New technology has increased the potential for personal data to be exploited for commercial or political purposes. At the same time, there is a strong European tradition of giving citizens control over their own personal data. Today’s data protection regulations have not kept pace with the enormous developments in the use of personal data that we have seen over the past 20 years. For this reason, the EU has adopted a new set of rules to protect our digital privacy, the General Data Protection Regulation or GDPR.
What is the EU’s General Data Protection Regulation (GDPR)?
The EU’s General Data Protection Regulation (GDPR) strengthens the rights that European citizens have over their own personal data. It also requires organisations that hold such data to reinforce their privacy and data protection capabilities through a systematic and holistic approach to data processing. In Norway, the regulation is enforced by the Norwegian Data Protection Authority (Datatilsynet), which has been granted wide-ranging competence to impose sanctions in the event of non-compliance. The GDPR will apply not only to all organisations (both commercial and not-for-profit) in the EU and EEA area, but also to organisations outside the EU that process personal data on European citizens. This means, for example, that major US companies like Facebook, Google and Microsoft must also comply with the GDPR.
The regulations set out when and how it is permitted to process personal data, and grant each data subject (the person to whom the personal data refers) rights that the companies holding the data must fulfil. These companies are also subject to requirements relating to the use of external service providers (data processors), such as cloud services and data system suppliers, the transfer of data out of the EU/EEA area, internal control, confidentiality/disclosure, subject access and information security.
How can SANDS help?
The regulatory framework is changing rapidly. Norwegian companies are often poorly prepared to prove that they comply with the regulations. It is not unusual for some to hide behind excuses, claiming that the regulations are impenetrable or that their area of application and scope are insufficiently understood.
SANDS’ Digital Privacy and Data Protection Group consists of six lawyers, who help Norwegian and international clients to adapt to the new regulations and otherwise keep up to date on all aspects relating to the processing of personal data. In light of the GDPR, many companies have suddenly realised that the processing of personal data is constrained by Norwegian law. Many are surprised by what is already required by the regulations applicable even before the GDPR comes into force.
We can help clients to prepare and negotiate data processing agreements, analyse and determine the grounds for data processing, draw up privacy policies, establish grounds for the transfer of personal data to jurisdictions outside the EU/EEA, develop deletion routines and perform impact and risk assessments. We can also assist with profiling, internal training on the regulations governing personal data, the establishment of routines and internal control systems, contact with the regulatory authorities, questions relating to big data, analytics, predictive analyses and all aspects of personal data protection relating to cloud services, etc. We are closely monitoring the practical implementation of the GDPR, and keep fully up to date on the technological developments as well.
SANDS serves many major companies in a large number of different sectors, including technology, health, finance and retail.