NORWAY Law and Practice Contributed by: Kari Gimmingsrud, Stian Hultin Oddbjørnsen and Andreas Bernt, Haavind
data centre services. Notification must be sent without undue delay. Processing of Personal Data All processing of personal data is subject to the Norwegian Personal Data Act and the GDPR, which requires the data controller to have a legal basis for the processing of personal data, includ - ing the transfer of the data to the service pro - vider, and for any transfer of data to countries outside the EU/EEA. If the service provider pro - cesses personal data on behalf of the customer, a data processing agreement will be mandatory, pursuant to Article 28 of the GDPR. Article 32 of the GDPR requires the controller and the data processor to ensure the safety and integrity of the data processed through technical and organisational security measures. Appropri - ate measures may be encryption and the ability to restore the availability and access to personal data, as well as internal processes for regularly testing, assessing and evaluating the effective - ness of the measures. The requirements under Chapter 5 of the GDPR govern the transfer of personal data to third countries and are therefore relevant for cloud computing. The transfer of personal data to third countries requires a transfer mechanism, and the level of protection of the data must meet EU standards. Bookkeeping Act As a main rule, accounting documents shall be stored in Norway. However, since 27 January 2025, accounting documents can be stored in EEA countries, the UK and Switzerland if the organisation informs the Norwegian Tax Admin - istration in writing. This includes information regarding what accounting material is stored abroad, where the accounting material is stored,
and how the control authorities can gain access to the accounting material at any time. The accounting material must be available in readable form and must be able to be printed on paper from a terminal or similar in Norway throughout the storage period. The Financial Sector The Norwegian Regulation regarding the use of information communication technology (ICT) in the finance sector will also affect the use of cloud computing services in this business seg - ment. It sets out the requirements for ICT sys - tems used in the financial sector, and businesses will have to carry out risk assessments, ensure the Financial Supervisory Authority's right of inspection also applies to the provider, and assess whether outsourcing in general, or cloud computing services, meets the Regulation's requirements related to the systems’ quality and business continuity. The Norwegian Regulation was last updated in 2022, largely implementing guidelines from European authorities (the Euro - pean Banking Authority, the European Insur - ance and Occupational Pensions Authority and the European Securities and Markets Authority). Furthermore, the Digital Operational Resilience Act (DORA), which specifically aims to enhance cybersecurity within the financial sector, will also most likely be implemented in Norway. National Security The Security Act applies to all public bodies, and to companies involved in classified pro - curements or companies that for other reasons are subject to the Act’s requirements following a decision by the relevant ministry. The Act gener - ally allows for the use of cloud services for busi - nesses that are subject to the Act, but the use of cloud and edge services for information that could relate to national security interests needs
344 CHAMBERS.COM
Powered by FlippingBook