Scope of the Data Protection Act

The Data Protection Act states how organizations, companies and the government may work with personal data of individuals.

The Data Protection Act shall apply in general if the following conditions are met:

When working with information about individuals

• The Data Protection Act applies when information about individuals is processed. It does not matter whether the person who processes the information is a governmental, private or individual (except when individuals process information for personal use, as discussed below).

• The term ‘person may also include private individuals when information about the owner of the company cannot be distinguished as 0person and information about the company.

When the information is automatically processed or entered in a file

• When personal data is stored in a way that makes it easy and quick to look for and search for it, it is usually covered by the Data Protection Act.

• This means that the law covers the case where personal data are processed in part or in full automatically or when they are entered in a register.

When the information is processed in Iceland or within the territory of the European Union

• In the vast majority of cases, the processing of personal data that takes place in Iceland is covered by Icelandic data protection laws.

• The principle is that the company that processes the personal data, the controller, is established in Iceland and the processing of personal data takes place within the EU territory.

• This also applies if foreign parties work with information about individuals located in Iceland, if the processing is related to the supply of goods or services to individuals located in Iceland or if the behaviour of individuals in Iceland is monitored.

• However, situations may arise where the guarantor has established a business in another EU country. In this case, the law of that country shall apply.

• For example, Facebook is regulated by Irish law because Facebook is registered with a registered office in Ireland.

Data Protection Act applies only to information about individuals.

They therefore do not apply when:

• is processed with information about a legal entity such as a company or an administration

• is processed with information that cannot be attributed to individuals, such as statistics

• works with other types of businesses than private

• is processed with information about the authorities

• the state processes personal data for the purposes of security and defence

• is processing personal data for law enforcement purposes

• individuals process information for personal use

  • These include correspondence and holding of a register such as a Christmas card list with the names and addresses of the recipients, and to a certain extent activities on social media and the Internet in general.

In many cases, the processing of personal data by individuals is completely exempt from the law if it is not related to, for example, commercial or professional activities.