ICELAND

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

Name: Act no. 90/2018 on Data Protection and the Processing of Personal Data

Status: Adopted

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

SPECIFYING REQUIREMENT: The age of consent for a child is 13 years old (Art 10 Icelandic Act).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

No Deviation

CCTV (ART 6)

SPECIFYING REQUIREMENT: The collection of personal data from electronic monitoring, including audiovisual monitoring, that includes sensitive data or information on criminal conduct is permitted if certain conditions are met, such as that any content collected is deleted when no longer necessary or, if the monitoring is carried out in the workplace, that employees are clearly informed of the monitoring and of who the responsible person is (Art 14 Icelandic Act).

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

SPECIFYING REQUIREMENT: Official authorities may not process personal data relating to criminal convictions and offenses unless it is necessary for the purpose of their statutory tasks. Such data cannot be disclosed unless (1) the data subject has provided explicit consent; (2) it is necessary for the legitimate interests of the public or private sector, which clearly outweigh the interests of confidentiality of the information, including the interests of the data subject; or (3) it is necessary for the legitimate tasks of the relevant authority or for the authority’s decision, or for public-sector projects that have been legally entrusted to private entities. Private entities may only work with such data if the data subject has given explicit consent or the processing is necessary for legitimate interests that clearly outweigh the fundamental rights and freedoms of the data subject (Art 12 Icelandic Act). 

INFORMATION OBLIGATION (ART 13 & 14)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

SPECIFYING REQUIREMENT: Art 13(1)–(3), 14(1)–(4), and 15 GDPR do not apply if the interests of data subjects are of greater importance. 

The rights granted by Art 13–15 GDPR can be restricted by legislative measures if such limitations of fundamental rights and freedoms are necessary and proportionate in a democratic society to safeguard Art 23(a)–(e) and (j) GDPR; the protection of the data subject, vital public interests, or the fundamental rights of others; and legal provisions related to confidentiality. Such rights restrictions also apply to personal data in working documents used in preparation for a controller’s decisions, if it has not been distributed to others, to the extent necessary to ensure the preparation of the proceedings. 

Information regarding cases that are being processed by official authorities may be exempt from access under Art 15(1) GDPR to the same extent as applies according to the exceptions to information rights under the Information Act and the Administrative Procedures Act (Art 17 Icelandic Act).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION IMPACT ASSESSMENT (ART 35)

SPECIFYING REQUIREMENT: Authorization for scientific research in the field of health is governed by the Act on Scientific Research in the Health Sector (Art 34 Icelandic Act). 

DATA PROTECTION OFFICER (ART 37(4))

No Deviation

CERTIFICATION (ART 42)

No Deviation

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

No Deviation

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

SPECIFYING REQUIREMENT: Failure to comply with the SA’s instructions in relation to Art 42(6), (7), and (9) of the Act (i.e., a temporary or permanent ban on processing; rectification or deletion of data or restriction of processing, with notification of such measures to the recipients of the data; temporary suspension of data flows to recipients in a third country or to an international organization) may result in daily fines of up to ISK 200,000 (Art 45 Icelandic Act).

The SA may impose administrative fines from ISK 100,000 to ISK 1.2 billion pursuant to Art 83(4) GDPR, and from ISK 100,000 to ISK 2.4 billion pursuant to Art 83(5) GDPR. Fines may be imposed on individuals and legal entities, including authorities and institutions that fall within the scope of the Administrative Procedures Act (Art 46 Icelandic Act).

ADMINISTRATIVE SANCTIONS (ART 83)

SPECIFYING REQUIREMENT: Gross violations of the Act may lead to imprisonment of up to three years. 

Violations of confidentiality obligations under Art 36 and 44 of the Act are subject to fines or imprisonment of up to one year. However, for certain violations, imprisonment may be up to three years (Art 48 Icelandic Act).

FREEDOM OF EXPRESSION AND INFORMATION (ART 85)

No Deviation

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

SPECIFYING REQUIREMENT: Art 15, 16, 18, and 21 GDPR do not apply to processing of personal data for scientific or historical purposes or statistical purposes if such rights are likely to render impossible or significantly impede the achievement of the purposes.

Art 15, 16, and 18–21 GDPR do not apply to processing of personal data for archiving purposes in the public interest if such rights are likely to render impossible or significantly impede the achievement of the purposes. An individual may submit a declaration of preservation of his/her personal data (Art 18 Icelandic Act).

OBLIGATIONS OF SECRECY (ART 90)

No Deviation

REMARKS

No Deviation