Terms and conditions regarding access to the Island.is inbox service
Following are the terms and conditions of an agreement between the Icelandic Ministry of Finance and Economic Affairs (hereafter also known as "service operator") and the government agencies and legal entities that use or intend to use the service operator's web service (hereafter also "Island.is inbox) to send documents (hereafter also "document provider") to individuals, legal entities and government agencies that have an Island.is inbox to receive documents (hereafter "recipient").
These terms were published 9 February 2021, and valid from the same day.
These terms apply to the document provider from the moment they confirm that they have read and understood the terms or when they use the service for the first time, whichever happens first.
Wherever the context permits, the following terms are defined as follows:
IceKey: An IceKey is a password which is linked to the official Icelandic identification number of an individual or legal entity.
Electronic ID: Electronic personal identification used for sign-in to digital services.
Service operator: Digital Iceland on behalf of the Ministry of Finance and Economic Affairs.
Document provider: Government agencies or other public service agencies that use or intend to use the Island.is inbox to deliver documents to recipients.
Recipient: Individuals, legal entities and government agencies that have their own Island.is inbox.
The web service: Internet access to a data transmission system via the Island.is inbox. Island.is inbox: The service operator's central web service that provides individuals, legal entities and government agencies with a digital inbox where they can access documents from government agencies and municipalities.
Access and data transmissions
The document provider gains the right to access and permission to transmit data via the Island.is inbox once they have agreed to these terms. This permission includes direct access to the "system". This direct access means that the document provider can link their data system to the inbox, in accordance to the inbox backend design description, and then send documents to recipients.
Digital inbox description can be found in the backend design description.
Backend design description
It is extremely important that all communication via the Island.is inbox fulfills the requirements of the backend design description.
The document provider logs in to the web service using electronic ID or IceKey for authentication via the Island.is login service, when a user has been authenticated they are returned to their Island.is inbox.
The document provider is responsible for controlling the access of their individual users, and their actions when using the web service.
All actions are in the name of the document provider.
Responsibility for authenticating information
The document provider is responsible for the authenticity of the information provided via the digital inbox.
Mutual information obligation
If the document provider becomes aware of misuse of the web service, or data connected to it, they must inform the service operator immediately. In case of a cyber attack or data being leaked to unauthorised parties, or a suspicion of such events to have happened or imminent, they are also required to alert the service operator without hesitation. If the document provider becomes aware of bugs or other problems when using the service, they are required to inform the service operator as soon as possible via email to email@example.com. Any events or changes, e.g. new Internet service provider, new software, computer systems etc., that can affect the web service should also be reported.
The service operator will notify the document provider of any failures or necessary updates to the service. If the service becomes inactive due to circumstances beyond the service operator's control, the service operator will notify the document provider. Generally, the system is serviced during the service operator's office hours, but in cases where the connection to the service is cut of, the service operator will react as soon as possible.
Data security and responsibility of the document provider
A document provider using the Island.is inbox service is responsible for the security of data, provided by the web service, in their systems, including correctness, confidentiality, and traceability.
The document provider guarantees that they, their representative or employee that has access to the service, have read these terms and conditions and are committed to ensure data security. The document provider is responsible for keeping information safe and controlling access to the service through their systems, as well as monitoring the use as stated in the chapter "Access control"
Responsibility of the service operator
The service operator is not responsible for damage caused by unauthorised use, e.g. if an unrelated party has gained access to the document provider or a recipient's account, or if the document provider or recipient have not notified the service operator of such an event or their suspicion of an event.
The service operator is not responsible for damage caused by lack of knowledge, misunderstanding or misuse by the document provider or the recipient. The service operator is also not responsible for damage due to malfunction of the document provider or recipient's hardware or software.
The service operator is neither directly nor indirectly responsible for damage due to unexpected shutdown of the web service, e.g. caused by malfunction due to outage, loss of communication or other interference, that is unforeseeable or unavoidable due to circumstances beyond control (force majeure). Under those circumstances the service operator's responsibility is limited to correcting any mistakes, interference or delays as soon as possible.
The service operator is only responsible for damage caused by great negligence or intent of service operator's employees. The service operator's responsibility in such cases only covers direct damage and never derived damage, such as suspension of operations, loss of business or prestige.
Personal data protection
The document provider must have familiarised themselves with rules and regulations regarding processing of personal data, including the provisions of laws no. 90/2018 on data protection and the processing of personal data, especially provisions relating to processing and transmission of information and data.
Both parties are considered responsible when it comes to personal data processing for the Island.is inbox service. The document provider is responsible for processing data in relation to their use of the Island.is inbox service, including sending, storing and publishing personal data in the inbox. The service operator is responsible for processing personal data relating to managing the inbox service, i.e. information about inbox users and event logs. Personal data processing in relation to the service is further defined in Digital Iceland's data protection policy, accessible on the agency's website Island.is.
Personal data processing shall be in accordance to laws on data protection and processing of personal data. Parties have a responsibility to make sure their processing of personal data is legal and in compliance with article 9 and, depending on the circumstances, article 11 and consistent with the laws' main articles, cf. article 8.
Together, both parties must commit to the principle of protection by design and by default. If needed, they will evaluate the effect data processing will have on personal privacy and consult with the Data Protection Authority prior to processing, as stipulated in article 30 of laws no. 90/2018. Both parties are required to do a risk assessment and make arrangements to minimize diagnosed risks.
Both parties are responsible for demonstrating their compliance with laws no. 90/2018. When needed, parties will assist each other with demonstrating compliance, e.g. by providing necessary documents to establish compliance and assist in appraisals of the data processing.
Parties are mutually responsible for providing individuals with information regarding the processing of their data, as stipulated in article 17 of laws no. 90/2018 and articles 12-15 of EU regulation 2016/679. This responsibility is further explained in Digital Iceland's personal data protection policy, which is accessible to recipients on Island.is.
In other respects, personal data processing, e.g. notifications of security breaches and individual rights, is according to Digital Iceland's data processing terms or data processing agreements. The provisions of these terms and conditions overrule provisions of other terms or agreements.
The provisions of these terms regarding personal data processing and the division of responsibility between parties are available to the individuals concerned by request.
Payments for use of the web service
No fee is charged for the use of the service.
Transfer of rights
The document provider is prohibited from transferring their rights, in whole or partly, or duties according to these terms unless the service operator has given their written consent.
Changes to the terms and conditions
The service operator reserves the right to unilaterally change the terms and conditions. Any changes will be announced and document providers notified electronically in a verifiable manner with 30 days notice before the changes come into effect. New or updated terms will also be published on the service operator's website.
Notice of change can be shorter if the change is necessary for legal reasons. In cases where the notice is shorter, the service operator will notify document providers as soon as possible.
Violation of the terms
If a document provider is found to be in breach of these terms or misusing the web service in any way, or it is clear that they can not nor intend to honour these terms, the service operator can at any time, and without notification, shut down the document provider's access to the service. If that happens, the service provider shall then notify the document provider in a verifiable manner.