Last review date: 30 December 2024
The Icelandic Data Protection Authority ("DPA") is the regulator for data privacy. For cybersecurity, however, the regulator is the Electronic Communications Office of Iceland ("ECOI").
The Central Bank of Iceland is the regulator for cybersecurity in the financial sector, and is expected to play an increasingly significant role with the implementation of DORA.
We expect the Icelandic DPA to carry out random audits to check compliance with data protection law, and to carry out audits in particular where they are triggered by individual complaints.
The DPA has not yet issued an educational plan or any other plan for 2025. In the government’s fiscal plan for 2025, the importance of Data Protection is highlighted. Targets have been put forward for:
To reach these targets, smaller milestones have been set, one of which is to increase the number of concluded random audit checks from 23 in 2023 to 30 in 2025. This indicates an even greater emphasis on such checks.
On 15 April 2024 the ECOI’s new procedures for uniform data collection entered into force. ECOI is actively engaged in various projects aimed at developing the electronic communications market. These projects, including the promotion of competition for consumer benefit, enhancing public access to high-speed data transfer services, and bolstering the security of electronic communications networks, have seen a notable increase in recent years. Numerous projects necessitate extensive data collection, covering aspects such as the telecommunications infrastructure, market conditions, competitiveness, operational performance of telecommunications companies, and information about information security management systems and security measures.
The ongoing and regular collection of information has become so extensive that a revised procedure was deemed necessary. These procedures aim to enhance the efficiency of the ECOI’s regular data collection, reinforce data security, and provide greater transparency and predictability for involved parties.
As part of the revised approach to data collection, the ECOI shall annually publish an overview of the data requests it anticipates making in the upcoming year. This is intended to make the ECOI's data collection more transparent and predictable for the parties involved. The intention is for data collection to take place through an electronic information portal.
The procedures primarily centre on the internal activities of the ECOI, focusing on the organisation, implementation and execution of data collection according to pre-defined processes. The objective is to simplify the process.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Increasing
Class actions/group actions under data or cyber regulation are:
☒ Rare
There are:
☒ administrative remedies from regulators and law enforcement
On the basis of the Data Protection Act, administrative fines can amount to up to ISK 2.4 billion (approximately EUR 16 million) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
On the basis of the Electronic Communications Act, administrative fines can amount to up to 4% of the total turnover of the last operating year for each telecommunications undertaking, or other company, involved in the violation. For individuals, fines can range from ISK 10,000 to ISK 10 million (approximately EUR 66 to EUR 66,000).
☒ criminal penalties from regulators and law enforcement
Pursuant to Article 48 of the Data Protection Act, certain data protection infringements are considered criminal offences.
It is punishable with imprisonment of up to three years or a fine to knowingly and without authorization transfer to a third party or otherwise make accessible for commercial purposes the personal data of a large number of people where such data was not publicly accessible.
Violation of confidentiality, as defined in the Data Protection Act, can result in fines or imprisonment of up to one year. If it was for commercial purposes, the violation can result in imprisonment of up to three years.
On the basis of the Electronic Communications Act violations can result in imprisonment of up to two years or three years if conducted for commercial purposes.
☒ private remedies
Individuals may, for example,