Personal data comprises all the information or assessments concerning an individual, and most undertakings in both the private and the public sector are therefore subject to the above legislation.
Undertakings are therefore bound to process personal data in accordance with privacy of information principles, document their processing routines, safeguard data and carry out risk assessments of their systems.
In 2018 a new Personal Data Act was passed comprising national rules in addition to the EU’s General Data Protection Regulation (GDPR). This new legislation enhances privacy protection by setting more stringent requirements for the routines employed when organisations process personal data.
Through GDPR there is a greater self-control requirement placed on employers and the basis for processing is subject to stricter rules. Furthermore, the person whose data is being processed has clearly defined rights, such as rights concerning inspection, information retrieval, as well as restrictions on storage, further distribution and usage for other purposes.
GDPR is now a central element throughout the working environment. Information about job applicants is already gathered at the recruitment stage. Following appointment, GDPR sets requirements as to the information an employee’s personal file may contain, and to which ends this information may be used. Moreover, on termination of employment this information must be deleted after a certain time.
A breach of the Personal Data Act can lead to an inspection by the Norwegian Data Protection Authority and imposition of an administrative fine. Indeed, certain evidence produced in connection with disputes may not be permissible because, for example, the routines for right of access to emails were not followed.
Dalan can assist undertakings in the following areas:
- Legal advice in connection with the Personal Data Act.
- Conduct of risk assessments.
- Drawing up routines for processing personal data.
- Formulation of compliance statements, data processing contracts, notifications of non-conformance, and applications to the Norwegian Data Protection Authority.
- Preparation and monitoring of control measures, also those linked to the requirements set by the Personal Data Act.
- Support in individual cases for both employers and employees in connection with breaches of the Personal Data Act.
- Procedural assignments and disputes.