Privacy and cyber security

Føyen has for many years been an important part of the privacy law community in Norway. After the transposition of the EU General Data Protection Regulation (GDPR) in 2018, the need and scope of our advice on privacy law is bigger than ever before. We help with the implementation of robust internal control systems and with carrying out risk assessments. We assist in dialogues with the Data Protection Authority and make assessments in relation to transfer of personal data to countries outside EU/EEA, use of new technologies, crisis management (security beach), and drafting of DPIA, BCR, and PBCR. Føyen is also an important adviser for actors within different business sectors that go through a digitalization process.

We have experience with privacy issues within a wide range of business sectors such as technology, media, health, public bodies, trade of goods, transport, industry, energy, etc. The scope of our experience enables us to quickly understand the questions that arise within privacy law, and to use our expertise to solve new challenges. Our customers thus get effective advice, no matter how complex the matter is.

Any businesses that process personal data must have a system for internal control, which documents the processing and that it complies with the GDPR. We can assist with the mapping of processing activities within the business and with the establishment of required routines. We also assist with the implementation of routines for deletion of personal data. We have a thoroughly prepared set of standard documents which we use when assisting with the above-mentioned issues.

In the GDPR, consent is an important legal basis for processing of personal data. Føyen assists with the assessment whether a consent is considered sufficient, or whether there is an alternative basis for the processing such as legitimate interest. In many business sectors, there are also specific laws that may serve as legal basis for the processing. Føyen’s lawyers are experienced with the assessment of such specific legal basis and have also assessed the need for and set forth proposals for such laws.

In order to be in compliance with the privacy laws and regulations, the data subjects must be informed about the processing in accordance with the requirements of the GDPR. Føyen has extensive experience with the drafting of privacy notices and other ways of providing the required information. It is also important that employees are aware of their obligations when processing personal data. Føyen thus regularly assists with the drafting of privacy policies and training of employees.

Risk assessments must be made in relation to all processing of personal data. In certain situations, a data processing impact assessment (DPIA) must also be carried out in accordance with article 35 of the GDPR.

Both the controller and the processor are required to enter into a data processing agreement if the processor shall process data on behalf of the controller. The data processing agreement must fulfil the requirements set out in article 28 of the GDPR and often raises questions of liability and claims for compensation. A data processing agreement shall not be entered into in situations where there is a transfer of personal data between two independent controllers or where there are joint controllers. It is thus important to be aware of the different roles related to the processing of personal data.

Businesses are required to identify all transfers of personal data to third countries outside the EU /EEA. There is also a transfer if a person outside the EU/EEA has access to the personal data, even if the personal data is stored within the EU/EEA. The general rule is that all transfers are prohibited unless there is a specific and sufficient legal basis for the transfer. The assessment of whether there is such a basis, is usually made in the form of a Transfer Impact Assessment (TIA). This is typically relevant when entering into agreements with international cloud service providers, in relation to agreements where cloud services form part of the value chain, or in relation to more traditional outsourcing. In these situations, it is vital to have knowledge of the various service models and to know what to do to comply with privacy laws and regulations in each specific situation.

Many businesses are obliged to have a data protection officer in accordance with the GDPR. The GDPR sets out requirements for when such data protection officer shall be appointed, which role the data protection officer shall have within the company, and which tasks the data protection officer shall perform. Føyen’s lawyers are experienced with and can offer to take on the role as data protection officer, or alternatively support internally employed data protection officers in their role.

The data protection authorities can impose fines for breach of the GDPR. The fines imposed on larger businesses have been very high, but we see that the fines imposed on regular Norwegian businesses are rising as well. However, by using the right tools and arguments, there are considerable leeway for arguing that there is no breach at all, or that the fine must be reduced. It is not uncommon for the authorities to reduce the fines after hearing the arguments submitted after notice of a potential fine.

BCR and PBCR are internally binding rules, agreements, and instructions within a group of companies which allow for the transfer of personal data between the affiliated companies even if this involves a transfer to third countries outside the EU/EEA. BCR apply where the companies are controllers, while PBCR apply where the companies are processors. The data protection authority must approve BCR and PBCR. This can be a long process which also involves the data protection authorities in other countries within the EU/EEA, but it ensures an approval from the data protection authorities. If BCR or PBCR are complied with after the approval, the likelihood of inspections and fines from the data protection authorities are reduced.

A personal data breach is defined in the GDPR as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Such breach must be handled correctly within the business and in accordance with the GDPR. A protocol documenting the processing must be established. It must be assessed whether there is a need to notify the data protection authority and potentially also data subjects affected by the breach. Cybersecurity is key when assessing which security requirements that must be made to the processing of personal data, especially in relation to a specific breach and how such incidents must be handled.

Use of cookies is a specific area of law with a huge practical impact. Today, the laws and regulations relating to cookies are divided between two supervisory authorities, which leads to uncertainty and misunderstandings amongst those who own and set up web pages. However, we know how to arrange for compliance with the laws and regulations.

Føyen’s lawyers frequently hold seminars and give speeches on various topics within privacy law. We have established a dedicated forum for data protection officers and others with responsibilities for privacy within businesses. This forum is arranged four times a year, where relevant topics are presented and discussed. We also give lectures for businesses who would like a presentation of or training sessions within specific topics.