Norway: Updated Guidance on Data Transfers Outside the EEA

Datatilsynet, the Norwegian data protection authority, has updated its guidance on transfer of personal data outside the EEA in relation to the GDPR following the CJEU's 'Schrems II' decision, which, while not binding on Norway, still has important implications for the interpretation of the GDPR. According to the updated guidance, companies transfering personal data outside the EEA can be subject to additional requirements of due diligence to ensure that data protection in the third country is practically equivalent to the level of protection within the EEA. If a third country does not provide sufficient protection, the company must implement additional measures of a technical, legal or organizational nature to ensure protection EEA-equivalent protection. If no such measures are possible, the transfer may no be made. Further, companies should regularly re-evaluate the situation of a third country for legal or other potentially relevant changes.