Privacy Policy
Privacy at Landspítali
Privacy is a fundamental aspect of all activities at Landspítali. Hospital staff are required to respect the dignity and integrity of all individuals who seek services at the hospital or work there. As the country’s main hospital, Landspítali provides specialised hospital services in accordance with Act No. 40/2007 on Health Services. The hospital also provides clinical training for healthcare students, offers specialist education for healthcare professionals, participates in extensive scientific research, and operates a blood bank.
In order to carry out these statutory duties, Landspítali must record and process personal and health data. Strong emphasis is placed on respecting confidentiality, safeguarding privacy, and ensuring the secure handling of personal data. On this basis, Landspítali has adopted the following Privacy Policy.
Landspítali Privacy Policy
The purpose of Landspítali’s Privacy Policy is to provide an overview of the processing of personal data at Landspítali and the legal bases governing such processing under Act No. 90/2018 on Data Protection and the Processing of Personal Data (hereinafter referred to as the Data Protection Act), as well as the specific legislation applicable to the hospital’s operations.
1.1 Data controller
Landspítali, Skaftahlíð 24, 105 Reykjavík, ID no. 500300-2130, is the data controller for the processing of personal data in its operations. As the data controller, Landspítali is responsible for determining the purposes and means of processing personal data and for ensuring that all processing is carried out in accordance with applicable laws and regulations.
1.2 Data Protection Officer
Landspítali has appointed an independent and autonomous Data Protection Officer (DPO) who oversees all processing of personal data within the hospital. The DPO reports to the Office of the CEO and is part of the hospital’s legal team but operates independently and without professional instructions from the head of the office.
Contact details of the Data Protection Officer:
Email: personuvernd@landspitali.is
Telephone: +354 543 1000
Postal address: Data Protection Officer, Landspítali, Skaftahlíð 24, 105 Reykjavík
All enquiries, requests, or complaints regarding the processing of personal data shall be directed to the Data Protection Officer.
1.3 Legal framework
This policy is established with reference to the principle of accountability in data protection and Article 24 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), which has been implemented through Act No. 90/2018. These provisions require the data controller to implement appropriate technical and organisational measures to ensure and demonstrate that processing is carried out in compliance with the law. This includes implementing a privacy policy and procedures that correspond to the scope of the hospital’s operations, risks involved, and the needs of patients, students, staff, and other individuals interacting with the hospital.
1.4 Scope and definitions
This policy applies to all processing of personal data carried out at Landspítali. This includes the processing of personal data relating to patients, employees, relatives, students, visitors, business partners, and other individuals who interact with the hospital.
Definitions:
Personal data: Information that can be directly or indirectly linked to an identified or identifiable individual, such as name, national ID number, address, telephone number, medical record data, salary information, and other data describing personal circumstances.
Sensitive personal data: Data relating to health, sexual orientation, religion, political opinions, race, etc., which enjoy special protection under the law. Health data are considered sensitive personal data.
Processing: Any operation performed on personal data, such as collection, recording, storage, disclosure, alteration, or deletion.
Data subject: The individual to whom the personal data relate, such as patients, employees, or students.
Data controller: The party that determines the purposes and means of processing personal data, alone or jointly with others – in this policy: Landspítali.
Data processor: An external party that processes personal data on behalf of the data controller – in this policy: on behalf of Landspítali under a contract.
Personal data breach: A security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data that are transmitted, stored, or otherwise processed.
Landspítali processes extensive personal data relating to patients for the purpose of providing healthcare services in accordance with Act No. 40/2007 on Health Services and Act No. 55/2009 on Medical Records.
2.1 Categories of data collected
Personal data processed about patients may include, among other things:
General personal data: Name, national ID number, address, telephone number, email address, primary care physician, and contact persons (e.g. relatives or legal guardians).
Health data: Medical history, diagnoses, test results (e.g. blood tests, CT scans, imaging), information on previous treatments and hospital admissions.
Data from third parties: Home nursing services, social services, or relatives, where applicable.
Medical records: A structured collection of information relating to diagnosis, treatment, and services provided to the patient. All such data are considered sensitive personal data and are subject to special protection under the law.
2.2 Purpose of processing
Landspítali processes personal data relating to patients for the following purposes:
Provision of healthcare services: To provide, organise, and document treatment, diagnoses, and follow-up. This may include communicating treatment-related information via SMS or email.
Patient identification: To ensure that the correct treatment is provided to the correct individual and to enhance patient safety.
Billing and payments: To manage billing and payments from patients and insurers.
Operations and quality management: To assess service quality, analyse deviations and complaints, and support internal audits and statistics.
Legal obligations: To comply with statutory reporting obligations to authorities such as the Directorate of Health, Icelandic Health Insurance, the Chief Epidemiologist, or child protection authorities.
Education and research: For teaching, training, and scientific research. In most cases, data are anonymised unless otherwise specified and consent has been obtained.
Development and innovation: To improve services and implement new solutions.
2.3 Source and disclosure of data
Landspítali obtains data from the patient, healthcare professionals, relatives, and other service providers.
Patient personal data are disclosed only in accordance with applicable laws and regulations or with informed consent, where appropriate. Disclosure may occur to:
Healthcare professionals and institutions: To ensure continuity and quality of care, such as primary healthcare centres, laboratories, and other treatment providers.
Authorities: Where Landspítali has a statutory obligation to provide information, such as to the Directorate of Health, Icelandic Health Insurance, child protection services, or the Chief Epidemiologist.
Healthcare system databases: In accordance with laws and regulations, such as quality databases within medical record systems, international databases, quality registries, or health registers maintained by the Directorate of Health.
Scientific research: Only with consent or pursuant to decisions by research ethics committees in accordance with legislation on health research.
Data processors: For example, software or technical service providers under contract with the hospital, subject to security and confidentiality requirements.
With patient consent: Where additional disclosure is required, such as to insurance companies.
Landspítali emphasises that only data necessary for the stated purpose are disclosed.
Landspítali processes personal data relating to employees in order to fulfil its statutory obligations as an employer and to manage organisation and operations. Approximately 7,000 individuals work at Landspítali, and the recording of data is necessary to ensure effective human resources management and employee welfare.
3.1 Categories of data collected
Data processed about employees may include:
Personal data: Name, national ID number, address, email address, telephone number.
Employment-related data: Employment history, education, professional development, internal recruitment history.
Financial data: Salary terms, bank details, trade union membership, pension fund membership.
Work-related data: Attendance, absences, leave, sick leave, working hours.
Health data: Where necessary, for example in relation to occupational safety, health monitoring, workplace injuries, or work capacity.
Criminal record information: For certain positions, especially where work involves children, vulnerable individuals, or sensitive environments.
3.2 Purpose of processing
Employee personal data are processed for the following purposes:
Employment relationship management: Including salary payments, leave calculations, sick pay, and other employment-related communications.
Legal obligations: Such as tax reporting, statutory reporting, social security, and occupational safety obligations.
Legitimate interests of Landspítali: Including organisational improvement, HR planning, internal communication, and operational statistics.
Health and safety monitoring: To ensure employee safety and compliance with occupational health and safety legislation.
Incident response: Investigation of bullying, violence, or workplace accidents, often in cooperation with external specialists such as psychologists.
Internal surveys: Such as employee satisfaction surveys, conducted via email or SMS.
3.3 Source and disclosure of data
Data are primarily obtained from the employee during recruitment and throughout the employment relationship. Data may also be obtained from previous employers, healthcare professionals (e.g. occupational physicians), or partners involved in incident investigations.
Disclosure occurs only when necessary and in accordance with applicable laws and regulations, to:
Authorities: Such as the Directorate of Health, tax authorities, labour inspection authorities, or courts, where required by law.
Data processors: Such as software providers or service providers involved in payroll or data processing under contract and confidentiality obligations.
HR service providers: Such as psychology firms analysing workplace incidents under confidentiality agreements.
With consent: In specific cases, with the consent of the individual concerned.
Landspítali receives a large number of job applications each year and processes applicants’ personal data for the purpose of recruiting qualified individuals to positions within the hospital.
4.1 Categories of data collected
Personal data: Name, national ID number, address, telephone number, email address.
Application materials: CV, cover letter, diplomas, references, and other supporting documents.
Recruitment process data: Interview results, scoring, assessments, and evaluation tools used in recruitment.
If an applicant is hired, additional data are collected, such as bank details, trade union membership, and pension fund information.
4.2 Purpose of processing
Processing is carried out to:
Assess suitability and qualifications for the position.
Manage and document the recruitment process.
Respond to enquiries and communicate with applicants.
Landspítali does not collect more data than necessary for these purposes.
4.3 Source and disclosure of data
Data are primarily obtained from the applicant. In some cases, data may be obtained from previous employers or referees with the applicant’s consent.
Applicant data are generally not disclosed to third parties except:
With consent: For example, when contacting referees.
To data processors: Where external parties assist with recruitment under contracts ensuring security and confidentiality.
Landspítali hosts a large number of healthcare students each year for clinical training and internships. To organise, document, and provide safe and effective supervision, certain personal data about students must be processed.
5.1 Categories of data collected
Personal data: Name, national ID number, address, telephone number, email address.
Educational progress and placement: Level of education, attendance, department placement, performance evaluations, supervision, and assessments.
Health data: Where necessary, for example to meet occupational safety and health monitoring requirements.
5.2 Purpose of processing
Student personal data are processed to:
Organise and manage clinical training.
Assess educational progress and ensure professional supervision.
Fulfil obligations towards partner educational institutions and students.
Ensure the safety of students and others.
Processing is carried out in accordance with agreements between Landspítali and the relevant educational institutions.
5.3 Source and disclosure of data
Data are obtained from the student and from the educational institution responsible for the programme.
Disclosure occurs only to:
Relevant educational institutions: To confirm performance, placement, and support assessment and graduation.
Data processors: Where electronic systems operated by external parties are used under contract.
With consent: In specific cases, such as disclosure outside the standard training framework.
Landspítali records information about patients’ relatives when necessary in connection with treatment and communication. Relatives are often recorded as contact persons or next of kin.
The following data may be processed:
Name
National ID number
Address
Telephone number
Relationship
The data are recorded in the patient’s medical record and used to:
Communicate with relatives, for example when a patient is unable to communicate.
Obtain information about the patient’s health or circumstances, with consent or in emergencies.
Data relating to relatives are generally not disclosed outside Landspítali except in accordance with law or with the patient’s consent.
Landspítali also processes personal data relating to individuals acting on behalf of legal entities that conduct business with the hospital, such as suppliers, contractors, and service providers.
Processed data include:
Name of contact person
Job title
Email address and telephone number
Bank details (where applicable)
The purpose of processing is:
To ensure operational communication and payment flows.
To manage statutory accounting and contract records.
The data are stored in Landspítali’s accounting and procurement systems and retained in accordance with accounting and archival legislation.
Data subjects have certain rights under the Data Protection Act and the GDPR. These rights are not absolute, particularly where processing is based on statutory obligations of a public authority such as Landspítali.
8.1 Right to information
Data subjects have the right to know which personal data Landspítali processes about them, for what purpose, on what legal basis, and who has access to them. One aim of this policy is to provide such information.
Further enquiries may be directed to the relevant department or the Data Protection Officer at personuvernd@landspitali.is.
8.2 Right of access
Data subjects have the right to:
Confirmation as to whether personal data are being processed.
Access to the data themselves.
Information about the purpose of processing, recipients, data sources, and retention periods.
Requests for access to medical records must be submitted using designated request forms:
Access may be restricted under medical records legislation if necessary to protect the health of the individual or the rights of third parties. Such decisions must be reasoned.
If unauthorised access to a medical record is suspected, it is possible to request an access log using a designated form.
Requests relating to other personal data (e.g. for employees) should be sent to the Data Protection Officer at personuvernd@landspitali.is.
Further information on access rights is available on island.is.
8.3 Right to rectification
Data subjects have the right to have inaccurate or misleading data corrected.
If incorrect information is recorded in a medical record, the data subject or their representative may request correction or the addition of a note by emailing the Medical Records Access Committee at nasu@landspitali.is, with justification.
Changes may be limited by archival legislation.
Data subjects are encouraged to notify Landspítali of changes to contact details such as telephone number or address.
8.4 Right to data portability
Where processing is based on consent or a contract and carried out electronically, data subjects may have the right to receive or transfer their data to another controller.
This rarely applies to processing at Landspítali, as most processing is based on statutory obligations of a public healthcare institution.
8.5 Right to object or request restriction
Data subjects have the right to:
Object to processing if they believe it exceeds what is necessary.
Request restriction of processing, for example where the accuracy of data is contested or where data are no longer needed but must be retained temporarily for other reasons.
Landspítali will assess such requests and provide a reasoned response if they cannot be granted, for example due to statutory obligations.
Where processing is based on consent, consent may be withdrawn at any time. Withdrawal does not affect the lawfulness of prior processing.
8.6 Right to erasure (“right to be forgotten”)
In certain cases, data subjects may request erasure of personal data, for example if:
The data are no longer necessary for the purpose for which they were collected.
Consent has been withdrawn and no other legal basis applies.
The data have been processed unlawfully.
Limitations: Landspítali is subject to mandatory archival obligations under public records legislation and may not delete data without authorisation from the National Archivist. This generally means that medical records and other statutorily retained data cannot be erased.
8.7 Right to lodge a complaint
If a data subject believes that processing at Landspítali violates data protection rules or their rights, they may:
Submit a complaint via the Landspítali website using a designated form on island.is (in Icelandic).
Contact the Data Protection Officer at personuvernd@landspitali.is.
Lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd).
Landspítali places strong emphasis on data security, confidentiality, and access control. All staff are responsible for protecting the data they handle and must comply with laws, internal procedures, and statutory confidentiality obligations.
9.1 Confidentiality
All employees and students are subject to statutory confidentiality obligations under Act No. 34/2012 on Healthcare Professionals. Contractors and partners must sign confidentiality agreements before gaining access to personal or sensitive data.
Confidentiality obligations continue after employment ends and apply equally to patients, staff, relatives, and others interacting with the hospital.
9.2 Security measures
Landspítali operates in accordance with international standards ISO 27001 and ISO 27002 to ensure the security of personal data. This includes systematic risk management, implementation of appropriate safeguards, and regular monitoring to protect data against unauthorised access, alteration, deletion, or loss.
In the event of a data breach, incidents are handled in accordance with data protection legislation and hospital procedures.
9.3 Information security policy
Security measures are based on Landspítali’s approved Information Security Policy.
Landspítali is subject to mandatory archival obligations under Act No. 77/2014 on Public Archives. Personal data are retained for as long as necessary for the purpose of processing or as required by law.
10.1 Medical records
Medical records are retained in accordance with Act No. 55/2009 on Medical Records and related regulations. Deletion is prohibited without authorisation from the Directorate of Health.
10.2 Accounting records
Accounting records are retained for seven years in accordance with Act No. 145/1994 on Accounting.
10.3 Employee records
Employment-related records are retained in accordance with archival schedules and public records regulations. Certain records are transferred to the National Archives.
10.4 Job applications
Applications and related documents are retained in accordance with archival schedules and public records regulations.
10.5 Other data
Other personal data not subject to statutory retention are deleted or anonymised when no longer needed for their original purpose.
Landspítali’s telephone system always notifies callers when a call is being recorded.
The purpose of call recording is, on the one hand, to ensure that information is available regarding the facts of a case in connection with complaints or claims, and on the other hand to ensure the safety of Landspítali staff.
Recorded calls are retained for 90 days and are automatically deleted once that period has expired. Recordings are only disclosed to the police or the Directorate of Health, as applicable, in accordance with Regulation No. 50/2023 on electronic surveillance and the processing of personal data generated through electronic surveillance.
Access to call recordings is restricted through access controls and governed by defined procedures. All granted access permissions are documented.
Landspítali applies electronic surveillance using security cameras in specific areas within and around its premises. The aim of surveillance is to enhance the safety of patients, staff, and hospital property, as well as to respond to incidents related to safety or the legal protection of individuals.
12.1 Purpose of surveillance
Electronic surveillance is carried out for security and property protection purposes, including:
Ensuring the safety of patients, staff, and visitors
Preventing and investigating property damage, theft, vandalism, or violence
Enabling review of incidents when necessary, for example in connection with complaints or injuries
Protecting important equipment and facilities
Surveillance is based on the legitimate interests of Landspítali and takes into account Regulation No. 50/2023 issued by the Icelandic Data Protection Authority on electronic surveillance.
12.2 Location of surveillance equipment
Cameras are located in public areas and other areas where oversight is necessary, such as:
Entrances, reception areas, waiting rooms, foyers, elevators, stairwells, and dining areas
Parking areas and ambulance access zones
Goods reception areas, larger storage facilities, and technical rooms
Medication rooms and supply storage areas
Electronic surveillance is not carried out in patient rooms, examination rooms, or other sensitive areas where patients enjoy a heightened expectation of privacy, unless special circumstances or incidents require it, with clear justification and appropriate signage.
12.3 Personal data processed
The footage generated through surveillance shows individuals moving within the monitored areas and their activities.
12.4 Retention and recipients
Recordings are stored for 30 days, unless special circumstances require longer retention, for example in connection with a police investigation or an internal incident investigation.
Footage is only reviewed when incidents arise that justify such review, and access is then limited to authorised personnel.
Data are not disclosed to third parties unless required by law, for example to the police in the investigation of criminal offences. Data may also be disclosed to an insurance company where necessary in connection with an insurance matter.
This Privacy Policy may be amended due to legislative changes or changes in data processing practices. The latest version is always available on the hospital’s website.
13.1 Entry into force
This policy enters into force on 1 January 2026 and replaces previous versions.
