
Norwegian Personal Data Act (Personopplysningsloven)

Datatilsynet is one of Europe's most active enforcement authorities—Norwegian fines follow full EU GDPR scales, with landmark actions exceeding NOK 65 million.

Mapped to Microsoft controls
Effective Date: 20 July 2018
Enforcement Body: Datatilsynet (Norwegian Data Protection Authority)
Penalty Framework: Datatilsynet can impose administrative fines in line with GDPR Article 83, up to EUR 20 million or 4% of annual global turnover. Notable Norwegian fines include NOK 65 million against Grindr (2021) and NOK 5 million against the Municipality of Bergen. Datatilsynet also issues injunctions, reprimands, and processing bans.

The Norwegian Personal Data Act (Personopplysningsloven) implements the EU GDPR in Norway through the EEA Agreement. Norway is not an EU member state but applies the GDPR in full as part of the European Economic Area, with supplementary national provisions.

Datatilsynet (the Norwegian Data Protection Authority) is one of Europe's most proactive supervisory authorities, known for landmark enforcement actions including the record Grindr fine and the Meta behavioural advertising ban that was subsequently adopted across the EU.

For Microsoft 365 environments, compliance mirrors EU GDPR requirements: Purview sensitivity labels for data classification, DLP policies for data protection, Conditional Access for access management, and Norwegian data residency considerations. StremarControl engineers and operates the Microsoft-native controls required for Norwegian GDPR mandates, translating each obligation into an enforceable control, structured evidence, and an ongoing assurance discipline for Datatilsynet compliance reporting.

Why This Matters Now

Norway implements the EU GDPR through its Personal Data Act (Personopplysningsloven), making GDPR directly applicable as part of the EEA Agreement. Datatilsynet has been one of the most active European DPAs, issuing significant fines and enforcement decisions. For M365 environments, compliance requires the same controls as EU GDPR plus Norwegian data residency considerations, Conditional Access for access management, and Purview for data classification. Norway's sovereign wealth fund and energy sector make robust data protection compliance essential.

Scope & Applicability

Applies to all data controllers and processors established in Norway, or processing personal data of individuals in Norway. As an EEA member, Norway applies the EU GDPR in full with minor national supplementary provisions. Special provisions exist for research, journalism, and the employment context. M365 tenants processing Norwegian personal data must comply with full GDPR requirements plus the Norwegian supplementary rules.

Core Obligations

01. GDPR Compliance (via EEA) [EU GDPR Articles 5–11]
Full compliance with EU GDPR data protection principles, lawful bases for processing, and data subject rights as implemented through the EEA Agreement.

02. Data Protection Officer [EU GDPR Articles 37–39]
Appoint a DPO where core activities involve regular and systematic monitoring at scale, or large-scale processing of special category data.

03. Norwegian Supplementary Provisions [Personopplysningsloven Chapters 2–6]
Comply with Norwegian-specific provisions for processing in the employment context, research exemptions, and national identification numbers.

04. Breach Notification [EU GDPR Articles 33–34]
Notify Datatilsynet of personal data breaches within 72 hours where feasible. Notify data subjects where the breach poses a high risk.

Microsoft 365 Control Mapping

How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.

Obligation: GDPR Data Protection Controls
M365 Control: Purview sensitivity labels for data classification. DLP policies for data protection. Conditional Access with MFA and risk-based policies.
Evidence: Label usage analytics, DLP incident logs, Conditional Access evaluation reports.

Obligation: Norwegian Data Residency
M365 Control: M365 data residency configuration for Norwegian/Nordic regions. Multi-Geo where required. DLP geo-fencing for cross-border restrictions.
Evidence: Data residency configuration exports, Multi-Geo assignment reports, DLP cross-border logs.

Obligation: 72-Hour Breach Notification
M365 Control: Defender XDR incident detection with Sentinel playbooks for Datatilsynet notification. Automated breach assessment workflows.
Evidence: Incident timeline reports, breach notification records, Datatilsynet submission logs.

Implementation Timeline

July 2018: Norwegian Personal Data Act enters into force, implementing EU GDPR via the EEA Agreement
December 2021: Record NOK 65 million fine issued against Grindr
2023: Datatilsynet issues ban on Meta behavioural advertising, later adopted EU-wide
Ongoing: Active enforcement programme including AI and children's data focus areas

Ready to get Norway PDL-ready?

Start with a fixed-scope sprint. We assess your Microsoft 365 controls against Norway PDL requirements, close gaps, and produce audit-ready evidence.