NTÍ emphasises that personal data collected by the institution are obtained for a clear and legitimate purpose.

NTÍ collects, stores and analyses data through NTÍ's operations for the following purposes:

• To provide the service - To enable NTÍ to fulfil its legal role and provide individuals with the services to which they are entitled according to Act No. 55/1992, the Administrative Procedures Act, the Data Protection Act and the Processing of Personal Data, the Information Act, the Public Archives Act and other statutory provisions. This is in accordance with item 3. Article 9 of the Data Protection Act, No. 90/2018.

• Performance measurement - NTÍ uses personally identifiable information for statistical purposes, in order to improve the service provided by the institution, for the benefit of NTÍ customers.

• Deviation logs - NTÍ records all deviations from approved procedures to learn from them and assess whether preventive measures are needed. Thus, NTÍ makes use of the anomaly to improve procedures and prevent further deviations.

• Other services - NTÍ uses personal data for other uses as necessary and is permitted by law.

NTÍ collects and processes personal data that is necessary for the organization to be able to process claims, which is the main function of NTÍ. The provisions of the Administrative Procedures Act apply to the handling of claims. NTÍ records information on all cases and documents handled by NTÍ under a unique case number according to the rules of the National Archives of Iceland.

Personal information concerning the treatment of benefits

The notifier shall give information on the damaged property (property constant number and address), date of the damage event and type of damage event which caused the damage, as well as a description of the damage and the circumstances.

Contact information

The notifier is requested to choose between electronic or paper communications and provide appropriate contact information so that the person concerned can be contacted when the case is being processed. The contact details in question are a postal address for paper communications and an e-mail address for electronic communications. In addition, the notifier provides information on the telephone number to enable contact to be made by telephone with regard to the handling of the case. If the notifier chooses to appoint an agent to communicate with NTÍ, he/she provides the agent's personal identification number and email address. Contact information is deleted from the database tables after the case has been closed, but remains in the case documents and case log if it has been used for communication.

Banking information

Bank account information is recorded by the notifier to enable compensation for the loss, as the case may be. In case payment be made, the information will be available in the case receipt, but the bank account information is deleted from the database tables after the case has been completed.

Processing of data during processing period

If data is received from the injured party, it is saved along with other documents in the case. Various documents will be produced during the processing of the case, such as letters between the owners and NTÍ, assessments, notes, photographs from damage assessments, measurements and other work papers of assessors, and communication between NTÍ and assessors. If an individual contacts NTÍ for any reason, the contact history is stored, along with data and contact information that is generated during the processing of the case. This applies whether you contact them by letter mail, e-mail, phone call or by other means.

Building

If damage is reported to a building, the notifier calls for further information on the property from the Register of Real Estate of the National Registry of Iceland through the NTÍ reporting page. Information is sought on the identity of the owners of the property (identity number, name, ownership ratio, purchase and delivery date) and information on the building (valuation part number, description of the assessment part, year of construction, building stage, area and fire compensation assessment).

Contents and liquidity

If damage is reported to the estate or movable property, the notifier shall inform the policyholder of the policyholder's ID number in order for NTÍ to call for a copy of the insurance policy to the insurance company that insure the property in fire.

Personal data of the insured

NTÍ maintains a register of all insurance policies covered by the insurance coverage of NTÍ. The information is obtained from the insurance companies and contains information on the insurance location of assets. From that point on, the location of assets is obtained from the Address Book and saved in the Register.

Personal data of representatives of public works owners

NTÍ maintains communications with representatives of the owners of public installations insured directly by NTÍ. Such communications may contain the sender's personal data, such as name, telephone number and email address, and are stored in the relevant case.

Enquiries and other matters

The information that NTÍ is required to register in all administrative matters includes the name of the parties to the case, as well as the sender or recipient of documents.

Accounting

Under the Accounting Act, the SIA shall preserve the accounts of the Institute, including the names and ID numbers of issuers of accounts.

As a public institution, the SIA is required to comply with the Public Archives Act, No. 77/2014. This means that NTÍ should save all data received or created in the operation, except for working documents. All data, other than working papers, are therefore stored at NTÍ until they are returned to the National Archives of Iceland for permanent custody when they have reached the age of 30. All NTÍ electronic data are stored in the EU.

• Backup - NTÍ follows the FME's Guideline Recommendation No. 1/2019 for risks in the operation of information systems of regulated entities, requiring NTÍ to provide a backup of data and information systems.

• Destruction of data - Since the provisions of the Act on Public Archiving are special, they are more correct in the protection of personal data and the processing of personal data, and therefore NTÍ is completely prohibited from deleting data from its databases without the gauze permit of the National Archives. NTÍ destroys the accompanying documents at the end of the seven-year period of attachment, except for samples of the accompanying documents as prescribed by the National Archives.

NTÍ is obliged to store information collected about individuals in an organised manner. It is also incumbent on the NTÍ to correct incorrect information if it is discovered.

• Registered individuals have the right to request that NTÍ share information on, or restrict its processing.

• Individuals may request to know what information NTÍ possesses, about the individual in question and obtain a copy of it.

• Registered individuals shall have the right to request a correction of registration at any time.

NTÍ reserves the right to receive remuneration for such processing, as authorised in the Information Act. If a fee is due, the individual will be notified of it before the processing takes place.

• If a data subject considers that the processing of personal data by NTÍ is not based on legal grounds and/or contractual provisions, they have the right to object to the processing or to withdraw consent for the processing of personal data by NTÍ.

• They are also entitled to submit a complaint concerning the processing of personal data by NTÍ to the Data Protection Authority.

Access to and rectification of information - All data that are generated in the processing of compensation cases, as well as all the personal data recorded by the notifier, are accessible following the notification at nti.is/minarsidur. There, the notifier can correct and/or update the personal data that have been recorded.

Copy of their own information - NTÍ allows individuals to make copies of their own information stored in the NTÍ damage file. Information regarding claims reported after 16.2.2015 is available at nti.is/minarsidur. Requests for other personal data shall be sent to nti@nti.is.

NTÍ is supervised by the Central Bank of Iceland Financial Supervisory Authority and other supervisory bodies and strives to comply with all laws, rules and guidelines applicable to the Authority. Close cooperation with regulators is required to ensure the security of data. A service provider who provides overall IT systems operations is certified according to the ISO27001 information security standard. Information technology service providers are required under the Data Protection Act to ensure the default and built-in level of personal data protection in information systems to the extent possible, taking into account the latest technology, implementation costs, scope, context and purpose of processing and risk.

NTÍ strives to protect individuals from unauthorised access or unauthorised changes, disclosure or sabotage of personal data in the custody of NTÍ. In particular, it can be mentioned that:

• In many cases, the NTÍ sites are encrypted with SSL (identified in the browser by an "https" prefix before the URL and a padlocked image).

• When individuals log on to My pages, they use IceKey or electronic identification for login.

• NTÍ regularly reviews processes for the collection, storage and processing of information, including technical security measures to protect from system access without authorisation.

• NTÍ limits access to personal data to staff of NTÍ and processors who have signed a processing agreement that complies with the Act on the Protection of Privacy as well as the Contracting Parties that have signed a confidentiality agreement for the processing. Access is always limited to those who need the access to perform their tasks for NTÍ.

• NTÍ regularly updates its security measures to protect against cyber-attacks, unlawful deletion or changes to personal data.

• NTÍ has carried out aggressive tests of the NTÍ system to ensure that known methods could not be used to break into the NTÍ's web servers.

• Processors are required to notify NTÍ without delay of any security breaches under the Data Protection Act and the Processing of Personal Data.

• Access controls are provided for all personal data and the parties that have access to the data are subject to an obligation of confidentiality.

NTÍ outsources part of its operations to perform its legal functions in a safe and efficient manner. Activities outsourced include damage assessment, internal audit, IT services and data hosting. Processing agreements are in effect with processors as appropriate and they determine the authorisations and obligations of processors when it comes to processing personal data. The disclosure of personal data to a third party is limited as far as possible. Processing agreements with independent controllers are not required, e.g. with law firms and audit firms.

NTÍ does not disclose personal data to a non-contractual third party unless this is legally required. NTÍ is a government agency and is therefore subject to the Information Act and the Act on the Protection of Privacy as regards the Processing of Personal Data. NTÍ shares personal data with individuals, companies or organisations outside NTÍ only if access to, use of, or disclosure is necessary to:

• they shall comply with relevant laws and regulations, in connection with procedures and requests from authorities.

• detect, prevent or otherwise respond to fraud, safety or technical problems.

• protect the rights, assets and safety of our customers or the public from acts of sabotage, as prescribed by law or permitted by law.

NTÍ is considered a party obliged to submit documents under the Public Archives Act and therefore returns documents required to the National Archives of Iceland (ÞÍ) for permanent storage in accordance with rules relating thereto. The records are submitted to you every five years for preservation. NTÍ will provide access to the data for 30 years, after which you will have access to the data. All access to data is subject to the Information Act and the Act on the Protection of Privacy as regards the Processing of Personal Data.

The Processor is not permitted to shed the processing of personal data to another party without the consent of the NTÍ.

NTÍ reserves the right to share non-personal data with third parties for research purposes.

Questions or complaints concerning this privacy policy and/or concerning the processing of personal data shall be directed to NTÍ, Hlíðasmára 14, 201 Kópavogur or via the e-mail address nti@nti.is