GDPR Related National Laws & Modifications
The European Union’s General Data Protection Regulation (GDPR) sets a common standard for protecting personal data across the EU. It also allows member nations some flexibility to create additional provisions and limitations. Some examples, which may impact HR teams, include the ability for EU member states to:
- provide “specific rules to ensure the protection of…employees’ personal data in the employment context” (Art. 88);
- limit the transfer of “specific categories of personal data to a third country or international organization” if the country (or international organization) is deemed not to have adequate protections in place (Art. 49, (5)); and,
- “determine the specific conditions for the processing of a national identification number or any other identifier of general application” (Art. 87).
Derogations in Norway
Norway implemented the GDPR through the Law on the processing of personal data (Personal Data Act, 2018). Under this law, employees’ personal information may be processed when necessary to meet labor law requirements and the rights of employees.
One aspect of the Personal Data Act which may impact Norway employers is the additional limitations on processing unique identifiers, including birth IDs. Employers (and others who manage data) can only use birth IDs to identify individual employees when there is a need for secure identification and the method used by employers is necessary to achieve such identification.