General
The Data Protection Authority may decide that the processing of personal data for projects in the public interest may not begin until it has been examined and approved by the issuance of a special authorisation.
This is especially the case for projects that may involve the risk of violating people’s rights and freedoms. Whether the processing of personal data is subject to prior authorisation from the Data Protection Authority depends on the circumstances at hand.
The first thing to consider is whether it is a processing of personal data within the meaning of the Data Protection Act.
If information that is intended to be processed is completely non-personal, such as if a non-personal questionnaire is submitted to participants without an encryption key, the processing is not covered by the law and thus is not subject to authorisation from the Data Protection Authority.
Application for authorisation
The Data Protection Authority advises applicants to submit their application in time.
An application with the Data Protection Authority for authorisation to process personal data must be accompanied by a declaration by the record keeper. The Data Protection Authority has prepared instructions for the record keeper on the submission of data (in Icelandic).
Processing is subject to the Data Protection Authority's authorisation
The Data Protection Authority has established rules that stipulate that the following processing of personal data is subject to written permission from the Data Protection Authority:
A combination of a file containing sensitive personal data with another file, irrespective of whether that file contains general or sensitive personal data.
Processing of information on criminal offences and criminal history, information on drug, alcohol and drug use, sex and sexual behavior, unless the processing is necessary and a normal part of the activities of the person concerned.
Collection of personal information on financial matters and creditworthiness of individuals for the purpose of disclosing it to others.
Processing of information on social problems of people or other personal matters, such as divorce, break-up of a relationship, adoption and foster contracts, unless the processing is necessary and a natural part of the activities of the person concerned.
The processing of personal data that involves the inclusion of a person's name in a register according to pre-established criteria and the transfer of information to a third party in order to deny the person a particular service or arrangement.
The disclosure of sensitive personal data for the purpose of a scientific study that falls outside the scope of the Act on Scientific Research in the Health Sector, no. 44/2014, as the controller of the information that is disclosed does not participate in the conduct of the study.
The disclosure of sensitive personal data, which are kept by the government, for the purposes of investigations.
The disclosure of general personal data, which are kept by the government, for the purposes of investigations, when the dissemination involves a special risk of violation of the rights and freedoms of individuals.
The provision of biobanks with service samples with personal identifiers for the purposes of scientific research is always subject to the permission of the Data Protection Authority, see Article 9(5) of the Act on Biobanks and Health Information Banks, no. 110/2000.
Processing is not subject to the Data Protection Authority's authorisation
The Data Protection Authority's rules on the authorised processing of personal data provide that the following processing of personal data is not subject to the Data Protection Authority's authorisation:
If the processing of personal data is based on informed consent or legal provisions.
The combination of records is not required if the information on telephone numbers or from the national register of name, ID number, company number, address, place of residence and postal code is merely combined or if the records of the same controller are combined, except for central records containing sensitive personal data.
Processing of information on criminal offences and criminal history, information on drug, alcohol and drug use, sex and sexual behavior if the processing is necessary and a normal part of the controller's activities.
Processing of information on social problems of people or other personal matters, such as divorce, break-up of a relationship, adoption and foster contracts, if the processing is necessary and a normal part of the controller's activities.
If the processing of personal data is carried out in accordance with the code of conduct adopted by the Data Protection Authority, see Article 40(5) of Regulation (EU) 2016/679.
