Role and legal basis

The role of Rannís is defined in the Act on the organisation and is according to it, to strengthen the foundations of Icelandic knowledge society by supporting research, innovation, education, and culture. Rannís operates on the basis of Act No. 3/2003 on Public Support for Scientific Research. In order to fulfil its statutory obligations, Rannís needs to process personal data

Rannís emphasizes the secure handling and storage of personal data and ensures that all processing of personal data complies with applicable data protection legislation. Processing of personal data is always limited as much as possible, and personal data is not collected beyond what is considered necessary. Personal data is most often processed in order to fulfil the statutory role of the organisation, and the authority of Rannís to process such data to the extent necessary is stipulated in Art. 12 of Act No. 3/2003.

Definition of personal Data

Personal data refers to any information that can be linked to an identifiable individual, such as name, identification number, location data, IP addresses/network identifiers, or one or more factors specific to the individual. Personal data does not generally include information relating to companies or animals.

See here for further information on personal data

Data Protection Officer

Ragnhildur Gunnarsdóttir is the appointed Data Protection Officer for Rannís. She can be contacted by phone +354-515 5800, by email at personuverndarfulltrui@rannis.is or by sending regular mail to:

Rannís
Attn: Data Protection Officer
Borgartún 30
IS-105 Reykjavík

Collection of personal data and purpose of processing

Rannís collects personal data in connection with tasks entrusted to the organisation under the applicable laws and regulations governing its operations. The organisation collects data either as a responsible party or as processing party.

Rannís processes personal data only where a lawful basis exists. The legal basis for processing may vary depending on the purpose of the processing. In nearly all cases, the legal basis is one or more of the following:

• Where processing of personal data is necessary for the assessment of grant applications andthe payment of grants.

• Where processing of personal data is necessary in connection with applications for advertisedpositions and when entering into employment contracts.

• Where Rannís is legally obliged to process personal data in order to comply with laws and/orregulations.

• Where an individual has provided consent for the processing of personal data for a specificpurpose.

• Where processing is governed by other legislation, the legal basis may differ from those listedabove. In such cases, processing may be subject to consent.

• A camera system in the reception area of Rannís monitors the arrival of visitors in real time toensure that they receive service. The pictures are stored for three months and are onlyreviewed in the event of a crime or suspicion of criminal activity.

What personal data is processed?

The specific personal data processed by Rannís depends on the matter or project concerned. In most cases, the data consists of information provided by the individuals themselves and Registers Iceland , such as name, home address, identification number, telephone number, email address, and similar information.

Processing of personal data is most often linked to applications for grants from funds administered by Rannís or applications for rights under its administration. When applying for a grant through Rannís, parts of the application process may involve participation of partners. In such cases, partners are defined as data processors in accordance with data protection legislation.

Rannís' data protection policy applies whenever an application is submitted to any fund or rights administered by Rannís. Personal data is collected upon receipt of applications for the purpose of assessing and processing the application. If an application is approved, additional terms and conditions may apply. It is important for applicants to become acquainted with the rules of the fund in question to determine whether additional conditions apply.

Further processing of personal data takes place for statistical analysis of applicants in order to fulfil statutory obligations imposed on Rannís. Rannís prepares statistics on fund applications for public authorities. Statistical analysis is based on information provided in applications. Examples of personal information that are used in statistical analysis are age, gender, education and location and similar data.

Disclosure of personal data to third parties

Rannís does not use personal data for purposes other than those for which it was collected. Personal data is not disclosed to third parties unless consent has been obtained or disclosure is permitted by agreements and/or law. Where a third party, acting as a data processor, is granted access to personal data, Rannís ensures confidentiality.

Further information on the handling of personal data in connection with application processes and administration of projects within funds.

Personal data used to evaluate applications for grants or rights may include:

• Name, address, email address, contact details, date of birth, and gender.

• Current employment, education, works, references, and research performance.

• Information on other members of a project team, if applicable.

• Project information.

• Other information related to the application.

Personal data collected for grant payments includes:

• Banking details, such as account information and other payment information.

Information on previous grants includes:

• Reports describing previous projects and grants that have been funded by Rannís and/orother parties.

Information on previous communications includes:

• Customer communication information may be recorded and saved

When and why is sensitive personal information collected

In certain cases, personal data that is considered to be ‘sensitive personal information’ is processed. Special categories of personal information, such as religion, ethnicity or health, require enhanced protection under data protection law. Rannís will only process such data under specific circumstances.

Examples include situations where applicants with disabilities may be entitled to additional grants. In order to assess such applications, Rannís may require applicants to provide information regarding their disability, cf. Art. 12 of Act 3/2003.

Retention of personal data and how long it is stored

Correspondence received by Rannís, such as applications, supporting documents, and other submissions, is stored in an electronic records management system under a specific case number, which contains all information related to the matter concerned

Rannís' operations are subject to Act no. 77/2014 on Public Archives. Rannís is required to retain grant applications indefinitely unless authorisation for disposal has been granted, cf. Art. 24 of the Act. The records management system of Rannís is hosted by Hugvit hf.

Legal dispute and Claim

Rannís may be required to provide personal data in cases of legal disputes, particularly where there is suspicion of unlawful activity or fraud.

Administrative Purposes

In certain cases, personal data, including information from applications, is stored for administrative purposes. This may include accounting, auditing, fraud prevention (including financial due diligence by competent authorities), system testing, maintenance, and development.

Cookies

Rannís uses cookies on its websites to collect and analyse information on usage and functionality, including Google Analytics for web analytics. Upon each visit to Rannís websites, information such as time and date, search terms, country of origin, browser type, and operating system is recorded. This information can be used for market analysis, website improvement, and development, for example to determine which content users access most frequently. No attempts are made, nor will be made, to obtain additional information about website visitors or to link it to personally identifiable information.

The new Rannís website on island.is, uses Plausible for web analytics.

Use of AI

Rannís places strong emphasis on ensuring that all use of artificial intelligence solutions is responsible and secure. This includes ensuring that the processing of personal data complies with fundamental data protection principles and applicable legislation.

Security of personal data

At Rannís, strong emphasis is placed on ensuring the security of personal data. Rannís' application and information system is hosted and operated by the information technology company Wise.

To ensure the security of personal data, organizational and technical measures have been implemented, such as:

• Encryption of databases, communications, and data in transit.

• Access controls ensuring that only persons who require access to personal data for their work have such access.

• General IT security measures, such as antivirus software and firewalls, which are updated regularly.

• Ongoing staff training on information security.

The duty of confidentiality rests on all Rannís employees according to Act no. 70/1996 on the Rights and Duties of Government Employees.

Withdrawal of consent

An individual who has given consent to the processing of personal data may withdraw that consent at any time. To withdraw consent, please contact Rannís by sending an email to personuverndarfulltrui@rannis.is or submit a request to:

Rannís
Attn: Data Protection Officer
Borgartún 30
IS-105 Reykjavík

Request for a copy of personal data and how to submit a complaint

According to the Icelandic Data Protection Act, it is possible to request a copy of the personal data that has been processed. Rannís will make every effort to respond to the request within 30 days of its receipt.

Requests must be submitted in writing and include:

• Name and home address.

• Specification of the data requested.

• Any information facilitating identification of the relevant data, such as application details orcorrespondence.

• Email address, telephone number, and other contact information.

The following must also be provided:

• A copy of valid identification, such as a passport or driver’s licence, to verify identity.

• Signature and date of the request.

• If the request is made on behalf of a third party, a signed power of attorney.

Requests for access to personal data and/or complaints should be sent to personuverndarfulltrui@rannis.is or submitted in writing to the following address:

Rannís
Attn: Data Protection Officer
Borgartún 30
IS-105 Reykjavík

Individuals who believe that the processing of personal data by Rannís violates their rights can submit a request or complaint to the Icelandic Data Protection Authority (Persónuvernd).

The Icelandic Data Protection Authority (Persónuvernd) can be contacted by sending an email to postur@personuvernd.is or by phone +354 510 9600. The institution is located at Laugavegur 166, 105 Reykjavík.

For further information go to the Data Protection Authority website at island.is

This Data Protection Policy is reviewed every two years or as necessary.

The Rannís Data Protection Policy was last updated and approved in April 2026.