Norway ‘Strongly Recommends’ Victims Be Notified of Data Breaches

    May 11, 2016

    Norway’s data protection authority, Datatilsynet, published a press release on April 11 strongly recommending that data controllers voluntarily provide individualized information to affected individuals when a breach occurs, reported the online privacy journal DataGuidance. According to the report, companies may be ordered to provide notification if they fail to do so on their own. 

    The report quotes Datatilsynet Director Helge Veum, “We believe our position is in line with the modern principle of transparency. Even where the individual cannot take action following the exposure of his/her personal data, we deem there is a right to know per se which deserves protection.”

    Data controllers are required to notify Datatilsynet under the Personal Data Regulations when they discover that confidential personal information has been disclosed to unauthorized persons. In addition, the country’s Personal Data Act (DPA) requires that individuals be provided with information concerning possible disclosure of personal data, including the identity of the recipient.

    While Norway’s laws and regulations do not appear to require an explicit notification duty, rulings by the nation’s Privacy Appeals Board, which was established in Section 43 of the PDA to hear appeals related to decisions made by Datatilsynet, have taken the position that individuals have a fundamental right know when breaches occur.


    The online Global Policy Brief is intended to help you stay current on international news and events. Further information about the issue is accessed by clicking on the link provided at the end of each summary.

    Want to sign up to receive an email version of the Global Policy Brief? It's free! Just tell us a little about yourself and you'll receive a monthly dose of the latest in legislation, regulation, and more.

    © 2017, ARMA International