Data & Privacy ยท Norway
Data protection & GDPR compliance in Norway (2026)
Norway shaded by its data & privacy status
Data protection in Norway: comprehensive law, under Personal Data Act 2018 (personopplysningsloven), which incorporates the EU GDPR into Norwegian law via the EEA Agreement; supervised by Datatilsynet (the Norwegian Data Protection Authority)..
Norway has a comprehensive, GDPR-based personal-data protection regime. As an EEA member, it incorporated the EU GDPR into national law through the Personal Data Act (personopplysningsloven), which entered into force on 20 July 2018 and adds Norwegian-specific adaptations. The independent supervisory authority is Datatilsynet, with appeals heard by the Privacy Appeals Board (Personvernnemnda) and ultimately the courts.
GDPR & data protection in Norway
In Norway, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Norwegian Data Protection Authority (Datatilsynet).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Norwegian Data Protection Authority (Datatilsynet)
- Applies to
- any organisation processing the personal data of people in Norway, wherever the organisation is based
- Maximum fine
- โฌ20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Norway supplements it with a national data-protection act and its own supervisory authority.
GDPR in Norway: FAQ
Yes. As an EU/EEA member, Norway applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Norwegian Data Protection Authority (Datatilsynet).
The Norwegian Data Protection Authority (Datatilsynet).
Up to โฌ20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The Personal Data Act (personopplysningsloven) makes the GDPR Norwegian law and supplements it with national rules under the GDPR's 'opening clauses'. It took effect on 20 July 2018, the date the GDPR became applicable in Norway via the EEA Agreement.
Datatilsynet (the Norwegian Data Protection Authority), headquartered in Oslo and originally established in 1980, is the independent supervisor; it acts free of government instruction in individual cases.
Datatilsynet exercises the full Article 58 GDPR investigative and corrective powers, including audits, processing bans, reprimands and administrative fines of up to EUR 20 million or 4% of global annual turnover.
Decisions of Datatilsynet can be appealed to the Privacy Appeals Board (Personvernnemnda), a seven-member collegial body; its rulings are final administratively but can be challenged in court.
Datatilsynet is among Europe's more active enforcers; in 2025 the Court of Appeal upheld its large fine against Grindr, and it issued a NOK 4 million fine against Telenor (March 2025) over DPO/organisational obligations.
Standard GDPR rights (access, rectification, erasure, portability, objection) and controller/processor duties (lawful basis, transparency, security, breach notification, DPIAs, DPOs) apply, with some sector adaptations in national law.
Timeline - major decisions & events
Norway's second-highest court confirmed Datatilsynet's record fine against Grindr LLC for sharing users' location, device IDs, and app-use data (inferring sexual orientation and HIV status) with ad-tech partners without valid GDPR consent. The ruling cements the principle that sharing identifiers tied to a sensitive-category app constitutes disclosure of special-category data under GDPR Art. 9.
Datatilsynet โThe Ministry of Digitalisation and Public Governance published a draft Act to incorporate the EU AI Regulation (2024/1689) into Norwegian law via the EEA Agreement, proposing a multi-agency supervisory model with Datatilsynet as market surveillance authority for law-enforcement AI uses. Enactment is targeted for mid-2026, in line with the EU's own timeline.
Norwegian Ministry of Digitalisation and Public Governance โNorway's DPA issued a NOK 4 million fine against the country's largest telecom for failing to ensure the Data Protection Officer's independence and a direct reporting line to top management, violating GDPR Arts. 37-39 and 24. The case was handled via the GDPR cooperation mechanism together with the Swedish and Danish DPAs.
Datatilsynet โThe Norwegian Labour and Welfare Administration was fined NOK 20 million and issued multiple binding remediation orders for systemic IT security failures and inadequate data protection governance affecting millions of welfare recipients. The decision signalled Datatilsynet's willingness to use escalating sanctions against public bodies that fail to remediate.
Datatilsynet โFollowing Norway's Art. 66(2) referral, the European Data Protection Board issued an urgent binding decision instructing the Irish DPA to permanently ban Meta from relying on contract or legitimate interest as legal bases for behavioral advertising across all EEA states. This was the first successful use of the GDPR's cross-border emergency escalation mechanism, triggered and led by Norway.
European Data Protection Board โThe Norwegian Personal Data Processing Appeals Board (Personvernnemnda) upheld Datatilsynet's 2021 fine in full, rejecting Grindr's arguments on legal basis and proportionality. The confirmed fine remained the largest GDPR penalty issued by any Nordic supervisory authority.
Datatilsynet โNorway's DPA imposed a three-month temporary ban on Meta Ireland processing Norwegian users' data for behavioral advertising under contract or legitimate interest legal bases, the first Nordic use of the GDPR's emergency unilateral powers. Norway then referred the matter to the EDPB in September 2023, leading to the EEA-wide permanent ban.
Datatilsynet โNorway's DPA fined Grindr for sharing users' precise location, device identifiers, and app-use data with advertising partners without valid consent from July 2018 to April 2020; the disclosure was deemed to reveal sexual orientation under GDPR Art. 9. At the time, it was the largest fine per capita issued by any European DPA.
Datatilsynet โThe GDPR was formally incorporated into the EEA Agreement (Annex XI) and Norway's supplementing Personal Data Act 2018 (LOV-2018-06-15-38) took effect simultaneously, binding Norway to GDPR obligations identical to EU Member States. The Act sets the consent age for children at 13 and adds national rules on employment data, research, and national ID numbers.
Lovdata โ Norwegian Official Legislation Portal โA Storting constitutional amendment added ยง102, explicitly guaranteeing every person the right to respect for private and family life, home, and communications. This elevated data privacy to a fundamental constitutional right, providing a domestic constitutional foundation that reinforces and co-exists with the GDPR framework adopted four years later.
Lovdata โ Norwegian Constitution โNorway enacted a comprehensive new Personal Data Act (Lov-2000-04-14-31) transposing the EU's first harmonised data protection directive, replacing the 1978 Personal Data Registers Act. The Act introduced formal data subject rights, controller obligations, and expanded Datatilsynet's investigative and sanctioning powers.
Lovdata โ Norwegian Official Legislation Portal โNorway enacted Lov-1978-06-09-48 (Personregisterloven), one of the world's first national data protection statutes, and established Datatilsynet (the Data Inspectorate) as an independent supervisory authority commencing operations in 1980. This placed Norway at the global vanguard of privacy regulation and created the institutional architecture that underpins today's GDPR enforcement.
Datatilsynet โNorway - other topics
Data & Privacy in other countries
Last verified 5/23/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ