"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The term used in the Personal Data Act, as in the GDPR, is "special categories of personal data"; these are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The Personal Health Data Filing System Act of 2014 refers to "characteristics that directly identify a natural person" (direkte personidentifiserende kjennetegn). The term is, however, not defined and should be understood in light of the definition of "personal data" in the GDPR and the new Personal Data Act; see also the term "indirectly identifiable health data" below. Similarly, some sector-specific health legislation, such as the Health Personnel Act, refers to "characteristics that directly identify a natural person" (direkte personentydige kjennetegn).
The Personal Health Data Filing System Act of 2014 refers to the term "indirectly identifiable health data" (indirekte identifiserbare helseopplysninger) as "health data in which the name, national identity number and other characteristics that identify a person [personentydige kjennetegn] are removed, but where the data may nevertheless be linked to an individual".
3. Territorial Scope
3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?
The Personal Data Act applies to the processing of personal data that is carried out in the context of the activities of an establishment of a controller or processor in Norway, regardless of whether or not the processing takes place within the EEA.
A business that is not established in Norway but is subject to the laws of Norway by virtue of public international law can be subject to the Personal Data Act.
The Personal Data Act applies to businesses outside the EEA if they (either as controller or processor) process personal data of Norwegian residents in relation to: (i) the offering of goods or services (whether or not in return for payment) to Norwegian residents; or (ii) the monitoring of the behaviour of Norwegian residents (to the extent that such behaviour takes place in Norway).
4. Key Principles
Personal data must be processed lawfully, fairly and in a transparent manner. Controllers must provide certain minimum information to data subjects regarding the collection and further processing of their personal data. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. The GDPR provides an exhaustive list of legal bases on which personal data may be processed, of which the following are the most relevant for businesses: (i) prior, freely given, specific, informed and unambiguous consent of the data subject; (ii) contractual necessity (i.e., the processing is necessary for the performance of a contract to which the data subject is a party, or for the purposes of pre-contractual measures taken at the data subject's request); (iii) compliance with legal obligations (i.e., the controller has a legal obligation, under the laws of the EU or an EU Member State, to perform the relevant processing); or (iv) legitimate interests (i.e., the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).