Norway

Norway · Personal Data Act

Norway is not an EU member, but through the EEA agreement GDPR applies there in full — implemented domestically by the Personal Data Act (personopplysningsloven) and overseen by Datatilsynet. For Norwegian companies expanding to the U.S., the obligations are essentially the GDPR ones, with Norwegian specifics layered on top.

What it covers

GDPR, as it applies in Norway

Because Norway is part of the EEA, GDPR was incorporated into Norwegian law through the Personal Data Act. In practice this means Norwegian companies face the same core obligations — lawful bases, records, transfer rules — as their EU counterparts, supervised by the Norwegian Data Protection Authority, Datatilsynet.

What's the same, what's specific

The GDPR framework, the transfer regime, and individuals' rights all apply. Norwegian implementation and Datatilsynet's guidance shape some details and expectations, so a Norwegian company's compliance picture should reflect both the GDPR baseline and the national overlay.

The U.S. move

For Norwegian companies sending data to the United States, the same transatlantic transfer analysis applies — Data Privacy Framework, SCCs, and Transfer Impact Assessments. And because Norway holds a commercial treaty with the U.S., the immigration and data sides often advance together via the E treaty route.

What Privello handles

  • U.S.-side data-protection strategy for Norwegian companies
  • Transatlantic transfer mechanisms for Norway–U.S. flows
  • Coordination with qualified Norwegian counsel on local-law questions
  • Alignment with the E-1/E-2 treaty immigration route
  • A documented basis that reflects both GDPR and Norwegian specifics

Norwegian? See the E-1/E-2 treaty route

Scope: Privello does not claim any privacy certification. Patrick Smith is licensed in the State of Texas, United States; where the law of an EU/EEA member state or another jurisdiction governs, Privello coordinates qualified local counsel and does not practice the law of that jurisdiction.

Common questions

Questions European companies ask

Does GDPR apply to Norwegian companies?

Yes. Although Norway is not in the EU, GDPR applies through the EEA agreement and is implemented domestically by the Personal Data Act, overseen by Datatilsynet.

Do Norwegian companies face the same U.S. transfer rules?

Yes — sending personal data from Norway to the U.S. is a restricted transfer requiring the same kind of mechanism (DPF, SCCs with a TIA) as EU transfers.

Does Privello advise on Norwegian law directly?

No. Privello provides U.S.-side data-protection and immigration work and coordinates qualified Norwegian counsel where Norwegian law governs.

Begin

Talk through your move with Privello

Tell us what you're planning. We'll outline the realistic options — and how the immigration and data-protection steps line up — in a first conversation.

Request a Consultation Back to Data Privacy