Iceland Data Privacy Laws: GDPR via EEA, Act No. 90/2018, and Persónuvernd (2026 Guide)

Iceland applies the full GDPR through EEA Joint Committee Decision No. 154/2018 and Act No. 90/2018 on Data Protection and the Processing of Personal Data, which entered into force on 15 July 2018. Persónuvernd enforces the law, with fines reaching 4% of global annual turnover. Article 71 of the Icelandic Constitution provides the constitutional privacy foundation.
Quick Answer: Iceland Data Privacy at a Glance
Iceland applies the full GDPR through its EEA membership, supplemented by Act No. 90/2018 on Data Protection and the Processing of Personal Data. Persónuvernd, the independent national supervisory authority, handles thousands of cases annually and imposes fines up to 4% of global turnover or ISK 2.4 billion. Article 71 of the Icelandic Constitution enshrines the right to privacy, providing the constitutional foundation for the data protection regime. For businesses, Iceland operates as if it were an EU Member State for data protection purposes: the same rules, the same rights, the same penalties apply.
This article covers the legal framework, Persónuvernd's powers and recent enforcement, data subject rights, breach notification, DPO requirements, cross-border transfer rules, the EU AI Act's pending EEA incorporation, and compliance considerations for organisations processing Icelandic personal data.
The Constitutional and Legal Foundation
Article 71 of the Icelandic Constitution
Article 71 of the Constitution of Iceland (Stjórnarskrá lýðveldisins Íslands) states that everyone shall enjoy freedom from interference with their privacy, home, and family life. The provision expressly covers the examination of documents and mail, telephone communications, and any comparable interference with a person's privacy. Restrictions are permissible only where urgently necessary to protect the rights of others, and examination of communications requires either a judicial decision or specific statutory authority.
This constitutional guarantee predates the GDPR and provides the domestic human rights foundation on which data protection legislation rests. The right to privacy under Article 71 is not absolute, but any statutory interference must satisfy proportionality requirements.
How the GDPR Applies in Iceland Through the EEA Agreement
Iceland is not an EU Member State. It is, however, a member of the European Economic Area under the EEA Agreement of 1994. The EEA Agreement extends the EU Single Market to three EFTA states: Iceland, Liechtenstein, and Norway. EU legislation with EEA relevance does not automatically apply in EEA EFTA states; it must first be incorporated into the EEA Agreement by a Joint Committee Decision.
For the GDPR (Regulation (EU) 2016/679), the EEA Joint Committee adopted Decision No. 154/2018 on 6 July 2018. The decision amended Annex XI of the EEA Agreement to include the GDPR and simultaneously repealed references to the earlier Data Protection Directive (95/46/EC). The GDPR entered into force in Iceland, Liechtenstein, and Norway on 20 July 2018.
The incorporation involved EEA-specific adaptations. References to "Member State" in the GDPR are read as references to the relevant EEA EFTA state for the purposes of EEA application. The EEA EFTA national supervisory authorities participate in the European Data Protection Board as full members for matters affecting EEA EFTA states, and as observers for matters purely internal to the EU.
Act No. 90/2018 on Data Protection and the Processing of Personal Data
The Icelandic Parliament (Althingi) enacted Act No. 90/2018 on 27 June 2018. The Act entered into force on 15 July 2018, replacing Act No. 77/2000 on the Protection of Privacy as Regards the Processing of Personal Data.
Act 90/2018 serves two distinct functions. First, it formally transposes and domesticates the GDPR as required by the EEA Agreement; the GDPR does not apply as binding domestic law in Iceland without a national implementing act. Second, the Act exercises the national derogations and specifications the GDPR explicitly permits, including the establishment and powers of the supervisory authority, the digital age of consent, derogations for public interest processing, and criminal penalties for deliberate violations.
The Act applies to automated processing and to manual processing where data forms part of a filing system. It covers both public and private sectors. Separate provisions within the Act address law enforcement processing, transposing the EU Law Enforcement Directive (2016/680/EU).
Key Provisions of Act No. 90/2018
Legal Bases for Processing
Act 90/2018 mirrors the six lawful bases in Article 6 of the GDPR: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. The Act provides national context for certain bases, particularly processing by public authorities. Iceland's tradition of public access to government information under the Information Act (Upplýsingalög, Act No. 140/2012) creates a practical tension with data protection that Persónuvernd has addressed through published guidance.
For special category data, Article 9 GDPR conditions apply. This includes health data, genetic and biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and criminal conviction data. Iceland's national health system and extensive biobanks make these rules particularly relevant in the Icelandic context.
The Age of Digital Consent: 13
Article 8 of the GDPR allows EEA states to set the age of digital consent between 13 and 16. Iceland chose 13, the minimum permitted threshold. Article 10(5) of Act No. 90/2018 provides that children aged 13 and over may give valid consent for information society services. For children under 13, a parent or legal guardian must provide or authorise consent. Iceland set this threshold reflecting high rates of youth digital literacy and technology engagement.
Children's Data: Nordic Coordination
In May 2024, the Nordic Data Protection Authorities met in Oslo and adopted joint principles on children and online gaming. Persónuvernd participated alongside the data protection authorities of Denmark, the Faroe Islands, Finland, Norway, Sweden, and Åland. The joint principles address lawfulness of processing, safeguards in game design, and parental consent in gaming environments, reflecting Iceland's active participation in regional enforcement coordination beyond its formal EDPB observer role.
Genetic Data and Biobanks
Iceland has a globally significant framework for genetic research. Act No. 110/2000 on Biobanks governs the collection and use of biological samples and associated data. This statute interacts with Act 90/2018 to impose additional conditions on genetic data processing. Iceland's small population and extensive genetic databases mean that genetic data carries particular re-identification risk; Persónuvernd has issued guidance on pseudonymisation and anonymisation in research contexts, noting that population homogeneity makes true anonymisation more difficult than in larger, more diverse countries.
Electronic Communications and Cookies
The Electronic Communications Act No. 70/2022 entered into force on 1 September 2022, implementing Directive (EU) 2018/1972 (the European Electronic Communications Code). Under this Act, processing of electronic communications data is prohibited, including storage, listening, recording, or interception, unless the user provides informed consent or law expressly authorises it.
For cookies, Iceland treats them as falling within the definition of terminal equipment in the Electronic Communications Act. Consent is required for all non-essential cookies. Where cookie use involves processing of IP addresses or other personal data, Act 90/2018 and the GDPR apply in parallel. Legitimate interests does not serve as a legal basis for cookie consent under this framework.
Electronic Surveillance and Workplace Monitoring
Rules No. 50/2023 on Electronic Surveillance, issued by Persónuvernd under Article 14(5) of Act 90/2018, govern CCTV cameras, GPS tracking, remote monitoring equipment, and similar technologies in public spaces, workplaces, and schools.
Key requirements under Rules No. 50/2023 include:
- Transparency: employers must inform employees of all monitoring, its purpose, who has access, and retention periods before monitoring begins.
- Covert surveillance is prohibited in employment contexts, absent legal authority or a court order.
- Data retention: footage must be deleted after 30 days unless a specific documented reason justifies longer retention.
- Employee consent is presumptively invalid as a legal basis for workplace monitoring because the power imbalance between employer and employee means such consent cannot be considered freely given in most workplace contexts.
Persónuvernd: Iceland's Data Protection Authority
Structure and Independence
Persónuvernd (literally "personal protection") is Iceland's independent supervisory authority for data protection, established under Act No. 90/2018. The authority is headquartered at Laugavegur 166, 105 Reykjavík. It is led by a board of three members appointed by the Minister of Justice for renewable terms. The board operates independently; the government may not instruct Persónuvernd in individual cases.
Persónuvernd participates in the European Data Protection Board as an observer for purely intra-EU matters, and as a full participant for matters affecting Iceland, Liechtenstein, or Norway. The authority cooperates with other EEA data protection authorities through the EDPB's consistency mechanism and mutual assistance procedures.
Investigative and Corrective Powers
Persónuvernd holds the full suite of powers in Articles 57 and 58 of the GDPR. These include:
- Conducting audits and investigations, whether complaint-triggered or on the authority's own initiative.
- Accessing premises and requiring controllers and processors to provide information.
- Issuing warnings, reprimands, and orders to comply with data subject requests.
- Imposing temporary or permanent processing bans.
- Ordering the suspension of cross-border data flows.
- Imposing administrative fines.
- Issuing prior consultation opinions on Data Protection Impact Assessments.
The authority also exercises advisory functions, consulting on proposed legislation and issuing guidance on codes of conduct.
2024 Caseload and Nordic Cooperation
Persónuvernd's 2024 annual report recorded 1,924 completed cases, a substantial volume for a supervisory authority serving a population of approximately 380,000. The authority highlighted expanded cooperation with Nordic DPAs on complaint handling, children's data protection, and the development of coherent administrative fine practices across the Nordic countries. This regional coordination reflects a deliberate strategy to harmonise enforcement priorities and reduce inconsistency across the Nordic EEA countries.
Penalties and Enforcement
Administrative Fine Framework
Act 90/2018 establishes a two-tier fine structure aligned with GDPR Article 83:
Lower tier (Article 83(4) violations): Fines from ISK 100,000 to ISK 1.2 billion, or up to 2% of global annual turnover, whichever is higher. This tier covers violations of controller and processor obligations, including security requirements, breach notification failures, DPO appointment failures, and record-keeping breaches.
Upper tier (Article 83(5) violations): Fines from ISK 100,000 to ISK 2.4 billion (approximately EUR 15.85 million), or up to 4% of global annual turnover, whichever is higher. This tier covers violations of core processing principles, data subject rights, transfer restrictions, and processing without a valid legal basis.
Daily fines: Persónuvernd may impose daily compulsion fines of up to ISK 200,000 (approximately EUR 1,320) per day to compel compliance with its orders.
Criminal penalties: Act 90/2018 provides criminal sanctions for the most serious violations. Intentional unlawful processing and deliberate obstruction of Persónuvernd investigations carry fines and imprisonment of up to three years. Breach of confidentiality obligations by DPOs carries fines or imprisonment of up to three years.
Notable Enforcement Actions
2025: Capital Area Primary Health Care Centre (ISK 5,000,000)
In 2025, Persónuvernd fined Heilsugæsla höfuðborgarsvæðisins (the Capital Area Primary Health Care centre, which operates 15 health centres in the Reykjavík area) ISK 5,000,000 (approximately EUR 33,854). The authority found the controller had entered into record-sharing agreements with eleven parties, including the Icelandic Football Association and the Transport Authority, without obtaining the required ministerial authorisation and Persónuvernd security confirmation under Article 20(2) of Act No. 55/2009 on Medical Records. The joint system gave access to records of approximately 450,000 individuals. Persónuvernd found violations of GDPR Articles 5(1)(a), 6(1), and 9(1), noting that the obligation was clearly stipulated in law and that health data as a special category warranted elevated sanction weight.
2023: Office of the National Medical Examiner / Heilsuvera (ISK 12,000,000)
In July 2023, Persónuvernd fined the Office of the National Medical Examiner ISK 12,000,000 (approximately EUR 82,000) following a security breach on Heilsuvera, Iceland's online healthcare and prescription portal. A security vulnerability allowed unauthorised access to patient data. The authority found violations of GDPR Articles 5(1)(f) and 32, concluding that adequate technical and organisational measures had not been implemented and that privacy by design and by default requirements had not been met.
2024: Google Workspace for Education (Multiple Municipalities)
Following the EDPB's 2022 Coordinated Enforcement Action on cloud use in the public sector, Persónuvernd investigated Google Workspace for Education across Iceland's five largest municipalities. In 2024, fines were issued to multiple municipalities for student data being processed for Google's own purposes beyond the stated educational purpose. The municipality of Reykjavík was fined ISK 2,000,000 (approximately EUR 13,270); Kópavogur was fined approximately EUR 19,907; Hafnarfjörður was fined approximately EUR 18,580; Reykjanesbær was fined approximately EUR 16,590; and Garðabær was fined approximately EUR 16,590. These decisions illustrate the compliance risk in using commercial cloud providers for processing children's data in public sector contexts without adequate contractual controls on secondary processing.
2022: City of Reykjavík / Seesaw Educational System (ISK 5,000,000)
In May 2022, Persónuvernd fined the City of Reykjavík ISK 5,000,000 (approximately EUR 35,840) for GDPR violations related to the Seesaw educational platform. Children's personal data had been processed without a lawful basis, and the municipality had failed to comply with its controller obligations, including ensuring adequate data processing agreements.
2020: National Center of Addiction Medicine (ISK 3,000,000)
In March 2020, Persónuvernd fined the National Center of Addiction Medicine ISK 3,000,000 (approximately EUR 20,643) after a former employee received boxes that contained health records of 252 former patients and names of approximately 3,000 individuals who had attended alcohol rehabilitation. The authority found failures in data protection policies and security measures under GDPR Articles 5(1)(f) and 32.
Data Subject Rights
Individuals in Iceland hold the full set of data subject rights under GDPR Chapter III, enforceable through complaints to Persónuvernd or the Icelandic courts.
Right of access (Article 15): Data subjects may request confirmation of whether their data is processed, a copy of the data, and information about processing purposes, recipients, retention periods, and data sources. Controllers must respond within one month, extendable by two further months for complex requests.
Right to rectification (Article 16): Inaccurate data must be corrected without undue delay. Incomplete data may be supplemented by the data subject providing additional information.
Right to erasure (Article 17): Data subjects may request deletion where the data is no longer necessary for its original purpose, where consent is withdrawn, or where processing was unlawful. Erasure may be refused where retention is required for a legal obligation, public interest archiving, scientific research, or legal claims.
Right to restriction (Article 18): Processing may be restricted while accuracy is contested, while a controller determines whether legitimate grounds override an objection, or where the data subject requires data for legal claims rather than erasure.
Right to data portability (Article 20): Where processing is consent-based or contract-based and is automated, data subjects may receive their data in a structured, commonly used, machine-readable format and transmit it directly to another controller.
Right to object (Article 21): Data subjects have an absolute right to object to direct marketing processing. For processing based on public interest or legitimate interests, they may object and the controller must cease unless it demonstrates compelling legitimate grounds. Iceland's strong information access tradition means public-sector controllers routinely receive objections from individuals whose data appears in administrative records.
Rights related to automated decisions (Article 22): Data subjects may not be subjected solely to automated decisions with significant legal or similarly significant effects, unless the decision is necessary for a contract, authorised by law with appropriate safeguards, or based on explicit consent. Where such decisions occur, individuals have the right to human review, to express their point of view, and to contest the outcome.
Breach Notification Requirements
Notification to Persónuvernd
When a personal data breach occurs, the controller must notify Persónuvernd without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Where notification is delayed beyond 72 hours, the controller must provide documented reasons for the delay.
Notification is not required where the breach is unlikely to result in any risk to the rights and freedoms of natural persons. This exemption is narrow; Persónuvernd expects controllers to document their risk assessment in the internal breach register required by GDPR Article 33(5) regardless of whether formal notification is triggered.
The notification must cover the categories and approximate number of individuals affected, the approximate number of records involved, the name and contact details of the DPO or other contact point, the likely consequences of the breach, and the measures taken or proposed to mitigate harm.
Notification to Affected Individuals
Where a breach is likely to result in a high risk to individuals' rights and freedoms, the controller must communicate the breach directly to affected individuals without undue delay. High-risk indicators include exposure of health data, financial data, or data enabling identity theft, fraud, or physical harm.
Processor Obligations
Processors must notify the responsible controller immediately upon discovering a breach. The 72-hour clock for notifying Persónuvernd runs from the moment the controller becomes aware. Contracts between controllers and processors must specify breach notification procedures and escalation paths.
Data Protection Officer Requirements
Act 90/2018 implements GDPR Article 37's DPO requirements without significant national expansion. A DPO must be appointed in three circumstances:
- The controller or processor is a public authority or body (other than courts acting in their judicial capacity).
- The core activities of the controller or processor consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale.
- The core activities consist of large-scale processing of special category data or data relating to criminal convictions and offences.
Iceland did not extend mandatory DPO requirements beyond these GDPR Article 37 categories, though Persónuvernd encourages voluntary appointments for organisations with significant processing activities.
DPO requirements include:
- Appointment based on professional qualities and expert knowledge of data protection law and practices.
- Adequate resources, access to data, and access to processing operations necessary to perform tasks.
- Direct reporting line to the highest level of management.
- Operational independence; no instructions in performance of DPO tasks.
- Confidentiality obligations under Act No. 37/1993 on Administrative Procedures apply to DPOs.
- No conflict of interest; a DPO may not hold other positions within the organisation that create a conflict with data protection responsibilities.
DPOs may be employed or contracted externally. Their contact details must be published and communicated to Persónuvernd.
Cross-Border Data Transfers
Free Flow Within the EEA
As an EEA member, Iceland is part of the EU/EEA internal market for personal data. Data may flow between Iceland and all 27 EU Member States and between Iceland and Norway and Liechtenstein without any additional transfer mechanism under GDPR Chapter V. This is a significant practical benefit for multinational organisations: data processed about Icelandic individuals in Germany, the Netherlands, or Ireland faces no Chapter V restrictions.
Transfers Outside the EEA
Transfers to countries outside the EEA require one of the mechanisms in GDPR Chapter V:
- Adequacy decisions: Iceland recognises the same adequacy decisions as EU Member States, implemented through Article 16 of Act 90/2018 and Advertisement No. 1155/2022. Countries with current adequacy decisions include Japan, South Korea, the United Kingdom, Canada (commercial organisations under PIPEDA), Argentina, Israel, Switzerland, New Zealand, and countries covered by the EU-U.S. Data Privacy Framework.
- Standard contractual clauses: The European Commission's 2021 SCCs are the most common mechanism for transfers to non-adequate countries.
- Binding corporate rules: Available for intra-group transfers; must be approved by the competent supervisory authority.
- Article 49 derogations: Available for transfers on the basis of explicit consent, contract performance, important public interest, legal claims, vital interests, or data from public registers, subject to specific conditions.
Practical Considerations for Small Jurisdictions
Many services used daily in Iceland are provided by international companies headquartered outside the EEA. Persónuvernd has published guidance on international cloud platforms and social media services, emphasising that controllers remain responsible for GDPR compliance even when using processors established outside the EEA. Controllers cannot contract away their Chapter V obligations.
The EU AI Act and Iceland
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. For EU Member States, the Act applies progressively: prohibited AI practices became enforceable from 2 February 2025, rules for general purpose AI models from 2 August 2025, and most remaining provisions from 2 August 2026.
For Iceland, the position is different. As an EEA EFTA state, Iceland is not automatically bound by new EU regulations. The EEA Joint Committee must adopt a Joint Committee Decision incorporating the AI Act into the EEA Agreement, following the same process used for the GDPR in 2018. As of mid-2026, no such Decision had been adopted. Iceland, Norway, and Liechtenstein participate in EU AI Board meetings as observers and engage in the incorporation process, but the formal EEA Decision remained pending.
The practical consequence is that the EU AI Act did not apply as binding domestic law in Iceland as of mid-2026. However, Icelandic organisations placing AI systems on the EU market, or deploying AI systems that affect individuals in EU Member States, remain subject to the AI Act for those EU-connected operations regardless of where the provider is established.
Persónuvernd has noted publicly that high-risk AI systems involving biometric identification, workplace monitoring, and automated decision-making with significant effects on individuals are likely to engage both existing GDPR obligations and future AI Act requirements once incorporated. The authority has begun preliminary analysis of AI governance issues in its published guidance materials.
Compliance Considerations for Organisations

Organisations processing the personal data of individuals in Iceland, or operating in Iceland, should address the following practical compliance areas:
Records of processing activities: Article 30 requires controllers and processors to maintain written records of processing activities. Organisations with fewer than 250 employees are exempt only where their processing is occasional, unlikely to result in a risk to individuals, and does not involve special category or criminal conviction data. Records must be made available to Persónuvernd on request.
Privacy notices: GDPR Articles 13 and 14 require comprehensive transparency information at the point of collection (Article 13) or within a reasonable time for data collected indirectly (Article 14). Notices must cover legal basis, purpose, retention periods, international transfers, and data subject rights. Notices directed at Icelandic consumers should be available in Icelandic.
Data Protection Impact Assessments: Article 35 requires DPIAs for processing likely to result in high risk to individuals. Persónuvernd maintains a list of processing types requiring mandatory DPIAs. High-risk types include large-scale processing of health or genetic data, systematic monitoring of publicly accessible areas, and processing using new technologies with uncertain risk profiles.
Small population anonymisation challenge: Iceland's population of approximately 380,000 means that demographic combinations of age, gender, postal area, and occupation can readily identify individuals in small communities. Organisations should apply higher anonymisation thresholds than they would in larger markets and document their anonymisation assessments carefully.
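The re-identification point above can be checked mechanically before a dataset is released. The following Python is an added example, not code from the article or from Persónuvernd: it measures k-anonymity (the size of the smallest group of records sharing the same quasi-identifier values) over a constructed sample of records, then generalises age, postal code and occupation and suppresses any record that is still unique. The records, the occupation-to-sector mapping and the postal-code prefixes are assumptions made up for the illustration; only the method (equivalence classes over quasi-identifiers, generalisation, suppression) is general.

```python
from collections import Counter

# Constructed sample records for illustration only; they describe no real individuals.
RECORDS = [
    {"age": 34, "gender": "F", "postcode": "101", "occupation": "nurse"},
    {"age": 36, "gender": "F", "postcode": "101", "occupation": "nurse"},
    {"age": 35, "gender": "F", "postcode": "105", "occupation": "nurse"},
    {"age": 52, "gender": "M", "postcode": "101", "occupation": "teacher"},
    {"age": 58, "gender": "M", "postcode": "107", "occupation": "teacher"},
    {"age": 41, "gender": "M", "postcode": "800", "occupation": "harbour pilot"},
    {"age": 29, "gender": "F", "postcode": "400", "occupation": "geologist"},
    {"age": 31, "gender": "F", "postcode": "400", "occupation": "teacher"},
]

# The quasi-identifiers named in the article: age, gender, postal area, occupation.
QUASI_IDENTIFIERS = ("age", "gender", "postcode", "occupation")

# Hypothetical coarse occupation sectors used for generalisation (an assumption, not a legal taxonomy).
OCCUPATION_SECTOR = {
    "nurse": "healthcare",
    "teacher": "education",
    "harbour pilot": "maritime",
    "geologist": "science",
}


def _key(record, keys):
    """The tuple of quasi-identifier values that an attacker could link on."""
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_key(r, keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class; k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_records(records, keys=QUASI_IDENTIFIERS):
    """Records that no other record matches on the quasi-identifiers (directly re-identifiable)."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[_key(r, keys)] == 1]


def generalise(record, age_band=10, postcode_digits=1):
    """Coarsen quasi-identifiers: age to a band, postcode to a region prefix, occupation to a sector."""
    g = dict(record)
    g["age"] = (record["age"] // age_band) * age_band
    g["postcode"] = record["postcode"][:postcode_digits]
    g["occupation"] = OCCUPATION_SECTOR.get(record["occupation"], "other")
    return g


def anonymise(records, keys=QUASI_IDENTIFIERS, k=2):
    """Generalise, then suppress any record whose class is still smaller than k.

    Returns (released_records, number_suppressed). Suppression is what makes the
    released set actually satisfy k; generalisation alone may leave unique records.
    """
    generalised = [generalise(r) for r in records]
    classes = equivalence_classes(generalised, keys)
    released = [r for r in generalised if classes[_key(r, keys)] >= k]
    return released, len(generalised) - len(released)


if __name__ == "__main__":
    print("raw k-anonymity:", k_anonymity(RECORDS))
    print("unique raw records:", len(unique_records(RECORDS)))
    released, suppressed = anonymise(RECORDS, k=2)
    print("released:", len(released), "suppressed:", suppressed,
          "k after release:", k_anonymity(released))
```

On the sample, every raw record is unique on the four quasi-identifiers (k = 1), and even after generalisation three records remain unique and must be suppressed to reach k = 2. The suppression count is the figure worth recording in the anonymisation assessment the article recommends: a high suppression rate is the signal that the population is too small for the chosen level of detail.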
Language: Persónuvernd publishes guidance in both Icelandic and English. Privacy notices directed at Icelandic-speaking consumers should be available in Icelandic.
Related Laws and Connected Topics
Iceland's data protection regime intersects with several other legal frameworks of relevance to organisations operating in the country:
Act No. 55/2009 on Medical Records: Governs the creation, content, storage, and access to medical records. Article 20(2) requires ministerial authorisation and a Persónuvernd security opinion before medical record systems may be integrated or shared with additional parties. The 2025 Capital Area Primary Health Care fine arose from non-compliance with this specific provision.
Act No. 110/2000 on Biobanks: Regulates the collection, registration, storage, and use of biological samples and genetic information for research and healthcare.
Act No. 140/2012 on Information (Freedom of Information): Governs public access to government information. Public-sector controllers must balance this Act against data protection obligations when responding to information access requests.
Act No. 77/2019 on Cybersecurity: Transposes the NIS Directive (2016/1148) into Icelandic law and imposes incident reporting obligations on operators of essential services and digital service providers.
Electronic Communications Act No. 70/2022: Governs electronic communications services, including cookie consent, location data processing, and the prohibition on intercepting communications content.
For Icelandic recording law, see Iceland Recording Laws.
This article provides general legal information about Iceland's data protection framework as of May 2026. It does not constitute legal advice. Iceland's data protection laws are subject to change, and Persónuvernd guidance evolves with enforcement experience. Organisations and individuals should consult a lawyer qualified in Icelandic law for advice specific to their situation.
Frequently Asked Questions
Does the GDPR apply in Iceland?
Yes. Iceland applies the GDPR through the EEA Agreement. The EEA Joint Committee incorporated the GDPR into the EEA Agreement by Decision No. 154/2018, adopted on 6 July 2018, and the regulation entered into force in Iceland on 20 July 2018. Act No. 90/2018 simultaneously implemented the GDPR in domestic law. The regulation applies in Iceland with the same substantive effect as in EU Member States.
What is Persónuvernd and what powers does it have?
Persónuvernd is Iceland's independent data protection supervisory authority, established under Act No. 90/2018. It investigates complaints, conducts audits, issues binding orders, and imposes administrative fines of up to ISK 2.4 billion or 4% of global annual turnover for serious violations. It also imposes daily compulsion fines to enforce compliance with its orders and can refer serious cases for criminal prosecution, where imprisonment of up to three years is possible.
What fines can Iceland's data protection authority impose?
For serious violations of core GDPR principles, data subject rights, and transfer restrictions (Article 83(5)), Persónuvernd can impose fines from ISK 100,000 to ISK 2.4 billion, or 4% of global annual turnover, whichever is higher. For lesser violations of controller and processor obligations (Article 83(4)), fines range from ISK 100,000 to ISK 1.2 billion, or 2% of turnover. Daily fines of up to ISK 200,000 may also be imposed for non-compliance with authority orders.
Can personal data flow freely between Iceland and EU countries?
Yes. As an EEA member, Iceland is part of the EU/EEA free data flow zone. Personal data may be transferred between Iceland and all 27 EU Member States, and between Iceland and Norway and Liechtenstein, without any additional transfer mechanism under GDPR Chapter V. Transfers to countries outside the EEA require adequacy decisions, standard contractual clauses, binding corporate rules, or an Article 49 derogation.
When must a data breach be reported to Persónuvernd?
Controllers must notify Persónuvernd of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Notification is not required only where the breach is unlikely to result in any risk to individuals' rights and freedoms. Where notification is delayed beyond 72 hours, the controller must explain the reasons. High-risk breaches must also be communicated directly to affected individuals.
What is Iceland's age of digital consent?
Iceland set the age of digital consent at 13, the minimum permitted under GDPR Article 8. Article 10(5) of Act No. 90/2018 provides that children aged 13 and over may give valid consent for information society services. For children under 13, a parent or legal guardian must provide or authorise consent.
Does Iceland have to apply the EU AI Act?
Not yet as of mid-2026. The EU AI Act entered into force on 1 August 2024 for EU Member States, but it has not been incorporated into the EEA Agreement by a Joint Committee Decision. Iceland, Norway, and Liechtenstein participate in EU AI Board meetings as observers. Until a formal EEA Joint Committee Decision is adopted, the AI Act does not apply as binding domestic law in Iceland. Icelandic organisations deploying AI systems on the EU market remain subject to the AI Act for their EU-connected operations.
Who needs to appoint a Data Protection Officer in Iceland?
Under Act No. 90/2018, a DPO is mandatory for: (1) all public authorities and bodies, (2) controllers and processors whose core activities require regular and systematic monitoring of data subjects on a large scale, and (3) controllers and processors whose core activities consist of large-scale processing of special category data or criminal conviction data. Iceland did not extend mandatory DPO requirements beyond these GDPR Article 37 categories.
Sources and References
- GDPR Incorporated into EEA Agreement, EFTA (efta.int)
- Scope of the Data Protection Act, Ísland.is (island.is)
- Icelandic SA Fine: Primary Health Care Capital Area 2025, EDPB (edpb.europa.eu)
- Reykjavik Municipality Fined for Google Workspace for Education, EDPB (edpb.europa.eu)
- Reykjavik Municipality Fined for Seesaw Educational System, EDPB (edpb.europa.eu)
- Nordic DPA Cooperation 2024, Datatilsynet (datatilsynet.no)
- Iceland Data Protection Laws, DLA Piper (dlapiperdataprotection.com)
- Iceland Key Data and Cybersecurity Laws, Baker McKenzie (resourcehub.bakermckenzie.com)
- Act No. 90/2018 on Data Protection, WIPO Lex (wipo.int)
- Kópavogur Municipality Fined for Google Workspace for Education 2024, EDPB (edpb.europa.eu)
- GDPR Guide to National Implementation: Iceland, White & Case (whitecase.com)
- Iceland Breach Notification, DLA Piper Data Protection Laws of the World (dlapiperdataprotection.com)