Privacy and Data protection - GDPR - Bachelor



Mål og innhald

The course studies legal rules on data protection, that is a set of norms that govern the processing of personal data with the view of protecting the privacy of individuals whose data is being processed. The EU General Data Protection Regulation 2016/679 (GDPR) defines personal data as any information relating to an identified or identifiable natural person such as a name, an identification number, location, an online identifier or any factor specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Given the digital technologies' encroachment into our lives, the right to privacy and the protection of personal data have become crucial to both individuals, communities and businesses. A proper understanding of the rules governing data protection is now also necessary when working with other fields of law such as administrative law, EU/EEA competition law, public procurement, intellectual property law, health law or labour law.

As regards the rules governing data protection, this course focuses on the GDPR, a landmark in both data protection law and EU/EEA law, the European Convention on Human Rights and Fundamental Freedoms (ECHR) Article 8, the EU ePrivacy Directive (Directive 2002/58/EC) and the relevant case law from the Court of Justice of the EU and the European Court of Human Rights. Students are also made aware of the necessity of consulting national legislation that supplements the GDPR.

The course provides students with a thorough knowledge of the principles governing the processing of personal data, the GDPR's territorial and material scope, rights and obligations of data subjects (i.e. individuals whose personal information is processed), controllers (natural or legal persons determining the purposes and means of the processing of personal data), processors (natural or legal person that processes personal data on behalf of the controller), Data Protection Authorities in the EU/EEA, such as the Norwegian Data Protection Authority (Datatilsynet) and the European Data Protection Board (EDPB), that issues guidelines on interpreting the GDPR.

Students will learn about the legal grounds for processing personal data, including sensitive types of such data, special considerations regarding the processing of personal data of children, data protection rules applicable in the context of employment, exceptions concerning academic, journalistic and research activities, and requirements concerning transfers of personal data to third countries, that it outside EU/EEA.

Special attention is also given to data protection issues raised by the use of Artificial Intelligence, such as the legality of technologies involving automated individual decision-making and profiling. The course also covers such topics as freedom of speech and the "right to be forgotten", global surveillance in situations such as the outbreak of COVID-19 or data protection risks raised by such technologies as face recognition.

During the course the students are encouraged to identify privacy and data protection issues that are raised in other fields of law such as the above-mentioned administrative law, EU/EEA competition law, public procurement, intellectual property law, health law or labour law.



By the end of the course, the students have a general knowledge and understanding of legal policies on privacy and data protection, particularly in the context of the rapid process of digitalization, implementing Artificial Intelligence solutions in both public and private sectors, not to mention the distributed computer networks such as the Internet.

The students have a general knowledge and understanding of the principles, rules and logic governing the GDPR.

The students are familiar with the role of the GDPR in the EU's digital agenda.

The students can update the acquired knowledge by using different resources.


Given the two-fold aim of the GDPR, that is the protection of personal data and contributing to the accomplishment of the EU/EEA internal market, the students are able to correctly balance the right to data protection with other rights, freedoms and interests.

The students can elaborate on different topics in the field of data protection.

The students are able to apply the GDPR provisions in different situations when personal data are processed.

The students can communicate their findings both orally and in writing.

By the end of the course the students should be able to

- Cooperate with law students from other countries, and gain perspectives on common legal challenges from students from a legal background different than their own,

- Contribute with perspectives from their own country and legal background.

General competencies
By the end of the course, the students can identify and discuss the relevant legal framework and provide its critical assessment.

By the end of the course the student should be able to

Present and evaluate legal analyses and points of view in English, both orally and in writing

The students can solve varied assignments alone or in a group while providing arguments for the chosen conclusions.

The students can see the relevance of the acquired knowledge to other fields of law.

Studiepoeng, omfang


Studienivå (studiesyklus)

Bachelor level




Faculty of Law, University of Bergen
Krav til forkunnskapar
Two years of law studies.
Tilrådde forkunnskapar
Good level of English language.
Combined with JUS294-2-A Privacy and Data Protection - GDPR or JUS3503 Privacy and Data Protection - GDPR, this course will generate no new credits.
Krav til studierett

The course is available for the following students:

  • Admitted to the five-year master programme in law
  • Exchange students at the Faculty of Law

The pre-requirements may still limit certain students' access to the course.

Arbeids- og undervisningsformer


Teaching involves 10 lectures during which students are presented with theory and its application (short assignments).

Obligatorisk undervisningsaktivitet
Compulsory attendance at lectures/seminars

Four hour digital school exam.

Information about digital examination can be found here:

Exam language:

  • Question paper: English
  • Answer paper: English
A-E for passed, F for failed.
The reading list will be ready 1 December for the spring semester.
According to the administrative arrangements for course evaluation at the Faculty of Law
Hjelpemiddel til eksamen

Support materials allowed during exam:

See section 3-5 of the Supplementary Regulations for Studies at the Faculty of Law at the University of Bergen.

In addition: A printed out copy of the GDPR (in English) will be provided by the Faculty of Law for the exam.

Special regulations about dictionaries:

  • According to the Regulations for Studies, one dictionary is permitted support material during the examination. Bilingual dictionaries containing for example both Norwegian-English and English-Norwegian are considered as one dictionary.
  • Bilingual dictionaries to/from the same two languages - for example Norwegian-English/English-Norwegian - in two different volumes are also considered as one dictionary (irrespective of publisher or edition).
  • Dictionaries as described above cannot be combined with any other types of dictionaries.
  • Any kind of combination which makes up more than two physical volumes is forbidden.

In case a student has a special need for any other combination than the above mentioned, such combination has to be clarified with/approved by the course coordinator minimum two weeks before the exam. Students who have not been granted permission to have a special combination minimum two weeks before the exam will be subject to the usual regulations (Section 3-5) about examination support materials.

The Academic Affairs Committee (Studieutvalget) at the Faculty of Law is responsible for ensuring the material content, structure and quality of the course.
Associate Professor Malgorzata Agnieszka Cyndecka
Administrativt ansvarleg
The Faculty of Law¿s section for students and academic affairs (Studieseksjonen) is responsible for administering the programme.