“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The term used in the Personal Data Act, as in the GDPR, is “special categories of personal data”; these are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The Personal Health Data Filing System Act of 2014 refers to “characteristics that directly identify a natural person” (direkte personidentifiserende kjennetegn). The term is, however, not defined and must be understood in light of the definition of “personal data” in the GDPR and the new Personal Data Act; see also the definition of “indirectly identifiable health data” below. Similarly, some sector-specific health legislation, such as the Health Personnel Act, refers to “characteristics that directly identify a natural person” (direkte personentydige kjennetegn).
The Personal Health Data Filing System Act of 2014 refers to the term “indirectly identifiable health data” (indirekte identifiserbare helseopplysninger) as “health data where name, national identity number and other characteristics that identify a person [personentydige kjennetegn] have been removed, but where the data may nevertheless be linked to an individual”.
3. Territorial Scope
3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?
The Personal Data Act applies to the processing of personal data that is carried out in the context of the activities of an establishment of a controller or processor in Norway, regardless of whether the processing takes place within the EEA or not.
A business that is not established in Norway but is subject to the laws of Norway by virtue of public international law is subject to the Personal Data Act.
The Personal Data Act applies to businesses outside the EEA if they (either as controller or processor) process personal data of Norwegian residents in relation to: (i) the offering of goods or services (whether or not in return for payment) to Norwegian residents; or (ii) the monitoring of the behaviour of Norwegian residents (to the extent that such behaviour takes place in Norway).
4. Key Principles
Personal data must be processed lawfully, fairly and in a transparent manner. Controllers must provide certain minimum information to data subjects regarding the collection and further processing of their personal data. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. The GDPR provides an exhaustive list of legal bases on which personal data may be processed, of which the following are the most relevant for businesses: (i) prior, freely given, specific, informed and unambiguous consent of the data subject; (ii) contractual necessity (i.e., the processing is necessary for the performance of a contract to which the data subject is a party, or for the purposes of pre-contractual measures taken at the data subject’s request); (iii) compliance with legal obligations (i.e., the controller has a legal obligation, under the laws of the EU or an EU Member State, to perform the relevant processing); or (iv) legitimate interests (i.e., the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).