1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
Norway has incorporated the GDPR into national law, so a personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be notified to the DPA and, where the risk is high, to the affected individuals themselves.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Most notified breaches are breaches of confidentiality, but a breach of integrity and, in some cases, even a loss of availability may trigger the duty to notify. The threshold for notifying is quite low in Norway.
It is the controller that decides whether or not to notify the DPA; a data processor experiencing a breach shall notify the controller without undue delay (Article 33 (2) GDPR). As a general rule, a data processor shall not, on its own initiative, notify the DPA or the individuals.
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
The notification shall set out the aspects specified in Article 33 (3) GDPR, hence it shall contain the following information:
- the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
There is a standard form available for filing this information with the DPA.
Notification shall take place without undue delay and, where feasible, within 72 hours after becoming aware of the breach; where notification is made later than 72 hours, it must be accompanied by reasons for the delay (Article 33 (1) GDPR). Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected individuals shall also be informed without undue delay (Article 34 GDPR).
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
Failure to notify a breach is an infringement of Article 33 and is sanctioned under Article 83 (4) GDPR:
Administrative fines up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
It has not yet been clarified whether data subjects may claim compensation for a failure to notify.
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
The DPA has not issued guidance on this, but a breach significantly affecting individuals, such as a credit card data breach or one enabling identity theft, should be notified to the individuals concerned.
1.6 What are the applicable (data protection) laws or guidelines within your country?
The Norwegian Personal Data Act (personopplysningsloven), which incorporates the GDPR into Norwegian law, sets out some country-specific rules that apply in addition to the rules in the GDPR.
1.7 Contact information for the local Data Protection Authority:
The Norwegian Data Protection Authority
P.O. Box 8177 Dep, N-0034 Oslo, Norway
+47 22 39 6900
+47 22 42 2350
For more information, contact:
Advokatfirmaet Schjødt AS
Ruseløkkveien 14, P.O. Box 2444 Solli, NO-0201 Oslo, Norway
+47 23 01 1529
+47 22 83 1712