Act of 14. April 2000 No. 31 relating to the processing of personal data (Personal Data Act)Chapter I Purpose and scope of the Act Chapter I Purpose and scope of the ActSection 1 Purpose of the ActThe purpose of this Act is to protect natural persons from violation of their right to privacy through the processing of personal data. The Act shall help to ensure that personal data are processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and private life and ensure that personal data are of adequate quality. Section 2 DefinitionsFor the purposes of this Act, the following definitions shall apply:
Section 3 Substantive scope of the ActThis Act shall apply to This Act shall not apply to processing of personal data carried out by a natural person for exclusively personal or other private purposes. The King may prescribe regulations to the effect that this Act or parts of this Act shall not apply to specified institutions and administrative spheres. The King may prescribe regulations regarding the processing of personal data in special activities or sectors. As regards the processing of personal data in connection with credit information services, provisions may be laid down in regulations regarding inter alia the type of data that may be processed, the sources from which personal data may be obtained, the persons to whom credit information may be disclosed and how such disclosure may be effected, the erasure of negative credit information and the obligation of professional secrecy of the employees of the credit information agency. Rules may also be prescribed to the effect that the Act or individual provisions laid down in or pursuant to the Act shall apply to the processing of credit information relating to persons other than natural persons. Section 4 Territorial extent of the ActThis Act shall apply to controllers who are established in Norway. The King may by regulations decide that the Act shall wholly or partly apply to Svalbard and Jan Mayen, and lay down special rules regarding the processing of personal data for these areas. This Act shall also apply to controllers who are established in states outside the territory of the EEA if the controller makes use of equipment in Norway. However, this shall not apply if such equipment is used only to transfer personal data through Norway. Controllers such as are mentioned in the second paragraph shall have a representative who is established in Norway. The provisions that apply to the controller shall also apply to the representative. Section 5 Relationship to other ActsThe provisions of this Act shall apply to the processing of personal data unless otherwise provided by a special statute which regulates the method of processing. Section 6 Relationship to the statutory right of access to information pursuant to other statutesThis Act shall not limit the right of access to information pursuant to the Freedom of Information Act, the Public Administration Act or any other statutory right of access to personal data. If another statutory right of access provides broader access to information than this Act, the controller shall on his own initiative provide information concerning the right to request such access. Section 7 Relationship to freedom of expressionThe processing of personal data exclusively for artistic, literary or journalistic, including opinion-forming, purposes shall only be governed by the provisions of sections 13-15, 26, 36-41, cf. Chapter VIII. Chapter II General rules for the processing of personal dataSection 8 Conditions for the processing of personal dataPersonal data (cf. section 2, no. 1) may only be processed if the data
subject has consented thereto, or there is statutory authority for such
processing, or the processing is necessary in order Section 9 Processing of sensitive personal dataSensitive personal data (cf. section 2, no.8) may only be processed if the
processing satisfies one of the conditions set out in section 8 and Non-profit associations and foundations may process sensitive personal data in the course of their activities even if such processing does not satisfy one of the conditions laid down in the first paragraph, litra a-h. Such processing may apply solely to data relating to members or to persons who, on account of the purposes of the association or foundation, voluntarily have regular contact with it, and solely to data which are collected through such contact. The personal data may not be disclosed without the consent of the data subject. The Data Inspectorate may decide that sensitive personal data may also be processed in other cases if this is warranted by important public interests and steps are taken to protect the interests of the data subject. Section 10 Register of criminal convictionsA complete register of criminal convictions may only be kept under the control of official authority. Section 11 Basic requirements for the processing of personal dataThe controller shall ensure that personal data which are processed Subsequent processing of personal data for historical, statistical or scientific purposes is not deemed to be incompatible with the original purposes of the collection of the data, cf. first paragraph, litra c, if the public interest in the processing being carried out clearly exceeds the disadvantages this may entail for natural persons. Section 12 Use of personal identity numbers, etc.Personal identity numbers and other clear means of identification may only be used in the processing when there is a objective need for certain identification and the method is necessary to achieve such identification. The Data Inspectorate may require a controller to use such means of identification as are mentioned in the first paragraph to ensure that the personal data are of adequate quality. The King may by regulations prescribe further rules regarding the use of personal identity numbers and other clear means of identification. Section 13 Data securityThe controller and the processor shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data. To achieve satisfactory data security, the controller and processor shall document the data system and the security measures. Such documentation shall be accessible to the employees of the controller and of the processor. The documentation shall also be accessible to the Data Inspectorate and the Privacy Appeals Board. Any controller who allows other persons to have access to personal data, e.g. a processor or other persons performing tasks in connection with the data system, shall ensure that the said persons fulfil the requirements set out in the first and second paragraphs. The King may prescribe regulations regarding data security in connection with the processing of personal data, including further rules regarding organisational and technical security measures. Section 14 Internal controlThe controller shall establish and maintain such planned and systematic measures as are necessary to fulfil the requirements laid down in or pursuant to this Act, including measures to ensure the quality of personal data. The controller shall document the measures. The documentation shall be accessible to the employees of the controller and of the processor. The documentation shall also be accessible to the Data Inspectorate and the Privacy Appeals Board. The King may prescribe regulations containing further rules regarding internal control. Section 15 The processor's right of disposition over personal dataNo processor may process personal data in any way other than that which is agreed in writing with the controller. Nor may the data be turned over to another person for storage or manipulation without such agreement. It shall also be stated in the agreement with the controller that the processor undertakes to carry out such security measures as ensue from section 13. Section 16 Time limit for replying to inquiries regarding data, etc.The controller shall reply to inquiries regarding access or other rights pursuant to sections 18, 22, 25, 26, 27 and 28 without undue delay and not later than 30 days from the date of receipt of the inquiry. If special circumstances should make it impossible to reply to the inquiry within 30 days, implementation may be postponed until it is possible to reply. In such case, the controller shall give a provisional reply stating the reason for the delay and when a reply is likely to be given. Section 17 PaymentThe controller may not request compensation for providing data pursuant to Chapter III or for meeting demands of the data subject pursuant to Chapter IV. Chapter III Information on processing of personal dataSection 18 Right of accessAny person who so requests shall be informed of the kind of processing of
personal data a controller is performing, and may demand to receive the
following information as regards a specific type of processing: a) the categories of data concerning the data subject that are being processed, and The data subject may demand that the controller elaborate on the information in the first paragraph, litra a-f to the extent that this is necessary to enable the data subject to protect his or her own interests. The right to information pursuant to the second and third paragraphs shall not apply if the personal data are being processed exclusively for historical, statistical or scientific purposes and the processing will have no direct significance for the data subject. Section 19 Obligation to provide information when data is collected from the data subjectWhen personal data is collected from the data subject himself, the
controller shall on his own initiative first inform the data subject of Notification is not required if there is no doubt that the data subject already has the information in the first paragraph. Section 20 Obligation to provide information when data is collected from persons other than the data subjectA controller who collects personal data from persons other than the data subject shall on his own initiative inform the data subject of which data are being collected and provide such information as is mentioned in section 19, first paragraph, as soon as the data have been obtained. If the purpose of collecting the data is to communicate them to other persons, the controller may wait to notify the data subject until such disclosure takes place. The data subject is not entitled to notification pursuant to the first
paragraph if When notification is omitted pursuant to litra b, the information shall nonetheless be provided at the latest when the data subject is contacted on the basis of the data. Section 21 Obligation to provide information in connection with the use of personal profilesWhen a person contacts the data subject or makes decisions to which the data
subject is subject on the basis of personal profiles that are intended to
describe behaviour, preferences, abilities or needs, for instance in connection
with marketing activities, the controller shall inform the data subject of Section 22 Right to information regarding automated decisionsIf a decision has legal or another significant effects for the data subject and is based solely on automated processing of personal data, the data subject who is subject to the decision may demand that the controller give an account of the rules incorporated in the computer software which form the basis for the decision. Section 23 Exceptions to the right to informationThe right to access pursuant to sections 18 and 22 and the obligation to
provide information pursuant to sections 19, 20 and 21 do not encompass data
Data pursuant to the first paragraph, litra c, may nonetheless on request be made known to a representative of the data subject when there are no special reasons for not doing so. Any person who refuses to provide access to data pursuant to the first paragraph must give the reason for this in writing with a precise reference to the provision governing exceptions. The King may prescribe regulations regarding other exceptions from the right of access and the obligation to provide information and regarding conditions for the use of right of access. Section 24 How the information shall be providedThe information may requested in writing from the controller or from his processor as mentioned in section 15. Before providing access to data relating to a data subject, the controller may require that the data subject furnish a written, signed request. Chapter IV Other rights of the data subjectSection 25 Right to demand manual processingAny person who is subject to a fully automated decision such as is mentioned in section 22 or to whom the case otherwise directly relates may demand that the decision be reviewed by a physical person. The right pursuant to the first paragraph shall not apply if the data subject's interests in terms of protection of privacy are adequately safeguarded and the decision is authorized by statute or is related to the performance of a contract. Section 26 Right to be excluded from direct marketingThe King may prescribe regulations regarding a central marketing exclusion register with further rules governing the register. The data subject may demand that his name be blocked as regards use in direct marketing, irrespective of the medium. Such blocking may be demanded in both the central marketing exclusion register and in the marketer's register of addresses. Controllers who engage in direct marketing shall update their register of addresses in relation to the central marketing exclusion register prior to sending out mailings for the first time and at least four times yearly. Any person who receives direct advertising shall be informed as to who provided the personal data on which the mailing was based. The right to request blocking in the central marketing exclusion register does not apply to marketing of the products of controllers with whom the data subject has a current customer relationship. Section 27 Rectification of deficient personal data If personal data which are inaccurate or incomplete or of which processing is not authorized, the controller shall on his own initiative or at the request of the data subject rectify the deficient data. The controller shall if possible ensure that the error does not have an effect on the data subject, for instance by notifying recipients of disclosed data. The rectification of inaccurate or incomplete personal data which may be of significance as documentation shall be effected by marking the data clearly and supplementing them with accurate data. If weighty considerations relating to protection of privacy so warrant, the Data Inspectorate may, notwithstanding the second paragraph, decide that rectification shall be effected by erasing or blocking the deficient personal data. If the data may not be destroyed pursuant to the Archives Act, the Director General of the National Archives of Norway shall be consulted prior to making an administrative decision regarding erasure. This decision shall take precedence over the provisions of sections 9 and 18 of the Archives Act of 4 December 1992 No. 126. Erasure should be supplemented by the recording of accurate and complete data. If this is impossible, and the document which contained the erased data therefore provides a clearly misleading picture, the entire document shall be erased. The King may prescribe regulations containing supplementary provisions as regards how to effect rectification. Section 28 Prohibition against storing unnecessary personal dataThe controller shall not store personal data longer than is necessary to carry out the purpose of the processing. If the personal data shall not thereafter be stored in pursuance of the Archives Act or other legislation, they shall be erased. The controller may, notwithstanding the first paragraph, store personal data for historical, statistical or scientific purposes, if the public interest in the data being stored clearly exceeds the disadvantages this may entail for the person concerned. In this case, the controller shall ensure that the data are not stored in ways which make it possible to identify the data subject longer than necessary. The data subject may demand that data which are strongly disadvantageous to
him or her shall be blocked or erased if this After the Director General of the National Archives of Norway has been consulted, the Data Inspectorate may decide that the right to erase data pursuant to the third paragraph shall take precedence over the provisions of sections 9 and 18 of the Archives Act of 4 December 1992 No. 126. If the document which contained the erased data gives a clearly misleading picture after the erasure, the entire document shall be erased. Chapter V Transfer of personal data to other countriesSection 29 Basic conditionsPersonal data may only be transferred to countries which ensure an adequate level of protection of the data. Countries which have implemented Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data meet the requirement as regards an adequate level of protection. In assessing the adequacy of the level of protection, emphasis shall be placed, inter alia on the nature of the data, the purpose and duration of the proposed processing and the rules of law and the professional rules and security measures which apply in the country in question. Importance shall also be attached to whether the country has acceded to the Council of Europe's Convention No. 108 of 28 January 1981 on the protection of individuals with regard to the automatic processing of personal data. Section 30 ExceptionsPersonal data may also be transferred to countries which do not ensure an
adequate level of protection if The Data Inspectorate may allow transfer even if the conditions of the first paragraph are not fulfilled if the controller provides adequate safeguards with respect to the protection of the rights of the data subject. The Data Inspectorate may stipulate conditions for the transfer. The King may prescribe regulations regarding the transfer of personal data to another country, including regarding stopping or limiting transfers to specified countries which do not satisfy the requirements set out in section 29. Chapter VI Obligation to give notification and to obtain a licenceSection 31 Obligation to give notificationThe controller shall notify the Data Inspectorate before Notification shall be given not later than 30 days prior to commencement of processing. The Data Inspectorate shall give the controller a receipt of notification. New notification must be given prior to processing that exceeds the limits for processing provided for in section 32. Even if no changes have taken place, new notification shall be given three years after the previous notification was given. The King may prescribe regulations to the effect that certain methods of processing or controllers are exempted from the obligation to give notification, subject to a simplified obligation to give notification or subject to an obligation to obtain a licence. For processing that is exempt from the obligation to give notification, regulations may be prescribed to limit the disadvantages that processing otherwise may entail for the data subject. Section 32 Content of the notificationThe notification shall provide information regarding The King may prescribe regulations regarding the data which notifications shall contain and the implementation of the obligation to give notification. Section 33 Obligation to obtain a licenceA licence from the Data Inspectorate is required for the processing of sensitive personal data. This does not apply, however, to the processing of sensitive personal data which have been volunteered by the data subject. The Data Inspectorate may decide that the processing of data other than sensitive personal data shall also be subject to licensing, if such processing otherwise will clearly violate weighty interests relating to protection of privacy. In assessing whether a licence is necessary, the Data Inspectorate shall, inter alia take account of the nature and quantity of the personal data and the purpose of the processing. The controller may demand that the Data Inspectorate decide whether processing will be subject to licensing. The obligation to obtain a licence pursuant to the first and second paragraphs shall not apply to the processing of personal data in central government or municipal bodies when such processing is authorized by special statute. The King may prescribe regulations to the effect that certain processing methods are not subject to licensing pursuant to the first paragraph. As regards processing methods which are exempt from licensing, regulations may be prescribed to limit the disadvantages which processing may otherwise entail for the data subject. Section 34 Decision as to whether to grant a licenceWhen deciding whether to grant a licence, it shall be clarified whether the processing of personal data may cause disadvantages for an individual which are not remedied by the provisions of Chapters II-V and conditions pursuant to section 35. In such case, an assessment must be made as to whether the disadvantages are offset by considerations that favour the processing. Section 35 Conditions laid down in the licenceIn the licence, an assessment shall be made as to whether to lay down conditions for processing when such conditions are necessary to limit the disadvantages the processing would otherwise entail for the data subject. Chapter VII Video surveillanceSection 36 DefinitionThe term "video surveillance" shall mean the continuous or regularly repeated surveillance of persons by means of a remote-controlled or automatically operated video camera, camera or similar device. Section 37 ScopeThe provisions of sections 38-41 shall apply to all video surveillance. The same applies to sections 8, 9, 11, 31 and 32. However, video surveillance of which the purpose is to uncover such data as are mentioned in section 2, no. 8, litra b, is permitted even if the conditions set out in section 9, first paragraph, are not fulfilled. When image recordings from video surveillance are stored in a way that makes it possible to retrieve data relating to a specific person, cf. section 3, first paragraph, the other provisions of this Act shall also apply. However, the obligation to obtain a licence pursuant to section 33 shall not apply to video surveillance of which the purpose is to uncover data such as are mentioned in section 2, no. 8, litra b. Section 38 Basic requirements for surveillanceVideo surveillance of a place which is regularly frequented by a limited group of people is only permitted if there is a special need for such surveillance in the interests of the said activities. Section 39 Disclosure of image recordings made in connection with video surveillancePersonal data which are collected by means of image recordings made in connection with video surveillance may only be disclosed to a person other than the controller if the subject of the recording consents thereto or if there is statutory provision for such disclosure. However, unless the statutory obligation of professional secrecy prevents disclosure, image recordings may be disclosed to the police in connection with the investigation of criminal acts or accidents. Section 40 Notification that surveillance is being carried outWhen a public place or a place which is regularly frequented by a limited group of people is subject to video surveillance, attention shall be drawn clearly by means of a sign or in some other way to the fact that the place is under surveillance and to the identity of the controller. Section 41 RegulationsThe King may prescribe regulations containing further provisions regarding video surveillance and image recordings in connection with such surveillance, and regarding the protection, use and erasure of image recordings made in connection with video surveillance and on the right of the surveillance subject to have access to the portions of the image recordings in which he or she appears. Regulations may also be prescribed to the effect that image recordings may be disclosed in circumstances other than those mentioned in section 39. Chapter VIII Supervision and sanctionsSection 42 The organization and functions of the Data InspectorateThe Data Inspectorate is an independent administrative body subordinate to the the King and the Ministry. The King and the Ministry may not issue instructions regarding or reverse the Data Inspectorate's exercise of authority in individual cases pursuant to statute. The Data Inspectorate is headed by a director who is appointed by the King. The King may decide that the director shall be appointed for a fixed period of time. The Data Inspectorate shall Decisions made by the Data Inspectorate pursuant to sections 9, 12, 27, 28, 30, 33, 34, 35, 44, 46 and 47 may be appealed to the Privacy Appeals Board. Decisions made pursuant to sections 27 or 28 may be further appealed to the King if the decision concerns personal data which are processed for historical purposes. Section 43 Organization and functions of the Privacy Appeals BoardThe Privacy Appeals Board shall decide appeals against the decisions of the Data Inspectorate, cf. section 42, fourth paragraph. The Board is an independent administrative body subordinate to the King and the Ministry. Section 42, first paragraph, second sentence, shall apply correspondingly. The Privacy Appeals Board consists of seven members who are appointed for a term of four years with the possibility of reappointment for a further four years. The chairman and deputy chairman are appointed by the Storting. The other five members are appointed by the King. The Privacy Appeals Board may decide that the chairman or the deputy chairman together with two other board members may deal with appeals against decisions that must be decided without delay. The Privacy Appeals Board shall give the King an annual report on its hearing of appeals. Legal action regarding the validity of the decisions made by the Privacy Appeals Board shall be addressed to the State as represented by the Privacy Appeals Board. The King may prescribe further rules regarding the organization and administrative procedures of the Privacy Appeals Board. Section 44 Access of the supervisory authorities to dataThe Data Inspectorate and the Privacy Appeals Board may demand any data necessary to enable them to carry out their functions. In connection with its verification of compliance with statutory provisions, the Data Inspectorate may demand admittance to places where personal data filing systems, surveillance equipment and image recordings such as are mentioned in section 37, personal data that are processed automatically and technical aids for such processing are located. The Inspectorate may carry out such tests or inspections as it deems necessary and may demand such assistance from the personnel in such places as is necessary to carry out the tests or inspections. The right to demand information or admittance to premises and aids pursuant to the first and second paragraphs shall apply notwithstanding any obligation of professional secrecy. The King may prescribe regulations regarding exemptions from the first to third paragraphs in the interests of the security of the realm. The King may also issue regulations concerning the reimbursement of expenses incurred in connection with inspections. Recovery of any amount outstanding in the reimbursement of such expenses may be enforced by execution. Section 45 Obligation of professional secrecy for the supervisory authoritiesEmployees of the Data Inspectorate, members of the Privacy Appeals Board and other persons who are in the service of the supervisory authorities shall be subject to the provisions regarding the obligation of professional secrecy laid down in sections 13 ff. of the Public Administration Act. The obligation of professional secrecy shall also apply to information concerning security measures, cf. section 13. The Data Inspectorate and the Privacy Appeals Board may, notwithstanding their obligation of professional secrecy pursuant to the first paragraph, give information to the supervisory authorities of other countries when this is necessary in order to be able to make administrative decisions in connection with supervisory activities. Section 46 Orders to change or cease unlawful processingThe Data Inspectorate may issue orders to the effect that the processing of personal data which is contrary to provisions laid down in or pursuant to this Act shall cease or impose conditions which must be fulfilled in order for the processing to be in compliance with the Act. Section 47 Coercive fineIn connection with orders pursuant to sections 12, 27, 28 and 46, the Data Inspectorate may impose a coercive fine which will run for each day from the expiry of the time limit set for compliance with the order until the order has been complied with. The coercive fine shall not run until the time limit for lodging an appeal has expired. If the administrative decision is appealed, the coercive fine shall not run until so decided by the Privacy Appeals Board. The Data Inspectorate may waive a coercive fine that has been incurred. Section 48 PenaltiesAnyone who wilfully or through gross negligence In particularly aggravating circumstances, a sentence of imprisonment for a term not exceeding three years may be imposed. In deciding whether there are particularly aggravating circumstances, emphasis shall be placed, inter alia on the risk of great damage or inconvenience to the data subject, the gain sought by means of the violation, the duration and scope of the violation, manifest fault, and on whether the controller has previously been convicted of violating similar provisions. An accomplice shall be liable to similar penalties. In regulations issued pursuant to this Act, it may be prescribed that any person who wilfully or through gross negligence violates such regulations shall be liable to fines or imprisonment for a term not exceeding one year or both. Section 49 CompensationThe controller shall compensate damage suffered as a result of the fact that personal data have been processed contrary to provisions laid down in or pursuant to this Act, unless it is established that the damage is not due to error or neglect on the part of the controller. Controllers who provide credit information and who have communicated information which proves to be inaccurate or obviously misleading shall compensate any damage that has been suffered as a result of the erroneous communication, regardless of whether the damage is due to error or neglect on the part of the controller. The compensation shall be equivalent to the financial loss incurred by the injured party as a result of the unlawful processing. The controller may also be ordered to pay such compensation for damage of a non-economic nature (compensation for non-pecuniary damage) as seems reasonable. Chapter IX Commencement. Transitional provisions. Amendments to other statutes.Section 50 CommencementThis Act shall enter into force from the date decided by the King. The King may decide that the individual provisions of the Act shall enter into force on different dates. Section 51 Transitional provisions 1. In respect of processing of personal data which commenced prior to the
entry into force of this Act and which is subject to notification and licensing
pursuant to the provisions of Chapter VI, notification shall be sent pursuant
to section 31 or an application shall be made to the Data Inspectorate for a
licence pursuant to section 33 not later than one year after the entry into
force of this Act. If the processing is being carried out in accordance with a
licence pursuant to section 9 of the Personal Data Filing System Act, the time
limit for sending notification or applying for a licence shall be two years
from the date of entry into force. Until notification has been sent or the Data
Inspectorate has granted a licence, the personal data may be processed in
accordance with the provisions of the Personal Data Filing System Act. Section 52 Amendments to other statutesThe following amendments shall be made to other statutes: 2. Act of 9 June 1978 No. 48 relating to Personal Data Filing Systems, etc. is repealed. 3. Section 202 a, first paragraph, of Act of 22 May 1981 No. 25 relating to Legal Procedure in Criminal Cases shall read as follows: If there is just cause to suspect that one or more criminal acts punishable pursuant to statute with imprisonment for a term exceeding six months have been committed, the police may carry out concealed video surveillance of a public place as specified in section 40 of the Personal Data Act if such surveillance will be of essential significance for the investigation. Section 196 shall apply correspondingly. 4. Section 22, second paragraph, of Act of 13 May 1988 No. 26 relating to Recovery of Debt shall read: The first paragraph shall not prevent data from being turned over to or lawfully used in credit information activities which are carried out in accordance with the Personal Data Act. 5. Act of 4 December 1992 No. 126 relating to Archives shall be amended as follows: Section 9, litra c, third sentence, shall read: Personal data filing systems or parts of a personal data filing system may however be erased pursuant to the provisions of the Personal Data Act. Section 9, litra d, second sentence, shall read: Provisions regarding erasure prescribed pursuant to section 27, third and fifth paragraphs, and section 28, fourth paragraph, of the Personal Data Act, shall however apply in full. Section 18, second sentence, shall read: The provisions of the Personal Data Act regarding rectification and erasure of data shall however apply in full. 6. Section 11, third paragraph, of Act of 19 June 1997 No. 62 relating to Family Counselling Services shall read: The processing of clients' records is not subject to licensing pursuant to section 33 of the Personal Data Act. 7. Act of 26 June 1998 No. 47 relating to Leisure Boats and Small Craft shall be amended as follows: Section 13, second sentence, shall read: Compilation may otherwise only be effected when this follows from another statute or from an administrative decision pursuant to the Personal Data Act. Section 14 shall read: Section 14 Right of access Right of access pursuant to section 18, cf. section 23, of the Personal Data Act shall apply to the register of small craft. Section 16 shall read: Section 16 Responsibility of the registration authority The registration authority mentioned in section 3 shall ensure compliance with provisions laid down in or pursuant to sections 10 to15 of this Act and the Personal Data Act. 8. The Act relating to the Schengen Information System (SIS) shall be amended as follows: Section 3, second paragraph, third and fourth sentences, shall read: The documentation shall also be accessible to the Data Inspectorate and the Privacy Appeals Board. Employees of the Data Inspectorate, members of the Privacy Appeals Board or other persons in the service of the supervisory authorities shall prevent unauthorized persons from gaining access to information regarding security measures. Section 4, second paragraph, shall read: The controller shall document the measures. The documentation shall be made available to the employees of the controller and his processor. The documentation shall also be accessible to the Data Inspectorate and the Privacy Appeals Board. Section 22, first paragraph, first sentence, shall read: The Data Inspectorate and the Privacy Appeals Board may demand such data as are necessary to perform their functions. Section 23, second paragraph, shall read: The administrative decisions of the Data Inspectorate pursuant to the first paragraph may be appealed to the Privacy Appeals Board. |