The Faroe Islands Act on the Protection of Personal Data (Data Protection Act) establishes comprehensive rules to protect the personal data of Faroese people. 

Effective date: January 2001

Official text: The Faroe Islands Data Protection Act

What is the Faroe Islands Data Protection Act?

The Faroe Islands Data Protection Act is the primary legislation governing data protection and privacy in the Faroe Islands. It updates and strengthens data protection standards in line with the EU’s General Data Protection Regulation (GDPR), giving individuals in the Faroe Islands enhanced rights over their personal data and imposing stricter obligations on the organizations that process it.

An independent supervisory body, the Data Protection Authority, is responsible for monitoring the processing of personal data under this Act.

Who does the Data Protection Act apply to?

The Faroe Islands Data Protection Act applies to:

  • Private organizations established on the Faroe Islands that process personal data, regardless of whether the processing takes place on the islands or not.
  • Public authorities and other bodies under the home rule authority that are established on the Faroe Islands and process personal data, regardless of whether the processing takes place on the islands or not.

The law also applies to the processing of personal data of individuals located on the Faroe Islands, carried out by an organization not established on the islands that determines the purposes and means of the processing, if the processing activities relate to:

  • Offering goods or services to individuals on the Faroe Islands, regardless of whether payment is required.
  • Monitoring the behavior of individuals as far as their behavior takes place on the Faroe Islands.

What is personal data in the Data Protection Act?

Personal data under the Act refers to any information relating to an identified or identifiable natural person, referred to here as the individual.

The law applies to the processing of personal data:

  • Wholly or partly by automated means
  • That forms part of a filing system or is intended to form part of one

It does not apply to processing for purely personal or household activities, Parliament data, or data processed exclusively for artistic, literary, journalistic, or information database purposes.

The Act defines sensitive personal data as data related to racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data to uniquely identify a person, health data, sex life/orientation data, criminal convictions/offenses data, material social problems, and other purely private matters.

What are the main principles of the Act?

Personal data must be:

  • Processed lawfully, fairly and transparently
  • Collected only for specific, explicit, and legitimate purposes. Further processing for incompatible purposes is prohibited.
  • Adequate, relevant, and limited to what is necessary for the purposes for which it is collected
  • Accurate and kept up to date
  • Stored no longer than necessary for the purposes for which it is collected
  • Processed to ensure security including protection against unauthorized/unlawful processing and accidental loss

Organizations are responsible for compliance with these principles and must be able to demonstrate it.

Lawful basis for processing

For the processing of personal data to be lawful under the Act, at least one of the following conditions must apply:

  • Consent: The individual has unambiguously given consent to their personal data being processed for one or more specified purposes.
  • Contract performance: Processing is necessary to take steps, at the individual’s request, towards entering into a contract with them, or to perform a contract to which they are party.
  • Legal obligation: Processing is necessary for the organization to comply with a legal obligation (under domestic or EU law) to which it is subject.
  • Vital interests: Processing is necessary to protect the vital interests of the individual or other natural persons. This involves life or death-type situations.
  • Public task: Processing is necessary to perform a task in the public interest or under governmental/official authority vested in the organization by law.
  • Legitimate interests: Processing is necessary for the legitimate interests of the organization or third party, as long as it does not disproportionately affect privacy rights. This does not apply to public authorities.

At least one of those six lawful grounds must apply before any processing of personal data can take place under the Act. Public authorities cannot rely on legitimate interests for processing carried out in the performance of their tasks.

What are the consent requirements under the Act?

Consent must be freely given, specific, informed, and unambiguous. This means consent requires a clear, affirmative action that indicates the individual’s agreement.

Here are the conditions of consent:

  • The organization must be able to demonstrate valid consent has been obtained. This accountability requires them to have a record showing the individual actively agreed.
  • Consent requests must be presented in clear standalone language if included within broader declarations. They cannot be “bundled” in confusing terms and conditions.
  • Individuals can withdraw consent at any time, and withdrawal does not affect the lawfulness of processing carried out before it. Withdrawing consent must be as easy as giving it.
  • Before consenting, individuals must be informed about their right to withdraw consent. 

Specific consent situations

  • Children under 13 years cannot legally consent, so parental/guardian consent is required for information society services. Extra steps are expected to verify this.
  • Explicit consent is required for processing sensitive categories of data.
  • Consent can enable overseas data transfers lacking adequacy decisions or required safeguards, provided individuals are informed of risks. This does not apply to public authorities.


What are the data rights under the Act?

Right to Information

The data protection law grants individuals the right to receive transparent information on the processing of their personal data.

Organizations must provide this information in a concise, transparent, intelligible, and easily accessible form, using clear language. It must be provided free of charge, within 4 weeks of a request (extendable by a further 8 weeks).

If collecting data directly from individuals, organizations must provide:

  • Identity/contact information
  • Purposes of collection
  • Legal basis for the collection
  • Legitimate interests (if applicable)
  • Recipients of data and transfer details (if applicable)

If the data was not collected directly from the individual, the organization must still provide the same information, together with the source of the data.

Additional information must be provided for any further processing for other purposes beyond what data was originally collected for.

Right to access

Upon request, the organization must confirm if the individual’s personal data is being processed and provide access. 

Additionally, the organization must share details on:

  • Processing purposes
  • Data categories
  • Recipients (including those abroad)
  • Storage duration
  • Right to rectify, erase, restrict processing, or to complain
  • Data source (if not collected from the subject) 
  • Automated decision-making consequences

If data is transferred internationally, the basis must be disclosed. 

The organization must provide a copy of the data, with additional copies incurring a reasonable fee.

Right to rectification

The individual has the right to request the correction of inaccurate personal data by the organization. Furthermore, the individual can request the completion of incomplete personal data, including the addition of a supplementary statement.

Right to erasure

The organization must promptly erase the individual’s personal data when:

  • It is no longer necessary for the intended purposes.
  • The individual withdraws consent without an alternative legal basis.
  • The individual objects to the processing and there are no overriding legitimate grounds for it.
  • The personal data has been unlawfully processed.
  • Erasure is required to comply with a legal obligation.
  • The personal data was collected in relation to the offer of information society services referred to in Article 10(1) of the Act.

Exceptions include cases where erasure conflicts with freedom of expression, legal obligations, archival needs, or the establishment, exercise, or defense of legal claims.

Right to restrict processing

Upon request, the organization must restrict processing if:

  • The individual questions data accuracy for verification.
  • Processing is unlawful, and the individual prefers restriction.
  • Personal data is no longer needed, but the individual requires it for legal claims.
  • The individual objects to processing pending verification of the organization’s grounds.

During restriction, the data can be processed with consent, for legal claims, to protect others’ rights, or for important public interest. The organization must inform the individual before lifting the restriction.

Right to data portability

The individual can receive personal data provided to an organization and transmit it to another organization if the processing is based on consent or a contract and carried out by automated means. The received personal data should be in a structured, commonly used, and machine-readable format. If technically feasible, the individual can request direct transmission between organizations.

Right to object

The individual has the right to object, on grounds relating to their particular situation, to the processing of their personal data. The organization must cease processing unless it demonstrates compelling legitimate grounds that override the individual’s interests, rights, and freedoms, or the processing is needed for the establishment, exercise, or defense of legal claims.

For personal data processed for direct marketing, the individual can object at any time, resulting in the termination of processing for marketing purposes.

The individual must be explicitly informed about the right to object at the latest during the initial communication. This information should be presented clearly and separately from other details.

Automated individual decision-making, including profiling

Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them. Exceptions exist for decisions necessary for a contract, authorized by law, or based on explicit consent. In those cases organizations must implement measures to safeguard the individual’s rights, and such decisions may be based on sensitive personal data only under specific conditions and with adequate protections.

What are the business obligations under the Act?

The Data Protection Act imposes a responsibility on organizations to implement appropriate technical and organizational measures. This involves considering the nature, scope, context, and purposes of processing, along with the risks to individuals’ rights. The goal is to ensure that processing aligns with the provisions of the Act.

Here are certain obligations that organizations must implement:

Data Protection by Design and by Default

Organizations must incorporate data protection measures during the design phase and throughout the processing. The aim is to ensure that data protection principles are effectively implemented.

Organizations must set defaults to process only the personal data necessary for each specific purpose. 

Records of processing activities

Organizations must maintain detailed written records of their processing activities. This includes information on data categories, recipients, transfers, envisaged erasure timelines, and security measures.

These records must be made available to the supervisory authority upon request.

Security of processing

A thorough risk assessment is essential, considering the state of the art, implementation costs, and the nature of processing. This informs the selection and implementation of appropriate security measures.

Measures may include pseudonymization, encryption, system resilience, and regular testing of security measures. The goal is to protect against accidental or unlawful destruction, loss, alteration, or unauthorized access to personal data.

Notification of personal data breach

Organizations must notify the Data Protection Authority of a personal data breach within 72 hours of becoming aware of it. If not feasible within this timeframe, the notification should be accompanied by reasons for the delay.

Notifications must include detailed information about the breach, such as the nature, categories of individuals affected, and the measures taken.

Organizations must document any personal data breaches, facilitating the supervisory authority’s verification of compliance.

When a breach is likely to result in a high risk to individuals, the organization must communicate the breach to them without undue delay. Communication should be clear and provide information on the nature of the breach and potential consequences. 

There are exceptions where communication may not be required, such as when the organization has implemented effective protective measures or if communication involves disproportionate effort. 

If the organization has not communicated the breach, the Data Protection Authority may intervene and require communication if it deems necessary.

Data Protection Impact Assessment (DPIA)

DPIAs are required for processing likely to result in a high risk to individuals’ rights and freedoms. This includes:

  • Systematic evaluations based on automated processing
  • Large-scale processing of sensitive data
  • Systematic monitoring on a large scale.

The Data Protection Authority establishes and makes public a list of processing operations subject to the DPIA requirement. The Authority may also list processing operations for which no DPIA is required.

DPIAs must contain:

  • A systematic description of processing operations
  • An assessment of the necessity and proportionality of the processing
  • A risk assessment related to data rights
  • Proposed measures to address risks

In case of a change in the risk associated with processing operations, a review is necessary to ensure ongoing compliance with the DPIA.

Designation of Data Protection Officer (DPO)

The organization must appoint a DPO when:

  • Processing is conducted by a public authority or body.
  • Core activities involve large-scale, regular, and systematic monitoring of individuals.
  • Core activities involve large-scale processing of sensitive data.

The DPO’s tasks are to:

  • Inform and advise on the Act obligations
  • Monitor compliance
  • Provide guidance on DPIAs 
  • Collaborate with the Data Protection Authority
  • Act as a contact point for processing issues

International data transfer under the Act

The Act sets rules for personal data transfers to third countries outside the EU/EEA, requiring safeguards. While transfers to EU/EEA countries are unrestricted, those to third countries face additional measures to ensure adequate data protection.

In specific situations where neither adequacy decisions nor appropriate safeguards are available, personal data transfers to third countries can take place based on derogations, such as:

  • Explicit consent of the individual
  • Transfer necessary for contract performance or in vital interests of the individual
  • Public interest derogations for public authorities

The Authority has a role in assessing adequacy, approving appropriate safeguards where required, and may also exceptionally prohibit certain data transfers on a case-by-case basis to protect individuals.

What is the penalty for violations under the Act?

Organizations may face a fine or imprisonment for up to six months for violating various provisions of the Act, including the obligations placed on organizations, the fundamental principles of processing, and the rights of individuals.

Every individual has the right to complain to the Authority concerning the processing of their data. The organization is obligated to compensate for damages resulting from unlawful processing or any processing contrary to the law unless it is proven that such damage could not have been avoided with due diligence.

For minor infringements, the Data Protection Authority can issue a penalty notice, allowing the matter to be settled without legal proceedings.

Compliance tips for organizations

  • Implement processes to ensure personal data is processed lawfully, fairly, and transparently
  • Obtain clear, informed, specific, and unambiguous consent for processing personal data
  • Maintain records demonstrating valid consent
  • Inform individuals about their right to withdraw consent and facilitate easy withdrawal
  • Establish processes for fulfilling data subject rights
  • Implement Privacy by Design and by Default principles
  • Maintain detailed records of processing activities and make them available for audit
  • Implement security measures to protect personal data
  • Notify the Data Protection Authority of personal data breaches within 72 hours
  • Conduct DPIAs for high-risk processing activities
  • Appoint a DPO if your organization meets the criteria outlined in the Act
  • Seek appropriate safeguards or derogations for transfers to third countries