Data subjects have the right to erase their personal data (the «right to be forgotten») if: (i) the data is no longer necessary for its original purpose (and no other legitimate purpose exists); (ii) the lawful basis for processing is the consent of the data subject, the data subject withdraws that consent and there are no other lawful grounds; (iii) the data subject exercises his or her right to object and the controller does not have compelling grounds for continuing the processing; (iv) the data has been unlawfully processed; or (v) erasure is necessary to comply with European or national data protection law. In accordance with Article 26 GDPR, Article 83(4) GDPR also applies to violations of Article 10 (i.e. the processing of personal data relating to criminal convictions and offences) and Article 24 (liability of the controller) of the GDPR. In addition, Datatilsynet may impose fines on public authorities pursuant to Article 83(7) GDPR. The exchange of personal data with diplomatic missions of foreign governments or international institutions in the Republic of Albania is considered an international transfer of data. 6.2 If such registration/notification is required, should it be specific (e.g. list of all processing activities, categories of data, etc.) or can it be general (e.g. a full description of the relevant processing activities)? Controllers are required by law to inform the data subject of the breach without undue delay if it is likely to result in a high risk to the data subject`s rights and freedoms. In December 2019, the Education Department of the City of Oslo was fined around €120,000 for inadequate technical and organisational measures to ensure information security. The lack of adequate security measures allowed unauthorized users to access up to 63,000 students` personal data via a mobile messaging app designed for Oslo schools. Automated decision-making shall not be based on sensitive personal data, unless the processing is based either on the consent of the data subject or on grounds of substantial public interest based on Union or national law, and appropriate measures have been taken to safeguard the rights and freedoms and legitimate interests of the data subject. The collection of personal data relating exclusively to a data subject is only permitted for direct marketing purposes if the data subject has expressly consented to this.

A DPIA should be carried out with the support of the Data Protection Officer when a publicly accessible area is systematically monitored on a large scale. If the DPIA considers that, without risk mitigation measures, the processing would pose a high risk to the rights and freedoms of natural persons, the controller must consult the data protection authority in accordance with Article 36 of the GDPR. In addition, the Commissioner has issued an opinion on the protection of personal data on the websites of public and private controllers (which is slightly outdated and, as mentioned above, does not have binding effect on controllers). In this notice, the controller reminds controllers of their obligations under data protection law and the rights of data subjects that apply to the online collection of personal data: The Personal Health Data File System Act 2014 refers to «characteristics that directly identify a natural person» (direct identification kjennetegn of the individual). However, the term is not defined and should be understood in light of the meaning of «personal data» in the GDPR and the new Personal Data Act. See also the term «indirectly identifiable health data» below. Similarly, some sectoral health laws, such as the Health Personnel Act, refer to «data that directly identifies a natural person» (opplysninger directly identifiable by a person). The term must also be interpreted in the light of «personal data». In any case, some of the safeguards provided by the GDPR, such as the establishment of BCRs, must first be approved by the competent data protection authority. Personal data collected for any purpose may be further processed for historical, scientific or statistical purposes, provided that the data is not processed to take actions or decisions concerning an individual.