Regarding the processing of personal data by public bodies

The government, like others, must process data in accordance with data protection laws. They must have appropriate legal grounds for processing personal data as well as comply with the data protection principles.

Legal grounds for processing of personal data on behalf of public bodies

It is unlikely that the authorities can base the authorization to process personal data on consent when they operate within their powers, as there is an imbalance of power between the controller and the data subject.

This is also clear in cases where the registered party has no possibility to agree to the terms of the administrator.

The sources that governments usually base their processes on are:

• that the processing is necessary to fulfill a legal obligation on the regulatory authority; or

• that the processing is necessary for a work carried out in the public interest or for the exercise of a public authority controlled by the administrative authority.

Other sources are also considered, such as that the processing is necessary to fulfill an agreement that the registered party is a party to.

The Icelandic Data Protection Authority has considered that the government can base its processing on the fact that it is necessary because of legitimate interests in the case of processing that is not directly related to the legal obligations of the relevant government, for example in the case of the planned launch of electronic monitoring by the relevant institution for general security and asset protection reasons.