Iceland - Data Protection
History of Data Protection in ICELAND
The first Icelandic Act concerning data protection was the Act Respecting Systematic Recording of Personal Data, which was passed in 1989.
On 1 January 2001 a new Act on the Protection and Processing of Personal Data, No. 77/2000, entered into force. This Act aimed to implement Directive 95/46/EC into Icelandic law, and indeed the EC granted Iceland an adequacy agreement soon after.
The Icelandic Data Protection Authority is charged with ensuring that any processing of data to which the Act applies is conducted lawfully.
Summary of Data Protection in ICELAND
|Title of Data Protection Legislation||Act on the Protection and Processing of Personal Data, No. 77/2000|
|Name of supervisory authority||The Data Protection Authority|
|General Powers of supervisory authority||
Section 37 of the 2000 Act states that the Personal Data Protection Authority must ensure that the Act is complied with.
Section 37 goes on to say that "the Authority may consider individual cases on its own accord, or upon the reception of a communication from someone alleging that data have not been handled as required by this Act", before listing the tasks of the Authority. These include:
- Deciding on applications for permits, receiving notifications, and ordering, as necessary, any measures relating to technology, safety and organisation of data processing in order to ensure that this takes place as required in this Act;
- Monitoring the general trends within the field of personal data protection domestically as well as abroad, and maintaining an overall view of, and providing information on, the chief issues in the field of personal data protection;
- Providing guidance to parties planning to process personal data, or developing systems for such processing as regards protection of personal data, including by provision of assistance in the compilation of professional and ethical codes for individual groups and professions;
- Providing statements, upon request or of its own initiative, on issues concerning the processing of personal data, and providing opinions on bills and proposed administrative provisions of significance for the protection of personal data.
Section 38 states that the Authority "may request from a controller, a processor and any party working on their behalf any information and written explanations necessary in order for it to perform its functions […] the Authority may also summon a controller, a processor or any party working on their behalf to a meeting for provision of oral information and explanations concerning a certain processing of personal information. When exercising its control functions, the Personal Data Protection Authority shall, without judicial warrant, have access to premises where personal data are being processed and where data are stored […]"
Section 40 states that the Authority "may order cessation of the processing of personal data, including collection, registration and disclosure, order partial or total erasure of personal data or deletion of files, prohibit further use of personal data, or order the controller to take measures that ensure lawful processing".
|Who has standing to notify the supervisory authority of breaches?||The data subject. See Article 37 of the Act on the Protection and Processing of Personal Data.|
|What are the penalties for data controllers if they breach the law?||Article 42 of the 2000 law sets out the penalties for data controllers who are in breach of the law. Breaches are punishable by a fine or by imprisonment, "unless more severe sanctions are provided for in other acts of law".|
|Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)?||
Article 10 of the 2000 law sets out the conditions for "the usage of the national identification number". It states: "The national identification number may be used if it is done for apposite purposes and it is necessary to ensure a correct identification of a person. The Authority can prohibit or order that the national identification number be used".
|Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate?||It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. See Article 8 of the 2000 law.|
|Does the Data Protection Legislation cover the deceased?||Yes|
|Who is able to indirectly identify the data subject?||Anybody|
- Act on the Protection of Individuals with regard to the Processing of Personal Data no. 77/2000
- Act on Biobanks no. 110/2000
- Act on a Health Sector Database no. 139/1998
- Regulation on Health Sector Database
- Icelandic Data Protection Authority
- Mannverd (Association of Icelanders for Ethics in Science and Medicine)
- Professor Einar Árnason 'Personal Identifiability in the Icelandic Health Sector Database' from Journal of Information, Law & Technology, 2002 Issue 2.