
Data Protection in Norway
In this guide you can get a brief overview of data protection law in Norway, including how the GDPR applies under the EEA Agreement, Norwegian-specific rules on national identity numbers and employee monitoring, and the role of the Norwegian Data Protection Authority.
This article is part of our Doing Business in Norway guide.
Introduction
This guide provides a practical introduction to Norwegian data protection law for foreign businesses operating in Norway or considering a Norwegian presence, whether through a Norwegian branch office or a Norwegian subsidiary. The guide focuses on the rules most relevant to day-to-day operations and highlights where Norwegian law goes beyond the GDPR framework that many foreign businesses will already be familiar with.
GDPR applies in full
While Norway is not a member of the European Union, it is a contracting party to the Agreement on the European Economic Area (the “EEA Agreement”), on which basis it incorporates the significant portion of the EU regulatory framework (incl. the GDPR into Norwegian law.
The GDPR therefore applies in Norway in the same way as in EU member states, with the same scope, obligations and sanctions. The GDPR was implemented into Norwegian law through the Personal Data Act of 2018, which both gives the GDPR force of law and adds several Norwegian-specific rules on top of it.
The Norwegian Data Protection Authority is the competent supervisory authority. It is an active regulator that publishes detailed guidance, conducts inspections and has issued substantial administrative fines against both Norwegian and foreign companies.
For a foreign business with a Norwegian subsidiary or branch, the GDPR’s establishment-based territorial scope will typically apply. Processing activities carried out in the context of the Norwegian establishment must comply with the GDPR, regardless of where the actual processing takes place. Even without a formal establishment, a foreign company targeting Norwegian consumers or monitoring individuals in Norway may fall within the GDPR’s extraterritorial reach under Article 3(2).
Norwegian-Specific Rules: What Foreign Businesses Need to Know
The Personal Data Act supplements the GDPR in several respects that are particularly relevant to foreign businesses with a Norwegian footprint.
National Identity Numbers
Section 12 of the Personal Data Act imposes restrictions on the processing of Norwegian national identity numbers and D-numbers that go beyond the ordinary GDPR framework. Such numbers may only be processed where there is a clear and legitimate need for certain identification of the data subject, or where processing is required by law. It is not sufficient that a valid GDPR legal basis exists; the specific necessity condition under Section 12 must be satisfied independently. This requirement is practically relevant for payroll and HR systems, customer onboarding, identity verification, and any operational context in which Norwegian identity numbers would routinely be collected or stored.
Employer Monitoring and Control Measures
Chapter 9 of the Working Environment Act regulates the use of control measures and employee monitoring in the workplace. This covers monitoring of employees’ use of electronic communications, e-mail, internet access, GPS tracking, and video surveillance, among other measures. An employer may only implement a control measure if it has an objective justification in the company’s operational needs and the burden placed on employees is not disproportionate to that purpose.
These requirements apply in addition to, and independently of, the GDPR. Even where a valid legal basis exists under the GDPR for processing employee data, the control measure must separately satisfy the Chapter 9 conditions. Employees must be informed in advance, and the measure should ordinarily be discussed with employee representatives before it is introduced. For foreign businesses accustomed to treating the GDPR as the sole compliance framework for employee monitoring, this additional layer of Norwegian employment law is a significant practical consideration when deploying group-wide HR monitoring solutions or surveillance tools in Norway.
Camera Surveillance
The Regulation on camera surveillance in undertakings contains specific rules on the use of camera surveillance, including requirements regarding signage and the rights of individuals in areas subject to monitoring. Where a Norwegian business premises includes areas accessible to employees or the public, these rules apply alongside the GDPR’s general accountability requirements and may impose obligations that are not obvious from the GDPR text alone.
Accountability and Enforcement
Foreign businesses with a Norwegian establishment should ensure that their group-level GDPR compliance framework accounts for the Norwegian-specific rules described above. This includes appointing a data protection officer where required, maintaining records of processing activities and conducting data protection impact assessments for high-risk processing activities.
Where the Norwegian entity participates in cross-border processing activities within the EEA, the GDPR’s one-stop-shop mechanism may apply. It is worth clarifying at an early stage which supervisory authority will act as lead authority, as this affects where enforcement proceedings may be initiated and where complaints about the company’s processing can be lodged.
The Norwegian Data Protection Authority is generally regarded as an engaged and accessible authority. It publishes sector-specific guidance and provides informal opinions, which can be a valuable resource for businesses seeking to understand their obligations in novel or uncertain situations.
Next Steps
We regularly assist foreign businesses with GDPR and Norwegian data protection compliance, including structuring compliance programmes for Norwegian entities, advising on employee monitoring frameworks, reviewing HR documentation, and providing guidance on dealings with the Norwegian Data Protection Authority.
Contact us today for an informal discussion on how we can assist you.
Last updated: 06 July 2026


