Terms and Conditions of the Island.is authentication system
About the terms and conditions
These terms are applicable to an agreement between the Icelandic Ministry of Finance and Economic Affairs (hereafter also "system operator") and the legal entity or individual intending to use the system operator's authentication system (hereafter "service provider") to authenticate users on a service website. These terms and the service provider's applications, as well as, depending on circumstances, other communication between the agreeing parties, form the basis of the agreement on the use of the Island.is authentication system between the system operator and the service provider.
The system operator's current authentication system is a central authentication interface where electronic ID or IceKey can be used for authentication. The service provider's logo is displayed in the interface as well as the Island.is logo. After authentication the user is returned to a website of the service provider's choosing, e.g. a service website. If needed, authentication can be provided for more than one site.
Where context permits, the following terms are defined as follows:
Auðkenni: "Auðkenni hf.", a company that specialises in issuing and developing electronic certificates. The system operator has a contract with "Auðkenni" for validation of electronic identification.
The system operator's authentication system: The Island.is central authentication interface operated by the Ministry of Finance and Economic Affairs.
IceKey: IceKey (I. Íslykill) is a password linked to the official Icelandic identification number of an individual or a legal entity.
Electronic ID: Electronic personal identification. Electronic IDs are available for smartphones or as a smartcard.
System operator: The Ministry of Finance and Economic Affairs.
Service provider's representative: An employee of the service provider overseeing the service provider's usage of the authentication system.
User: An individual or a legal entity using the service provider's access controlled web service.
Service provider: Legal entity or individual using the system operator's system to authenticate users.
Web service: The service provider's access controlled website that uses the system operator's authentication system to authenticate users.
Security breach: A breach in the service provider's security measures detected under other circumstances and not during a security assessment according to article 1.3.
1.2 Duties of the agreeing parties
Based on the agreement with the system operator, the service provider is given access to information from the system operator's authentication system to authenticate users on a secure website.
A service provider using the system operator's authentication system is responsible for the protection of data within the service provider's systems, including correctness, confidentiality, and traceability. The service provider guarantees that they, their representative, and other employees that have access to the data provided by the system operator's authentication system, have read these terms and are committed to ensuring data security. If the service provider decides to outsource their systems or system administration, the outsourced work is always the service provider's responsibility. The service provider is responsible for data security and the prevention of data leaks to unrelated parties.
User authentication is always via the system operator's secure portal. The service provider is not permitted to request that any personal information required for authentication is typed into forms on their website. The service provider is not allowed to alter or cover the system operator's login window in any way.
All security measures must be according to the latest technology, installation cost, scope, coherence, purpose, and risk of security breaches.
When transferring data, a general data network is used. User authentication requires the user to use electronic ID or an IceKey. Data is then transferred via an encrypted channel directly to the service provider. All security measures aim to keep data unreadable during transfer, even if communication is intercepted by an unrelated party or the equipment malfunctions.
When data security is assessed, any risk related to data processing must be taken into consideration, especially regarding unintentional or illegal deletion of data, whether sent, stored or processed in another way, or regarding data loss, alteration, publication, or access provided.
The service provider shall make sure that any information received via the system operator's authentication system is encrypted in transfer and storage. The service provider's security measures must be in compliance with the latest technology and fulfil all requirements stipulated by the system operator, accessible on Island.is. The system operator can request that the service provider's security setup is assessed regularly and automatically by a third party. If a security assessment shows that the service provider's measures do not fulfil the system operator's security requirement or that the service provider's measures have weaknesses that can affect data security, the service provider will be notified in a verifiable manner and given 10 days to make sufficient improvements. The service provider will be notified in writing. If sufficient improvements are not made within the deadline, the system operator will close the service provider's access to the login service.
The service provider is required to notify the system operator as soon as possible of any suspicion of unintentional, unauthorised or illegal processing of data or a suspicion of a security breach during the processing of data provided by the system operator's authentication system. The notification should be sent to firstname.lastname@example.org. The notification must include a description of the breach, including an estimate of how many individuals might be affected and how the data is processed. The notification should also include a description of likely consequences and the measures planned or taken due to the security breach.
The system operator is not liable for any damages, claims, measures, loss, liability, fines, penalties and cost (incl. legal fees) that the system operator may sustain due to the service provider's actions or lack thereof, whether caused by negligence, intent or recklessness of the service provider or users when using the authentication system or as a consequence of a breach of the agreement between parties. This exemption from liability does not limit in any way other contractual or legal rights of the system operator with respect to the service provider, and possible compensation or indemnification does not justify any violation of obligations and duties of the service provider.
The service provider is responsible for any damage caused by their, or their users, use of information transferred between the system operator and the service provider.
The system operator is not responsible for damage caused by the service provider or users' lack of knowledge, misunderstanding or misuse of the login service. The system operator is not responsible for damage due to malfunction of the service provider's hardware.
The system operator is neither directly nor indirectly responsible for damage caused by an unexpected shutdown of the authentication system, e.g. malfunction of the system operator's hardware or software, or hardware or software of related third parties, or of other causes. If any mistakes, interruptions, or delays of the system operator's service occur, the system operator's liability is limited to correcting those mistakes, interruptions or delays as soon as possible.
The system operator is only responsible for damage caused by great negligence or intent of the system operator's employees. The system operator's liability in those cases only covers direct damage and never derived damage, such as suspension of operations, loss of business or prestige.
The service operator can, during the period of agreement, charge the service provider for use of the authentication system according to a price list.
If a fee will be collected based on this agreement the price list will be published and accessible on www.island.is.
Any changes to the price list will be announced 30 days before they take effect. In case payments are overdue, the service provider shall pay late interest according to the provisions of chapter III of laws no. 38/2001 on interests and indexation, as well as cost due to late payment as stipulated in the system operator's price list.
1.6 Operational security
The service provider and the system operator are obliged to contribute to safe operation of the authentication system and work together on repairs if needed due to disruption of services.
If the service provider notices any disruption to the authentication system, they must alert the system operator without delay. While the system operator investigates, the service provider is not allowed to use the authentication system.
If it is necessary to shut down the system temporarily due to maintenance, updates, and/or other technical issues, the system operator will notify the service provider in advance. In general the notice is 24 hours.
The system operator reserves the right to shut down the service provider's access to the authentication system without notice if necessary due to suspicion of a security breach or if the system operator believes the service provider's equipment does not fulfil security requirements for use of the system.
If either the service provider or the system operator is obstructed from fulfilling the agreement for reasons beyond their control, their duties will be deferred until both parties can fulfil their agreed upon obligations.
1.7 Termination of the agreement
Both parties, the system operator and the service provider, can terminate the agreement. Termination shall be in writing and with two (2) months' notice from the moment when a letter of termination is received by either party. During the period of notice, both parties shall fulfil their duties according to the agreement.
The system operator can terminate the agreement without notice if:
The system operator is obliged by law or government regulation to terminate all business dealings with the service provider and/or it would be illegal to provide service to the service provider.
The service provider is in default of their duties or in violation of the agreement in any way.
Any information or declaration provided by the service provider before or during the agreement proves to be wrong, misleading, or in any way insufficient in the system operator's opinion, or the ongoing obligation to inform has not been fulfilled in accordance with the agreement.
Any operational events or behaviour by the service provider that can, in the system operator's unilateral opinion, give Island.is a bad reputation or lead to suspicion of fraud or illegal activities in the service provider's operations.
The service provider's account has been inactive for 6 months.
The system operator is not required to specify a reason for termination nor are they responsible for any cost that may arise due to their decision.
Notification of termination will be sent to the service provider's registered email address and considered received on the same day.
The service provider should in every way treat their users' data as confidential. The service provider is prohibited from requesting or processing data they receive via the authentication system for other purposes than authenticating users on their website.
1.9 Personal Data Protection
Both system operator and service provider shall ensure that all processing of personal data is in accordance with the cardinal rules of protection of privacy and personal data processing. This especially refers to the General Data Protection Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, cf. Icelandic laws no. 90/2018 on personal data protection and the processing of personal data.
The purpose of processing personal data is to authenticate users via the system operator's authentication system. The processing of data according to these terms is limited to necessary data for authentication.
Both parties are responsible for making any technical and organisational security arrangements needed to ensure the safety of the processed personal data.
1.10 Transference of the agreement
The service provider is prohibited from transferring their rights, either in whole or partly, and/or obligations according to the agreement, unless the system operator has given their written consent.
The system operator reserves the right to transfer their rights and obligations, partly or in whole, without consent from the service provider or others.
The system operator is also free to use services of representatives, agencies, or subcontractors to fulfil their obligations according to the agreement. In those cases, the system operator is responsible for the services provided by a third party with respect to the service provider.
1.11 Changes to the agreement
The system operator reserves the right to make changes to the agreement's terms and conditions. The system operator will notify the service provider in advance via email to the service provider's email address or in another verifiable manner before new or changed provisions are implemented. In addition, new terms are announced in advance on the system operator's website, www.island.is.
Changes are implemented within two (2) weeks from the date of notification.
The system operator's notice can be shorter if the change is necessary for legal reasons. In cases where the notice is shorter, the system operator will notify service providers as soon as possible.