Datatilsynet is Norway's personal data protection authority, and GDPR (the Personal Data Act) gives you concrete rights: access to all personal information stored about you, correction of errors, and deletion of data that is no longer necessary. This guide shows you how to exercise these rights in 2026 — against both public and private actors.
Legal basis: GDPR and the Personal Data Act
Norway is bound by the EU's General Data Protection Regulation (GDPR) through the EEA Agreement and has implemented it nationally through the Personal Data Act (2018). The law came into force on 20 July 2018 — at the same time as GDPR became enforceable in the EU.
Key provisions in GDPR
- Art. 15 — right of access
- Art. 16 — right to rectification
- Art. 17 — right to erasure ("right to be forgotten")
- Art. 18 — right to restrict processing
- Art. 20 — right to data portability
- Art. 21 — right to object
- Art. 77 — right to lodge a complaint with the authority
Datatilsynet's role
Datatilsynet (datatilsynet.no) is the Norwegian supervisory authority under art. 51 GDPR:
- Supervises that organizations comply with the law
- Handles complaints from individuals
- Can impose corrections, deletions, and fines (up to 4% of global revenue)
- Advises organizations and the public
Right of access (GDPR art. 15)
What the right of access covers
You have the right to know:
- Whether personal data about you is being processed (yes/no)
- The purpose of the processing
- The categories of personal data
- Recipients or categories of recipients
- The storage period or criteria for determining it
- Your rights (correction, deletion, objection, complaint)
- Source of the information if not collected directly from you
- Automated decision-making, including profiling
- Transfers to third countries (outside EU/EEA)
- A copy of the personal data being processed
How to request access
- Written request to the organization — email, letter, contact form
- Confirm your identity — BankID or copy of ID
- Wait for response within 30 days (can be extended to 90 days for complexity)
- Free first copy — subsequent copies may incur a reasonable fee
Template for access request
"Under GDPR art. 15, I request access to all personal data you process about me. Please include: purpose, categories, recipients, storage period and source. Send me a copy of the information within 30 days."
Right to rectification (GDPR art. 16)
If you discover inaccurate or incomplete personal data, you have the right to have it corrected.
Examples
- Incorrect name or date of birth
- Wrong address or phone number
- Incorrect income or credit information
- Outdated information about health or family relationships
Process
- Contact the organization with documentation of the correct information
- Request for correction shall be complied with without undue delay
- The organization must also notify third parties who have received the incorrect data
Right to erasure (GDPR art. 17)
"Right to be forgotten"
You can request erasure when:
- The purpose is fulfilled — the information is no longer necessary
- You withdraw consent
- You have objected to processing based on legitimate interest
- The processing is unlawful
- Erasure is required by law
- Child under 16 — protection of minors' data
Exceptions to the right to erasure
- Freedom of expression and information
- Legal obligation — accounting, tax (7 years after Accounting Act)
- Legal claim — ongoing legal proceedings
- Archiving, research or statistics
Datatilsynet's sectors and supervisory areas
Public sector
Datatilsynet supervises:
- NAV — [unemployment benefits, occupational rehabilitation benefit, disability pension]
- Norwegian Tax Administration — source tax PAYE
- Immigration Directorate (UDI) — immigration matters
- Police — criminal reports
- Municipal services — kindergarten, school, municipal housing
- Health enterprises — patient records
Private sector
- Banks and insurance companies
- Credit bureaus — Experian, Creditsafe, Bisnode (see payment defaults)
- Telecom operators — Telenor, Telia, Ice (see NRK licence and subscription)
- E-commerce and social media
- Employers
- Landlords and real estate agents
How to complain to Datatilsynet
Step 1: Contact the organization first
Datatilsynet normally requires that you first try to resolve the matter directly with the organization.
Step 2: File a written complaint
Visit datatilsynet.no and fill out the complaint form, or send a letter to:
Datatilsynet P.O. Box 458 Sentrum 0105 Oslo
Include:
- Your name and contact information
- Name of the organization
- Description of the case
- Documentation (email, letter, rejection)
- What you want Datatilsynet to do
Step 3: Processing time
- Simple cases: 1–3 months
- Complex cases: 6–12 months
- Decision sent via Digipost/eBoks
Step 4: Sanctions
Datatilsynet can impose:
- Warning — mild sanction
- Order to correct or delete
- Administrative fine — up to 20 million euro or 4% of global revenue
- Prohibition of processing
Special rights
Right to data portability (art. 20)
You can demand that your data be provided in structured, machine-readable format and transferred to another provider. Applies when processing is based on consent or contract.
Right to object (art. 21)
You can object to:
- Direct marketing — absolute right
- Legitimate interest processing — evaluated on a case-by-case basis
- Automated decision-making that has legal or significantly affecting consequences
Right to information (art. 13–14)
When data is collected, the organization must inform you about:
- Identity and contact information
- Purpose and legal basis
- Categories and recipients
- Storage period
- Your rights
- Complaint options
Special considerations for immigrants
Immigration Directorate (UDI) and residence matters
UDI processes large amounts of personal data. You can request:
- Access to your case — including notes, correspondence, rejections
- Correction of errors — particularly important for family immigration
- Access before appeal — use the access right strategically
Police registers
The police maintain several registers:
- Criminal register — access at politiet.no
- DNA register
- Entry and exit register
See report to police.
Norwegian Tax Administration and PAYE
The Tax Administration stores extensive data. Access can reveal errors in your tax card.
Language barriers
You have the right to information in a language you understand. Organizations are not required to translate responses, but must provide interpretation where reasonable.
Frequently asked questions
Can I get access to my own notes from my doctor?
Yes — patient record via helsenorge.no. See the Patients' and Users' Rights Act.
Do I get access to everything Facebook/Google has stored about me?
Yes — GDPR applies to all organizations processing data about EU/EEA citizens. Use "Download my data" or send a written access request.
What if the organization refuses?
Complain to Datatilsynet. For unjustified refusal, they can impose a fine.
Can my employer monitor me?
Only with a legal basis and after a proportionality assessment. Monitoring must be announced in writing before it occurs.
How long can data be stored?
No longer than necessary for the purpose. Different sectors have their own rules:
- Accounting/tax: 5–7 years
- Employment relationship: current period plus reasonable time
- Credit information: see payment defaults (4-year rule)
Can I get compensation for a breach?
Yes — art. 82 GDPR provides a right to compensation for both material and non-material damage (e.g., distress). Compensation amounts: 5,000 – 100,000 NOK in Norwegian cases.
Summary
GDPR and the Personal Data Act (2018) give you extensive rights against both public and private actors in Norway: access (art. 15), rectification (art. 16), erasure (art. 17), portability (art. 20) and objection (art. 21). Send a written request to the organization, which must respond within 30 days. If they don't comply: complain to Datatilsynet at datatilsynet.no or P.O. Box 458 Sentrum, 0105 Oslo. Datatilsynet can impose administrative fines up to 20 million euro or 4% of annual revenue. Particularly relevant for immigrants: access to UDI cases, police registers and PAYE tax. Compensation for breach under art. 82 GDPR — 5,000–100,000 NOK in Norwegian case law. See also payment defaults and Digipost/eBoks.




