Advanced Search

Law On Processing Of Personal Data (Personal Data Act)

Original Language Title: Lov om behandling av personopplysninger (personopplysningsloven)

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.

Law on the treatment of personal information (the personal information law).

Date LOL-2000--04-14-31
Ministry of The Justis and the Department of Emergency
Last modified LAW-2015 -06-19-65 from 01.10.2015
Published In 2000 booklet 8
Istrontrecation 01.01.2001
Changing LAW-1978--06--09-48
Announcement
Card title Privacy Act pl.

Capital overview :

Jf. former law 9 June 1978 # 48. Jof. EES deal Attachment XI No 5e (dir 95/4/6) and 5ha (dir 2002/58).

Chapter I. Law's purpose and scope

SECTION 1. Law's purpose

The purpose of this law is to protect the individual courage that the privacy of privacy is violated through the treatment of personal information.

The law shall contribute to personal information being processed in accordance with basic privacy considerations, herunder the need for personal integrity, privacy and adequate quality of personal information.

SECTION 2. Definitions

In this law understood by :

1) personal information : information and assessments that can be connected to an individual,
2) treatment of personal information : any use of personal information, such as collection, registration, composition, storage and extradition or a combination of such uses,
3) person registry : registries, rosters m.v. where personal information is stored systematically so that information on the individual may exist again,
4) processing responsible : the one that determines the purpose of the processing of personal information and what aids to use,
5) data processing : the one that processes personal information on behalf of the treatment manager,
6) recorded : the one that a personal information can be attached to,
7) consent : a volunteer, expressly and informed statement from the recorded that he or she accepts treatment of information about himself,
8) sensitive personal information : details of
a) racial or ethnic background, or political, philosophical or religious opinion,
b) that a person has been a suspect, charged, prosecuted or convicted of a punishing act,
c) health conditions,
d) sexual relationships,
e) membership in unions.
SECTION 3. Sakal scope

The law applies to

a) treatment of personal information that completely or partly happens to electronic aids,
b) other processing of personal information when these are involved or should be included in a person registry and
c) all forms of camera monitoring, as defined in Section 36 first clauses.

The law does not apply to the treatment of personal information that the individual is conducting for purely personal or other private purposes.

The king can give regulation that the law or parts of it shall not apply to specific institutions and case areas.

The king can provide regulation on particular forms of treatment of personal information, and about the treatment of personal information in particular enterprises or industries. For the processing of personal information that clauses in credit information business, it can in regulation are given regulations about what types of information can be processed, what sources of information can be obtained from, who credit information can issued to and how the provision can happen, the deletion of credit and secrecy of the employees of the credit information agency. It can also be given rules that the law or some provisions granted in or in the co-hold of it shall apply for the treatment of credit information about others than individuals.

0 Changed by law 9 jan 2009 # 3, 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
SECTION 4. Geographic Scope

The law applies to the treatment managers established in Norway. The king can in regulation decide that the law completely or partly shall apply to Svalbard and Jan Mayen, and determine the shonest rules about the treatment of personal information for these areas.

The law also applies to the treatment managers established in states outside the EAIS area if the treatment managers use aids in Norway. This still does not apply if the relief funds are used only to transmit personal information via Norway.

Processing managers as mentioned in other clause shall have a representative established in Norway. The provisions that apply to the treatment managers also apply to the representative.

SECTION 5. The relationship with other laws

The provisions of the law apply to the treatment of personal information if nothing else follows by a special law regulating the processing way.

SECTION 6. The relationship of the legislat's right after other laws

The law here does not limit the envision right after the public law, the management law or other legisltual right to visibility in personal information.

If other statutory right to visibility access to more information than the law here, the treatment of the treatment shall be responsible for the actions of the court to ask for such visibility.

0 Modified by law 19 May 2006 # 16 (ikr. 1 jan 2009 ifg res. 17 oct 2008 No. 1 1118).
SECTION 7. The relationship of freedom of speech

For the treatment of personal information exclusively for artistic, literant or journalistic purposes only applies to the provisions of Section 13 to 15, Section 36 to 41, jf. Chapter VIII.

0 Modified by law 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).

Chapter II. Almemorial rules for the treatment of personal information

SECTION 8. Terms of terms to process personal information

Personal data (jf. Section 2 # 1) can be processed only if it registered has consented, or it is determined in law that it is allowed to such treatment, or the treatment is necessary for

a) to fulfill an agreement with the registered, or to perform to-do items after the registrar's request before such an agreement be made,
b) that the processing managers should be able to fulfill a legal obligation,
c) to remand the registerally vital interests,
d) to carry out a task of public interest,
e) to exercise public authority, or
f) that the treatment manager or third person to whom the information is issued to the custody of a entitled interest, and the envision of the registrar's privacy does not exceed this interest.
SECTION 9. Treatment of sensitive personal information

Sensitive personal information (jf. Section 2 # 8) can only be processed if the treatment meets one of the terms in Section 8 and

a) the registered consent of the treatment,
b) it is stipulable in law that it is access to such treatment,
c) The treatment is necessary to protect a person's vital interests, and the registered is not capable of consent,
d) it exclusively processed information that the registered self-volunteer has made commonly known,
e) The treatment is necessary to determine, make the current or defend a court requirement,
f) treatment is necessary for the treatment of the treatment managers to conduct their work-legal duties or rights,
g) treatment is necessary for preventive disease treatment, medical diagnosis, medical care, or patient treatment or for the management of health services, and the information is processed by health personnel with secrecy, or
h) The treatment is necessary for historical, statistical or scientific purposes, and the interest of society in that treatment takes place clearly exceeding the disadvantages it can be made for the individual.

Ideal composition and stilends can process sensitive personal information within the frame of their business even if the treatment does not meet one of the terms in the first clause letter a-h. The treatment can only include details of members or persons as due to the breakdown of the intermission or the foundation's purposes voluntarily are in regular contact with it, and only information collected through this contact. The personnel information cannot be issued without the registered consent of the registered consent.

The data management can determine that sensitive personal information can be processed also in other cases if significant civic interests suggest it and it is set in works measures to ensure the enrollment of the registerally.

SECTION 10. Register of Criminal Justice

A full register of criminal charges can only be conveyed under the control of a public authority.

SECTION 11. Basic requirements for the treatment of personal information

The treatment managers shall ensure that the personal information that is processed

a) only treated when this is allowed after Section 8 and Section 9,
b) only enjoyed the purposes of expressly stated purposes that are mainly due in the treatment of the treatment of the treatment of the
c) is not used later for purposes that are incompatible with the original purpose of the collection, without the recorded consent,
d) are sufficient and relevant for the purpose of the treatment, and
e) are correct and updated, and are not saved any longer than it necessary from the purpose of the treatment, jf. Section 27 and Section 28.

Later treatment of the personal information for historical, statistical or scientific purposes is not considered incompatible with the original preobjectives with the collection of information, jf. first clause of the letter c, if society's interest in the treatment takes place, clearly exceeding the disadvantages it can cause for the individual.

Personal data regarding children should not be treated in a way that is reckless with respect to the child's best.

0 Modified by law 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
SECTION 12. Use of the birth number m.v.

Birth number and other unique identification funds can only be enjoyed in the treatment when there is mainly needed for secure identification and the method is necessary to achieve such identification.

The data management can impose a processing manager to use identification funds as mentioned in the first clause to ensure that the personal information has adequate quality.

The king can provide regulation with closer rules about the use of birth number and other unique identification funds.

SECTION 13. Information security

The processing managers and data handler shall through planned and systematic measures ensure satisfactory information security with respect to confidentiality, integrity, and availability by the processing of personal information.

In order to achieve satisfactory information security, the processing managers and data handler should document the information system and security measures. The documentation shall be available for the co-workers of the treatment manager and with the data handler. The documentation should also be available for the Data Health and Privacy Board.

A treatment manager allowing others access to personal information, e.g. a data handler or others conducting missions in association with the information system, shall impose on these meet requirements in the first and other clause.

The king can provide regulation on information security by the treatment of personal information, herunder closer rules about organizational and technical security measures.

SECTION 14. Internacontrol

The treatment managers shall establish and hold the ordinance planned and systematic measures necessary to meet the requirements in or in co-hold of this law, herunder secure the quality of information.

The treatment managers shall document the measures. The documentation shall be available for the co-workers of the treatment manager and with the data handler. The documentation should also be available for the Data Health and Privacy Board.

The king can give regulation with closer rules about internet control.

SECTION 15. The data manager's disposal of personal information

A data handler cannot process personal information in any way other than what is written agreed with the treatment manager. The information also cannot without such agreement be handed over to anyone else for storage or beworked.

In the agreement with the treatment manager, it shall also step forward that the data handler duties to conduct such Sikringle measures as follows by Section 13.

SECTION 16. Deadline to respond to inquiries about information m.v.

The treatment supervisor shall respond to inquiries about visibility or other rights after Section 18, Section 22, Section 26, Section 27 and Section 28 without due stay and latest within 30 days from the day that the inquiry came in.

If very honest conditions make it impossible to respond to the inquiry within 30 days, the review can be postponed until it is possible to provide answers. The treatment supervisor shall then provide a preliminary response with information about the reason for the delay and probable time for when answers can be issued.

SECTION 17. Payment

The treatment managers may not require any satisfaction to provide information after chapter III or to comply with the registered following chapter IV.

Chapter III. Information on the treatment of personal information

SECTION 18. Right to visibility

Any requests for it shall know what kind of treatment of personal information is a processing supervisor, and may require the following information about a specific type of processing :

a) name and address on the treatment manager and dennes any representative,
b) who has the daily responsibility to fulfill the treatment of the treatment of accountability,
c) purpose of the treatment,
d) descriptions of what types of personal information are processed,
e) where the information has been obtained from, and
f) whether the personal information will be issued, and optionally who is the recipient.

If the requesting disclosure is registered, the treatment manager shall inform the

a) what information about the recorded as processed, and
b) The security measures at the treatment so far visibility do not weaken security.

The registered may require that the treatment manager equalise the information in the first clause of the letter a-f of the extent this is necessary for the registered to be able to be able to own interests.

The court of information after the second and third clause does not apply if the personal information is processed exclusively for historical, statistical or scientific purposes and the treatment does not get any direct importance for the recorded.

SECTION 19. Information-liked when collected information from the recorded

When collected personal information from the registered self, the processing managers of own measures shall first inform the registered of

a) name and address on the treatment manager and dennes any representative,
b) purpose of the treatment,
c) information will be issued, and optionally who is the recipient,
d) it is voluntary to give from the information, and
e) other that makes it registered able to use its rights by law here in the best possible way, as e.g. information on the right to demand visibility, jf. Section 18, and the right to demand correction, jf. Section 27 and Section 28.

Notification is not required if it is on the clean that it registered already knows the information in the first clause.

SECTION 20. Information-liked when collected information from others other than the recorded

A treatment manager who collects personal information from others than the registered self shall by its own measures inform the registered of which information is collected and providing information as mentioned in Section 19 first clause as soon as the information is obtained. If the purpose of collecting the information is to pass them on to others, the treatment managers may wait to notify the registered until the extradition occurs.

The registered has no claim of notice after the first clause if

a) The collection or service of the information is expressly determined in law,
b) notification is impossible or unsustainable difficult, or
c) it is on the clean that the registered already familiar with the information notified shall contain.

When notification exempting with the home of the letter b, the information is still to be provided at the latest when it is made a referral to the registered basis of the information.

SECTION 21. Information-liked by the use of personprofiles

When someone addressing or hits decisions that align against it registered on the basis of personprofiles that are meant to describe behavior, preferences, abilities or needs, f ex as clause in marketing business, should the treatment manager inform the recorded about

a) who is the processing manager,
b) what information types are applied, and
c) where the information is obtained from.
SECTION 22. Right to information about automated decisions

If a decision has legal or other significant importance for the registered and fully based on automatic processing of personal information, it can be registered as the decision correcs against, demanding that the treatment managers account for The rules content of the computer programs that lie to the decision.

SECTION 23. Exceptions from the right to information

The court to visibility after Section 18 and Section 22 and the duty of providing information after Section 19, Section 20 and Section 21 does not include information that

a) whether they were known would be able to harm national security, the country's defense or relationship with foreign powers or international organizations,
b) it is mandated to secrecy by consideration of prevention, investigation, disclosure and legal persecution of criminal conduct,
c) it must be deemed unadvisable that the registered one is given knowledge, for consideration of their health or relationship with persons who are close to them,
d) that in the co-law of law applies to the secrecy of,
e) exclusively exists in text that has been worked out for the internal case preparation and also not extradited to others,
f) it will be in violation of obvious and fundamental private or public interests to inform of, herenvisions to the registered self.

Details after the first clause of the letter c may at request still be made known to a representative of the registered when not candid reasons speak against it.

The person who refuses to give visibility to the co-hold of the first clause must justify this in writing with precise reference to the exception home.

The king can give regulation on other exceptions from the course of the court and information service and on terms of the use of the court of the court.

SECTION 24 How the information should be provided

The information can be required in writing with the treatment manager or with dennes data handler as mentioned in Section 15. Prior to the disclosure of information about a registered, the processing supervisor may require the registered delivery of a written and signed petition.

Chapter IV. Other rights for the registered

SECTION 25. Right to require manual treatment

The one that fully automated decision as mentioned in Section 22 courses against or as the case otherwise directly applies may require the decision to be attempted by a physical person.

The court after the first clause does not apply if the registrar's privacy interests are detained in sufficient manner and the decision is homered in law or ties to the fulfillment of contract.

Section 26 (Raised by law 9 jan 2009 # 2 (ikr. 1 June 2009 ifg res. 9 jan 2009 # 7).) SECTION 27. Correction of faulty personal information

If it is processed personal information that is incorrect, incomplete or as it is not allowed to process, the processing managers shall be responsible for their own measures or on the motion of the registered proper of the faulty information. The processing managers shall if possible ensure that the error does not affect the registered, e.g. by notifying recipients of the issued information.

The correction of incorrect or incomplete personal information that may have meaning as documentation should happen by that the information clearly marked and supplyes with correct information.

If heavy-road privacy concerns suggest it, the Computer Safety without the obstacle of other clause can determine that correction should happen by the faulty personal information deleted or blocked. If the information cannot be discarded in the co-filing of the archival Act, the Rissarchiware shall be heard prior to the meeting of the deletion. The betting runs in front of the rules of the archival Act 4. December 1992 No. 126 Section 9 and Section 18.

The deletion should be supplyated with registration of correct and complete information. If this is not possible, and the document that contained the deleted information for that reason gives an obvious misleading image, the entire document should be deleted.

The king can provide regulation with filler regulations on how correction should be carried out.

SECTION 28. Offers against saving unnecessary personal information

The processing managers shall not save personal information any longer than what is necessary to conduct the purpose of the treatment. Unless the personal information is then retained according to the archival Act or other legislation, they shall be deleted.

The treatment managers can without the obstacle of the first clause save personal information for historical, statistical or scientific purposes, if society's interest in that information be stored clearly exceeding the disadvantages it can cause for the individual. The treatment supervisor shall then ensure that the information is not retained in ways that allow it to identify the registered longer than necessary.

The registered may require that information that is strongly accounting for him or her to be blocked or deleted if this

a) not battles against other law, and
b) is defensible from an overall assessment of blunged, the needs of documentation, the envision of the recorded, cultural historical consideration and the resources of the requirement assumes.

The data protection can-after the National Archives is heard-hit the ordinance that the court to purge after third clause runs in front of the rules of the archival Act 4. December 1992 No. 126 Section 9 and Section 18.

If the document that contained the deleted information gives an obvious misleading image after the deletion, the entire document should be deleted.

Chapter V. Transfer of personal information to overseas

SECTION 29. Basic terms

Personal data can only be transferred to states that ensure a justifiable treatment of the information. States that have implemented Directive 95 /46/EC on the protection of physical persons in connection with the treatment of personal information and whether free exchange of such information, meets the requirement of defensible treatment.

In the assessment of whether the treatment is secured in the defensible manner, it shall be placed emphasis on the Enlightenment's species, the planned treatment's purpose and duration as well as the rule of law, rules of good business custom and security measures applicable in the person state. It shall also be placed emphasis on whether the state has attributed to the European Parliament Convention 28. January 1981 # 108 about the privacy of the electronic processing of personal information.

SECTION 30. Exceptions

Personal data can also be transferred to states that do not ensure a justifiable treatment of the information if

a) the registered has consented to the transfer,
b) it has been obliged to transfer the information after the fold-in agreement or as a result of membership of international organization,
c) The transfer is necessary to fulfill an agreement with the registered, or to perform to do's after the registrar's request before such an agreement be made,
d) The transfer is necessary to make or fulfill an agreement with a third person in the enrollment interest,
e) The transfer is needed to be in custody of the registerally vital interests,
f) The transfer is necessary to determine, make the current or defend a court requirement,
g) the transfer is necessary or follows by law to protect an important community interest, or
h) it is stipulable in law that it is allowed to demand information from a public register.

The data protection can allow transfer even if the terms of the first clause are not met if the treatment manager provides adequate guarantees for the protection of the registern rights. The data protection can set terms for the transfer.

The king may give regulation on transfer of personal information to overseas, heri to halt or limit transmission to specific states that do not satisfy the requirements of Section 29.

Chapter VI. Melde and consession alike

SECTION 31 Meldeduty

The treatment managers shall give message to the Data Protection before

a) treatment of personal information with electronic aids,
b) creation of manually personnel register that contains sensitive personal information.

The message is to be given the latest 30 days before the treatment takes to. The data authority shall provide the processing responsible receipt for the message received.

New message must be given prior to treatment that goes out over that frame for treatment indicated in co-hold of Section 32. Although no changes have been issued, new message should be issued three years after the previous message was issued.

The king may give regulation that certain treatment ways or treatment managers are excluding from the meldduty, subject to simplified meldduty or subject to the context of the consession. For treatments that are exemptions from eldeduty, regulation can be given regulation to limit disadvantages that the treatment otherwise may be subject to the recorded.

SECTION 32. The message's content

The message is to illuminate

a) name and address on the treatment manager and on dennes any representative and data handler,
b) when processing starts,
c) who has the daily responsibility to fulfill the treatment of the treatment of accountability,
d) purpose of the treatment,
e) overview of the types of personal information to be processed,
f) where the personal information is obtained from,
g) the judicial basis for the collection of the information,
h) who the personal information will be issued to, herunder any recipients in other states, and
in) what security measures are related to the processing.

The king can give regulation on what information the messages should contain and about the completion of the flour duty.

SECTION 33. Session alike

The session is required from the Data Authority to process sensitive personal information. This still does not apply to the treatment of sensitive personal information that has been given unsolicited.

The data management can determine that also the treatment of other than sensitive personal information requires consession, if the treatment otherwise clearly will violate heavy-road privacy interests. In the assessment of whether the consession is required, the Data Authority is supposed to take into account the nature of the personnel information, the quantity and purpose of the treatment.

If the Data Authority believes that the consession for a treatment will be obviously unnecessary, the Board of Health may decide that the treatment does not require consession.

The treatment managers may require the Data Authority to determine whether a treatment will require the consession.

The context of the context of after the first and second clause does not apply to the treatment of personal information in the organ of state or municipality when the treatment has home in its own law.

The king can give regulation that certain treatment ways do not need consession after the first clause. For treatment ways that avoidance from the consession, regulation can be issued to limit disadvantages that the treatment otherwise may be subject to the recorded.

0 Modified by law 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
SECTION 34. The decision of whether the session shall be given

At the decision of whether to be issued, it shall be clarified if the processing of personal information can be caused to the disadvantages of the individual not to be helped through the provisions of the II-V and terms after Section 35. In that case, it has to be considered if the disadvantages are being weighed in for consideration as speeches for the treatment.

SECTION 35. Conditions of the Consession

In the session, it shall be considered to set terms for the treatment when such terms are necessary to limit the disadvantages of the treatment otherwise would be subject to the recorded.

0 Endres at law 15 apr 2011 # 11 (ikr. from the time the King decides).

Chapter VII. Cameroon

0 The headline changed by law 20 apr 2012 number 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
SECTION 36. Definition

With camera monitoring, persistent or regularly repeated personal monitoring by remote officer or automatic-acting surveillance camera or other similar equipment is mounted. As camera monitoring is considered both monitoring with and without the possibility of recordings of audio and video material. The same goes for equipment that can easily be confused with a real camera solution.

Cameroon can only take place where the terms of this are met after Section 37 (ordinary terms) and Section 38 to 40 (additional terms).

0 Changed by law 9 jan 2009 # 3, 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
SECTION 37. Almemorial conditions for camera monitoring

The Privacy Act applies in its entirety for all forms of camera monitoring, jf. Section 3 first clause letter c, with the precision locations set forth by other to the fourth clause.

Cameroon monitoring that must be believed to have essential importance for prevention and clarification of penalties are permitted even if the terms of Section 9 first clause letter a to h are not met. In such cases, the context of the session is not applicable after Section 33.

At the assessment of what is a justified interest after the Privacy Act Section 8 letter f it for camera monitoring is placed significantly weighing on whether the monitoring helps protect life or health or prevention Penalty actions.

Cameroon shall be deemed only as the treatment of sensitive personal information in which such constitutes a significantly part of the information that the monitoring includes.

0 Modified by law 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
SECTION 38. Additional terms by monitoring site where a limited circuit of people travels periodically

Cameroon monitoring location where a limited circuit of people travels periodically, is only permitted if it out from business is needed to prevent hazardous situations from occurring and the supervision of employee or other people's safety or that of the is a special need for monitoring.

0 Modified by law 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
Section 38 a. Additional terms by monitoring parks, beaches and similar recreation areas available to the public

Cameroon monitoring parks, beaches and similar recreation areas available to the public, are only permitted when the need for monitoring clearly exceeds the one's interest in not being monitored.

By assessment of the need for monitoring, it is especially placed emphasis on whether monitoring is of significant importance to prevention penalties that can threaten life or health, prevent accidents or to protect similar civic interests.

By the assessment of the single interest of not being monitored, it should particularly be placed emphasis on how monitoring is to happen, as well as what kind of area to monitor.

0 Added by law 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
SECTION 39. Additional terms for the issue of footage made at camera monitoring

Personal data collected on footage made by camera monitoring can only be issued to others than the treatment manager if the one who is the cancellation or extradition follows by law. Oppents can still be issued to the police by the investigation of criminal acts or accidents unless the legislation of law is to hinder.

0 Modified by law 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
SECTION 40. Additional terms about notice that monitoring takes place

At camera monitoring in public or place where a limited circuit of people travels periodically, it should by depicting or otherwise made clear aware that the site is being monitored, that monitoring, optionally, includes audio recordings and who which is the processing manager.

0 Modified by law 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).
SECTION 41. Prescription

The king can provide regulations with closer regulations on camera monitoring and recordings in connection with such monitoring, herunder about safeguards, use and deletion of footage made by camera monitoring and about the envision of the The footage where he or she is the image. It can also be given regulation that footage can be issued beyond what follows by Section 39.

0 Modified by law 20 apr 2012 # 18 (ikr. 20 apr 2012 ifg res. 20 apr 2012 # 335).

Chapter VIII. Access and sanctions

SECTION 42. Data Regumissions Organization and Tasks

The data protection is an independent management agency administrative child the King and the Ministry of the Ministry. The King and the Department cannot provide instruction on or rev the Data Regutioners's acting of authority in individual cases following the law.

The data protection is led by a director who is appointed by the King. The king can decide that the director is being placed on the varian.

The data protection is

1) bring a systematic and public roster of all treatments that have been entered after Section 31 or given session after Section 33, with information mentioned in Section 18 first clause jf. SECTION 23,
2) process applications of consessions, receive messages and assess whether to be given the injunction where the law provides home for this,
3) verify that laws and regulations that apply to the treatment of personal information are followed, and that errors or are missing are fixed,
4) keep informed about and inform of the general national and international development in the treatment of personal information and about the problems that link to such treatment,
5) identify dangers of the privacy, and advise on how they can be avoided or be restricted,
6) provide advice and guidance in questions about the privacy and safeguards of personal information to those who plan to process personal information or develop systems for such treatment, herunder assist in the management of industry-wise behavioural,
7) after the enquiry or of its own measures give statement in questions about the treatment of personal information, and
8) give the King year message about his business.

Decisions such as the Data Safety Securities Section of Section 9, Section 27, Section 28, Section 33, Section 35, Section 46, Section 46 and Section 47 can be scratched to the Privacy Board. Decisions that shall be made in co-hold of Section 27 or Section 28 can be incurred on to the King if the decision applies to personal information processed for historical purposes.

SECTION 43. Privacy Board's organizing and tasks

Privacy Board will determine complaints about Data Regutionists ' decisions, jf. Section 42 fourth joints. Nemnda is an independent management agency administrative child the King and the Ministry of the Ministry. Section 42 first clause different period applies to the equivalent.

The Privacy Board has seven members appointed for four years of admission to reentry for another four years. The leader and deputy leader are appointed by Parliament of Parliament. The other five members are appointed by the King.

Privacy Board may decide that the leader or deputy leader along with two other nestboard members can process complaints over decisions that need to be decided without a stay.

Privacy Board is orientating annual King about the treatment of the complainers.

Search targets about the validity of the Privacy Board's decisions are directed against the state by the Privacy Board.

The king can give closer rules about the Privacy Board's organizing and case management.

SECTION 44. Regulatory Authority's access to information

The Computer Health and Privacy Board may require the information needed for them to conduct their tasks.

The data-control can as clause in its control with the rules of the law, require admission to places where there are personregistries, monitoring equipment and imaging recordings as mentioned in Section 37, personal information processed electronic and aids for such treatment. The vision can conduct those samples or controls as it finds necessary and require assistance from the staff at the site of the extent that this must to be conducted samples or controls.

The court to demand information or access to premises and aids in accordance with the first and other clause shall apply without the obstacle of secrecy.

The king can give regulation on exceptions from the first to third clause of the purposes of national security. The king can also give regulation on coverage of the expenses by control.

0 Modified by law 9 jan 2009 # 3.
SECTION 45. Taushetti of the Department of Regulators

For employees of the Data Authority, members of the Privacy Board and others who perform service for the Regulations apply to the provisions of secrecy in the Management Act Section 13 fg. Taushood Duty also includes information security measures, jf. SECTION 13.

The Computer Safety and Privacy Board may without the obstacle of the privilege after the first clause to provide information to foreign regulatory authorities when needed to be able to hit the ordinance as clause of the probation worker.

SECTION 46. Overtime fees. In order of change or termination of illegal treatments

The data protection can impose the one that has violated this law or regulations in co-compliance with it, paying a monetary amount to the treasury fee of up to 10 times the base amount in the census. Physical people can only ilegges the violation fee for the forlassia or unaccentable violations. An enterprise cannot be illegation of the violation fee if the violation is due to conditions outside of the company's control.

At the assessment of whether the violation fee shall be illegation, and by the measurement, it shall be especially placed on weight

a) how serious the violation has violated the interests of the interests of the law,
b) the degree of guilt,
c) about the violation of guidelines, instruction, training, control or other measures could have the prevention of the violation,
d) whether the violation has been committed to promoting the offender's interests,
e) whether the offender has had or could have achieved any benefit at the violation,
f) of the present iteration,
g) about other reactions as a result of the violation is being disloyal the offender or someone who has acted on behalf of this one, among other things if any individual becomes illaged punishment and
h) The offender's economic ability.

The Fulfillment deadline is 4 weeks after the ordinance of the violation fee is final. If an ordinance for the violation fee is brought in for a court, it can try all sides of the matter.

The Data Authority may provide the injunction that the treatment of personal information in violation of regulations in or in the co-operation of this Act shall cease, or quiet terms that must be met for the treatment to be in compliance with the law.

0 Modified by law 9 jan 2009 # 3.
SECTION 47. Compulsive

Upon cuts after Section 12, Section 27, Section 28 and Section 46, the DataAuthority can determine an obsessive running for every day that goes after the expiration of the deadline set for the fulfillment of the injunction, until the injunction has been met.

The pitfall is not running until the end of the cloth deadline is out. If the ordinance of the bill does not run the foreclosure before the Privacy Board has decided it.

The data protection can be waived on-run foreclosure.

Section 47 a Incretions of refusion requirements, violation fees and compulsisment

Reflection requirements as mentioned in Section 44, the violation fee after Section 46 and compulsive after Section 47 is compulsive for outlay.

0 Added by law 9 jan 2009 # 3, modified by law 11 jan 2013 # 3 (ikr. 1 June 2013 ifg. res. 24 May 2013 # 533).
SECTION 48. Punishment

With fines or jail until one year or both share punishment it as intentional or aggravated negligent

a) fail to send message after Section 31,
b) process personal information without the required consession after Section 33,
c) overcomes terms determined after Section 35 or Section 46,
d) fail to comply with the Department of Computer Protection after Section 12, Section 27, Section 28 or Section 46,
e) treat personal information in violation of Section 13, Section 15, Section 26 or Section 39, or
f) fail to give information after Section 19, Section 20, Section 21, Section 40 or Section 44.

By particularly display circumstances, prison can be made up until three years of idreddit. At the decision of whether there has been particularly display-wide circumstances, it should be placed emphasis on the danger of great damage or disadvantage for the recorded, the intended gain by the violation, the violation of the violation, the duration of the violation, and scope, expelled blame, and whether the treatment responsible has previously been punished for overtaking the equivalent of regulations.

In regulation provided in the co-state of the law, it can be determined that it as intentional or coarse negligent regulation shall be punished with fines or imprisonment until one year or both.

0 Modified by law 19 June 2015 # 65 (ikr. 1 oct 2015).
SECTION 49. Replacement

The treatment responsible shall replace damage that has been occurred as a result of personal information being processed in violation of regulations in or in co-law, unless it is well-made that the damage is not due to failure or neglect on it the processing liability lies side.

Processing managers who convey credit information and who have been able to disclose information that show incorrect or evidently misleading, should replace damage that has been occurred as a result of the erroneous message, without regard to the damage caused by errors or neglect on the treatment of the treatment liability.

The replacement is supposed to respond to the financial loss that the scathing has been inflicted as a result of the illegal treatment. The treatment manager can also be placed to pay such damages for damage of non-economic species (vindicated) that think reasonably.

Chapter IX. Ipowersetting. Trangural rules. Changes in other laws

SECTION 50. Ipowersetting

The law takes effect from the time the King decides. The king can decide that the individual provisions of the law shall be three in effect at different times.

0 The law went on ir. 1 jan 2001 ifg. res. 30 June 2000 # 641.
SECTION 51. Overtime rules
1. For the treatment of personal information that has been initiated before the law takes effect and that is the report or consession splikable by the provisions of Chapter VI, it shall be sent in accordance with Section 31 or sought confirmation of the session from the Data Protection Act according to Section 33 within one year from the Commencement of the Commencement. If the treatment is done in accordance with the session of the co-registry law Section 9, the deadline for sending message or seeking the consession two years from the Commencement Act. Until message has been submitted or the Data Authority has provided the consession, the personal information can be processed according to the rules of the labor registry law.
2. A consent that a registered has issued before the law takes effect shall still apply, if it satisfies the terms of Section 2 # 7.
3. Commaking as the Data Authority receives after the law takes effect, the Privacy Board is processed by the Privacy Board.
4. The king can at regulation give closer transition rules.
SECTION 52. Changes in other laws

In other laws, the following changes are made :--