(Act on the Protection of Personal Data, Act No. 80 of 7 June 2020)

The Act on the Protection of Personal Data, enacted as Act No. 80 on 7 June 2020, establishes the principal legal framework for safeguarding personal data in the Faroe Islands. The Act is designed to protect the fundamental rights and freedoms of individuals with respect to the processing of personal information, while also facilitating the free movement of personal data in compliance with international privacy standards. 
Dátueftirlitið - CDN

Purpose and Scope

The core objective of the Data Protection Act is to regulate how personal data — any information relating to an identifiable individual — may be lawfully collected, used, stored, and shared by organisations and public authorities. The law applies to automated processing as well as structured filing systems, and covers a wide array of data handling activities. 

The Act generally does not apply to purely personal or household activities or certain types of parliamentary processing. In addition, specific rights provisions may not fully apply to purely journalistic use, although key protections remain. 

Territorial and Personal Scope

The Act applies to data processing by:

Controllers and processors established in the Faroe Islands, irrespective of where data processing physically occurs, and

Entities not established in the Faroe Islands that process personal data of individuals located in the Faroe Islands if that processing relates to offering goods or services or monitoring behaviour within the Faroes. 

Key Principles and Rights (in Line with GDPR-Style Standards)

Although tailored to the Faroese context, the Data Protection Act closely reflects the principles of the European Union’s General Data Protection Regulation (GDPR). It emphasises:

Lawfulness, fairness, and transparency in processing personal data

Purpose limitation, data minimisation, and accuracy

Security and confidentiality of personal information

Accountability by organisations that collect or control data 

The Act also grants individuals a range of enforceable rights, including access to their personal data, the ability to request correction or deletion, and the right to object to certain forms of processing. 
Pandectes

Data Controllers, Processors, and Obligations

Under the Act, data controllers determine the purposes and means of processing, while data processors handle personal data on behalf of a controller. Both are responsible for implementing appropriate technical and organisational measures to protect personal data and to ensure lawful processing. 
Pandectes

Oversight and Enforcement

The Faroese Data Protection Authority (or equivalent supervisory body) is tasked with monitoring, advising, and enforcing compliance with the Act. It can investigate complaints, issue guidance, and impose sanctions where necessary. 

International Context

The Faroe Islands benefit from an adequacy decision under EU data protection standards, meaning that personal data can be transferred between the Faroe Islands and EU/EFTA countries without additional safeguards. This recognition underscores the Act’s alignment with international privacy frameworks.