top of page

ICELAND - Data Protection and GDPR Review

The history of data protection in Iceland has seen a steady evolution, reflecting changes in both technology and societal values regarding privacy. Here's an overview of key milestones and legislation:

Early Initiatives (Before 2000): The Privacy Act No. 121/1989 was one of the first pieces of legislation enacted in Iceland to govern personal data protection. It focused on regulating how public bodies collected, processed, and stored personal data.

Act on the Protection of Privacy (2000): In 2000, Iceland enacted the Act on the Protection of Privacy as Regards the Processing of Personal Data, No. 77/2000. This law marked a significant step toward modernizing Iceland's approach to data protection, outlining the rights of individuals and the responsibilities of data controllers and processors.

Data Protection Authority (DPA): Alongside Act No. 77/2000, Iceland established the Data Protection Authority (DPA), an independent body responsible for overseeing the implementation and enforcement of data protection laws.

Membership in the European Economic Area (EEA): Iceland's membership in the EEA has obliged it to adopt certain EU regulations and directives related to data protection. Though not an EU member, Iceland has aligned its data protection laws with EU standards, such as the EU Data Protection Directive 95/46/EC.

Revised Data Protection Act (2019): In response to the EU's General Data Protection Regulation (GDPR), Iceland revised its data protection laws with Act No. 90/2018, which came into effect on July 15, 2019. While Iceland is not a member of the EU, it is part of the EEA, and thus the principles and many of the provisions of the GDPR were incorporated into Icelandic law.

Alignment with GDPR: The revised Data Protection Act aligns closely with the GDPR, emphasizing transparency, the rights of individuals (such as the right to access, rectification, and erasure), and stricter obligations for data controllers and processors. The DPA continues to act as the regulatory body overseeing compliance.

Recent Developments: Iceland continues to actively engage with evolving data protection standards, regularly updating guidelines, and implementing regulations that reflect changes in technology and international standards.

Iceland's history of data protection reflects a trajectory from early privacy concerns to contemporary regulations that closely align with international standards, particularly those of the EU. Through EEA membership, Iceland has harmonized its data protection framework with major EU regulations, ensuring a modern and comprehensive approach to privacy and data protection in the digital age. The country's independent Data Protection Authority plays a crucial role in enforcing these standards and shaping the data protection landscape in Iceland.

Introduction to GDPR in Iceland

Though not an EU member, Iceland is a member of the European Economic Area (EEA) and has adopted many provisions of the GDPR into its national law. The revised Data Protection Act No. 90/2018, which came into effect on July 15, 2019, reflects the principles and provisions of the GDPR.

Key Principles of GDPR

  1. Lawfulness, Fairness, Transparency: Ensuring transparent, fair, and legal processing of data.

  2. Purpose Limitation: Collecting data for specific, explicit, and legitimate purposes.

  3. Data Minimization: Processing only the data necessary for the intended purpose.

  4. Accuracy: Keeping personal data accurate and up to date.

  5. Storage Limitation: Storing data no longer than necessary.

  6. Integrity and Confidentiality: Protecting data against unauthorized access and accidental loss.

Rights of Data Subjects

  1. Right to Information: Knowing why and how data is being processed.

  2. Right to Access: Accessing personal data held by data controllers.

  3. Right to Rectification: Correcting inaccurate personal data.

  4. Right to Erasure ("Right to be Forgotten"): Requesting deletion of data under specific circumstances.

  5. Right to Restrict Processing: Limiting the processing of personal data.

  6. Right to Data Portability: Transferring data from one controller to another.

  7. Right to Object: Objecting to processing under certain conditions.

Obligations of Data Controllers and Processors

  1. Data Protection Impact Assessment (DPIA): When necessary, to evaluate privacy risks.

  2. Data Breach Notification: Reporting breaches to the Data Protection Authority (DPA) and affected individuals within 72 hours.

  3. Appointment of a Data Protection Officer (DPO): Required for certain organizations.

  4. Compliance Documentation: Maintaining records of data processing activities.

Icelandic Data Protection Authority (DPA)

The DPA supervises and enforces data protection laws in Iceland. It offers guidance, handles complaints, and can impose sanctions for non-compliance.


Non-compliance can lead to substantial fines, up to €20 million or 4% of the global annual turnover, whichever is higher.

Specific Provisions in Iceland

Iceland's Act No. 90/2018 may contain specific national provisions that modify or complement the GDPR, such as regulations concerning the processing of children's data, public interest, research, or employment-related data.


Data protection in Iceland is governed by regulations closely aligned with the GDPR. Organizations operating within Iceland must adhere to these rules, recognizing both general GDPR principles and any specific Icelandic provisions. Regular consultation with legal experts specializing in Icelandic data protection law is often recommended.


  1. Icelandic Data Protection Authority (DPA): Website

  2. EU GDPR Portal: Website

  3. Official Text of Iceland's Data Protection Act No. 90/2018: Link (In Icelandic)

Please note that this guide is for informational purposes only and should not be considered as legal advice. Always consult with a legal professional specialized in Icelandic data protection law for specific guidance.


bottom of page