Terms of service of the Digital Iceland application system
General
Digital Iceland on behalf of the The Ministry of Finance and Economic Affairs (‘The service provider') is the operator of the application system for Iceland.is (‘the service'). Government agencies, ministries and other public entities (‘service recipients') have access to the Iceland.is application system in order to transfer requests such as applications and forms to a digital form inside Iceland.is. Such requests may, for example, be processing of certificates, applications for licences, changes to registration, receipt of a communication and so forth. The application system of a service provider is twofold: - Applications are installed with an application builder that uses a pre-formatted module to set up simple service processes, which in turn are used in the recipient's case or work system. - Structured applications that incorporate complex service processes that cannot use structured entities to provide the service. These conditions frame the relationship between the recipient and the service provider for the application system. The terms are intended to define the parties' responsibilities when it comes to operations, maintenance and other aspects of the application system.
1. Definitions
For the purposes of these terms, where the context of a text permits, the following terms shall be defined as follows:
Members: Service provider and recipient.
Request: A user's request for a public service that is communicated through an application.
Simple application: An application made with a tool that is made available to the service recipient's representative. Such applications are configured with the pre-formatted modules of the application system and do not require custom modules.
User: The natural or representative of the legal entity sending the request with an application.
Application: A digital application process that receives and communicates user requests to the appropriate entity.
Application system: A system of service providers that gives the user access to the environment to submit requests for public services to the recipient of the service.
Customised application: An application that falls outside of the formatted units and requires analysis and special adaptations made by the service provider team.
Task Annex: A specific annex to the terms in which specific analysis, design and installation of new units is needed where an application is described, a division of costs is decided and specific provisions that may apply to each individual application are made, such as the lifetime of requests and user payments.
The service: The service provider's operation of application systems and assistance with teaching applications makers.
Service provider: Digital Iceland on behalf of the Ministry of Finance and Economic Affairs.
Beneficiary: A legal entity using an application to receive a request.
2. Request for services
The service provider accepts the service recipient's request for the provision of the service and access to the application system and identifies the main applications to be imported into the service provider's application system. The service provider subsequently offers courses in building simple applications, analysing service processes and presenting the tool.
If the analysis of the application reveals the need for custom modules for the construction of the application, the recipient may request the service provider to examine the application with that regard. The service provider always decides whether to undertake such a project and may request further documentation to support this decision. If the result is a custom application, a special project is created and a project annex made for that project.
The service provider may refuse a request for the provision of the service if the service provider considers, for example, that the nature of the public service is incompatible with the application process, does not meet the policy of Digital Iceland for the public service or if the service recipient does not have sufficient technical infrastructure to use the application system.
3. Project Annex
The parties shall prepare a special project annex for custom applications, specifying and outlining the division of responsibilities.
Before drawing up a project annex, the service recipient shall verify whether legal issues hamper the digital processing of applications.
4. Role of parties
The service provider is responsible for the basic operation of the service. Basic operations include regular software upgrades, minor changes in appearance, general safety inspections and failure monitoring of the application system.
The service recipient handles and is responsible for all information and communication with users. The service recipient is responsible for general education on the functioning, use and reliability of the systems as well as the information provided on his/her own website and on the service provider's website regarding applications.
The recipient of a service must familiarise himself with the provider's content policy and ensure that applications are submitted with it as far as possible.
Tests of standardised applications are conducted by the service recipient. Testing of custom applications is carried out by both parties. After receiving the approval of the service recipient and following tests, the service provider issues applications.
5. Security
It is the responsibility of the service provider to apply appropriate technical and organisational measures to ensure the safety of the service. Security measures shall take into account the state of the art, implementation costs, scope, context, purpose of the processing and risk of security failures.
A public data transmission network is used for data transmission. The user identification for the service is done using the login and agency service of the service provider.
All data communication between the service recipient and the service provider is carried out through an encrypted channel. Security measures are based on information being unreadable during transport, even if unauthorised persons enter internet communications or equipment malfunctions.
Safety measures taken by the recipient of a service shall take into account the latest technology and meet the requirements set out at any given time by the service provider. A service provider may request that third parties conduct regular automatic safety inspections of the installation of a recipient. If the outcome of a safety audit demonstrates that measures taken by a service provider do not meet the providers safety requirements as they are at any given time, or that there are other serious weaknesses affecting safety, the service recipient shall be verifiably informed and given a 10-day period, beginning at the time the notification is sent, to take adequate corrective action. If the safety audit concludes that the mentioned vulnerability is minor, the recipient shall be granted a 30-day respite. Is the recipient notified of this in writing. If the vulnerability in question has not been rectified after the period notified, the service provider may interrupt the service recipient's access to the service without further notification, until the defect has been rectified.
Should a recipient of a service be found in violation of these terms or of applications in any other manner, or if it is evident that he is unable or intends to comply with these conditions, the provider may at any time, and without notice, suspend access to the service for the recipient in question until the recipient of the service has demonstrably rectified the defect. In such a case, the service provider shall send a demonstrable notification to the recipient of the service in question.
6. Responsibility
The service provider shall not be liable for damage resulting from use of the service which results from ignorance, misunderstanding or abuse by the service recipient or the applicant. The service provider shall not be liable for damage caused by the failure of the service recipient's or applicant's equipment to function properly.
The service provider is not liable for damage caused by unauthorised use, for example if unauthorised parties have gained access to the service from a recipient, or if the recipient of the service has failed to notify the Service provider of any abuse of the service, or if there is suspicion of such.
The service provider shall not be directly or indirectly liable for damage caused by unexpected termination of service, such as failures due to breakdown of communications, breakdown of communications or other disruption of the operation of the web service which are unforeseeable or unavoidable due to force majeure. In the event of any error, interruption or delay of the service resulting from the above circumstances, the liability of the service provider shall be limited to remedying such errors, interruptions or delays as soon as possible.
The service provider shall be liable for damage suffered by a recipient only if this is attributable to gross negligence or intentional action by the service provider''s employees. The liability of the Service provider shall in such cases cover only direct losses, and never any consequential losses, such as stoppages of operations, loss of business or loss of opinion.
A service recipient shall keep a service provider in harmless from any loss, claim, damage, action, damage, guarantees, fines, penalties and costs (including legal costs) which the service provider may incur as a result of, or in connection with, the service recipient''s action or omission, whether it is due to the service recipient''s negligence, intent or negligence in connection with the use of a digital mailbox or resulting from a breach of an agreement between the parties. This indemnity shall not in any way limit any other contractual or statutory rights which the Service provider may enjoy in relation to a recipient of a service and the possible compensation or non-payment of an injurious sum does not justify a breach of the obligations and obligations of the recipient of the service.
Damage resulting from a violation of the Data Protection Act, No. 90/2018, and the processing of personal data is subject to Article 51 of the Act and Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
7. Cost
The service provider shall meet the basic costs of the service.
If, for whatever reason, an application requires more work and/or a recipient of a service makes more stringent safety demands than those generally made by a service provider, this shall be agreed in a project annex. Any additional costs arising from such costs shall be borne by the recipient of the service.
The service provider reserves the right to review the allocation of costs to cover basic costs, cf. Article 10 of this term.
8. Data protection and processing
In accordance with the Data Protection Act No. 90/2018 as well as Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the recipient is the controller and the service provider of the processor of personal data that are created and processed in applications.
The controller determines the purposes and methods of processing personal data and guarantees that it is authorised to process the personal data which it entrusts to the processor in connection with the service. The Processor processes personal data, f.h. the controller, which are necessary for the Processor to provide services according to this Agreement. The controller is responsible for, among other things, the lawfulness of the processing of personal data and the support of Article 9 and, where applicable, Article 11 of the Act, and the compliance of the processing of personal data with the principles of the Act, cf. Article 8 of the Act.
9. Operational security
The parties undertake to promote the safe operation of the service and at the same time work jointly on repairs in the event of operational interruptions.
The party must notify the other party without delay if there is suspicion of unintentional, unauthorised or illegal processing of information or if there is suspicion of any security failure in the handling of information derived from the service. The notification shall be sent to the public e-mail address of the party in question. In such notification, the party concerned shall describe the nature of the failure, including the estimated number of registered individuals concerned and the use of the information. The party in question shall also describe the likely consequences of the failure and the measures it has taken or envisaged to take in the event of the security failure.
The service provider will notify the recipient if breakdowns or necessary updates concerning the service come up. In the event that the service is terminated for uncontrollable reasons, the service provider will also notify the recipient. Service providers generally operate during office hours, but in the event of interruption of connection, the service provider shall respond to a notification to this effect as soon as possible.
A service provider may suspend access by a recipient of a service without warning if there is reasonable suspicion that unauthorised processing of information, security breaches or if the service provider is of the opinion that the recipient's equipment does not meet the service provider's requirements for use of the service.
If the interruption of operations leads to a failure to communicate the application, the service provider shall advise the applicant to contact the recipient of the service.
If the service provider or the recipient encounters any obstacles in the performance of the arrangements to the counterparty due to circumstances beyond his control, the responsibilities in question shall be suspended until the time such obstacles have expired and the parties to the agreement are able to fulfil their agreed obligations.
10. Changes to the terms
A service provider reserves the right to make changes to these conditions and shall be notified to the service recipient in an electronic notification sent to the recipient's designated e-mail address or by other verifiable means at least six months before the new or amended provisions enter into force. Furthermore, www.island.is announces new and/or updated terms before they take effect.
A service provider may make changes to the terms of the service in shorter time if such changes to the terms are necessary under law. In such cases where the duration of the notice period may be shorter, the service provider shall endeavour to notify such changes as soon as possible.
Please note that these terms have been automatically translated using a Natural language processing system.