Law On Processing Of Personal Data (Personal Data Act)

Original Language Title: Lov om behandling av personopplysninger (personopplysningsloven)

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now

Read the untranslated law here: https://lovdata.no/dokument/NL/lov/2000-04-14-31

Law on processing of personal data (Personal Data Act).


Date LOV-2000-04-14-31


Affairs Ministry of Justice

Edited

LOV-2015-06-19-65 from 10/01/2015


Published in 2000 Booklet 8


Commencement 01.01.2001

Changes
LOV-1978-06-09-48

Promulgated


Short Title
Personal Data Act - popplyl.

Chapter Overview:

Chapter I. Purpose and scope (§§ 1-7)
Chapter II. General rules for processing of personal data (§§ 8-17)
Chapter III. Information on processing of personal data (§§ 18-24)
Chapter IV. Other rights of the registered (§§ 25-28)
Chapter V. Transfer of personal data abroad (§§ 29-30)
Chapter VI. Notification and licensing obligation (§§ 31-35)
Chapter VII. Camera surveillance (§§ 36-41)
Chapter VIII. Supervision and sanctions (§§ 42-49)
Chapter IX. Commencement. Transitional rules. Amendments to other laws (§§ 50-52)

Ref. former law June 9, 1978 No.. 48. Cf.. EEA Agreement Annex XI. 5e (dir 95/46) and 5ha (dir 2002/58).

Chapter I. Purpose and scope

§ 1. Purpose The purpose of this Act is to protect the individual against personal privacy being violated through the processing of personal data.
Act will help ensure that personal data is processed in accordance with the basic policy considerations, including the need to protect personal integrity, privacy and adequate quality of personal data.

§ 2. Definitions In this Act apply:

1)
Personal Data: information and assessments that can be linked to an individual,

2)
processing of personal data: any use of personal data, such as. collection, recording, storage and distribution or a combination of such uses,

3)
person registry, registers, inventories etc. where personal information is systematically stored so that information about the individual can be retrieved,

4)
controller: the person who determines the purpose of processing personal data and the tools to be used,

5)
data processor: the person who processes personal data on behalf of the data controller,

6)
registered: the whom personal data can be linked to,

7)
consent: a voluntary, explicit and informed declaration by the data that he or she accepts the processing of information about themselves,

8)
sensitive personal information: information about

A)
racial or ethnic background, or political, philosophical or religious beliefs,

B)
that a person has been suspected, charged or convicted of a criminal offense

C)
health conditions

D)
sexual relationship,

E)
trade union membership.

§ 3. Subject scope The Act applies to

A)
processing of personal data wholly or partly by automatic means,

B)
other processing of personal data when these are included or to be included in a personal register and

C)
all forms of camera surveillance, as defined in § 36.

Act does not treat personal information that an individual carries for personal or other private purposes.
King may issue regulations that the law or any part thereof shall not apply to certain institutions and administrative spheres.
The King may issue regulations on specific forms of processing of personal data and the processing of personal data in specific enterprises or industries. For the processing of personal data as part of a credit information may by regulations contain provisions, inter alia, the type of data that can be processed, the sources personal information can be retrieved from, whom credit information may be disclosed and how such disclosure may take place, cancellation of credit information and the confidentiality of the employees of the credit reporting agency. There may also be rules that the law or certain provisions laid down in or pursuant to the Act shall apply for the processing of credit information about others than individuals.

§ 4. Geographical scope This Act applies to data controllers established in Norway. The King may issue regulations that the law completely or partly apply to Svalbard and Jan Mayen, and establish special rules on the processing of personal data for these areas.
The Act also applies to data controllers established in states outside the European Economic Area if the controller uses equipment in Norway. This does not apply if equipment is used only to transmit personal information via Norway.

Controllers mentioned in the second paragraph should have a representative who is established in Norway. The provisions applicable to the treatment shall also apply to the representative.

§ 5. Relationship to other laws provisions of law applicable to the processing of personal data unless otherwise provided by a special law regulating the procedure.

§ 6 Relationship to the statutory right of access under other legislation This Act does not limit the right of access under the Freedom of Information Act, Public Administration or other statutory right of access to personal data.
If different statutory right of access gives access to more information than this Act, the controller shall on its own motion information concerning the right to request such access.

§ 7. Relationship to freedom of expression processing of personal data solely for artistic, literary or journalistic purposes only apply the provisions of §§ 13 to 15, §§ 36 to 41, cf. Chapter VIII.

Chapter II. General rules for processing of personal data

§ 8. Conditions for the processing Personal information (cfr. § 2, no. 1) may only be processed if the data subject has consented, or it is determined by law that there is access to such treatment, or treatment is required | ||
A)
to fulfill a contract with the data, or to perform tasks request of the data before such an agreement is concluded,

B)
enable the controller to fulfill a legal obligation,

C)
to protect the vital interests

D)
to perform a task of general interest,

E)
exercising public authority, or

F)
that the controller or third parties to whom the data are disclosed to safeguard a legitimate interest and concern for the data subject does not exceed this interest.

§ 9. Processing of sensitive personal data Sensitive personal data (cfr. § 2, no. 8) can only be processed if the processing fulfills one of the conditions in § 8 and

A)
registered consent to the processing,

B)
it is established by law that there is access to such treatment

C)
processing is necessary to protect a person's vital interests, and the data is not able to consent,

D)
only data which the data subject has voluntarily made publicly known,

E)
processing is necessary for the establishment, exercise or defense of a legal claim,

F)
processing is necessary for the controller to fulfill their labor law rights or obligations,

G)
processing is necessary for preventive therapies, medical diagnosis, care or treatment or the management of health services, and information is handled by health professionals with confidentiality, or

H)
processing is necessary for historical, statistical or scientific purposes, and public interest in the processing carried out clearly exceeds the disadvantages this may entail for the individual.

Non-profit associations and foundations can process sensitive personal data within the scope of their business even if treatment does not meet one of the conditions in the first paragraph a - h. Treatment may only include information about members or persons who, because of the association or foundation purpose voluntary is in regular contact with it, and only information that is collected through this contact. Personal data may not be disclosed without the data subject consents.
Inspectorate may decide that sensitive personal data can be processed in other cases if important public interests and the implementation of measures to ensure the interests of the data.

§ 10. Register of criminal convictions A complete register of criminal convictions may only be under the control of a public authority.

§ 11. Basic requirements for processing of personal data, the controller shall ensure that personal data processed

A)
treated only when permitted under § 8 and § 9,

B)
only used for explicitly stated purposes that is objectively justified in the data controller business,

C)
not used later for purposes that are incompatible with the original purpose of the collection, without the data subject consents,

D)
is sufficient and relevant for the purpose of processing, and

E)
are accurate and up to date, and not be stored longer than necessary for the purpose of treatment, cf. § 27 and § 28


Later processing of personal data for historical, statistical or scientific purposes is not considered incompatible with the original purposes of the collection of information, cf. Subsection c, if the public interest in the processing carried out clearly exceeds the disadvantages this may entail for the individual.
Personal Information concerning children should not be treated in a way that is unsustainable in the interests of the child.

§ 12. Use of personal identification, etc. National identity and other clear means of identification may only be used in the treatment when it is justifiable need for secure identification and method is necessary to achieve such identification.
Inspectorate may require a controller to use means of identification mentioned in the first paragraph to ensure that personal data are of adequate quality.
King may issue regulations with further rules concerning the use of numbers and other clear means of identification.

§ 13 Data The data controller and data processor shall, through planned and systematic actions ensure satisfactory information with regard to confidentiality, integrity and availability, processing of personal data.
To achieve satisfactory data should the controller and the data processor document the information and security measures. Documentation shall be made available to the employees of the data controller and the data processor. The documentation shall also be available to Inspectorate and the Privacy Appeals Board.
A controller as allowing access to personal data, for example. a data processor or other persons who perform services in connection with the data, shall ensure that these meet the requirements of subsections.
King may prescribe regulations regarding data on treatment of personal data, including rules on organizational and technical security measures.

§ 14 Internal The controller shall establish and maintain such planned and systematic actions necessary to meet the requirements in or pursuant to this Act, including measures to ensure the personal information.
The controller shall document the measures. Documentation shall be made available to the employees of the data controller and the data processor. The documentation shall also be available to Inspectorate and the Privacy Appeals Board.
King may issue regulations with further rules on internal control.

§ 15. The processor's use of personal data A data processor may process personal data in any other way than as agreed in writing with the data controller. The information may also not without such an agreement be left to someone else for storage or processing.
In agreement with the data controller must also be seen that the data processor is obliged to implement such measures as required by § 13

§ 16. The deadline for replies to requests for information etc. The data controller shall respond to requests for access or other rights in accordance with § 18, § 22, § 25, § 26, § 27 and § 28 without undue delay and within 30 days from the day the request is received.
If special circumstances make it impossible to respond to the request within 30 days, may be postponed until it is possible to provide answers. The controller shall then give a provisional reply stating the reason for the delay and likely when a reply can be given.

§ 17. Payment The controller can not claim compensation for providing information pursuant to Chapter III or for meeting demands of the data pursuant to Chapter IV.

Chapter III. Information on processing of personal data

§ 18. Right of access Anyone who requests it, should know what kind of processing of personal data a controller carries out and may require the following information about a particular type of treatment:

A)
name and address of the controller and his representative, if

B)
who has the daily responsibility for fulfilling the duties

C)
purpose of the processing,

D)
descriptions of the types of personal data processed,

E)
where the information is obtained from, and

F)
about personal data will be disclosed, and if so who is the recipient.

If the person requesting access is detected, the controller shall disclose

A)
what information the registered processed and

B)
security measures at the treatment so far transparency not impair safety.


The data subject may demand that the controller expands the information in the first paragraph a - fi the extent necessary for the data subject should be able to safeguard their own interests.
The right to information under the second and third paragraphs shall not apply if personal data are processed solely for historical, statistical or scientific purposes and the treatment will have no direct effect on the data.

§ 19 Obligation when it is collected from the data subject when it collected personal information from the data subject, the controller shall on its own initiative first inform the data subject about

A)
name and address of the controller and his representative, if

B)
purpose of the processing,

C)
data will be disclosed, and possibly identity of the recipient,

D)
its voluntary provision of data, and

E)
else that makes the data able to use their rights under the Act in the best possible way, eg. information about the right to demand access, ref. § 18, and the right to demand correction, ref. § 27 and § 28

Notification is not required if it is clear that the data subject already has the information in the first paragraph.

§ 20. Duty when it collected information from sources other than the registered A controller that collects personal information from anyone other than the registered person shall on its own initiative to inform the data subject about which information is collected and give information as mentioned in § 19 first paragraph as soon as information is obtained. If the purpose of collecting this information is to give them to others, the controller may wait to notify the data to disclosure takes place.
The registered are not entitled to notice under subsection if

A)
collection or communication of information is expressly authorized by statute,

B)
notification is impossible or unreasonably difficult, or

C)
it is clear that the data subject already has the information notified to contain.

When notification is omitted pursuant to subparagraph b, the information shall nevertheless be given later than when it is contacted to the registered based on the information.

§ 21. Duty using personal profiles When a turn to or makes decisions to which the data subject on the basis of personal profiles that are intended to describe the behavior, preferences, abilities or needs, for example in connection with marketing activities shall the controller to inform the data subject about

A)
who is the controller,

B)
which types of information are used and

C)
where the information originated.

§ 22. Right to information about automated decisions If a decision has legal or other significant effects for the data subject and is based on automatic processing of personal data, it can be registered as to the decision, request that the controller give an account for rules incorporated in computer programs that underlie the decision.

§ 23. Exceptions to right to information right of access pursuant to § 18 and § 22 and the obligation to provide information pursuant to § 19, § 20 and § 21 does not include information that

A)
if they became known, might endanger national security, national defense or relations with foreign states or international organizations,

B)
it is required to keep secret for the sake of prevention, investigation, detection and prosecution of criminal offenses,

C)
it is deemed inadvisable that the data becomes aware of, for the sake of their health or relations with persons who are concerned close,

D)
it pursuant to the law applicable confidentiality for,

E)
exclusively found in text that has been prepared for the internal preparation and which are not transferred to other

F)
it would conflict with obvious and fundamental private or public interests to information, including the interests of the data itself.

Information pursuant to subsection c may nonetheless on request be made known to a representative of the registered unless special reasons to the contrary.
Whoever refuses to provide access pursuant to subsection must justify in writing with a precise reference to the governing exceptions.
The King may issue regulations concerning other exceptions from the right of access and disclosure requirements and the conditions of use of the right of access.


§ 24. How the information should be given information may be requested in writing from the manager or from his processor as mentioned in § 15. Before providing access to data relating to a data, the controller may require that the data delivering a written and signed request .

Chapter IV. Other rights of the registered

§ 25. The right to require manual processing Whoever a fully automated decision as referred to in § 22 targets or as the case otherwise directly concerns may demand that the decision be reviewed by an individual.
Right under the first paragraph does not apply if the data subject's interests in terms of protection are adequately safeguarded and the decision is sanctioned by law or related to the performance of the contract.

§ 26. (Repealed by Act 9 January 2009 no. 2 (ikr. June 1, 2009 acc. Res. 9 January 2009 no. 7).)

§ 27. Rectification of deficient personal data If processed personal data which are inaccurate, incomplete or that it is not possible to treat, the controller shall on its own initiative or at the request of the data subject rectify the deficient data. The controller shall, if possible, make sure the error does not affect the data subject, for example. by notifying recipients of disclosed data.
Rectification of inaccurate or incomplete personal information that may be of significance as documentation shall be done by marking the data clearly and supplementing them with accurate information.
If weighty privacy considerations indicate, the Inspectorate notwithstanding subsection decide that rectification shall be effected by the deficient personal data deleted or locked. If information can not be destroyed pursuant to the Archives Act, the Director General is heard before a decision on cancellation. This decision shall take precedence over the provisions of the Archives Act 4 December 1992 No.. 126 § 9 and § 18
Erasure should be supplemented by the recording of accurate and complete information. If this is not possible, and the document that contained the erased data therefore provides a clearly misleading impression, the entire document is deleted.
The King may issue regulations containing supplementary provisions on rectification.

§ 28. Prohibition against storing unnecessary personal data, the controller shall not store personal data longer than is necessary to achieve the purpose of treatment. Unless personal data then must be stored in accordance with the Archives Act or other legislation should be deleted.
The controller may, notwithstanding subsection store personal data for historical, statistical or scientific purposes, if the public interest in the data being stored clearly exceeds the disadvantages this may entail for the individual. The controller must then ensure that the data are not stored in ways that make it possible to identify the data longer than necessary.
The data subject may require that information which is highly stressful for him or her shall be blocked or deleted if

A)
does not conflict with another law, and

B)
justified by an overall assessment of, inter alia, others need for documentation, interests of the data, historical considerations and the resources the implementation of the requirement presupposes.

Inspectorate can - after the National Archivist is heard - decide that the right to cancellation under subsection supersedes the provisions of the Archives Act 4 December 1992 No.. 126 § 9 and § 18
If the document containing the deleted data provides a clearly misleading impression after deletion, the entire document is deleted.

Chapter V. Transfer of personal data abroad

§ 29. Basic conditions Personal data may only be transferred to countries that ensure an adequate level of information. States that have implemented Directive 95/46 / EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the requirement for the proper treatment.
In assessing the adequacy of properly, shall inter alia Emphasis is placed on its nature, the proposed processing purposes and duration as well as the rule of law, rules of conduct and safety prevailing in the State concerned. It should also be given to whether the State has adopted the European Convention on 28 January 1981 no. 108 on privacy with regard to automatic processing of personal data.

§ 30. Exceptions Personal data may also be transferred to countries which do not ensure an adequate level of data if

A)
the data subject has consented to the transfer,

B)
there is an obligation to transmit the information by international agreement or as a result of membership in the international organization,

C)

Transfer is necessary to fulfill a contract with the data, or to perform tasks request of the data before such an agreement is concluded,

D)
transfer is necessary for the conclusion or performance of a contract with a third party in the interest

E)
transfer is necessary to protect the vital interests

F)
transfer is necessary for the establishment, exercise or defense of a legal claim,

G)
transfer is necessary or legally required in order to protect an important public interest, or

H)
it is established by law that it is entitled to request information from a public register.

Inspectorate may allow the transfer even if the conditions in the first paragraph are not met if the controller provides sufficient guarantees for the protection of the rights of data subjects. Inspectorate to impose conditions on the transfer.
The King may issue regulations concerning the transfer of personal data to other countries, including whether to stop or restrict transfers to certain states that do not satisfy the requirements of § 29

Chapter VI. Notification and licensing obligations

§ 31. Notification requirements, the controller shall notify the Data Inspectorate before

A)
processing of personal data by automatic means,

B)
establishing manually person register containing sensitive personal data.

Notice shall be given at least 30 days before commencement of processing. Inspectorate shall give the controller a receipt for that message is received.
New notification must be given before treatment that goes beyond the scope of the treatment specified under § 32. Although there have not been any changes, provide new notification three years after the last notification was given.
The King may issue regulations stipulating that certain methods of processing or administrators are exempt from the notification requirement, subject to simplified notification or subject to licensing obligations. For treatments that are exempted from the notification obligation may be prescribed to limit the disadvantages that the treatment might otherwise entail for the data.

§ 32. Content of the report should disclose

A)
name and address of the controller and if applicable, his representative and the data processor,

B)
when treatment starts,

C)
who has the daily responsibility for fulfilling the duties

D)
purpose of the processing,

E)
overview of the types of personal data to be processed

F)
where personal data are retrieved from,

G)
the legal basis for collecting the data,

H)
whom personal information will be disclosed to, including any recipients in other states, and

I)
which safety is related to the treatment.

King may prescribe regulations regarding the information messages and about the implementation of the notification requirement.

§ 33 Obligation to a concession from the Data Inspectorate to process sensitive personal data. This does not apply to the processing of sensitive personal data is been volunteered.
Inspectorate may decide that treatment other than sensitive personal data requires a license, if treatment is otherwise obviously would violate weighty privacy interests. In assessing whether a license is required, inter alia Inspectorate pay attention to the person on its type, amount and purpose of the processing.
If Inspectorate believes that a license for a treatment would be clearly unnecessary, the Authority may decide that the treatment does not require a license.
The controller may require the Inspectorate determines whether a treatment will require a license.
Obligation by subsections do not apply to processing of personal data in the body of the state or municipality when treatment is authorized by special law.
The King may issue regulations stipulating that certain treatments will not need a license under subsection. Processing methods which are exempt from licensing, may be prescribed to limit the disadvantages that the treatment might otherwise entail for the data.

§ 34. The decision on whether to grant a license In deciding whether to grant a license, it shall be clarified whether the processing of personal data could disadvantage the individual who is not remedied by the provisions of Chapters II-V and conditions pursuant to § 35. In if so, it must be considered whether the disadvantages are outweighed by considerations in favor of treatment.

§ 35. Terms of the licensing In the license shall be considered to set conditions for the treatment of such conditions are necessary to minimize the inconvenience processing would otherwise entail for the data.

Chapter VII. Camera surveillance


§ 36. Definition camera surveillance means continuous or regularly repeated surveillance using remote-controlled or automatically operated surveillance camera or other similar equipment that is permanently installed. As camera surveillance is considered both monitoring with and without opportunity for recording audio and video material. The same applies to equipment that can easily be mistaken for a real camera solution.
Camera surveillance can only take place where the conditions are met in accordance with § 37 (general conditions) and §§ 38 to 40 (additional terms).

§ 37. General conditions for camera surveillance Personal Data Act applies in full for all the camera surveillance, cf. § 3 subsection c, with the specifications referred to in the second to fourth paragraphs.
Camera surveillance must be deemed to have significant impact on the prevention and detection of criminal offenses are allowed even if the conditions of § 9 first paragraph a to h are not met. In these cases nor concession under § 33
In assessing what constitutes a legitimate interest under the Personal Data Act § 8 ​​letter f shall be for camera surveillance attaching particular importance on monitoring helps to protect the life or health or prevents repeated or serious criminal offenses.
Camera surveillance should only be regarded as the processing of sensitive personal data where such are an integral part of the information that monitoring includes.

§ 38. Additional conditions by monitoring the place where a limited group of people regularly frequented Camera surveillance of place where a limited group of people regularly frequented is only permitted if there from business needs to prevent a hazard and safeguard interests of employees or the safety of others or the way is a special need for monitoring.

§ 38a. Additional conditions by monitoring the parks, beaches and similar recreational areas that are accessible to the public Camera surveillance of parks, beaches and similar recreational areas that are accessible to the public, is allowed only when the need for monitoring clearly outweigh the individual's interest in not being watched.
In assessing the need for monitoring should pay particular attention to whether the monitoring is paramount to preventing offenses that could endanger life or health, prevent accidents or attend similar philanthropic interests.
In assessing the individual's interest in not being watched, particular emphasis is on how monitoring should be carried, as well as what kind of area to be monitored.

§ 39. Additional terms for disclosure of recordings made by camera surveillance Personal information collected by recordings made by surveillance cameras, may only be disclosed to anyone other than the controller if the one pictured consent or disclosure freedom provided by law. Recordings can nevertheless be disclosed to the police for investigations of criminal offenses or accidents unless the statutory duty of confidentiality precludes.

§ 40. Additional Terms for notification that monitoring takes place On camera surveillance in public places or place where a limited group of people regularly frequented there shall be signs or otherwise made clearly aware that the place being monitored, the monitoring is necessary includes sound recordings and who is the controller.

§ 41. Regulations The King may issue regulations with further provisions on surveillance cameras and recording in connection with such monitoring, including the protection, use and deletion of recordings made by camera surveillance and on the right for the surveillance in those parts of the footage where he or she appears. It can also be prescribed that record may be disclosed beyond the requirements of § 39

Chapter VIII. Supervision and sanctions

§ 42. Data Inspectorate organization and functions of Inspectorate is an independent administrative body subordinate to the King and ministry. King and the Ministry may give instructions regarding or reverse the Data Inspectorate's exercise of authority in individual cases under the Act.
Inspectorate headed by a director appointed by the King. The King may decide that the director shall be appointed for a fixed term.
Inspectorate shall

1)
a systematic and public inventory of all treatments that are registered under § 31 or consented under § 33, with information mentioned in § 18, first paragraph. § 23,

2)
process applications for licenses, receive messages and consider whether to grant an order where the law provides for this,

3)
ensure that laws and regulations applicable to the processing of personal data are complied with, and that errors or omissions are corrected,

4)

Keep abreast and inform the general domestic and international developments in the processing of personal data and on the problems related to such treatment,

5)
identify risks for privacy, and advise on how they can be avoided or minimized

6)
provide advice and guidance on issues of privacy and security of personal information to those planning to process personal data or develop systems for such treatment, including assisting in the preparation of industry codes of conduct,

7)
by request or on its own initiative provide opinions on issues concerning the processing of personal data and

8)
give the King an annual report on its activities.

Decisions Data Inspectorate pursuant to § 9, § 12, § 27, § 28, § 30, § 33, § 34, § 35, § 44, § 46 and § 47 may be appealed to the Data Protection Tribunal. Decisions taken pursuant to § 27 or § 28 may be further appealed to the King if the decision pertains personal data processed for historical purposes.

§ 43. Privacy Appeals Board organization and functions of the Data Protection Tribunal decides appeals concerning the Data Inspectorate's decisions, ref. § 42 fourth paragraph. The Tribunal is an independent administrative body subordinate to the King and ministry. § 42 first paragraph, second sentence shall apply accordingly.
Privacy Board has seven members who are appointed for four years with the possibility of reappointment for another four years. Chairman and deputy chairman are appointed by the Parliament. The other five members are appointed by the King.
Protection Tribunal may decide that the chairman or vice chairman along with two other board members may deal with complaints against decisions must be settled without delay.
The Privacy King an annual report on the treatment of complaints.
Proceedings regarding the validity of the Privacy Appeals Board decisions directed against the state by the Privacy Appeals Board.
The King may issue further rules on Privacy Board organization and administrative procedures.

§ 44. The supervisory authorities access to information Inspectorate and the Privacy Appeals Board may require the information necessary to enable them to conduct their duties.
Inspectorate may as part of its control with the statutory provisions, to demand access to places where personal records, monitoring equipment and image recordings mentioned in § 37, personal data processed electronically and aids for such treatment. Authority may carry out tests or inspections as it considers necessary and require assistance from the personnel to the extent necessary to carry out the tests or checks.
The right to request information or access to premises and aids pursuant to subsections apply notwithstanding any confidentiality.
King may issue regulations concerning exemptions from subsections for reasons of national security. The King may also issue regulations concerning the reimbursement of expenses incurred control.

§ 45. Confidentiality of supervisory employees in Inspectorate, members of the Data Protection Tribunal and others who perform services for the supervisory authorities, the provisions on confidentiality in the Public Administration §§ 13 ff. The duty of confidentiality also covers information on safety measures, cf. § 13.
Inspectorate and the Privacy Appeals Board may, notwithstanding the duty of confidentiality under subsection provide information to foreign authorities when it is necessary to make a decision as part of its supervisory activities.

§ 46. Violation charges. Order changes or cessation of illegal treatments Inspectorate may order the person who has violated this Act or regulations pursuant thereto, to pay a sum of money to the Treasury (violation charges) up to 10 times the basic national insurance amount. Individuals can only fined for a willful or negligent violations. An entity can not subject to administrative fines if the violation is due to circumstances beyond the firm's control.
In assessing whether infringement penalties to be imposed, and at sentencing, particular emphasis is on

A)
how serious violation has violated the interests of the Act protects,

B)
degree of guilt,

C)
whether the offender by guidelines, instruction, training, inspection or other measures could have prevented the violation,

D)
whether the offense is committed to promote violators interests

E)
whether the offender has had or could have obtained some benefit in the contravention

F)
whether there is repetition,

G)
about other reactions as a result of the violation are imposed offender or a person acting on behalf of this, including whether any individual is punished and

H)
violators financial ability.


The time limit is four weeks after the decision on administrative penalties are final. If a decision on administrative penalties brought before a court, it can test all aspects of the case.
Inspectorate may order that the processing of personal data in violation of the provisions in or pursuant to this Act shall cease, or impose conditions that must be met for that treatment shall be in accordance with the law.

§ 47. Coercive fines In imposing under § 12, § 27, § 28 and § 46 Data Inspectorate may impose a coercive fine that runs every day from the expiry of the deadline set for compliance with the order until the order is fulfilled .
Coercive fine shall not before the appeal deadline has expired. If the decision is appealed, runner not coercive prior Protection Tribunal has determined it.
Inspectorate may waive fines.

§ 47 a. Collection of reimbursement claims, infringement penalties and fines Reimbursement Requirements referred to in § 44, violation penalty under § 46 and penalty according to § 47 is enforceable by execution.

§ 48. Penalties fines or imprisonment not exceeding one year or both to anyone who willfully or through gross negligence

A)
failing to notify under § 31,

B)
process personal information without the necessary license pursuant to § 33,

C)
contravenes conditions laid down under § 35 or § 46,

D)
failing to comply with orders from Inspectorate according to § 12, § 27, § 28 or § 46,

E)
processes personal data in contravention of § 13, § 15, § 26 or § 39, or

F)
fails to provide information pursuant to § 19, § 20, § 21, § 40 or § 44

In particularly aggravating circumstances, imprisonment for up to three years may be imposed. In deciding whether there are especially aggravating circumstances should be emphasized at the risk of great harm or inconvenience to the data, the gain sought by the infringement, the infringement duration and scope, guilt, and whether the controller has previously been convicted of having violating similar provisions.
In regulations issued pursuant thereto, may be provided that any person who willfully or through gross negligence violates such regulations shall be punished by fines or imprisonment not exceeding one year or both.

§ 49. Compensation The controller shall compensate any damage suffered as a result of that personal data is processed in violation of the provisions in or pursuant to law, unless it is proved that the damage is not due to the fault or neglect of the data controller side.
Controllers who provide credit information and who have communicated information which proves to be inaccurate or clearly misleading, shall compensate for damage suffered as a result of the erroneous communication, irrespective of whether the damage was caused by fault or neglect on the data controller side.
The compensation shall correspond to the financial loss incurred by the injured party as a result of the unlawful processing. The controller may also be ordered to pay such compensation for damage of non-pecuniary damage (reparation) which seems reasonable.

Chapter IX. Commencement. Transitional rules. Amendments to other laws

§ 50 Commencement This Act comes into force from the date decided by the King. The King may determine that certain provisions of the Act shall come into force at different times.

§ 51. Transitional provisions
1.
For treatment of personal data that commenced prior to the entry into force and for which notification or licensing pursuant to the provisions of Chapter VI, shall be notified in accordance with § 31 or apply for a license from the Data Inspectorate pursuant to § 33 within one years from the effective date. If the treatment is carried out under license pursuant to the Personal Data Registers Act § 9, the deadline for sending notification or applying for a license two years from entry into force. Until notification is sent or the Data Inspectorate has granted a license, personal data may be processed according to the rules of the Personal Data Registers Act.

2.
A consent as a registered've given before the law comes into force shall still apply, if it satisfies the conditions of § 2 no. 7.

3.
Complaints Inspectorate receives after the law enters into force, processed by the Privacy Appeals Board.

4.
The King may issue further transitional rules.

§ 52. Amendments to other laws in other laws amended as follows: - - -