Data protection & privacy laws in Iceland (2026)
Iceland is a member of the European Economic Area (EEA) and, as such, the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies in full. Iceland implemented the GDPR domestically through Act No. 90/2018, which entered into force on 15 July 2018 and mirrors the GDPR's principles, obligations, and data-subject rights. Persónuvernd acts as the national supervisory authority and is a non-voting member of the European Data Protection Board (EDPB).
Key points
The Icelandic Parliament enacted Act No. 90/2018 on Data Protection and Processing of Personal Data in July 2018 to transpose the GDPR into national law via the EEA Agreement. It covers all automated and relevant manual processing by controllers and processors established in Iceland, or targeting individuals there.
Persónuvernd (personuvernd.is) is Iceland's independent data protection authority, constituted as the supervisory authority for GDPR Article 51 purposes. It investigates complaints, conducts audits, issues guidance, and participates in EDPB consistency mechanisms as a non-voting member.
Controllers must satisfy one of the GDPR's six lawful bases (consent, contract, legal obligation, vital interests, public task, or legitimate interests); stricter conditions apply to special-category data. Data subjects hold the full GDPR suite of rights: access, rectification, erasure, restriction, portability, and objection.
Act 90/2018 mirrors the GDPR's two-tier fine structure: up to ISK 1.2 billion or 2% of global annual turnover for lower-tier violations (security, DPIAs, records), and up to ISK 2.4 billion or 4% for higher-tier violations (core principles, data-subject rights, international transfers). Intentional, profit-driven breaches can result in up to three years' imprisonment.
Persónuvernd's 2025 annual report identified cybersecurity incidents, health-data processing, and AI governance as its top supervisory priorities. The authority also published new rules on workplace electronic monitoring, alongside model consent labels and guidance on email/internet monitoring.
The EU AI Act entered into force on 1 August 2024 and becomes fully applicable by August 2026. As an EEA EFTA state, Iceland requires a separate EEA Joint Committee decision to incorporate the AI Act; Persónuvernd is expected to play a supervisory role for AI systems once incorporated.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.