The Data Protection Act and General Data Protection Regulation (GDPR) do not apply to the processing of personal data by the judiciary in the performance of its judicial tasks, cf. Article 4, paragraph 4 of the Act on Data Protection and the Processing of Personal Data No. 90/2018 (the Data Protection Act).

The term judicial power has in Icelandic courts been deemed to extend to acts of judicial procedures, i.e. the processing of individual cases in courts based on law. In the judgement of the European Court of Justice in case No. C-245/20 from 24 March 2022 the term judicial power was, in view of the independence of the court system, given a wider meaning than when the Data Protection Act was made. Current interpretation of the Data Protection Act is now based on the understanding that the term judicial power not only refers to the processing of individual cases but also to activities of the courts that are deemed so closely related to judicial procedures, e.g. the delivery of documents and the publishing of court agendas and decisions on the websites of the courts, that they influence the independence of judicial power.

The submission of court documents

Procedural law provides for the processing of personal data in court cases. Courts only provide information on individual cases and access to documents as far as provided for in laws and regulations. This applies to all kinds of information from the records of the relevant court, including about whether a particular individual or legal person is or has been party to a court case.

The rules of the Judicial Administration No. 6/2024 on the access of the public to documents and information on individual cases at the Court of Appeal and the district courts once they are finally completed, provide for the right of individuals, who are not party to the court case to which the request pertains, to access to documents and information at the courts (published in the Government Gazette of Iceland with No. 433/2024).
The Act on Public Archives No. 77/2014 applies to the retention, deletion and safe handling of documents.

The publication of agendas

Each district court publishes an agenda indicating a list of court cases for which the hearing date has been decided. The agenda includes information on the names of judges, parties to the case and solicitors, cf. rules of the Judicial Administration No. 7/2024 on publication of the courts´ agendas (published in the Government Gazette of Iceland with No. 761/2024).

Publication of court decisions

Decisions and orders at all court levels shall be published on the courts’ websites as provided for in Article 7, paragraph 6 and Articles 20, 28 and 38 of the Judiciary Act No. 50/2016 and the rules of the Judicial Administration No. 3/2022 on the publication of decisions and orders on the courts’ websites (published in the Government Gazette of Iceland with No. 1178/2022). The publication of court decisions aims to shed light on the courts’ activities and ensure the right of the public in a democratic society to access to information on judicial implementation. In addition, the publication is intended to support provisions in Article 70, paragraph 1 of the constitution and the principle of legal procedure for public process, which is intended, among other things, to provide restraint to the courts and promote that citizens can trust that everyone enjoys equality in the resolution of court cases. When publishing court decisions, care must be taken to respect the constitutionally protected right of individuals to the protection of privacy and the principles of data protection when processing personal data.

Companies such as Fons Juris collect published court decisions and publish on their website, bearing responsibility for the processing of personal data relating thereto.

Companies such as CreditInfo Lánstraust hf. collect, process and disseminate information on the financial matters of individuals based on a license from the Data Protection Authority.

The companies bear responsibility for the processing of personal data relating thereto.
Although the Data Protection Act does not apply to the processing of personal data by the judiciary in the performance of its judicial tasks, great emphasis is placed on personal data being processed in a legal, fair and transparent manner and its security being always guaranteed.

The Data Protection Act applies to the activities of the Judicial Administration as well as those tasks of the courts that do not embody the application of judicial power. Processing by courts and the Judicial Administration of personal data when performing other tasks than applying judicial power, shall be in accordance with fundamental considerations of data protection and the protection of privacy expressed in the Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

The Judicial Administration, the Supreme Court, the Court of Appeal, the district courts and the Court of Restitution are the responsible parties for the processing of personal data at their hands.

• The Judicial Administration, Suðurlandsbraut 14, 108 Reykjavík.

• The Supreme Court of Iceland, the courthouse by Arnarhóll, 101 Reykjavík.

• The Court of Appeal, Vesturvör 2, 200 Kópavogur.

• The District Court of East Iceland, Lyngás 15, 700 Egilsstaðir.

• The District Court of Northeast Iceland, Hafnarstræti 107, 600 Akureyri.

• The District Court of Northwest Iceland, Skagfirðingabraut 21, 550 Sauðárkrókur.

• The District Court of Reykjanes, Fjarðargata 9, 220 Hafnarfjörður.

• The District Court of Héraðsdómur Reykjavíkur, dómhúsið við Lækjartorg, 101 Reykjavík.

• The District Court of South Iceland, Austurvegur 4, 800 Selfoss.

• The District Court of the Westfjords, Hafnarstræti 9, 400 Ísafjörður.

• The District Court of West Iceland, Bjarnarbraut 8, 310 Borgarnes.

• The Court of Restitution, located at the Judicial Administration.
  

According to the Judiciary Act No. 50/20, two committees are related to the activities of the courts, and they are the responsible parties for the processing of personal data at their hands. The committees are:

• The selection committee on the qualifications of candidates for the post of judge discusses the qualifications of candidates for the post of Supreme Court judges, Court of Appeal judges and district court judges as well as post of judges at the Court of Restitution. The selection committee submits to the minister a written and reasoned review of candidates for the post of judges. The selection committee resides with the Judicial Administration.

• The committee on judicial work supervises the secondary occupation of judges and their shares in companies and businesses in accordance with rules No. 1165/2017. The committee resides with the Judicial Administration.
  

The tasks of the courts and the Judicial Administration and committees residing with the Judicial Administration that require the processing of personal data are primarily based on law. In general, it is not possible to ask to be exempt from such processing. The main laws used as a basis are:

• The Judiciary Act No. 50/2016

• The Code on Civil Procedure No. 91/1991

• The Code on Criminal Procedure No. 88/2008

• The Enforcement Act No. 90/1989

• The Act on Bankruptcy etc. No. 21/1991

• The Administrative Procedures Act No. 37/1993

• The Information Act No. 140/2012

• The Act on Data Protection and the Processing of Personal Data No. 90/2018

• The Act on Public Archives No. 77/2014
  

The courts and the Judicial Administration process personal data in relation to their statutory role and tasks such as when processing cases in court, processing communication and inquiries received, as well as in the collection and dissemination of statistical information. Personal data is normally processed based on consent, i.e. a person gives their consent for the courts or the Judicial Administration to process personal data for a clearly defined purpose.

When carrying out statutory and legitimate tasks, the courts and the Judicial Administration must record in their records management systems information about, e.g., parties to the case, solicitors, legal advisors, defenders, prosecutors, judges, employees of the courts and the Judicial Administration, committee members, witnesses, expert co-judges, assessors, individuals who are communicating with the courts or the Judicial Administration, as well as about other contacts of customers, suppliers, contractors, consultants, institutions and other legal entities with whom the courts or the Judicial Administration has entered into a contractual relationship. It depends on the nature of the case and the tasks of the courts and the Judicial Administration which personal data is processed at any given time.

The courts and the Judicial Administration record communication information of individuals obtained from themselves and Registers Iceland, such as name, address, ID number, phone number, email address etc.

The courts and the Judicial Administration also record other information, such as:

• the subject of the communication

• communication with individuals

• all data and documents attached to the communication
  

It depends on each individual case or field which personal data is collected additionally. The processing of personal data includes, among other things, that the courts and the Judicial Administration collect, record, store, delete, deliver and coordinate information. Great care is taken to record only the personal data that is necessary for the processing of the tasks that are assigned to the courts and the Judicial Administration according to the law.

The courts and Judicial Administration generally receive personal data directly from the individuals to whom the information relates. In cases where information comes from a third party, the courts and Judicial Administration inform the individuals about the processing of personal data, as appropriate.

The courts and Judicial Administration put a lot of effort into ensuring the security of personal data. The Judicial Administration is in charge of managing and developing the records management system of the district courts, the Court of Appeal, the Court of Restitution and the Judicial Administration, GoPro Foris. The company Hugvit is responsible for the hosting and operation of the system. The day-to-day responsibility for the system rests with the director of the Judicial Administration. The Supreme Court manages and develops its records management system, which is called CoreData, and the company CoreData Solutions handles the hosting and operation of the system. The president of the Supreme Court is responsible for the court’s records management system on a daily basis.

All staff members are bound by the law to remain confidential, even if they have retired. In particular, the confidentiality of the staff of the courts and the Judicial Administration is subject to the provisions of Article 18 of the Government Employees Act No. 70/1996 and the provisions of Chapter X of the Administrative Procedures Act No. 37/1993. Court staff must also respect the code of ethics for court staff No. 3/023.

Personal data is stored for as long as it is needed and there are objective reasons to do so, or as required by law if a retention period is prescribed by law. The courts and the Judicial Administration are submission parties according to Act No. 77/2014 on Public Archives. It follows that they are not allowed to destroy documents and data that they receive or that are created by them except with the permission of the National Archives of Iceland. The submission obligation also includes that documents and data received by the courts or the Judicial Administration or created by them must be submitted to the National Archives of Iceland according to the rules of the National Archives No. 573/2015 and 877/2020, where they will be kept indefinitely. Further information on the National Archives of Iceland is available at.

• National Archives of Iceland

The retention, deletion and safe handling of documents is subject to Act No. 77/2014 on Public Archives.

As previously stated, the data protection act does not apply to the processing of personal data that takes place when the courts exercise their jurisdiction, see discussion on Judicial procedures. The following discussion of an individual´s rights therefore takes into account he processing of personal data at the Judicial Administration and in the activities of the courts that do not fall under judicial authority.

On the basis of the data protection act, an individual can request information about the processing of their personal data at the courts and the Judicial Administration. An individual can also request to be informed about the processing of personal data that concerns them, as long as the interests of others do not stand in the way.

An individual has the right to access to and copy of all personal data that the courts and the Judicial Administration process about them, as long as the interests of others do not stand in the way.

An individual can request that incorrect, misleading or incomplete information about them be corrected, blocked from being used or deleted, in accordance with Act No. 77/2014 on Public Archives. The data protection act specifically states that the right to delete personal information and to be forgotten does not apply when the law requires that the information be retained.

The courts and the Judicial Administration make great efforts to ensure the security of personal data with appropriate technical and organisational measures.

The service provider of the courts and the Judicial Administration are certified according to the standard ISO/IEC 27001 – Information security, cybersecurity and privacy protection - Information security management systems – Requirements.

The Judicial Administration has established an information security policy for itself and the courts. The Judicial Administration has a technical and information security manager who supervises the IT security of the Judicial Administration and the courts.

To ensure the security of personal data, organizational and technical measures have been implemented, such as:

• the encryption of databases, communication and data during transfer

• access controls to systems aimed to ensure that only those who need personal data for their work have access to it

• activity records to ensure the traceability of activities

• multi-factor authentications

• general computer protection, such as anti-virus protection and firewalls, which are regularly updated

• active security monitoring of service providers and recording of security breaches

• training for staff on security issues
  

The data protection officer supervises compliance with the applicable laws and regulations on personal data protection at the courts and the Judicial Administration. Inquiries, comments and suggestions regarding personal data and data protection should be directed to the data protection officer.

The data protection officer of the courts and the Judicial Administration can be contacted by calling 432 5010 or by sending an email to domstolasyslan@domstolasyslan.is . It is also possible to send a letter to the Judicial Administration at Suðurlandsbraut 14, 108 Reykjavík, marking the envelope to the Data Protection Officer.