Insight · Norway · Patrick Smith, CIPP/E
Does Your GDPR Representative Cover Norway?
The short answer: Article 27 of the GDPR — the duty to appoint a European representative — applies to companies targeting Norway, because Norway applies the GDPR through the EEA. But many representative arrangements are marketed, contracted, and scoped to "the EU." If your European users include Norwegians, that scoping question is worth five minutes of contract reading, because the gap is visible from the outside.
The duty
Article 27 reaches Norway
A company with no establishment in the EU or EEA that offers goods or services to people in Europe, or monitors their behaviour, falls under Article 3(2) of the GDPR — and Article 27 then requires it to appoint a representative established in Europe. Because Norway incorporated the GDPR through the EEA Agreement and the Personal Data Act, targeting Norwegian users triggers the duty just as targeting French or German users does. The narrow exemption — occasional, low-risk processing with no large-scale special-category data — is read strictly; an online business with ongoing Norwegian users rarely fits inside it.
The representative is the company's mandated European point of contact: data subjects and supervisory authorities can address it instead of the foreign company, and it holds the record of processing at the authorities' disposal. Its identity belongs in the privacy notice, which is what makes a missing appointment one of the few compliance defects visible from outside the company.
Where the Norway gap comes from
- EU-scoped services. Representative providers commonly market "EU representative" packages; whether the mandate extends to EEA states like Norway is a contract term, not a given.
- Location of the representative. Under EDPB guidance, the representative must be established in one of the states where the data subjects you serve are located — a point that matters for a company whose European users are mostly or only in Norway.
- Privacy-notice drift. Notices often name a representative "for users in the European Union," leaving Norwegian users formally unaddressed even where coverage exists.
- Advisor blind spot. EU-focused compliance programs treat Norway as covered by adjacency. The obligations are the same in substance, but they run through Norwegian law and Datatilsynet, and the paperwork should say so.
Closing it
The fix costs little when done deliberately: confirm whether Article 3(2) is actually triggered for Norway, check the existing representative's mandate and, where needed, extend it or appoint coverage that reaches the EEA, and correct the privacy notice so Norwegian users see whom to contact. Privello's Representation Advisory runs exactly that analysis across the GDPR, DSA, AI Act, and NIS2 duties together — scoping which apply, arranging appointments with established European providers, and keeping the records reconciled in one file. Norway is checked as a first-class jurisdiction, not an assumption.
Common questions
Questions on Article 27 and Norway
Does GDPR Article 27 apply to companies targeting Norway?
Yes. The GDPR — including the Article 27 duty to appoint a representative — applies in Norway through the EEA Agreement and the Norwegian Personal Data Act. A company with no establishment in the EU or EEA that offers goods or services to people in Norway, or monitors their behaviour, is within Article 3(2) and generally needs a representative, unless its processing is only occasional, low-risk, and involves no large-scale special-category data.
Our representative arrangement says “EU”. Is Norway covered?
Check the contract, not the assumption. Under EDPB guidance, the representative must be established in one of the states where the data subjects you serve are located. Many representative services are marketed and scoped to the EU; whether their mandate extends to Norway and the other EEA states is a term to verify. A company whose European users are mostly or only Norwegian should make sure the appointment explicitly reaches Norway.
What does a GDPR representative actually do?
The representative is the company's mandated point of contact in Europe for data subjects and supervisory authorities — able to receive inquiries, requests, and regulator correspondence on the company's behalf, and to hold the record of processing available to authorities. It is a formal role with its own exposure, which is why it must be a real, established entity rather than a mailbox.
Can Privello act as our Article 27 representative?
No — and any advisor established outside the EU/EEA who offers to should be questioned. A representative must be established in the EU/EEA. Privello scopes whether the duty applies, arranges the appointment with an established European provider whose coverage includes the states your users are in, and keeps the records behind the appointment reconciled with the rest of the compliance file.
What happens if we skip the representative?
The duty is directly enforceable, and failing to appoint can be sanctioned independently of any other violation — with fines up to the GDPR's standard ceilings. As importantly, it is a visible defect: the representative's identity is supposed to appear in your privacy notice, so its absence is the kind of gap a regulator, complainant, or diligence reviewer spots from the outside in minutes.
Begin
Five minutes of contract reading, done properly
Tell us where your European users are and who your representative is today. We will confirm which duties are triggered — Norway included — and close whatever is open.