
Terms and conditions for processing of personal data

1 Scope

These terms are considered to be the equivalent of a processing agreement according to Article 25(3) of the Data Protection Act, No 90/2018, and the Processing of Personal Data, cf. Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data and repealing Directive 95/46/EC. The conditions apply to services on my page and mailbox on the Iceland website, which involve processing of personal data. In such cases, Digital Iceland is considered a processor and the public entity that is the service owner is considered to be the controller. The service itself is further described in an agreement between the parties or other terms of Digital Iceland. In certain cases, Digital Iceland is the controller, along with a service provider, which is usually a public institution, and their agreement on the division of their responsibilities for the processing of personal data applies. If Digital Iceland facilitates third party services to a public entity without being involved in the processing of personal data, the designated third party processor and the public entity shall be considered as the controller. The public sector body is then responsible for ensuring that a processing agreement is concluded with the third party. These terms take precedence over general commercial terms, basic agreements and the service agreement with regard to the processing of personal data by Digital Iceland on behalf of a public entity and related obligations.

2 Purpose and duration of terms

The purpose of these terms is to specify the obligations of Digital Iceland towards the public entities that use the services on my page and in the mailbox on the Ísland.is website, which involve the processing of personal data. The meaning of terms in these terms shall be as defined in the provisions of Act No. 90/2018, cf. Article 3 of the Act. These conditions apply while a public entity makes use of services provided by Digital Iceland.

3 Process description

Further information on services and the processing of personal data relating to them may be obtained in agreements between the parties, their terms and data protection policies. The Digital Iceland Data Protection Policy is available on the website of Iceland.is.

4 Duties of Digital Iceland as a processor:

  • Digital Iceland undertakes to process personal data only in accordance with the purposes of the processing, the terms of this contract, the annexes to the terms and the documented instructions of the controller.

  • Digital Iceland shall make available to the controller all the information necessary to demonstrate compliance with the obligations laid down in those conditions, offer the possibility for, and contribute to, audits, including inspections, conducted by and on behalf of the controller or another audit body.

  • If Digital Iceland considers that an order by a public entity is inconsistent with the provisions of Act No. 90/2018, the provisions of Regulation (EU) 2016/679 or other relevant legal provisions relating to the processing of personal data, Digital Iceland shall inform it of this without delay.

  • If Digital Iceland is obliged to provide personal data to a third country or international organisation according to law, it shall inform the public body of this legal requirement prior to the processing / the dissemination, unless the law prohibits such disclosure in the light of important public interests. If an official regulator requests access to the data and information of a controller, Digital Iceland shall notify the official body of this as soon as possible and, if possible, before granting access, unless this is not legally permitted in Iceland.

  • Digital Iceland shall ensure the confidentiality of the processing of the personal data covered by these terms, service contracts and annexes.

  • Digital Iceland shall ensure that its staff and contractors who have access to personal data owned by a public entity in connection with the performance of a service have signed confidentiality declarations or are bound by law to observe confidentiality. Such confidentiality shall be maintained even if the employee or contractor leaves his post.

  • Digital Iceland shall ensure that staff who have access to personal data in connection with the implementation of services have received appropriate training and education on the protection of personal data.

  • Digital Iceland shall ensure appropriate security of data and ensure that tools, products, applications and services are designed with privacy in mind by design and default. This does not apply, however, when Digital Iceland assists or facilitates the purchase by the controller of devices and tools, goods and services by a third party without being involved in the processing of personal data.

5 Obligations of a public entity as guarantor

  • All instructions concerning the processing that is directed to Digital Iceland shall be registered in writing by a public body.

  • A public entity shall ensure that, before and during the processing, it operates in accordance with the requirements made of it pursuant to Act No 90/2018 and Regulation (EU) 2016/679.

  • A public entity is responsible for and shall ensure that the processing of Digital Iceland on its behalf is provided with legal assistance in Article 9 and, as applicable, Article 11 of Act No. 90/2018, cf. Articles 6 and 9 of Regulation (EU) 2016/679, and otherwise complies with the principles of the Act in Article 8 thereof, cf. Article 5 of Regulation (EU) 2016/679.

  • The official body shall supervise the processing, including carrying out or having audits and inspections performed at Digital Iceland. Audits and inspections made by an independent third party at the initiative of Digital Iceland or other service recipients fulfil this obligation.

6 Sub-processor use

Digital Iceland may agree with another party (a sub-processor) to carry out certain processing operations, in whole or in part, which it carries out for a public entity. Before intended changes take effect, both when a subprocessor is added and when changes are made to the subprocessors already used, or when there are additions or changes to the existing processing operations arrangements, Digital Iceland shall inform the official body in writing of the changes. The subprocessor shall state in particular what processing operations the subprocessor intends to undertake, the name and contact details of the subprocessor and the date of the contract. A public sector body has twenty-two (22) working days as of the date of receipt of information on changes in the use of the subprocessor to oppose it. If the final day of the period is a public holiday, the period shall be extended until the following opening day. In other respects, holidays which fall within the time limit when the time limit is calculated shall be included. Use of a subprocessor is permitted if the public sector body has not objected within the time limit. Digital Iceland ensures that sub-processors comply with the same obligations regarding the processing of personal data as are stated in these terms and is responsible to the controller that the sub-processors fulfil their obligations. Digital Iceland shall maintain a list of sub-processors and publish them to public entities that receive their services. 
A public entity is responsible for ensuring that the processing by a processor on its behalf who has involvement in a project/service on its behalf complies with Act No 90/2018 and Regulation (EU) 2016/679, such as concluding a processing contract with the processor and ensuring that it provides sufficient guarantees that it makes appropriate technical and organisational arrangements so that the processing meets the requirements of Act No 90/2018 and Regulation (EU) 2016/679 and guarantees the rights of registered individuals.

7 Rights of the registered

A public entity is responsible for providing the data subject with information (education) on the processing operations before or as soon as processing begins, in accordance with the provisions of Regulation (EU) 2016/679 on information to be provided to the data subject, cf. Articles 13 and 14 thereof. Digital Iceland assists parties in providing this information and shall provide any information at its disposal to a public body in order for a party to fulfil its obligations under this provision. A public entity is also responsible for processing requests from individuals to exercise their rights under Chapter III of Act No. 90/2018 and Chapter III of Regulation (EU) 2016/679 for services provided by Digital Iceland. If individuals submit such requests to Digital Iceland, they shall forward such requests without delay to a contact or a public body's data protection officer as further agreed in a contract between the parties.

8 Assistance in meeting the requirements of Act No. 90/2018

Digital Iceland assists a public entity in carrying out an impact assessment on data protection, cf. further instructions from Article 29 of Act No. 90/2018 and Article 35 of Regulation (EU) 2016/679, and in fulfilling the provisions on prior consultation with the Data Protection Authority, cf. further instructions from Article 30 of the Act and Article 36 of the Regulation, when applicable. Digital Iceland shall also provide a public body with all documents necessary to demonstrate compliance and to enable it or an audit body to carry out audits, including inspections, and to assist in such audits. Digital Iceland shall in other respects assist parties in fulfilling their obligations under Act No. 90/2018 and Regulation (EU) 2016/679 as is reasonable.

9 Security measures

Digital Iceland requires staff, partners, contractors and sub-processors to ensure that information security and data protection are integrated into projects, services and activities. Digital Iceland is responsible for ensuring that information security in connection with services under these terms is in accordance with the requirements of Act No. 90/2018 and Regulation (EU) 2016/679. The use of personal data shall always be minimised in scope and retention periods, taking into account other laws and regulations. Sensitive personal data shall be protected in particular from the outcome of a privacy impact assessment (MONP), where appropriate.

  • Digital Iceland is responsible for information security in relation to services provided and the identified staff member must be responsible for information security.

  • The employees of Digital Iceland are bound by confidentiality provisions in their employment contracts as well as confidentiality under the Act on the Rights and Obligations of Government Employees, No. 70/1996.

  • Members involved in the management and operation of Digital Iceland services have signed declarations of confidentiality.

  • Provisions on confidentiality are contained in service and hosting contracts.

  • Hosted in an accredited professional environment.

  • Information security and data protection design requirements are part of all the scope of projects in order to contribute to a default and inherent level of data protection and data security.

  • Security measures, such as access control and encryption of data, are implemented on the basis of the results of risk assessment, assessment of the impact on data protection as well as legal requirements.

  • Safety inspections are conducted on a regular basis by independent third party critical services.

  • Digital Iceland makes processing agreements between subprocessors and service providers subject to compliance with Act No. 90/2018 and Regulation (EU) 2016/679.

Digital Iceland shall provide the official body with further information on security measures upon request. If a public entity requires additional security measures, e.g. due to the nature of personal data or the extent of processing, this can be laid down in a special agreement between the parties.

10 Security failures and their reporting

If Digital Iceland is aware of a security failure in connection with services to a public entity, it shall notify the party in question without undue delay after Digital Iceland becomes aware of the violation. The notification shall be accompanied by any documents necessary for the controller to notify the violation to the appropriate regulatory body. A public entity is responsible for reporting security failures in the processing of personal data to the Data Protection Authority and other relevant supervisory authorities, unless it is considered unlikely that the failure will lead to risks for the rights and freedoms of individuals in accordance with paragraph 2 of Article 27 of Act No. 90/2018. If security failures in the handling of personal data are likely to pose a high risk to the rights and freedoms of individuals, the public sector body shall notify the data subject of the failure without undue delay, cf. paragraph 3 of Article 27 of Act No. 90/2018.

11 Personal data at the end of processing

When services terminate on contract, Digital Iceland shall assist in the transfer of data and information to a new service provider or return it in a commonly used machine-readable format, if requested. As Digital Iceland is a party required to deliver under Article 14 of the Public Archives Act, No. 77/2014, it is prohibited to delete data and information without the consent of the National Archivist, rules or on the basis of a special legal provision, cf. paragraph 1, Article 24 of the same Act.

12 Audits

Should an official body so request, Digital Iceland shall grant it, or a third party designated on its behalf, access to data and information systems for conducting audits and security tests to ensure that Digital Iceland fulfils its obligations under these terms, agreements, annexes and in accordance with law. This applies, for example, to internal and external auditors as well as to the safety manager and/or security team. Digital Iceland also agrees to grant regulators such as the State Auditor, the police, the Financial Supervisory Authority of the Central Bank of Iceland and other supervisors access to its data and information systems if they so request in connection with an investigation into/involving a public entity. Audits and tests on the basis of this provision shall be conducted in consultation and with the knowledge of Digital Iceland. The parties shall agree on a date and measures to ensure security and confidentiality during an audit or test. Digital Iceland reserves the right to refuse an audit/testing body, but shall give factual reasons for such a rejection. Digital Iceland reserves the right to access and copy all audits, security tests, risk assessments and other similar procedures carried out on its systems and services, and to publish them to its recipients on their own initiative or at their request.

13 Data location

Digital Iceland shall inform the public entity where personal data are housed. Data and personal data in the custody of Digital Iceland or a sub-processor in connection with its services to a public entity will not be transferred or stored outside the European Economic Area except on the basis of instructions or consent of the party in question. If an official body requires that data be stored at national level, this shall be provided for in written instructions.

14 Responsibility

Liability, limits of liability and non-life shall be as provided in the contract or terms of reference. The liability of parties to violate Act No 90/2018 and Regulation (EU) 2016/679 is subject to Article 51 of Act No 90/2018 and Article 82 of Regulation (EU) 2016/679.

15 Contract return

These conditions shall be in place above any other agreements entered into between the parties with regard to the processing of personal data by Digital Iceland on behalf of a public entity. However, if the parties have annexed these terms to the processing of personal data, they shall take precedence over the provisions of these terms.


16 Review