Answer: Norway has implemented the General Data Protection Regulation (GDPR) through the Data Protection Act of 15 June 2018. Under the GDPR, fintech companies (as data controllers) must ensure that all data is processed in accordance with the fundamental data privacy principles set out in Article 5 (i.e., lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality). Fintech entities must also comply with the principle of privacy by design set out in Article 25. As mentioned in questions 3.3 and 3.6, fintech companies are likely to be subject to the obligation to conduct a data protection impact assessment in accordance with Article 35 if the processing activity is likely to present significant risks to the rights of natural persons. If the impact assessment reveals risks that remain significant in the absence of mitigating measures taken by the controller, the data controller must consult the Norwegian Data Protection Authority before commencing the processing activities. If a fintech company (as data controller) uses a data processor, it must ensure that the data processing agreement complies with Articles 28 and 29 of the GDPR. Prior to engaging a data processor, the data controller should conduct a risk assessment of the data processor to ensure that the appointment falls within an acceptable level of risk.
Answer: Article 32 of the GDPR obliges both data controllers and data processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing activity. Under the Information Communication and Technology Regulation, sector-specific requirements also apply to the use of information and communication technology in the financial sector.
The Information Communication and Technology Regulation obliges entities in this sector to implement written procedures to ensure the stable operation of IT systems. In addition to their reporting obligations under the GDPR, they are obliged to notify the Norwegian Financial Services Authority of certain events such as security breaches.
Norway has also adopted a proposal for a new act that will implement Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. It is not yet certain when the act will enter into force.