General Introduction
On 15 July 2018, a new Act on Data Protection and the Processing of Personal Data, No. 90/2018, entered into force. The act substitutes the Act no. 77/2000 on the Protection of Privacy as regards the Processing of Personal Data.
The Act implements the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The purpose of the Act is to promote the practice of personal data being processed in conformity with the fundamental principles of data protection and the right to privacy, and to ensure the accuracy and quality of personal data and the free movement of personal data within the EEA. The Act applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to for part of a filing system.
The Icelandic Data Protection Authority consist of a Board and a Secretariat. A managing director (Data Protection Commissioner) is in charge of daily management of the Secretariat.
The decisions made by the Icelandic Data Protection Authority are final and may not be brought before any other administrative authority. The Authority's decisions, on the other hand, can be taken to the courts, and complaints concerning the administration of the Authority can be addressed to The Parliamentary Ombudsman.
The Icelandic Data Protection Authority exercises surveillance over processing of data to which the Act applies. With proper identification, the staff of the DPA is admitted to any and all premises where personal data is being processed without a court order.
The authority mainly deals with specific cases on the basis of inquiries from public authorities or private individuals, or cases taken up by the Authority on its own initiative. Persons domiciled abroad may also obtain assistance from The Icelandic Data Protection Authority (requests should preferably be made in Icelandic or English).
Pursuant to the Act, the Ministry of Justice has issued a statutory order concerning Credit information agencies, namely a Regulation on Credit Reporting, No. 246/2001. The regulation was issued on 13 March 2001 by the Ministry of Justice. It has not been translated into English.