GDPR in Norway

In a nutshell: Norway follows the EU’s GDPR through the Personal Data Act. This means the same basic principles and rights as in the EU – plus some Norwegian peculiarities in working life, camera surveillance and use of the national identity number.

What is particularly Norwegian about GDPR?

  • Employer insight into email and files: There are strict conditions for when an employer can open an employee’s email box or private files – the rules are both described by the Data Protection Agency and set out in a separate regulation. For example, access may be legal when there is a reasonable suspicion of gross breaches of duties.
  • Control and monitoring of employees: Datatilsynet has a practical guide for control measures on the job, and since 2024 there has been a clarified prohibition on monitoring employees’ use of electronic devices beyond narrow exceptions.
  • Camera surveillance: Requirement of clear purpose, clear information (signage) and deletion when the purpose is achieved. Covert surveillance is not allowed.
  • National identity number (11 digits): Rules for when and how national identity numbers can be processed – use must be necessary and factual, and there are concrete “do/do not” examples from the authorities.

International transfers (outside the EEA)

Norway uses the same mechanisms as in the EU, typically Standard Contractual Clauses (SCCs) together with a Transfer Impact Assessment to assess legislation and access risks in the recipient country.

Authorities and “one-stop-shop”

The Data Protection Authority is the national authority. In cross-border processing, the Danish Data Protection Agency can act as lead supervisory authority (LSA), coordinating the case across the EEA, e.g. in the Mowi case, where Norway was the lead.

What does this mean for your organization?

  • Use the EU’s baseline for principles, rules, rights and security, and check the Norwegian special rules on working life, CCTV and national identity numbers when doing business in Norway.
  • Before buying systems (SaaS, camera, HR/CRM): clarify processing basis, signage/information, retention periods and data processing agreements according to Norwegian requirements.

Train the entire organization with a GDPR Course

Check out our GDPR online course (Danish/English, approx. 30 min., 7 modules). It provides a common, documentable level and can be adapted to your policies.