The GDPR

At first glance, the General Data Protection Regulation might seem like a cumbersome chore. More rules! Complex legal texts! Loads of stuff! But actually, there are many good reasons to appreciate the GDPR.
One thing is our rights as individuals. Not only are these strengthened, they are the same everywhere. The same rules apply whether we are—or leave digital footprints—in Norway, Sweden, Portugal, Hungary, Poland, the Czech Republic or anywhere else in the EU/EEA.
In many ways, the law also makes things simpler for businesses. It clarifies what's acceptable and what isn't. An important purpose of the legislation is actually to enable free flow of personal data within the EU and EEA. The desire for open borders and an open market applies here just as it does in other areas.
Moreover, the law can provide a competitive advantage to European companies, as consumers can trust that they uphold their privacy. In the worst-case scenario, violations can be penalised with large fines—up to 20 million euros, or four per cent of global turnover.

What is considered personal data?

Obvious examples of personal data are things like names, personal numbers, addresses, and telephone numbers. The same applies to location and various tracking technologies and identifiers that make it possible to track your activity online.
But as we've already seen, the term’s scope is even broader. It applies to all information specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity—including health information, fingerprints, IP addresses, social media profiles, DNA, and so on.
Sometimes we may have information where it is not immediately clear who it concerns. This can still be personal data, because it can be linked to a person when the information is combined with other data sets—like a puzzle falling into place.

The GDPR: Who's who and what's what

There are some terms and expressions you will undoubtedly encounter in connection with the General Data Protection Regulation. Let's quickly go through some of the most important ones before we continue, so that we all have the same vocabulary.

Data controller and data processor

A data controller is the entity that determines the processing of personal data and is primarily responsible for complying with the GDPR. They decide the purpose of the processing and the means to be used.
This is in contrast to a data processor—such as an IT provider—who processes personal data on behalf of the data controller. Between these, a data processing agreement should exist.
The data processor can be seen as a kind of subcontractor, and they often have their own subcontractors under them—who are also data processors. It is important to remember that as a data controller, you are responsible for everything that happens down this chain.

Data processing agreement

A data processing agreement ensures that the data processor cannot do as they please with the personal data they have access to, and that they may only process it according to the data controller's directives.
The data processing agreement should specify the processing, the data controller's obligations and rights, and the data processor's duties. The EU has a standard agreement template that one can base this on.

National data protection authorities (DPA)

DPAs are the supervisory authorities for the General Data Protection Regulation in each EU/EEA member state. They ensure that the law is upheld within each country, and can impose fines.
There are also other bodies, like Norway’s Privacy Appeals Board (Personvernnemnda), to which one can appeal a decision from the DPA.

The data subjects

The GDPR has a term called “the data subjects”—referring to those to whom the information can be linked. Think of it as a different way to say “those it concerns”.

Data protection officer

A Data Protection Officer is simply a company's privacy expert. All data controllers can have a Data Protection Officer, but for some it is mandatory—for example, businesses that process personal data on a large scale.

When and where does the GDPR apply?

Are you breaking the law if you share a colleague's phone number with others at work? Or if you write someone's name on a birthday present? Of course not. But if the General Data Protection Regulation does not apply in all contexts, where is the line drawn?
The legislation is hard to sum up in a couple of sentences, but we can give some rules of thumb for when and where the GDPR applies—and when it does not.

When does the GDPR apply?

The GDPR typically applies in cases where one or more of the following are true:
  • The processing is entirely or partially automated (typically processing done by computers or integrated into digital systems)
  • The personal data is structured; it is part of a register
  • The processing is linked to commercial activity
You should be most aware of the GDPR if you work with digital data where the processing is entirely or partially automated. But note that it can also apply to manual processing, as the regulation covers information in registers too. In other words, the GDPR does not only apply to digital data—although we rarely have such registers on paper these days.
An exception to these rules is if the processing is linked to purely personal or family-related activities. You are still perfectly entitled to write down who you want to invite to your birthday party—with full name and phone number—without worrying about the Data Protection Authority knocking on your door.
Cases like investigation, prosecution, and national security may also be exempt from the GDPR.
The General Data Protection Regulation was, as mentioned, introduced in the EU/EEA in 2018. All data controllers established in the EU/EEA are obliged to follow the legislation. But what if you, for example, use websites and services from companies and servers in Turkey, Russia, the USA, or China?
The GDPR is designed to protect your rights in these instances too. If companies from other parts of the world want to offer goods and services within the EU/EEA—or they want to track, monitor or target messages towards European citizens—they must also comply with the General Data Protection Regulation.