General Introduction
On 1 January 2001 a new Act on the Protection and Processing of Personal Data, No. 77/2000, entered into force. The act substitutes an Act Respecting Systematic Recording of Personal Data, passed in 1989.
The act implements Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The purpose of the Act, is to promote the practice of personal data being processed in conformity with the fundamental principles of data protection and the right to privacy. The Act applies to any automated processing of personal data and to manual processing of such data if it is, or is intended to become, a part of a file.
The Icelandic Data Protection Authority consist of a Board and a Secretariat. A managing director (Data Protection Commissioner) is in charge of daily management of the Secretariat. The Authority has not yet laid down any rules of procedure.
The decisions made by the Icelandic Data Protection Authority are final and may not be brought before any other administrative authority. The decisions on the other hand can be taken to the courts, as well as complaints concerning the administration of the Authority can be addressed to The Parliamentary Ombudsman.
The Icelandic Data Protection Authority exercises surveillance over processing of data to which the act applies. With proper identification the staff of the DPA is admitted to any and all premises where personal data is being processed without a court order.
The authority mainly deals with specific cases on the basis of inquiries from public authorities or private individuals, or cases taken up by the Authority on its own initiative. Persons domiciled abroad may also obtain assistance from The Icelandic Data Protection Authority (requests should preferably be made in Icelandic or English).
The Act requires that the opinion of the Data Protection Authority must be obtained prior to passing new laws, orders and regulations concerning the protection of privacy.
Since the new Act entered into force the DPA has issued some public guidelines and regulations. Among others are rules on how to obtain an informed consent, rules concerning notification of processing of Personal Data, rules concerning security assessments and systematic safety measures. None of the public guidelines /regulations have been translated into English yet.
Pursuant to the Act on Processing of Personal Data the Ministry of Justice has issued 1 statutory order concerning Credit information agencies. It is a Regulation on Credit Reporting, No. 246/2001, it was issued on 13 March 2001 by the Ministry of Justice and entered immediately into force. This regulation has not been translated into English.