Iceland Data Privacy Laws: Act 90/2018 and GDPR via EEA Guide (2026)

Overview of Iceland's Data Protection Framework
Iceland occupies a distinctive position in European data protection. Although not a member of the European Union, Iceland is a member of the European Economic Area (EEA) and the European Free Trade Association (EFTA). This membership obligates Iceland to incorporate EU legislation with EEA relevance into its national legal framework, including the General Data Protection Regulation (GDPR).

The GDPR was incorporated into the EEA Agreement through a Joint Committee Decision on 6 July 2018. To implement the regulation domestically, the Icelandic Parliament (Althingi) enacted Act No. 90/2018 on Data Protection and the Processing of Personal Data, which entered into force on 15 July 2018. This Act replaced Iceland's earlier data protection legislation, Act No. 77/2000.
The practical result is that Iceland's data protection framework is substantively equivalent to that of EU Member States. Organizations operating in Iceland or processing the personal data of individuals in Iceland must comply with both the GDPR and Act 90/2018.
Act No. 90/2018: Key Provisions
Structure and Scope
Act 90/2018 serves two primary functions. First, it formally incorporates the GDPR into Icelandic law. Second, it addresses areas where the GDPR permits or requires national supplementary legislation, including the establishment and powers of the supervisory authority, specific processing situations, criminal offenses, and certain derogations.
The Act applies to the processing of personal data by automated means and to manual processing where data forms part of a filing system. It covers both the private and public sectors, with additional provisions for law enforcement processing that transpose the EU Law Enforcement Directive.
Legal Bases for Processing
Iceland follows the six legal bases for processing established by Article 6 of the GDPR: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interests. Act 90/2018 provides national context for how certain bases apply in Iceland, particularly for public sector processing and the processing of data in connection with Iceland's strong tradition of public access to official records.
Special Categories of Data
For special categories of data, including health data, genetic data, biometric data, and data revealing political opinions or religious beliefs, processing is subject to the additional conditions set out in Article 9 of the GDPR. Iceland's implementation addresses the processing of health data in the context of the country's national health system and the unique challenges posed by its small population size for data anonymization.
Children's Data
Iceland has set the age of digital consent at 13, the minimum threshold permitted under Article 8 of the GDPR. This means children aged 13 and above may provide valid consent for the processing of their personal data in connection with information society services. For children below 13, parental or guardian authorization is required.
Genetic Data and Biobanks
Iceland has a particularly notable framework for genetic data, reflecting the country's history as a leader in genetic research. The Act on Biobanks (No. 110/2000) and the Act on a Health Sector Database interact with data protection law to regulate the collection, storage, and use of biological samples and genetic information. These provisions are especially relevant given the Icelandic population's genetic homogeneity and the extensive genetic databases maintained in the country.
Personuvernd: Iceland's Data Protection Authority
Role and Independence
Personuvernd (the Data Protection Authority) is Iceland's independent supervisory authority for data protection. The authority operates independently of the government and is not subject to instructions in individual cases. Personuvernd was originally established under the 2000 Act and continued under Act 90/2018 with expanded powers aligned with the GDPR.
The authority is led by a board of three members appointed by the Minister of Justice. Personuvernd represents Iceland in the European Data Protection Board through EEA participation mechanisms and collaborates with other European data protection authorities on cross-border enforcement matters.
Investigative and Corrective Powers
Personuvernd exercises the full range of investigative and corrective powers set out in Articles 57 and 58 of the GDPR. These include the power to investigate complaints, conduct audits, access premises, issue warnings and reprimands, order compliance with data subject requests, impose temporary or permanent bans on processing, and issue administrative fines.
The authority also has advisory functions, issuing opinions on proposed legislation, codes of conduct, and matters of data protection policy.
Enforcement Activity and Caseload
Personuvernd has maintained an active enforcement posture despite Iceland's small population of approximately 380,000 people. The authority registered a total of 2,082 cases in 2023 and 216 new cases in 2024. As of February 2024, the authority had 350 cases under inspection at the administrative level.
In response to increasing case volumes, Personuvernd announced amendments to streamline its complaint-handling procedures in November 2023. These changes were aimed at reducing the authority's workload and decreasing processing times for complaints.
Notable Enforcement Actions
Personuvernd has imposed substantial fines for data protection violations. In 2023, a healthcare provider was fined ISK 100 million (approximately EUR 650,000) for insufficient security measures and unauthorized access to personal data. In 2022, a financial institution was fined ISK 75 million (approximately EUR 490,000) for failing to implement appropriate data protection measures.
These fines are significant in the context of Iceland's small economy and demonstrate the authority's willingness to impose meaningful penalties for non-compliance.
Data Subject Rights
Individuals in Iceland benefit from the full set of data subject rights provided by the GDPR. These rights are directly enforceable through complaints to Personuvernd and through the Icelandic courts.
Right of Access
Under Article 15 of the GDPR, individuals have the right to obtain confirmation of whether their personal data is being processed and to receive a copy of that data. The right extends to information about processing purposes, data categories, recipients, retention periods, and the source of the data.
Right to Rectification and Erasure
Data subjects may request the correction of inaccurate data under Article 16 and the deletion of data under Article 17 in specified circumstances. The right to erasure must be balanced against other rights and obligations, including freedom of expression and the retention requirements of Icelandic archival law.
Right to Data Portability
Article 20 grants individuals the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This right applies where processing is based on consent or a contract and is carried out by automated means.
Right to Object
Data subjects may object to processing based on public interest or legitimate interest grounds under Article 21. They have an absolute right to object to processing for direct marketing purposes. When an objection is raised, the controller must cease processing unless compelling legitimate grounds override the individual's interests.
Cross-Border Data Transfers
Free Flow Within the EEA
As an EEA member, Iceland is part of the EU/EEA free data transfer zone. Personal data may flow freely between Iceland and all EU and EEA Member States without the need for additional transfer mechanisms. This is a significant practical advantage for organizations with operations in both Iceland and the EU.
Transfers to Third Countries
Transfers of personal data to countries outside the EEA are subject to Chapter V of the GDPR. The recognized transfer mechanisms include adequacy decisions, standard contractual clauses, binding corporate rules, and derogations for specific situations under Article 49.
Iceland recognizes the same adequacy decisions as EU Member States, including those covering Japan, South Korea, and the United Kingdom, as well as the EU-U.S. Data Privacy Framework.
Small Country Considerations
Iceland's small population creates unique considerations for international data transfers. The limited size of the domestic market means that many services used in Iceland are provided by international companies, making cross-border data flows an everyday reality for Icelandic data subjects. Personuvernd has addressed this through guidance on the use of international cloud services and social media platforms.
Penalties and Sanctions
Administrative Fines
The GDPR's two-tier fine structure applies in Iceland through Act 90/2018. For less serious infringements, fines of up to EUR 10 million or 2% of worldwide turnover may be imposed. For more serious violations, the maximum is EUR 20 million or 4% of worldwide turnover.
Given Iceland's relatively small business landscape, the turnover-based calculation is particularly relevant for international companies operating in the Icelandic market, while the fixed maximums serve as the effective ceiling for most domestic organizations.
Criminal Penalties
Act 90/2018 establishes criminal offenses for certain data protection violations, including intentional unauthorized processing and obstruction of supervisory authority investigations. Criminal penalties can include fines and imprisonment.
Coercive Measures
Personuvernd has the power to impose daily fines to compel compliance with its orders. This mechanism ensures that organizations cannot simply absorb a one-time fine and continue non-compliant practices.
Special Processing Situations
Health Data and the National Health System
Iceland's national health system generates significant volumes of personal health data. The processing of this data is governed by both data protection law and sector-specific health legislation. Healthcare providers must implement robust security measures and access controls, as demonstrated by Personuvernd's enforcement action against a healthcare provider for unauthorized data access.
Public Records and Freedom of Information
Iceland has a strong tradition of public access to government information, enshrined in the Information Act (Upplýsingalög). Data protection law must be balanced against this transparency principle, requiring public authorities to carefully assess when personal data in public records should be disclosed and when data protection rights prevail.
Research and Statistics
Act 90/2018 includes provisions for the processing of personal data for scientific research and statistical purposes, consistent with Article 89 of the GDPR. Iceland's position as a center for genetic research and epidemiological studies makes these provisions particularly important. Researchers may benefit from derogations from certain data subject rights where appropriate safeguards are in place.
Compliance Considerations for Organizations
Organizations processing personal data in Iceland should be aware of several practical matters. Personuvernd maintains a website with guidance documents in Icelandic and English, covering topics such as data breach notification, cookie consent, data protection impact assessments, and the use of surveillance cameras.
The small size of the Icelandic market and population means that data anonymization is more challenging than in larger countries. Information that might not identify an individual in a country of millions could readily identify someone in Iceland's small communities. Organizations should apply heightened scrutiny to anonymization and pseudonymization techniques.
Organizations should also note that Iceland's data protection authority, while well-resourced relative to the country's size, faces capacity constraints due to high caseloads. Planning for potentially longer response times on consultations and complaints can help organizations manage their compliance timelines.
This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change, and organizations should consult with a qualified attorney for advice specific to their situation.