Data protection
i Requirements for registration
The General Data Protection Regulation is implemented in Norway through the Personal Data Act of 2018. The new rules strengthen the rights of persons whose personal data is registered.
The processing of personal data concerning employees must comply with the Personal Data Act. The employer is not required to register with the data protection authority or any other governmental body, but it must identify the information being processed concerning employees, and keep an overview of personal data on employees. The employees must be informed of what personal data the employer is processing. The employer is not allowed to process personal data on employees that is not necessary to achieve a legitimate purpose. Further, the employer must take all necessary measures to protect the personal data against unauthorised access and ensure that staff are sufficiently aware of data protection obligations.
Consent is highly unlikely to be a legal basis for processing personal data on employees, unless employees can refuse without adverse consequence. Employers will have to rely on a legal basis other than consent, such as legitimate interest.
Any transfer of personal data on employees from the employer (controller) to a third party (processor) must be regulated by a data processing agreement. No data processor may process personal data in any other way than what is agreed in writing with the data controller.
ii Cross-border data transfers
Any international transfer of personal data concerning employees shall take place only where an adequate level of protection is ensured, such as in countries within the European Union or the EEA.
Transfer of personal data concerning employees to third countries or an international organisation may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question, ensures an adequate level of protection. Such transfers do not then require any specific authorisation. Transfer of personal data to other countries or international organisations is only allowed if the employer or the processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. A data processing agreement must be in place.
Employee notification is necessary.
iii Sensitive data
Sensitive data is defined as information relating to a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, health, or genetic or biometric data. Social security numbers are not regarded as sensitive data.
There are restrictions on processing sensitive data. Processing sensitive data on employees is only allowed when the processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law, in so far as it is authorised by Norwegian law or a collective agreement.
iv Background checks
The employer may only perform background checks (e.g., credit checks and criminal record checks) if it is objectively justified. This will depend on the employee's position and the employer's business.
During recruitment of staff, the employer can only review information about a candidate on social media if this is necessary for the job, and the candidate is correctly informed. The candidate may be informed in the job advertisement.