Iceland Revenue and Customs processes personal data such as:

• Personal identifiers, for example name, national ID number, gender, marital status and citizenship

• Contact details and residence, such as postal address, home address, email and phone number

• Family relations, based on family number, such as marital status, spouse and children

• Financial information, such as assets and liabilities

• Income information, including wages, benefits in kind, capital income and similar

• Special category data, such as health information and information about accidents, for example when assessing eligibility for reliefs

• Business-related information, such as industry classification codes and VAT registration status

Processing of personal data may include collecting, recording, storing, using, sharing, combining and deleting data.

Iceland Revenue and Customs only collects and processes personal data that is necessary to carry out its legal obligations.

Iceland Revenue and Customs processes personal data in order to carry out its legal obligations. This mainly includes the following activities:

• Ensuring accurate records, including maintaining correct information in the company register

• Ensuring the correct assessment of taxes and charges

• Providing services and carrying out tax monitoring and audits

• Investigating tax offences and determining penalties

• Collecting assessed taxes and charges

• Carrying out customs control, including facilitating lawful cross-border movement of goods and preventing illegal imports and exports

In addition to its core functions, Iceland Revenue and Customs processes personal data for other activities within its mandate, such as statistical processing, analysis and research or disclosure of information to third parties, where permitted by law

All processing is based on a legal basis and necessity, in line with applicable data protection legislation.

The processing of personal data by Iceland Revenue and Customs is primarily based on legal obligations set out in law. In general, it is not possible to opt out of such processing where it is required by law.

The main laws governing the activities of Iceland Revenue and Customs include:

• Act No. 45/1987 on Withholding of Public Levies

• Act No. 55/1989 on Value Added Tax

• Act No. 113/1990 on Social Security Contributions

• Act No. 4/1995 on Local Government Revenues

• Act No. 150/2019 on the Collection of Taxes and Public Charges

• Act No. 94/1996 on Withholding Tax on Capital Income

• Act No. 90/2003 on Income Tax

• Act No. 111/2016 on Support for the Purchase of a First Home

• Act No. 82/2019 on the Register of Beneficial Owners

• Act No. 17/2003 on the Register of Enterprises

• Customs Act No. 88/2005

• Administrative Procedures Act No. 37/1993

• Information Act No. 140/2012

• Criminal Procedure Act No. 88/2008

• Instructions of the Director of Public Prosecutions No. 6/2021

• Act No. 140/2018 on Measures Against Money Laundering and Terrorist Financing

All processing of personal data must also comply with applicable data protection legislation, including requirements on lawfulness, necessity and proportionality.

Processing personal data is necessary for Iceland Revenue and Customs to carry out its legal obligations.

Personal data is collected from a variety of sources, including both private and public entities, for example:

• The data subject, for example when submitting a tax return

• Employers

• Pension funds

• Banks and other financial institutions

• Other public authorities, such as:

  • Social Insurance Administration

  • Directorate of Labour

  • Directorate of Immigration

  • Financial Management Authority

  • Registers Iceland

• Foreign tax authorities

• The data subject’s legal representatives, such as lawyers and/or auditors

Employees of Iceland Revenue and Customs only access personal data when necessary to perform their authorized duties. All processing is carried out in accordance with applicable data protection laws and regulations. Employees are bound by confidentiality obligations regarding all information obtained in the course of their work. This obligation continues to apply even after employment ends. All employees receive appropriate training in data security and data protection. The data subject has access to their own personal data, and authorised representatives may also access the data on their behalf. In addition, the Director of Internal Revenue may be required by law to disclose information upon request, in accordance with specific legal provisions.

Iceland Revenue and Customs processes large volumes of personal data and therefore applies strict security requirements. To ensure data security, the organisation operates in accordance with a defined information security policy and established requirements covering physical security, IT system security, business continuity planning and incident response. The same requirements apply to service providers working on behalf of Iceland Revenue and Customs. Specific procedures are in place for handling personal data breaches, and appropriate organisational and technical security measures have been implemented in accordance with laws and regulations on data protection and information security. Examples of such measures include general IT security controls, access management to systems, logging to ensure traceability, encryption of data and transmissions, and multi-factor authentication.

Iceland Revenue and Customs discloses personal data to other public authorities when required by law, for example to Statistics Iceland, the Ministry of Finance and Economic Affairs, the Local Government Collection Center and the Icelandic Student Loan Fund. Personal data may also be shared with third parties, such as financial institutions and credit information agencies (e.g. Creditinfo), based on the informed consent of the data subject.

In addition, personal data is disclosed to foreign tax authorities on the basis of international agreements to which Iceland is a party.

Iceland Revenue and Customs retains personal data for as long as necessary in accordance with applicable laws and regulations, to fulfil its legal obligations. Under the Public Archives Act, records and data must be transferred to the National Archives of Iceland after a certain period. Destruction of records is not permitted without the approval of the National Archivist. Therefore, Iceland Revenue and Customs does not delete personal data unless authorized by law or with the required approval.

The Director of Internal Revenue is the data controller for the processing of personal data at Iceland Revenue and Customs. Iceland Revenue and Customs works with various service providers, for example in relation to tax assessment processing, information security and the publication of data in the government’s digital mailbox. Data processing agreements are concluded with these processors. Strict requirements are imposed on processors to ensure they comply with data protection legislation and safeguard personal data through appropriate technical and organisational security measures.

Under data protection legislation, individuals have the right to know what personal data Iceland Revenue and Customs processes about them and to access that data, within the legal limits that apply to such disclosures.

Individuals are entitled to information on whether their personal data is being processed and, if so, to receive information about:

• The purpose of the processing

• The categories of personal data concerned

• The recipients, or categories of recipients, of the personal data

• Their rights

• The right to lodge a complaint with the Icelandic Data Protection Authority

• Whether automated decision-making is involved