Privacy in Norway means that you have the right to a private life and the right to decide over information that can be linked to you. That protection applies when the state processes data about you, and also when private companies, schools, banks, apps, and social media services do it. In a digital society, much of everyday life lives inside registers, logs, and traces. Privacy is therefore not just a legal term; it is a practical framework for how you are treated as a person.

What personal data is

Personal data is any information that can be linked to you directly or indirectly. It may be a name, address, phone number, email, national identity number, IP address, photos, audio, purchase history, location data, login logs, or a pattern in how you use an app. Assessments, profiles, and recommendations can also be personal data if they point back to you.

Some data has extra protection. Health information, genetic data, religious belief, political opinion, trade union membership, sexual orientation, and biometric traits used for identification are special categories. Such data cannot be processed freely. There must always be a clear legal basis, a defined purpose, and a real assessment of whether the processing is necessary.

It is also important to separate anonymised from pseudonymised data. Anonymised data should not be traceable back to a person. Pseudonymised data is only hidden behind codes or technical keys, but it can still be personal data because someone may be able to connect it back to you.

Which rules apply in Norway

The right to private life is rooted in Article 8 of the European Convention on Human Rights and in Section 102 of the Norwegian Constitution. In practice, this means that you are entitled to a private sphere where you can live, think, believe, speak, and choose without unnecessary interference. The state may only interfere if there is a legal basis, a legitimate aim, and a proportionate reason.

The Norwegian Personal Data Act of 2018 implements the GDPR in Norway. The rules apply when a business, municipality, school, employer, app, or website processes personal data. The Norwegian Data Protection Authority supervises the system and gives guidance. You therefore have more than an abstract right: you have concrete rights you can use in practice.

The most important rights are access, rectification, erasure, restriction, objection, and data portability. You can also ask where the data came from, who it has been shared with, and in many cases why it was collected. If someone processes your data incorrectly, you can ask them to correct it. If they do not follow the rules, you can complain to the Data Protection Authority.

Personal data in public registers

Many people think that “public register” means everything is freely available to anyone. That is not how it works. Public registers can contain personal data, but access is often divided into levels. Some information is open, some requires a justified need, and some is protected because it is confidential or especially sensitive.

The National Population Register is the clearest example. The Norwegian Tax Administration describes it as a public register over all people in Norway who have been assigned a national identity number or D-number. The register may contain names, addresses, date of birth, place of birth, citizenship, marital status, family information, and status. But that does not mean anyone can simply fetch everything. Identity numbers are only released when there is a justified need, and protected addresses and other shielded information have extra safeguards.

The D-number matters especially for people who are not permanently resident in Norway. A D-number can become inactive after a period, but it is not deleted just because it is inactive. The point is the same here: identity information is useful for public administration, but it is still personal data and must be handled carefully.

The Central Coordinating Register for Legal Entities and the Register of Business Enterprises is another place where personal data appears in public. The Brønnøysund Register Centre uses that information to keep track of companies and roles. Open APIs can show organisation numbers, names, addresses, and role information. For role holders, names and dates of birth may be included. That makes it possible to see who formally stands behind a company or association, but open data is still not the same as unrestricted use.

The Cadastre and the Land Register are important for property. The Norwegian Mapping Authority describes the Cadastre as the official register of Norwegian properties, with public information about boundaries, buildings, addresses, and ownership. As an owner or tenant, you can log in and view information about your own property. In some contexts, personal data from the Cadastre can be disclosed when the recipient has a right to receive it. Again, a register may be public in principle, yet still have clear limits on what can be shown, searched, and reused.

Public document journals and access tools, such as eInnsyn, can also reveal personal data. That may include names, roles, case numbers, dates, senders, recipients, or subject fields. At the same time, sensitive information must be redacted or withheld. Journals are important for transparency in public administration, but they are not a licence to publish everything about everyone.

Statistics and research are another key area. Statistics Norway and other public bodies often receive personal data so they can produce statistics, plan services, and follow developments in society. But when the data is published, it is normally aggregated or anonymised. There is a difference between using personal data for public administration and putting identifiable information in front of the general public.

What public does not mean

The key principle is this: the fact that information appears in a public register does not automatically mean it can be used for anything. The privacy rules always ask whether the purpose is lawful, whether the use is necessary, and whether the processing is proportionate. Information can be publicly available in one lawful context and still be improper to collect, store, or combine in another.

Even small details can become sensitive once they are combined. An address may be harmless on its own, but risky if it is used for harassment. A name may seem ordinary, but reveal more when linked with health data, court records, finances, or family relations. So “it is on the internet” is a weak argument. What matters is why the information is there, who can access it, and what it is used for.

What you can demand

You can demand access to the data a business or public body processes about you. You can demand correction if something is wrong. In some situations you can demand erasure, for example if the data is no longer needed for the purpose. You may also ask for restriction, object to certain uses, and request data portability when the conditions are met.

If you are unsure what is registered, start with the body that owns the register. At the Tax Administration you can see or order information from the National Population Register. At Brønnøysund you can check company data and roles. At the Mapping Authority you can review property data. If you think something is wrong, the register owner is usually the first place to contact.

If the matter is not resolved, you can complain to the Data Protection Authority. This is especially important when a company publishes data, combines datasets, or stores more than necessary. You are strongest when you can show exactly what is wrong, which register it concerns, and what you want them to do.

How to protect yourself in practice

The best privacy protection is usually not one big measure. It is the sum of many small choices. Share as little as possible, grant only necessary permissions, and always ask why an actor needs your data. Update your phone, browser, and apps. Use strong passwords and multi-factor authentication. Be careful with screenshots and forwarded documents that contain names, addresses, numbers, or dates of birth.

For children, older people, and people with protected information, caution matters even more. A photo, a school message, a change-of-address notice, or a screenshot can seem harmless but have very different consequences once it is spread further. Privacy is therefore not about hiding everything. It is about keeping control over what is shared, with whom, and for what purpose.

In short: in Norway, privacy is both a human right and a practical everyday issue. Public registers have an important function, but they do not remove the need for respect, confidentiality, purpose limitation, and control over your own data.