Data & Privacy · Iceland
Data protection & GDPR compliance in Iceland (2026)
Iceland shaded by its data & privacy status
Data protection in Iceland: comprehensive law, under Act No. 90/2018 on Data Protection and Processing of Personal Data (implementing EU GDPR via EEA Agreement); supervised by Persónuvernd (Icelandic Data Protection Authority).
Iceland is a member of the European Economic Area (EEA) and, as such, the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies in full. Iceland implemented the GDPR domestically through Act No. 90/2018, which entered into force on 15 July 2018 and mirrors the GDPR's principles, obligations, and data-subject rights. Persónuvernd acts as the national supervisory authority and is a non-voting member of the European Data Protection Board (EDPB).
GDPR & data protection in Iceland
In Iceland, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Icelandic Data Protection Authority (Persónuvernd).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Icelandic Data Protection Authority (Persónuvernd)
- Applies to
- any organisation processing the personal data of people in Iceland, wherever the organisation is based
- Maximum fine
- €20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Iceland supplements it with a national data-protection act and its own supervisory authority.
GDPR in Iceland: FAQ
Yes. As an EU/EEA member, Iceland applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Icelandic Data Protection Authority (Persónuvernd).
The Icelandic Data Protection Authority (Persónuvernd).
Up to €20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The Icelandic Parliament enacted Act No. 90/2018 on Data Protection and Processing of Personal Data in July 2018 to transpose the GDPR into national law via the EEA Agreement. It covers all automated and relevant manual processing by controllers and processors established in Iceland, or targeting individuals there.
Persónuvernd (personuvernd.is) is Iceland's independent data protection authority, constituted as the supervisory authority for GDPR Article 51 purposes. It investigates complaints, conducts audits, issues guidance, and participates in EDPB consistency mechanisms as a non-voting member.
Controllers must satisfy one of the GDPR's six lawful bases (consent, contract, legal obligation, vital interests, public task, or legitimate interests); stricter conditions apply to special-category data. Data subjects hold the full GDPR suite of rights: access, rectification, erasure, restriction, portability, and objection.
Act 90/2018 mirrors the GDPR's two-tier fine structure: up to ISK 1.2 billion or 2% of global annual turnover for lower-tier violations (security, DPIAs, records), and up to ISK 2.4 billion or 4% for higher-tier violations (core principles, data-subject rights, international transfers). Intentional, profit-driven breaches can result in up to three years' imprisonment.
Persónuvernd's 2025 annual report identified cybersecurity incidents, health-data processing, and AI governance as its top supervisory priorities. The authority also published new rules on workplace electronic monitoring, alongside model consent labels and guidance on email/internet monitoring.
The EU AI Act entered into force on 1 August 2024 and becomes fully applicable by August 2026. As an EEA EFTA state, Iceland requires a separate EEA Joint Committee decision to incorporate the AI Act; Persónuvernd is expected to play a supervisory role for AI systems once incorporated.
Iceland - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →