GDPR and AI create uncertainty in many Norwegian businesses. What is actually permitted? What requires special measures? And what happens if you get it wrong? Here is a practical and up-to-date overview.
The Basics: GDPR Applies in Norway
GDPR was incorporated into the EEA Agreement and has applied in Norway since 20 July 2018. Norway treats GDPR the same way as EU member states: Datatilsynet is the supervisory authority and has the power to impose fines of up to €20 million or 4% of global turnover.
All Norwegian businesses processing personal data about employees, customers, or others are bound by GDPR. This applies regardless of whether they use AI or not.
What Datatilsynet Is Focusing on in 2025
Datatilsynet has publicly announced that artificial intelligence is a priority supervisory area in 2025, alongside data sharing and privacy security in the municipal sector.
This means:
- Increased risk of supervisory visits and requests from Datatilsynet
- Active monitoring of AI providers' data processing practices
- Focus on automated decisions about individuals (GDPR Article 22)
Be prepared to document which AI tools you use and how these process personal data.
The Three Most Common Use Cases and What They Require
1. ChatGPT, Claude, and Similar Tools in Daily Work
Employees use AI assistants to write emails, summarise documents, generate presentations, and similar tasks.
Is it legal? Yes, but with important caveats:
- Do not enter personal data into general AI chats. A name combined with an email address and detailed information about customers or employees constitutes personal data.
- Use business versions. ChatGPT Teams, Claude for Business, and equivalents have data processing agreements where OpenAI/Anthropic do not train models on the business's data.
- Check data storage. Free versions typically store data in the US. Business versions offer EU data storage.
2. AI Chatbot on the Website for Customer Service
A chatbot that collects names, emails, and questions from customers.
Requirements:
- Data processing agreement with the chatbot provider
- Privacy notice that includes the chatbot's data processing
- Informing users that they are communicating with AI (required by the EU AI Act from 2025)
- Storage time limitation: do not retain chat logs longer than necessary
3. AI for Automated Decisions
Using AI to screen job applicants, score customers, or make automated credit decisions.
This is strictly regulated. GDPR Article 22 gives individuals the right not to be subject to automated decisions with legal or similarly significant effects. This requires:
- Explicit consent from the person concerned
- Information about the automated logic
- The right to human review of the decision
For autonomous AI agents in HR, credit assessment, or similar: legal review is necessary before implementation.
EU AI Act: What Is Coming from 2025 and 2026
The EU AI Act is a new regulation that governs AI systems by risk category:
From February 2025: Prohibited AI practices are in force. This includes manipulative AI systems, general social scoring of citizens, and mass biometric surveillance.
From August 2025: Obligations for providers of general-purpose AI (LLMs). This primarily applies to providers, not Norwegian SMB customers.
From August 2026: Full entry into force for high-risk AI systems (Annex III). Includes AI used in recruitment, credit assessment, critical infrastructure, and medical diagnostics. Fines: up to €35 million or 7% of global turnover for serious violations.
Most Norwegian SMBs using AI for text generation, automation, and analysis will not fall into the high-risk category. But check whether your solution involves recruitment, financial decisions about individuals, or health data.
Practical GDPR Checklist for AI Use
For AI tools for internal purposes:
- Use the business version with a data processing agreement (DPA)
- Choose EU data storage where available
- Create an internal policy: what can employees use AI for, and what is prohibited
- Do not paste sensitive personal data into AI chats
For customer-facing AI chatbots:
- Enter into a data processing agreement with the provider
- Update your privacy notice to include the chatbot's data processing
- Inform users that they are communicating with AI
- Limit storage time for chat logs
For AI used for automated decisions:
- Conduct a DPIA (Data Protection Impact Assessment)
- Ensure the right to human review
- Document the logic of decisions
- Obtain legal assessment
What Are the Consequences of Non-Compliance?
Datatilsynet can impose:
- Warning or order to rectify
- Temporary or permanent ban on processing
- Fines: up to €20 million or 4% of global turnover
In practice, large fines are rare for Norwegian SMBs that are genuinely trying to comply. Datatilsynet's focus is primarily on large actors and systemic violations. But documented lack of effort carries far higher risk than a well-considered setup with some imperfections.
AIKI's AI Kickstart always includes a review of privacy consequences and data processing agreements as part of the project.
FAQ: AI and GDPR in Norway
Can we use ChatGPT at work without breaching GDPR?
Yes, with conditions. Use ChatGPT Teams or Enterprise (not the Free or Plus version) so OpenAI does not train the model on your business's data. Do not send personal data about customers or employees. Read the data processing agreement and check that data storage is in the EU.
Do we need a data processing agreement with the AI provider?
Yes, if the AI tool processes personal data on the business's behalf. This applies to chatbots, CRM integrations, email analysis systems, and similar. Most established AI providers offer a DPA as part of their business agreements.
What is the EU AI Act and does it apply to Norwegian SMBs?
The EU AI Act is an EU regulation governing AI systems by risk category. It applies in Norway via the EEA. For most SMBs, the consequences are limited until 2026 when high-risk requirements come into force. The exception is businesses using AI for recruitment, credit assessment, or similar.
Can we use AI to screen job applicants?
Automated screening is possible but strictly regulated. GDPR gives applicants the right to human review of AI-based decisions. AI can support the recruitment process (summarising CVs, putting questions to candidates), but the final decision must always be made by a human.
What does Datatilsynet say about AI?
Datatilsynet has AI as a priority area in 2025 and actively publishes guidance. They conduct supervisory reviews and can issue orders. Updated guidance is available at datatilsynet.no. Datatilsynet emphasises that GDPR applies in full to AI systems processing personal data.
GDPR and AI are not incompatible. Most use cases are legal with the right measures in place. The key is to document what you do, choose providers with clear data processing agreements, and avoid sending sensitive personal data into public AI services.



