The Data Protection Authority

The Icelandic Data Protection Authority

Data Protection Commissioner - Helga Þórisdóttir
Address: Rauðarárstígur 10, 105 Reykjavík, Iceland.
Tel. +354 510 9600
E-mail: postur [at] personuvernd.is

General Introduction

General Introduction concerning Act no. 90/2018 on Data Protection and the Processing of Personal Data, as well as on the functions of the Data Protection Authority.

The Data Protection Act and other relevant Acts and Rules:

Act no. 90/2018 on Data Protection and the Processing of Personal Data

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Act no. 77/2000 on The Protection of Privacy as regards the Processing of Personal Data; as amended (repealed)

Biobanks Act no. 110/2000 
Act on the Schengen Information System in Iceland, no. 16/2000. 

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. (EUR-Lex) (repealed) 

Rules no. 837/2006 on Electronic Surveillance.

Rules no. 299/2001 on security of personal data
Regulation no. 322/2001 on Management of Personal Information by the Police 

Patients' Rights Act no. 74/1997

Rules no. 698/2004 on The Obligation to Notify and Processing which requires a Permit (repealed)

Rules no. 231/2012 on the division of tasks between the Board and the employees of the Data Protection Authority.

Translations are unofficial and non-verified, unless otherwise stated.

Information on the Schengen Information System


Information on the Visa Information System


EURODAC - The EU Asylum Fingerprint Database


General overview on the conduct of audits


Monitoring data controllers and ensuring that they take appropriate security measures, in accordance with law, is an important part of the DPA's law-enforcement work. Further information on the subject can be found here.
The audits are conducted within the framework of rules no. 299/2001, on security of personal data, which incorporate, in a very simplified form, the methodology of the International Standard ISO/IEC 17799 "Information Technology - Code of Practice for information security management".

Miscellaneous; answers to inquiries, opinions, rulings, etc.:


The Data Protection Authority has given the following answers to a questionnaire from the International Bioethics Committee (UNESCO), concerning the Revised Outline of the International Declaration on Human Genetic Data. 
The Data Protection Authority's reply of May 14, to a JSB-Europol questionnaire "Data Protection and the Police".

For further information regarding the Schengen Information System, see the website of EU Migration and Home affairs

Information Brochure on the Schengen Information System (pdf)

The Data Protection Authority's answers to a questionnaire on the processing of medical data by pharmaceutical companies, mainly concerning conditions under which clinical trials, safety surveys and post-market studies are allowed.

Answers about the right to privacy and judgements given by the Supreme Court on that matter.

The Icelandic Data Protection Authority's Opinion on political parties' use of social media before parliamentary elections – Guidance and proposals.

Personal data breach at the National Center of Addiction Medicine – Administrative fine

Personal data breach at the Breiðholt Upper Secondary School – Administrative fine

Personal data breach in the information system Mentor – Administrative fine

Information/Documents concerning the Icelandic Health Sector Database:

An excerpt from a judgement by the Supreme Court of Iceland, of November 27, 2003, concerning The Health Sector Database (HSD)

Act on a Health Sector Database no. 139/1998 in Icelandic (repealed in 2014)

Governmental Regulation on the Health Sector Database

General security terms set by the Icelandic Data Protection Commission

Methodology

Security Target

Legal disclaimers:

The Icelandic Data Protection Authority (DPA) strives to ensure that the information supplied on this website and references to laws, regulations and information databases are accurate and right. However, the DPA cannot be held responsible for any errors or omissions. Under no circumstances can the DPA be held responsible for any damage resulting from the use of information presented on this site.

Legal disclaimer regarding e-mails from the Data Protection Authority and its staff.


