Contacts
LOGOS - Legal Services
Hjördís Halldórsdóttir
Áslaug Björgvinsdóttir
Tel: +(354) 5 400 300
www.logos.is
Supervisory Authority
National Legislation
Data Protection Act (Unofficial translation and not updated)
(Please note these links are provided for information only. Any translations may not be accurate and the text may not include amendments to that legislation).
Contributed by LOGOS - Legal Services
Last updated June 2026
General data protection laws
The General Data Protection Regulation (EU) (2016/679) (“GDPR”).
The EU is currently considering the Digital Omnibus (2025/0360 (COD)). This proposes a number of amendments to the GDPR including: (a) protection from abusive subject access requests; (b) extending the deadline to notify breaches to a supervisory authority to 96 hours and only applying that notification to high risk breaches; (c) codifying the “relative” approach to the concept of personal data; (d) ensuring a consistent approach to DPIAs; and (e) providing an express legal basis for the training of AI systems. However, some changes are controversial, and it is not clear if they will all be adopted.
The Icelandic Parliament passed Act 90/2018 on data protection and processing of personal data (“the Data Protection Act”) in July 2018 to implement the GDPR.
Entry into force
The GDPR has applied since 25 May 2018.
The Data Protection Act entered into force on 15 July 2018.
Details of the competent national supervisory authority
The Data Protection Authority will continue to act as the supervisory authority in Iceland.
The Data Protection Authority (the “Authority”)
Laugavegur 166
105 Reykjavík
Iceland
The Authority will represent Iceland on the European Data Protection Board.
Notification or registration scheme and timing
There is no obligation to notify regulators of any processing under the GDPR. However, controllers and processors must keep a record of their processing and make it available to their supervisory authority on request (subject to limited exemptions).
According to the Data Protection Act, the Authority can require that it be consulted regarding, and give prior authorisation to, processing for the performance of a task carried out in the public interest, in contexts where such processing poses a special risk to the rights and freedoms of data subjects.
The Authority has issued Rules no. 811/2019 which state that prior authorisation is required for the following types of processing: (i) combination of a file that contains sensitive personal data with another file, whether the latter file contains general or sensitive personal data; (ii) processing of personal data on criminal conduct or criminal history, drug and alcohol use and sex and sexual behaviour; (iii) collection of personal data on financial matters, credit standing and creditworthiness of an individual for the purpose of transferring the data to others; (iv) processing of data on social problems or other private issues such as marriages, divorce, dissolution, adoption and fostering agreements; (v) processing of personal data which entails that a person's name is entered on a list according to predetermined criteria and the data transferred to a third party in order to deny the person a particular loan or service; (vi) transfer of sensitive personal data for the benefit of scientific research which falls outside the scope of the Act on Scientific Research in the Health Sector, no. 44/2014; (vii) transfer of sensitive personal data stored by the government for the purpose of investigation; and (viii) the transfer of personal data stored by the government for the purpose of investigations, when the transfer presents a special risk of infringing the rights and freedoms of data subjects.
However, prior authorisation is not required where the processing takes place based on the data subjects’ consent or where it is provided for by law.
Exemptions to notification
Not applicable.
What is the territorial scope of application?
The GDPR applies to the processing of personal data in the context of the establishment of a controller or processor in the EU.
It also contains express extra-territorial provisions and applies to controllers or processors based outside the EU that: (i) offer goods or services to individuals in the EU; or (ii) monitor individuals within the EU. Controllers and processors caught by these provisions will need to appoint a representative in the EU, subject to certain limited exemptions.
The European Data Protection Board has issued Guidelines on the territorial scope of the GDPR (3/2018).
Is there a concept of a controller and processor?
Yes. The GDPR contains the concept of a controller, who determines the purpose and means of processing, and a processor, who just processes personal data on behalf of the controller.
The European Data Protection Board has issued Guidelines on the concepts of controller and processor in the GDPR (7/2020).
Both controllers and processors are subject to the rules in the GDPR, but the obligations placed on processors are more limited.
Are both manual and electronic records subject to data protection legislation?
Yes. The GDPR applies to both electronic records and structured hard copy records.
Are there any national derogations?
The GDPR does not apply to law enforcement activities, which are instead subject to the Law Enforcement Directive. The GDPR also does not apply to areas of law that are outside the scope of Union law, such as national security, and does not apply to purely personal or household activity.
The Data Protection Act also applies to deceased people for 5 years from their death. However, this period will be longer in the case of personal data that is reasonably considered to be confidential.
The Data Protection Act also contains some national derogations in connection with journalism, judicial acts and projects of the Parliament.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
It is not permitted to make direct marketing calls to individual subscribers who have: (i) previously objected to such calls; or (ii) requested not to receive such direct marketing calls by a listing in the National Registry or the telephone directory.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
It is not permitted to make direct marketing calls to corporate subscribers who have either: (i) previously objected to such calls; or (ii) requested not to receive such direct marketing calls by a listing in the Company Registry or the telephone directory.
Exemptions and other issues
No exemptions apply.