

Chapter 9. Entry into force. Transitional rules. Changes in other laws
§ 32. Entry into force
The law comes into force from the time the King decides. From the same time, the Act of 14 April 2000 no.
31 on the processing of personal data.
The various provisions can be enforced and repealed at different times.
§ 33. Transitional rules
The rules on the processing of personal data that applied at the time of the action shall be used as a basis
when a decision is made on an infringement fine. The legislation at the time of the decision shall nevertheless
used when this leads to a more favorable result for the person responsible.
The King may issue further transitional rules.
§ 34. Amendments to other laws
From the time the law here enters into force, the following changes are made to other laws:
1. Section 56 a of the Act of 12 May 1961 no. 2 on copyright in intellectual property, etc. is repealed.
2. The Act of 21 June 1963 No. 23 on roads is amended as follows:
Chapter II B shall read:

Chapter II B. Personal data.
§ 11 f. Handling of personal data
The road authority according to Chapter II and the supervisory authorities according to Chapter II A can work together
personal data when it is necessary to perform tasks given in or in accordance with the law here, or to
fulfill international obligations under the scope of the law. The same applies to a state development company
for roads that have been assigned tasks in accordance with section 9, first paragraph.
The Ministry may issue regulations on the handling of personal data, as provided for the purpose
with handsaminga, what information can be handled, how information should be handled,
conditions for possible disclosure, use of data handlers, requirements for deletion and requirements for compilations of
personal data for use in research and statistical purposes.
§ 27 fifth paragraph shall read:
Companies or other legal entities authorized by the Ministry to collect tolls,
can handsame personal information when it is necessary to perform this task. The same goes for companies
or other legal persons performing services in the area of ​tolls in accordance with regulations to this
the law, and when the Norwegian Public Roads Administration performs tasks in the toll area. Personal information as mentioned in
Article 9 (1) of the Privacy Regulation can only be dealt with in the first and second sentences if it is

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 10
10

strictly naudsynt out of the purpose of handsaminga. Those who have a home after the first and second sentence to
handsame personal information, may disclose information to third parties when international law or
agreements that Norway is bound by, allow for such extradition.
§ 27 sixth paragraph shall read:
The Ministry may issue regulations on the handling of personal data, as provided for the purpose
with handsaminga, what information can be handled, how information should be handled,
terms for any disclosure, use of data handsamar, terms for handsaming of sensitive
personal data, requirements for deletion and requirements for any compilation of personal data for use
for research and statistical purposes.
The current § 27 fifth paragraph becomes the new seventh paragraph.
3. In Act no. 58 of 8 June 1984 on debt negotiation and bankruptcy, section 156, fifth paragraph, second sentence, is repealed.
4. The Act no. 69 of 16 June 1989 on insurance contracts is made as follows:
§ 8-1 second paragraph shall read:
If the company requests consent to obtain confidential information from a third party,
the consent shall be limited to what is needed at each stage of the case. The consent must meet the requirements in
the Personal Data Act.
§ 18-1 second paragraph shall read:
If the company requests consent to obtain confidential information from a third party,
the consent shall be limited to what is needed at each stage of the case. The consent must meet the requirements in
the Personal Data Act.
5. The Act of 4 December 1992 no. 126 on archives is amended as follows:
§ 9 letters c and d shall read:
c. discard. This prohibition goes beyond the provisions on disposal in or pursuant to other laws.
The personal register or parts of the personal register may nevertheless be deleted in accordance with the provisions of the Health Register Act and in accordance with
provided for in accordance with the Health Register Act §§ 8 to 12. Such deletion can only take place after it has been obtained
phrase from the National Archivist. Personal registers or parts of personal registers can also be deleted according to instructions in
compliance with the Police Register Act § 69 first paragraph no. 16.
d. be corrected in such a way that previously incorrect or incomplete information has been deleted, if this has been
something to say for the proceedings, decisions or other things that according to the purpose of this law should be able to
documented. Provides for deletion in accordance with §§ 8 to 11 and § 25 second paragraph in
the Health Register Act, still applies unrestricted.
§ 18 second sentence shall read:
The rules in the Health Register Act on the correction and deletion of information will nevertheless apply in full.
6. In Act no. 101 of 11 June 1993 on aviation, section 12-14 is repealed.
7. In Act no. 15 of 3 June 1994 on the Register of Legal Entities, section 22, second paragraph, third sentence, shall read:
Credit information companies may nevertheless, by agreement approved by the Norwegian Data Protection Authority, gain access to such numbers to
internal use.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 11
11

8. In Act no. 53 of 4 August 1995 on the police, new section 6 a shall read:
§ 6 a. Camera surveillance
The police can use camera surveillance if it is necessary to carry out tasks as mentioned
in § 2 nos. 1 to 4. By camera surveillance is meant continuous or regularly repeated personal surveillance
by means of a remote-controlled or automatically operating surveillance camera or other similar equipment that is
fixed. Camera surveillance is considered both surveillance with and without the possibility of recording audio and
image material.
Camera surveillance can only be used if the considerations that require surveillance exceed the considerations
the data subject's privacy. Particular emphasis shall be placed on how the monitoring is to take place, as well as what kind
area to be monitored.
When signposting or in any other way, it must be made clear that the place is being monitored by
the police, and whether the surveillance may include audio recordings.
The King may issue regulations with further provisions on the processing of information obtained by
camera surveillance.
9. The Act of 19 February 1997 No. 19 on National Insurance is amended as follows:
§ 21-4 d first paragraph letter b second sentence shall read:
Health information and other information covered by Article 9 or 10 of the Privacy Regulation,
can not be obtained by mass collection.
§ 21-11 a seventh paragraph first sentence shall read:
When processing personal data in cases pursuant to Chapter 5, the Norwegian Directorate of Health is responsible for processing,
cf. Article 4 (7) of the Privacy Regulation.
§ 21-11 a eighth paragraph first sentence is repealed. The current second sentence becomes the new first sentence.
10. In Act no. 62 of 19 June 1997 on family protection offices, section 11, third paragraph, is repealed.
The current fourth paragraph becomes the new third paragraph.
11. The Act of 2 July 1999 no. 63 on patient and user rights is amended as follows:
§ 3-6 third paragraph shall read:
If health personnel make available information that is subject to the statutory duty to provide information,
the information applies to, as far as the circumstances indicate, is informed that the information has been made
available and what information it is about.
§ 5-1 first paragraph first sentence shall read:
The patient and the user have the right to access their medical record with vouchers and have the right to do so upon special request
copy, cf. Article 15 of the Privacy Regulation.
§ 5-3 shall read:
§ 5-3. Transmission and making available of medical records
The patient and the user have the right to oppose the transfer and making available of medical records or
information in journal. The information can also not be transferred or made available if it is
reason to believe that the patient or user would oppose it upon request. Transfer and
making available can nevertheless take place if there are compelling reasons to do so. Transfer and

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 12
12

making journal available or information in the journal shall take place in accordance with the provisions of the Act on
health personnel.
12. The Act of 2 July 1999 no. 64 on health personnel, etc. is amended as follows:
§ 29 first paragraph shall read:
The Ministry may decide that information can or shall be made available for use in research,
and that the information shall be available and used without prejudice to the duty of confidentiality pursuant to section 21.
The rules on professional secrecy under this Act apply correspondingly to the person who receives the information.
The Ministry may set conditions for the use of the information in order to protect the data subject's basics
rights and interests.
§ 29 fourth paragraph first sentence shall read:
The Ministry may in regulations regulate health personnel's right to make available and use
confidential information for purposes other than health care when the patient has given consent.
§ 29 b shall read:
§ 29 b. Information for health analyzes, quality assurance, administration, etc.
The Ministry may decide that information can or shall be made available for use
health analyzes and quality assurance, administration, planning or management of the health and care service
and that the information shall be available and used without prejudice to the duty of confidentiality pursuant to section 21.
The rules on professional secrecy under this Act apply correspondingly to the person who receives the information.
Accessibility can only take place if the use of the information is of significant interest
society and consideration for the patient's integrity and welfare are taken care of. The degree of personal identification shall
not be greater than necessary for the purpose in question. Only in special cases can permission be granted
use of directly personally identifiable information such as name or social security number.
The Ministry may set conditions for the use of the information in order to protect the data subject's basics
rights and interests.
§ 29 c shall read:
§ 29 c. Information for use in learning work and quality assurance
Unless the patient objects, confidential information may be provided upon special request
made available to other health personnel who have previously provided health care to the patient in a specific
course of treatment, for quality assurance of health care or own learning. Processing of the request
can be automated. The first sentence includes information that is necessary and relevant for the purpose. IN
the patient's medical record must be documented to whom information has been made available and which
information that has been made available, cf. section 40.
§ 42 shall read:
§ 42. Correction of medical records
Health personnel as mentioned in section 39 shall, at the request of the person to whom the information applies, or on their own initiative, rectify
incorrect or incomplete information, cf. Article 16 of the Privacy Ordinance
claims from the information to which it applies, or by own initiative, are also corrected if they are improper. Correction must
happen by re-entering the journal, or by adding a dated correction to the journal. Correction shall not take place
by deleting information or statements.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 13
13

If a claim for rectification is rejected, the requirement for rectification and justification for the refusal shall be recorded in
journals. Rejection of a claim for rectification can be appealed to the County Governor, who decides whether rectification can be made.
The Ministry may issue regulations on the procedure for rectification.
§ 45 second paragraph shall read:
Health information as mentioned in the first paragraph may be provided by the data controller for the information or it
the health personnel who have documented the information, cf. section 39.
13. The Act of 23 June 2000 no. 56 on health and social preparedness is amended as follows:
§ 2-4 first paragraph fourth sentence shall read:
The body that establishes the register is responsible for the data.
§ 2-4 second paragraph first sentence shall read:
When establishing registers, the data controller shall document that the health information is processed in
compliance with the Health Register Act § 6, including describing the purpose of the treatment and which
health information being processed.
§ 2-4 third paragraph first sentence shall read:
The information may be processed without the consent of the data subject and made available without hindrance
statutory duty of confidentiality if necessary to achieve the purpose of the register.
§ 2-4 fourth paragraph shall read:
The data controller may, without prejudice to the statutory duty of confidentiality, demand information that is necessary
for the purpose of the register from health personnel, from enterprises in the health and care service and from personnel and
enterprises as mentioned in the Public Health Act § 29 second and third paragraphs.
§ 2-4 fifth paragraph is repealed. The current sixth paragraph becomes the new fifth paragraph.
14. In Act No. 81 of 15 June 2001 on electronic signatures, section 7, second paragraph, second sentence shall read:
To the extent that nothing else follows from this Act, the Personal Data Act comes with regulations
application in the Data Inspectorate's control after the first sentence.
15. The Act of 21 February 2003 no. 12 on treatment biobanks is amended as follows:
§ 3 second paragraph shall read:
Unless otherwise provided by this Act, health and personal information derived from human beings
biological material is processed in accordance with the rules in the Privacy Ordinance, the Personal Data Act,
the Patient Records Act, the Health Personnel Act and any other legislation that specifically regulates the protection of
personal information.
§ 5 first paragraph no. 7 shall read:
7. who is responsible pursuant to section 7 and data controller pursuant to the Patient Records Act
§ 7, first paragraph, second and third sentences shall read:
If the biobank contains information that can be linked to individuals, it will also have one
data controller according to the Patient Records Act. The data controller shall appoint the person responsible.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 14
14

§ 15 third paragraph shall read:
Access to personally identifiable material can only be granted if the recipient has access to process it
in accordance with the Patient Records Act, the Personal Data Act or the Privacy Ordinance.
§ 17 second paragraph shall read:
The Norwegian Data Protection Authority shall supervise the processing of the health and personal data derived from
the material in a biobank, takes place in accordance with the Privacy Ordinance, the Personal Data Act and
patient record law.
16. In Act no. 124 of 19 December 2003 on food production and food safety, etc. § 29 first paragraph second
dot sounds:
Such registers may not, without consent, contain personal data covered by
Article 9 (1) of the Privacy Regulation on special categories of personal data.
17. In Act no. 76 of 10 December 2004 on labor market services, section 14 shall read:
§ 14. General case processing rules
The Public Administration Act and the Personal Data Act apply with the special rules laid down in this Act.
18. In Act no. 62 of 17 June 2005 on working environment, working hours and job security, etc. the following changes are made:
§ 9-5 shall read:
§ 9-5. Access to the employee's e-mail box, etc.
The Ministry may issue regulations on the employer's right to access the employee's e-mail box and other items
electronically stored material, including access to access, procedures for access and the obligation to
delete information.
New § 9-6 shall read:
§ 9-6. Camera surveillance
The Ministry may issue regulations on camera surveillance in the business, including access to
implement camera surveillance, notification that such surveillance is taking place, and delivery and deletion of
recordings made by such monitoring.
19. The following amendments are made to Act no. 101 of 17 June 2005 on property registration:
§ 22 fifth paragraph shall read:
Articles 13 and 14 of the Privacy Ordinance do not apply to keeping the cadastre.
§ 26 fifth paragraph shall read:
This section takes precedence over Article 16 of the Privacy Ordinance on the correction of personal data.
§ 30 seventh paragraph shall read:
The Ministry may in regulations provide more detailed rules on the processing, disclosure and sale of information.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 15
15

20. In Act no. 16 of 19 May 2006 on the right of access to documents in public activities, section 10, third paragraph, second
dot sounds:
The King may issue regulations on the availability of documents on the Internet and on certain types
personal information and documents to which a third party has intellectual property rights shall not be made
available in this way.
21. In Act no. 20 of 16 June 2006 on labor and welfare administration, section 3, third paragraph, first sentence
sounds:
The Directorate is responsible for processing the agency's processing of personal data, cf.
Article 4 (7) of the Privacy Regulation.
22. The Act of 29 June 2007 no. 75 on securities trading is amended as follows:
§ 9-17 second paragraph no. 2 shall read:
2. requirements for documentation, including provisions that make exceptions from the Personal Data Act.
§ 9-28 shall read:
Business organization or affiliated legal entity that provides training to and authorizes persons employed in
investment firms, affiliated agents, or branches of foreign firms providing investment services in Norway,
may process such information as mentioned in Article 10 of the Privacy Regulation as part of the assessment
of whether an employee should be given authorization, deprived of authorization or given a warning.
23. In Act of 21 December 2007 no. 119 on customs and movement of goods, section 13-12, first paragraph, shall read:
(1) When planning, targeting and carrying out inspections, the customs authorities may collect, store,
compile and use necessary personal information, including health information, cf.
Article 9 (1) of the Privacy Regulation, and information as mentioned in Article 10 of the Privacy Regulation.
For the same purpose can cross-border traffic on the road and ferry terminals with foreign traffic
monitored by the customs authorities using a sign recognition system.
24. The following amendments are made to Act no. 44 of 20 June 2008 on medical and health research:
§ 2 second, third and fourth paragraphs shall read:
For the processing of health information, the Privacy Ordinance and the Personal Data Act also apply
regulations, to the extent not otherwise provided by this Act. For information that is confidential
according to the Health Personnel Act § 21, and for information on deceased persons, the provisions of this Act apply
on the processing of health information as far as it is appropriate. The law does not apply to the establishment of health registers.
Section 3 of the Medicines Act applies to clinical trials of medicinal products in humans. For
clinical trials of medical devices apply the law on medical devices with regulations. The law here applies
complementary as far as appropriate.
The Ministry may issue regulations on the application of the Act for special areas within medical and
health research.
§ 3 second paragraph is repealed. The current third paragraph becomes a new second paragraph.
§ 4 letter d shall read:
d) health information: personal information about a natural person's physical or mental health, including
provision of health services, which provides information about the person's state of health, cf. the Privacy Ordinance
Article 4 (15)

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 16
16

§ 10, second paragraph, second sentence shall read:
The Regional Committee for Medical and Health Research Ethics may set conditions for approval,
including measures to protect the data subjects' fundamental rights and interests.
§ 13 second paragraph first sentence shall read:
By consent is meant any voluntary, specific, informed and unequivocal expression of will from the participant there
the person by a statement or clear confirmation gives his consent to the processing of
health information or human biological material.
§ 32 first paragraph first sentence shall read:
The processing of health information in medical and health research shall be in accordance with
the principles of Article 5 of the Privacy Regulation and have explicitly stated purposes.
§ 33 shall read:
§ 33. Requirement for prior approval
Processing of health information in medical and health professional research requires prior approval from
the Regional Committee for Medical and Health Research Ethics under Chapter 3.
Processing of health information from health registers according to the Health Register Act §§ 8 to 11 does not require
prior approval, unless otherwise provided by the regulations of the registers.
The Personal Data Act § 10 and § 11 second paragraph do not apply to medical and health research.
§ 34 shall read:
§ 34. Processing of health information
Health information can be compiled, made available and processed in other ways in line with
the purpose of the research project, any consents, the prior approval pursuant to section 33 and in accordance with
the research protocol.
The regional committee for medical and health research ethics may, after approval, follow
Chapter 3 denies such compilation, making available or other processing if this exists to
be medically or ethically unsound.
Compilation and making available of health information can be done to data controllers or
research managers who have access to process the personal data in accordance with the Privacy Ordinance
Articles 6 and 9.
§ 35 first paragraph fourth sentence shall read:
The regional committee for medical and health research ethics may set conditions for its use, among others
other measures to protect the data subjects' fundamental rights and interests.
§ 36 new first paragraph shall read:
The data subject may request correction or deletion in accordance with Articles 16 and 17 of the Privacy Ordinance
The Personal Data Act § 17 second and third paragraphs apply.
The current § 36 first, second and third paragraphs become new second, third and fourth paragraphs, respectively.
§ 37 is repealed.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 17
17

§ 40 first paragraph shall read:
The research participant has the right to access health information about themselves in accordance with the Privacy Ordinance
Article 15. The participant also has the right to inspect the security measures during the processing of
health information as far as access does not impair security.
§ 42 shall read:
§ 42. Exemption from access
The exceptions in the Personal Data Act §§ 16 and 17 from the right to information and access and from the duty to
notification of a breach of personal data security, applies correspondingly to access pursuant to §§ 40 and 41 i
the law here.
Rejection of requests for access and information may be reviewed by the regional committee for medical and
health research ethics.
§ 47 shall read:
§ 47. The Data Inspectorate's authority
The Norwegian Data Protection Authority supervises the use of health information pursuant to this Act in accordance with
the Privacy Ordinance and the Personal Data Act.
When the Data Inspectorate has issued an order, the Norwegian Board of Health Supervision shall be informed of this.
§ 50 second, third and fourth paragraphs shall read:
The person responsible for the research shall compensate for damage that has occurred as a result of being human biologically
material is processed in violation of provisions given in or pursuant to the law, unless it is proven
that the damage is not due to fault or negligence on the part of the person responsible for the research. The compensation must correspond to
the financial loss suffered by the injured party as a result of the illegal treatment of the human
biological material. The person responsible for research may also be ordered to pay such compensation for damages
non-economic nature (redress) that seems reasonable.
The data controller and the data processor shall compensate for damage that has occurred as a result of that
health information has been processed in violation of the Privacy Ordinance, cf. Article 82 of the Ordinance. Liability
applies correspondingly to the processing of health information in violation of this Act or regulations issued in
pursuant to the law.
For research managers and data controllers who are private, security must be provided for insurance
the financial responsibility that may arise under the second and third paragraphs.
Section 52 shall read:
§ 52. The Data Inspectorate's right to make decisions on infringement fines
When processing health information in violation of the law or regulations issued pursuant to the law, may
The Norwegian Data Protection Authority imposes infringement fines in accordance with the Privacy Ordinance, Article 83 and
the Personal Data Act §§ 26 and 27.
When the Data Inspectorate has made a decision pursuant to the first paragraph, the Norwegian Board of Health Supervision shall be informed of this.
§ 53 first and second paragraphs shall read:
The Norwegian Board of Health Supervision may determine an ongoing coercive fine for each day, week or month that follows
the expiry of the deadline set for fulfillment of the order pursuant to section 51, until the order has been fulfilled. One
coercive fines can also be determined as one-off fines. The Norwegian Board of Health Supervision may waive an accrued coercive fine.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 18
18

The coercive fine does not run until the appeal deadline has expired. If the decision is appealed, the coercive fine does not run until
the appellate court has decided that.
The Norwegian Data Protection Authority may determine coercive fines pursuant to section 29 of the Personal Data Act.
25. In Act no. 79 of 17 October 2008 on the committee for review of Storting pensions, section 3 is repealed.
26. In Act no. 97 of 19 June 2009 on animal welfare, section 36, first paragraph, second sentence shall read:
Such registers may not, without the consent of the person concerned, contain personal data that is covered
of the Privacy Regulation Article 9 or 10.
27. In Act no. 44 of 25 November 2011 on mutual funds, § 1-6 shall read:
Business organization or affiliated legal entity that provides training to and authorizes persons employed in
a management company, affiliated agent, or foreign management company as mentioned in §§ 3-3 first paragraph
or 3-4 first paragraph, may process such information as mentioned in the Privacy Regulation Article 10 as
paragraph in the assessment of whether an employee should be given authorization, deprived of authorization or given a warning.
28. The Act of 64 August 2012 no. 64 on housing support is amended as follows:
§ 8 first paragraph fourth sentence shall read:
The duty to provide information in the Privacy Ordinance Article 14 applies.
§ 8 a third paragraph second sentence shall read:
Information as mentioned in Articles 9 and 10 of the Privacy Ordinance may not be obtained by mass.
§ 8 b seventh paragraph shall read:
The duty to provide information in the Privacy Ordinance Article 14 applies.
§ 8 c second paragraph first sentence shall read:
The duty to provide information in Article 14 of the Privacy Ordinance applies to information that has been collected in accordance with
paragraph here, but the data subject is only entitled to information when the control has been completed.
29. In Act no. 3 of 11 January 2013 on the Central Government Collection Agency, section 6, second and third paragraphs, is repealed.
30. In Act no. 21 of 7 May 2004 on the Office of the Auditor General, section 17, second paragraph, shall read:
The Office of the Auditor General's processing of personal data in the audit and control work is exempt from
Articles 15, 16, 17, 18 and 19 of the Privacy Regulation.
31. In Act no. 28 of 20 June 2014 on the management of alternative investment funds, § 1-6 shall read:
§ 1-6. Processing of personal data in connection with authorization schemes for employees
Business organization or affiliated legal entity that provides training to and authorizes persons who are
employed by a manager of an alternative investment fund with a permit pursuant to § 2-2, or who is
subject to registration pursuant to § 1-4, may process such information as mentioned in the Privacy Ordinance
Article 10 as part of the assessment of whether an employee should be authorized, deprived of authorization or granted
warning.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 19
19

32. In Act no. 42 of 20 June 2014 on the processing of health information when providing health care, the following is done
changes:
§ 2 shall read:
§ 2. Definitions
For the purposes of this Act:
a) health care: any action that has preventive, diagnostic, therapeutic, health-preserving,
rehabilitative or nursing and care purposes, and which are performed by health personnel, cf. the Health Personnel Act § 3
first paragraph
b) health information: personal information about a natural person's physical or mental health, including about
provision of health services, which provides information about the person's state of health, cf. the Privacy Ordinance
Article 4 (15)
c) processing of health information: any operation or series of operations performed with
health information, whether automated or not, such as collection, registration, organization,
structuring, storage, adaptation or modification, retrieval, consultation, use, delivery by transfer,
dissemination or any other form of making available, compiling or collating, limiting,
deletion or destruction, cf. Article 4 (2) of the Privacy Ordinance
d) treatment-oriented health register: patient record and information system or other register, list
or the like, where health information is stored systematically, so that information about the individual can be found
again, and which shall provide a basis for health care or the administration of health care to individuals
e) data controller: responsible for the processing of health information in accordance with the Privacy Ordinance, Article 4 no.
7.
§ 3 new second paragraph shall read:
For information that is confidential pursuant to the Health Personnel Act § 21, and for information about the deceased
persons apply the provisions of the Act here on the processing of health information as far as they are appropriate.
The current § 3 second paragraph becomes the new third paragraph.
§ 4 first paragraph first sentence shall read:
The law applies to data controllers established in Norway.
§ 4 second paragraph is repealed.
§ 5 shall read:
§ 5. The relationship to the Privacy Ordinance and the Personal Data Act
The Privacy Ordinance and the Personal Data Act do not apply as far as nothing else follows from the Act here.
§ 6, first paragraph, second sentence is repealed.
§ 9 letter d shall read:
d) data responsibility.
§ 10 second paragraph shall read:
The regulations shall provide further provisions on the operation, processing and securing of health information, if
data responsibility, on access control and on how the rights of the patient or user are to be safeguarded.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 20
20

§ 11 third paragraph shall read:
The regulations shall provide further provisions on the processing of the information, on which information
which can be processed, about the individual's right to oppose the processing of the information and about data responsibility.
§ 12 third paragraph shall read:
The regulations shall provide further provisions on the purpose of the processing of the information, which
information to be processed and who is the data controller for the information.
§ 13 fifth paragraph shall read:
The King in Council may in regulations issue further provisions on the operation and processing of health information,
for example, what information is to be processed, who is the data controller, rules on deletion,
access and access control, as well as the patient's rights.
§ 18 first paragraph shall read:
The patient or user has the right to information and access in accordance with the Patient and User Rights Act
§ 3-6 third paragraph and § 5-1 and to the Privacy Ordinance Articles 13 and 15.
§ 19 first and second paragraphs shall read:
Within the framework of the duty of confidentiality, the data controller shall ensure that relevant and necessary
health information is available to health professionals and other collaborating personnel when this is the case
necessary to provide, administer or quality assure health care to the individual.
The data controller decides how the information is to be made available. The information
shall be made available in a manner that safeguards information security.
Section 20 shall read:
§ 20. Health information for purposes other than health care
The data controller may make health information available for purposes other than health care when it
certain consents or this is stipulated by law or pursuant to law. By consent is meant any volunteer,
specific, informed and unequivocal expression of will from the data subject where the person in question by a statement or
a clear confirmation gives his consent to the processing of health information that applies to the person in question, cf.
Article 4 (11) of the Privacy Regulation.
§ 21 shall read:
§ 21. Personal information from the National Register
The data controller may obtain personal information from the National Population Register when this is necessary to
fulfill the data controller's obligations under the law. This applies regardless of whether the information is
subject to a duty of confidentiality under the Population Register Act.
§ 22 shall read:
§ 22. Information security
The data controller and data processor shall implement technical and organizational measures to achieve
a level of security appropriate to the risk, cf. Article 32 of the Privacy Regulation
data controllers and the data processor shall, among other things, ensure access control, logging and subsequent
control.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 21
21

The Ministry may in regulations lay down further requirements for information security in the processing of
health information.
§ 23 first paragraph shall read:
The data controller shall implement technical and organizational measures to ensure and demonstrate that
the processing is carried out in accordance with the Privacy Ordinance, the Personal Data Act and this Act, cf.
Article 24 of the Regulation.
§ 23 second paragraph first and second sentence shall read:
The data controller must document the measures. The documentation must be available for
the employees of the data controller and the data processor.
§ 26 shall read:
§ 26. Supervision
The Norwegian Data Protection Authority supervises compliance with the law and regulations issued pursuant to the law. This applies
not for supervisory tasks that are incumbent on the Norwegian Board of Health Supervision or the County Governor pursuant to the Health Supervision Act.
§§ 27 and 28 are repealed.
§ 29 shall read:
§ 29. Infringement fee
When processing health information in violation of the law or regulations issued pursuant to the law, may
The Norwegian Data Protection Authority imposes infringement fines in accordance with the Privacy Ordinance, Article 83 and
the Personal Data Act §§ 26 and 27.
§ 30 second and fourth paragraphs are repealed. The current third paragraph becomes a new second paragraph.
§ 31 shall read:
§ 31. Compensation
The data controller and the data processor shall compensate for damage that has occurred as a result of that
health information has been processed in violation of the Privacy Regulation, pursuant to Article 82 of the Regulation and
§ 30 of the Personal Data Act. The liability applies correspondingly in the event of a breach of this Act or regulations issued in
pursuant to the law.
33. In Act no. 43 of 20 June 2014 on health registers and processing of health information, the following is done
changes:
§ 2 shall read:
§ 2. Definitions
For the purposes of this Act:
a) health information: personal information about a natural person's physical or mental health, including:
provision of health services, which provides information about the person's state of health, cf. the Privacy Ordinance
Article 4 (15)
b) processing of health information: any operation or series of operations performed with
health information, whether automated or not, such as collection, registration, organization,
structuring, storage, adaptation or modification, retrieval, consultation, use, delivery by transfer,
dissemination or any other form of making available, compiling or collating, limiting,

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 22
22

deletion or destruction, cf. Article 4 (2) of the Privacy Ordinance
c) health register: any structured collection of personal data that is available according to special criteria,
and which contains health information, cf. Article 4 (6) of the Privacy Ordinance
d) data controller: responsible for the processing of health information, cf. the Privacy Ordinance Article 4 no. 7
e) consent: any voluntary, specific, informed and unequivocal expression of will from the data subject where
the person in question by a statement or a clear confirmation gives his consent to the processing of
health information that applies to the person in question, cf. the Privacy Ordinance, Article 4, No. 11
f) indirectly identifiable health information: health information including name, birth number and others
unambiguous characteristics have been removed, but where the information can still be linked to an individual.
§ 3 new second and third paragraphs shall read:
For information that is confidential pursuant to the Health Personnel Act § 21, and for information about the deceased
persons apply the provisions here on the processing of health information as far as they are appropriate.
The Act also applies correspondingly to the processing of information in the Health Archives Register in the Norwegian Health Archives.
The current § 3 third and fourth paragraphs become new fourth and fifth paragraphs.
§ 4 shall read:
§ 4. Geographical scope
The law applies to data controllers established in Norway. The king may in regulation determine that the law entirely
or shall partly apply to Svalbard and Jan Mayen, and may lay down special rules on the treatment of
health information for these areas.
§ 5 shall read:
§ 5. The relationship to the Privacy Ordinance and the Personal Data Act
The Privacy Ordinance and the Personal Data Act do not apply to anything else that follows from this
the law.
§ 6 first and second paragraphs shall read:
Health information shall be processed in accordance with the principles for processing in the Privacy Ordinance
Article 5.
The degree of personal identification shall not be greater than necessary for the purpose in question. The degree of
personal identification must be substantiated. The supervisory authority may require the data controller to submit
the rationale.
§ 6 third and fourth paragraphs are repealed.
The current § 6 fifth paragraph becomes a new third paragraph.
§ 7 is repealed.
§ 8 fourth paragraph letter e shall read:
e) who is the data controller.
§ 9 letter b shall read:
b) the information is processed without the data controller having access to names, birth numbers or others directly
personally identifiable characteristics.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 23
23

§ 12 third paragraph shall read:
The National Archivist is data responsible for the information in the Health Archives Register, cf. the Archives Act § 4.
§ 12 fourth paragraph second sentence shall read:
The regulations shall state the data controller's duty to make data available.
§ 14 shall read:
§ 14. Information from the National Register
Data controllers may obtain personal data from which they are permitted to process in accordance with §§ 8 to 12
The population register.
§ 19 second and third paragraphs shall read:
The data controller can make health information available for the compilation. Unless otherwise noted
follows from law or pursuant to law, the result of the compilation shall not contain names,
birth number or other directly identifying characteristics. The compilation must be done by it
data controllers for one of the registers or a business the ministry decides.
In addition to this, health information can only be compared with other information when this is permitted
the Privacy Ordinance, the Personal Data Act or other law.
§ 19 third paragraph is repealed.
§ 20 first paragraph first sentence shall read:
The duty of confidentiality does not prevent the data controller from making indirectly identifiable information available
health information for research, health analyzes, and quality assurance, administration, planning or
management of the health and care service.
§ 20 second paragraph shall read:
The health information can only be made available if the processing of it is of significant interest
for society, the patient's integrity and confidentiality are taken into account, and the treatment is
unobtrusive from ethical, medical and health considerations. The data controller can set conditions for
made available to protect the data subject's fundamental rights and interests.
§ 21 shall read:
§ 21. Information security
The data controller and data processor shall implement technical and organizational measures to achieve
a level of security appropriate to the risk, cf. Article 32 of the Privacy Regulation
data controllers and the data processor shall, among other things, ensure access control, logging and subsequent
control. In registers established on the basis of §§ 10 or 11, direct personal identification must be provided
characteristics are stored encrypted.
The Ministry may in regulations lay down further requirements for information security in the processing of
health information.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 24
24

§ 22 shall read:
§ 22. Internal control
The data controller shall implement technical and organizational measures to ensure and demonstrate that
the processing is carried out in accordance with the Privacy Ordinance, the Personal Data Act and this Act, cf.
Article 24 of the Regulation.
The Ministry may, in regulations, issue further rules on technical and organizational measures pursuant to the first paragraph.
§ 23 shall read:
§ 23. Information to the public on the processing of health information
A data controller who processes information in accordance with regulations pursuant to §§ 8 to 11, shall by his own initiative
inform the public about what kind of processing of health information is carried out.
Section 24 shall read:
§ 24. Right to information and access
The data subject has the right to information and access in accordance with Articles 13 to 15 of the Privacy Ordinance.
The right to information and access does not apply to information covered by the exceptions in
the Personal Data Act §§ 16 and 17.
The registered person also has the right to access who has had access to or been provided with health information
which is linked to the data subject's name or birth number, from health registers pursuant to §§ 8 to 11.
In special cases, the Ministry may grant the data controller a time-limited dispensation from the obligation to grant
access under this paragraph.
When necessary to assess access requirements, the data controller may obtain personal information from
The population register. This applies without regard to the duty of confidentiality.
The King may in regulations issue further provisions on the right to information and access.
§ 25 the title shall read:
§ 25. Correction, blocking or deletion
§ 25 first paragraph shall read:
The data subject may request correction or deletion in accordance with Articles 16 and 17 of the Privacy Ordinance
The Personal Data Act § 17 second and third paragraphs apply. The data subject may also require that
health information that is processed in accordance with §§ 8 to 11, shall be deleted or blocked, if processing of
the information feels strongly burdensome to the data subject, and there are no strong general considerations such as
indicates that the information is being processed. Requests for correction, deletion or blocking of information are addressed to it
data controllers for the information.
§ 26 shall read:
§ 26. The supervisory authorities
The Norwegian Data Protection Authority supervises compliance with the law and regulations issued pursuant to the law. This applies
not for supervisory tasks that are incumbent on the Norwegian Board of Health Supervision or the County Governor pursuant to the Health Supervision Act.
§§ 27 and 28 are repealed.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 25
25

§ 29 shall read:
§ 29. Infringement fee
When processing health information in violation of the law or regulations issued pursuant to the law, may
The Norwegian Data Protection Authority imposes infringement fines in accordance with the Privacy Ordinance, Article 83 and
the Personal Data Act §§ 26 and 27.
§ 30 second and fourth paragraphs are repealed. The current third paragraph becomes a new second paragraph.
§ 31 shall read:
§ 31. Compensation
The data controller and the data processor shall compensate for damage that has occurred as a result of that
health information has been processed in violation of the Privacy Regulation, pursuant to Article 82 of the Regulation and
§ 30 of the Personal Data Act. The liability applies correspondingly in the event of a breach of this Act or regulations issued in
pursuant to the law.
34. In Act no. 17 of 10 April 2015 on financial undertakings and financial groups, section 9-8, first paragraph, shall read:
(1) A business organization or affiliated legal entity that provides training to and authorizes employees in
financial undertakings, undertakings acting as agents or other intermediaries for financial undertakings and foreign companies
financial undertakings that are to conduct or conduct business in this country may process information as mentioned in
Article 10 of the Privacy Ordinance as part of the assessment of whether an employee should be granted authorization is revoked
authorization or warning.
35. In Act no. 85 of 4 September 2015 on the implementation of the Convention of 19 October 1996 on Jurisdiction,
choice of law, recognition, enforcement and co-operation regarding custody and protection measures
of children, § 3 shall read:
§ 3. Duty of confidentiality
In cases where the Norwegian authorities have a duty under the convention to provide information, this can be done without
obstacles to statutory confidentiality. The same applies where the convention facilitates that
information can be provided upon request.
36. In Act no. 47 of 16 June 2017 on debt information in credit assessments of private individuals, the following is done
changes:
§ 2 letter c shall read:
(c) "credit information undertakings" means undertakings which carry on credit information activities in accordance with:
the Personal Data Act,
§ 12 first paragraph letter c shall read:
c) credit information companies, when these, at the request of credit providers as mentioned in letters a and b, are to make
credit assessment, or when these are to prepare credit scores at the request of someone who has objective needs
to obtain credit information, and
§ 13 second paragraph first sentence shall read:
Credit information companies can also provide information on credit scores where debt information is included
in the calculation basis, to the person who has a factual need for the information.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

Page 26
26

37. In Act no. 53 of 16 June 2017 on amendments to the Patient and User Rights Act, the Health Personnel Act, etc. (strengthening
of the legal status of children when providing health and care services, etc.) the following changes are made:
In Roman numeral VII the following is changed:
In section 30, a new second paragraph shall read:
Anyone who intentionally or with gross negligence violates the prohibition against wrongful acquisition of
health information in § 16, is punishable by fines or imprisonment for up to one year.
The current second paragraph becomes the third paragraph.
Roman Numbers VIII is amended as follows:
In section 30, a new second paragraph shall read:
Anyone who intentionally or with gross negligence violates the prohibition against wrongful acquisition of
health information in § 18, is punishable by fines or imprisonment for up to one year.
The current second paragraph becomes the third paragraph.
38. In Act no. 112 of 15 December 2017 on testing of self-driving vehicles, section 3, first paragraph, shall read:
The Road Traffic Act with regulations, the Professional Transport Act with regulations and the Personal Data Act with
regulations apply during the testing of self-driving vehicles, unless otherwise provided by this Act or
regulations issued pursuant to this.

For ev. corrections see at the bottom of the electronic version : https://lovdata.no/LTI/lov/2018-06-15-38

