Data & Privacy · Norway
Data & Privacy - Norway
Norway has a comprehensive, GDPR-based personal-data protection regime. As an EEA member, it incorporated the EU GDPR into national law through the Personal Data Act (personopplysningsloven), which entered into force on 20 July 2018 and adds Norwegian-specific adaptations. The independent supervisory authority is Datatilsynet, with appeals heard by the Privacy Appeals Board (Personvernnemnda) and ultimately the courts.
The Personal Data Act (personopplysningsloven) makes the GDPR Norwegian law and supplements it with national rules under the GDPR's 'opening clauses'. It took effect on 20 July 2018, the date the GDPR became applicable in Norway via the EEA Agreement.
Datatilsynet (the Norwegian Data Protection Authority), headquartered in Oslo and originally established in 1980, is the independent supervisor; it acts free of government instruction in individual cases.
Datatilsynet exercises the full Article 58 GDPR investigative and corrective powers, including audits, processing bans, reprimands and administrative fines of up to EUR 20 million or 4% of global annual turnover.
Decisions of Datatilsynet can be appealed to the Privacy Appeals Board (Personvernnemnda), a seven-member collegial body; its rulings are final administratively but can be challenged in court.
Datatilsynet is among Europe's more active enforcers; in 2025 the Court of Appeal upheld its large fine against Grindr, and it issued a NOK 4 million fine against Telenor (March 2025) over DPO/organisational obligations.
Standard GDPR rights (access, rectification, erasure, portability, objection) and controller/processor duties (lawful basis, transparency, security, breach notification, DPIAs, DPOs) apply, with some sector adaptations in national law.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice. English version →