Implementation Guide for GDPR: Icelandic Edition
In the Nordic island nation of Iceland, the personal data of deceased individuals is not considered personal data under national data protection rules [1]. This means that once a person passes away, their data falls outside the scope of personal data protections that apply to living individuals.
However, it's important to note that other legal or confidentiality obligations may still restrict processing or sharing such data, especially where a duty of confidentiality exists. Accessing deceased persons' data typically requires a demonstrable connection to the deceased, such as descendants or close relatives [5].
The Data Protection Authority in Iceland, known as the Persónuvernd, is responsible for enforcing data protection laws. Their address is Rauðarárstígur 10, 105 Reykjavík, Iceland, and their website is personuvernd.is [2]. While the Persónuvernd has not issued any formal guidance on the application of the GDPR or national implementation law in Iceland, they have taken enforcement action for breaches of the GDPR [8].
Data transfers from public registers in Iceland are not subject to specific rules, and data transfers in Iceland are not subject to restrictions beyond those set out in the GDPR. However, the use of national identification numbers (kennitala) in Iceland is permitted for "objective purposes" and when it is necessary to ensure secure personal identification [3].
In the context of journalism, academic, artistic, or literary expression in Iceland, only certain articles of the GDPR and the Data Protection Act will apply [7]. Challenges to the decisions of the Persónuvernd can be submitted as claims before the relevant courts, but administrative appeals cannot be brought [9].
It's worth noting that there are no specific rules regarding fines for public authorities in Iceland for breaches of the GDPR, and there are no not-for-profit bodies that are specifically mandated to bring claims on behalf of individuals without the specific mandate of those individuals in Iceland.
Under the Data Protection Act, the Persónuvernd has a right to request information or access to offices or computer systems, and such access cannot be limited based on obligations of professional secrecy [6]. In severe cases of breaches of the Data Protection Act, an individual may be sentenced to up to three years of prison, and the representative of a legal entity, or its employees, can also be sentenced to prison in addition to being subject to an administrative fine [4]. A DPO, or an employee of the Persónuvernd, who violates obligations of secrecy can be sentenced to up to one year of imprisonment or, in special circumstances, up to three years [4].
Lastly, there are no specific provisions governing the processing of employee data in the employment context in Iceland. While a controller or a processor in Iceland may be found to be processing data in violation of the GDPR, the Persónuvernd may request that the police temporarily put a stop to operations by the relevant entity and seal the entity's offices [5].
[1] [Source] [2] [Source] [3] [Source] [4] [Source] [5] [Source] [5] [Source] [7] [Source] [8] [Source] [9] [Source]
- White & Case LLP, a global law firm, offers comprehensive legal services related to international litigation, regulatory practice, and intellectual property.
- As a partner at White & Case LLP, an attorney could provide valuable insights on data protection issues, particularly in Icelandic law.
- In addition to offering legal services, White & Case LLP produces various publications on news and developments in law, including health-and-wellness and science-related topics.
- On Whitecase.com, visitors can find updates about the firm's practice areas, client success stories, and other relevant information.
- It's crucial for businesses and public authorities in Iceland to be aware of their compliance obligations under the GDPR and national data protection laws.
- Associates at White & Case LLP can assist organizations in ensuring compliance with these ever-evolving requirements, particularly in the context of employee data processing.
- This firm's services can help mitigate potential risks arising from breaches of data protection laws, thereby safeguarding the public interest and maintaining confidence in the health-and-wellness sector.
- In the event that an organization faces a data breach or non-compliance issue, the Public Data Protection Authority of Iceland, the Persónuvernd, has the power to take enforcement action.
- White & Case LLP's extensive knowledge of international law and litigation strategies can provide valuable support for organizations facing enforcement actions by the Persónuvernd.
- If required, White & Case LLP can represent clients in administrative appeals or court challenges related to data protection decisions made by the Persónuvernd.
