Data Protection Policy
The Data Protection Authority is the controller of the processing of personal data carried out by the Authority. The Data Protection Authority is an authority that operates under the Data Protection Act, No. 90/2018. Its main role is to monitor that the processing of personal data by public bodies, companies and other parties is in accordance with the Data Protection Act.
The Data Protection Authority is located at Laugavegur 166, 4th floor, 105 Reykjavík.
The telephone number is 510 9600 and its email address is postur@personuvernd.is
You can contact the Data Protection Officer by sending an email to pvf@personuvernd.is
You can also send a letter to the Data Protection Authority, in which case the envelope shall be addressed to the Data Protection Officer.
Laugavegur 166, 4th floor
105 Reykjavik
In most cases, the Data Protection Authority will receive personal data directly from you when:
you complain to the Data Protection Authority, submit a query, tip, request permission for processing personal data or send in other communications
you have requested access to data according to the Administrative Procedures Act, the Information Protection Act or the Data Protection Act
you have registered for a seminar held by the Data Protection Authority
you have applied for a job with us, a summer job or an internship
The Data Protection Authority has a contract with you to perform certain tasks for the Agency, for example in security audits
you come to the Data Protection Authority for a meeting and register on the visiting form
The Data Protection Authority also accepts personal data from others than you in the following cases:
The Data Protection Authority has had contact with the company or government for which you work and the party in question has provided your personal data in its answers
Your personal data is included in a notification of a security breach or in a tip sent to the Authority
The party who makes a complaint or other communication to the Data Protection Authority refers to you in their communications with the Authority
The Data Protection Authority receives a notification that you have violated the Data Protection Act
The Data Protection Authority obtains your personal data when carrying out an audit
The Data Protection Authority receives your personal data from other government authorities
You represent a company or an authority, for example in responding to a request for a comment and so forth
You have been notified to the Authority as the data protection officer of a company or public authority
Applicants for a job name you as a reference
According to the Data Protection Act, you have certain rights and you can exercise them by sending an email request to postur@personuvernd.is or sending a letter to the Data Protection Authority.
You don't have to pay anything to exercise your rights.
The Data Protection Authority has up to one month to respond to your request, but the deadline can be extended by two months if the request is particularly extensive.
a. Access rights
You have the right to access and copy all personal data that the Data Protection Authority processes about you. In some cases, exceptions to the right may apply, such as because of the rights of others that should be given greater weight, but the general rule is that access should be granted.
You may also have the right to access your data under the administrative law and/or the information law. There may be a certain overlap between the various legal acts that need to be evaluated at each time.
b. Right to correction
You have the right to have data about you corrected when you believe it to be incorrect. According to the Act on Public Archives, the Data Protection Authority may, in some cases, not be allowed to change the data. However, you may wish to have a correction, with a comment, attached to the data, when appropriate, and/or to add information to the personal data that the institution has about you and that you consider to be insufficient.
c. Right to delete data / Right to be forgotten
The right to delete or the right to be forgotten does not apply to the processing of personal data at the Data Protection Authority, as the institution is bound by the law on public archives to preserve all information received.
d. Right to limit processing
You are entitled to request that processing of your personal data be limited in certain cases.
e. Right to object to processing
You have the right to object to the processing of personal data about you when the Data Protection Authority processes them on grounds of public interest, that is, legal authority, or in the exercise of public authority.
f. Right to transfer own data
This right applies only when personal data is processed on the basis of consent or in connection with a contract. The Data Protection Authority operates on the basis of law, and therefore only a very small part of its processing of personal data is based on consent or a contract. It is therefore unlikely that this right applies to the processing carried out by the Data Protection Authority, as it is almost entirely carried out on the basis of a legal obligation or the public interest.
g. Complaints regarding the processing of personal data
If you believe that the Data Protection Authority has not processed your personal data in a lawful manner, contact the authority's data protection officer.
Calls
The phone numbers of callers to the Data Protection Authority switchboard are not automatically registered with the Authority. If you wish to leave a message for the Data Protection Authority staff, you will be registered with your name, phone number and, when it is applicable, the nature of your inquiry. This information is kept for 60 days.
Sensitive personal data are not recorded.
The number of calls received by the Data Protection Authority each month, and the length of each call, are recorded.
When you contact the Data Protection Authority by telephone and request advice or guidance, the staff/legal advisers of the Authority record the contents of the call in a special call list. Your name and other contact information are only recorded if you provide it. However, this is not necessary in order for the Data Protection Authority's experts to provide you with information and advice over the phone.
The purpose of recording the content of telephone calls is twofold:
To keep track of the nature of the calls received during telephone time, as this may indicate that education on certain issues needs to be improved, for example on the Data Protection Authority website.
To be able to verify what was stated on the call in case of a dispute between you and the Data Protection Authority.
The Data Protection Authority does not record calls.
When you call the Data Protection Authority outside of telephone time in connection with a specific case being processed by the Data Protection Authority, the contents of the call and your contact information are recorded in a memo attached to the case.
The Data Protection Authority is obliged under the Information Act to record information on the facts of the case that is provided orally. The Data Protection Authority is also obliged to keep important information, including information on communication with the public.
When you contact the Data Protection Authority via e-mail, you should be aware that your e-mail may be unencrypted, which means that it is possible for unauthorised persons to read the message in transit. Therefore, avoid including sensitive personal data about yourself or others in the message. If you need to send the Data Protection Authority sensitive data, it is best to use registered mail or bring the data to the Data Protection Authority office.
The Data Protection Authority does not send sensitive personal data by e-mail, since the security of the data in such a transmission cannot be guaranteed.
All emails received by the Data Protection Authority are screened for computer viruses and stored in the case file of the Data Protection Authority.
Questions sent through the Data Protection Authority website
You can send the Data Protection Authority requests through the website, in which case you must provide the name, email address and nature of the request. You can also provide a telephone number, but it is optional. The purpose of registering information on your name, email address and telephone number is to make it possible for the Data Protection Authority staff to contact you, whether by e-mail or telephone, and information on the content of the request is necessary in order for the Data Protection Authority to reply to it.
The request is saved in the database of the Data Protection Authority's web service provider for 6 months and then deleted.
When the request is sent, it is sent as an email to the general mailbox of the Data Protection Authority and it is then registered in the case file of the Authority along with the contact information provided.
When an inquiry is registered in the case file, it is saved in accordance with the Public Archives Act.
Letter mail
The Data Protection Authority shall preserve all correspondence received by the Authority in the archives of the Authority, as well as all correspondence that is scanned and stored in the case file.
Visit to the Data Protection Authority office
In general, the Data Protection Authority does not accept people in the office of the Data Protection Authority unless they have an appointment.
However, it is always possible to come to the office of the Authority during opening hours to deliver or collect documents.
The Data Protection Authority shall enter the names of parties who arrive at the office, e.g. for meetings or repairs, and information on which company/institution the party in question comes from. This information is kept for 30 days.
If an individual arrives at a meeting, information on the meeting may be recorded in minutes or a meeting memo.
Questions and advice
When you contact the Data Protection Authority with a request or ask for advice, the Data Protection Authority works with your personal data to be able to answer you. The Data Protection Authority only processes information that is necessary to work with in order to answer your questions. For example, the Data Protection Authority processes information about your e-mail address and name when answering e-mail requests.
Personal data in inquiries are kept for 30 years by the Data Protection Authority, after which time data is returned to the National Archives of Iceland in accordance with the duty of preservation under the Public Archives Act. The Data Protection Authority delivers electronic copies of data to the National Archives of Iceland every 5 years in accordance with the Act on Public Archives.
The above information may be processed on the basis of a legal obligation which rests with the Data Protection Authority, cf. Point 3 of Article 9 of Act No. 90/2018, cf. item c of paragraph 1 of Article 6 GDPR.
Complaints to the Data Protection Authority
When the Data Protection Authority processes complaints, personal data is processed, for example contact information and other information necessary to process the case.
Personal data in complaints cases are kept for 30 years by the Data Protection Authority, after which time data is returned to the National Archives of Iceland in accordance with the duty of preservation under the Public Archives Act. The Data Protection Authority delivers electronic copies of data to the National Archives of Iceland every 5 years in accordance with the Act on Public Archives.
The Data Protection Authority may process the above-mentioned information because it is necessary in the exercise of official authority vested in the Data Protection Authority, according to Point 5 of Article 9 of Act No. 90/2018, cf. Article 6(1)(e) of the Act No. 9 of the GDPR. Sensitive personal data may be processed in connection with complaints if such processing is necessary for reasons of substantial public interest and is carried out on the basis of law, according to Point 7 of Paragraph 1 of Article 11 of Act No. 90/2018, cf. Article 9(2)(g) GDPR.
Licensing
When the Data Protection Authority receives an application for a permit to process personal data, it processes the contact details of the individual applying for the permit, if applicable, and, as appropriate, the contact details of the person acting on behalf of the person who provides the information, for example an employee of the authority. Other personal data provided in the application are also processed, as appropriate, particularly the names, telephone numbers and email addresses of other individuals involved in the application. The Data Protection Authority has a legal obligation to process applications for licences received and the contact information is necessary for the right person to be granted a licence.
The same applies to applications submitted to the Data Protection Authority for a comment regarding scientific research in the health sector.
Applications for licences, together with supporting documents, are kept for 30 years by the Data Protection Authority, after which time data is returned to the National Archives of Iceland in accordance with the duty of preservation under the Public Archives Act. The Data Protection Authority delivers electronic copies of data to the National Archives of Iceland every 5 years in accordance with the Act on Public Archives.
All processing of personal data in connection with permitting and comments regarding scientific research in the health sector is based on a legal obligation that rests with the Data Protection Authority, according to Point 3 of Article 9 of Act No. 90/2018, cf. Article 6, Paragraph 1, point c, GDPR.
Tips
The Data Protection Authority shall record all tips it receives about possible violations of the Data Protection Act in the case file of the Authority. If the tip is received by e-mail, the e-mail address and name of the sender are recorded. If the Data Protection Authority receives a written communication which does not concern its field of work, it shall forward the communication to the correct authority as soon as possible, cf. paragraph 2 of Article 7 of the Administrative Procedures Act. This is generally done after consultation with the person who sent the message, where possible. If the tip is received during telephone time without you giving your name, only the substance of the tip is recorded.
Tips are kept for 30 years by the Data Protection Authority, after which time data is returned to the National Archives of Iceland in accordance with the submission obligation under the Public Archives Act. The Data Protection Authority delivers electronic copies of data to the National Archives of Iceland every 5 years in accordance with the Act on Public Archives.
The above information may be processed because it is necessary in the exercise of official authority exercised by the Data Protection Authority, according to Point 5 of Article 9 of Act No. 90/2018, cf. Article 6(1)(e) of the Act No. 90/2018. The authorization to process sensitive personal data is in point 7 of paragraph 1 of Article 11 of Act No. 90/2018, cf. item g of Article 9 GDPR.
Requests for access to documents or information
The Data Protection Authority shall record all requests from individuals for access to information, whether they are based on the Data Protection Act, the Administrative Procedures Act or the Information Law.
Access rights requests are kept for 30 years by the Data Protection Authority, after which time data is returned to the National Archives of Iceland in accordance with the submission obligation under the Public Archives Act. The Data Protection Authority delivers electronic copies of data to the National Archives of Iceland every 5 years in accordance with the Act on Public Archives.
The above information may be processed because it is necessary in the exercise of official authority exercised by the Data Protection Authority, according to Point 5 of Article 9 of Act No. 90/2018, cf. Article 6(1)(e) of the Act No. 90/2018. The authorization to process sensitive personal data is in point 7 of paragraph 1 of Article 11 of Act No. 90/2018, cf. item g of Article 9 GDPR.
Registration at a seminar organised by the Data Protection Authority
When the Data Protection Authority holds a seminar, it asks those who intend to attend to register by sending an e-mail to a specific e-mail address. The purpose of this is to keep track of the number of people who intend to attend the seminar and to estimate the size of the meeting place based on this. Individuals are, however, always free to attend a seminar even if they have not registered specifically, as long as room permits.
Registrations to a seminar run by the Data Protection Authority are kept for 30 years by the Data Protection Authority, after which time data is returned to the National Archives of Iceland in accordance with the submission obligation under the Public Archives Act. The Data Protection Authority delivers electronic copies of data to the National Archives of Iceland every 5 years in accordance with the Act on Public Archives.
The above information may be processed on the basis of consent, pursuant to point 1 of Article 9 of Act No. 90/2018, cf. item a of paragraph 1 of Article 6 GDPR.
Notifications sent on the basis of previous legislation
Under the Data Protection Act, No. 77/2000, it was required to notify the Data Protection Authority of certain types of processing. This obligation to report has now expired, but the Data Protection Authority remains obliged to keep the information received in the notifications. The personal data included in notifications are in particular the name, address, telephone number, e-mail address and identification number of the natural person, if he was the controller himself, and, if the controller was a legal person, the name of the person making the notification was also recorded. The name and position of the person responsible for security measures were also registered.
The aforementioned notifications are kept for 30 years by the Data Protection Authority, after which time data is returned to the National Archives of Iceland in accordance with the submission obligation under the Public Archives Act. The Data Protection Authority delivers electronic copies of data to the National Archives of Iceland every 5 years in accordance with the Act on Public Archives.
The information above may be kept on the basis of a legal obligation which rests with the Data Protection Authority, according to Point 3 of Article 9 of Act No. 90/2018, cf. item c of paragraph 1 of Article 6 GDPR.
Notifications of security breach
The Data Protection Authority maintains all reports of security breaches in the case file. Such notifications shall include information on the contact person of the organisation in question and information on the security breach.
The aforementioned notifications are kept for 30 years by the Data Protection Authority, after which time data is returned to the National Archives of Iceland in accordance with the submission obligation under the Public Archives Act. The Data Protection Authority delivers electronic copies of data to the National Archives of Iceland every 5 years in accordance with the Act on Public Archives.
The information above may be kept on the basis of a legal obligation which rests with the Data Protection Authority, according to Point 3 of Article 9 of Act No. 90/2018, cf. item c of paragraph 1 of Article 6 GDPR.
List of Data Protection Officers
According to paragraph 7 of Article 37 GDPR, controllers and processors shall send the Data Protection Authority the contact details of their Data Protection Officer. This applies whenever a Data Protection Officer has been appointed, irrespective of whether the appointment was mandatory or voluntary. For this reason, the Data Protection Authority maintains a special register of notified Data Protection Officers, stating their name, who they work for, their e-mail address and telephone number.
The purpose of the register is to give the Data Protection Authority an overview of the appointed Data Protection Officers, for example so that they can be contacted in connection with the Authority's supervision or complaints that may arise. In addition, the Data Protection Authority can inform the public of the identity of the Data Protection Officer of the controller or processor in question. The Data Protection Authority can also use the register to communicate important information to the Data Protection Officers.
The above information is kept for 30 years by the Data Protection Authority, after which time data is returned to the National Archives of Iceland in accordance with the submission obligation under the Public Archives Act. The Data Protection Authority delivers electronic copies of data to the National Archives of Iceland every 5 years in accordance with the Act on Public Archives.
The above information may be kept on the basis of Point 3 of Article 9 of Act No. 90/2018, cf. Article 6(1)(c) GDPR.
Information security
The Data Protection Authority has established an information security management system to ensure the protection of personal data in accordance with the rules on personal data security, No. 299/2001. The information security management system covers all major key systems of the Authority. The Data Protection Authority has thus adopted an information security policy, conducted risk assessments and implemented appropriate security measures to ensure the security of the institution's systems.
Use of processors
The computer systems of the Data Protection Authority are operated within the Authority and housed with one external service provider, Opin Kerfi hf.
The largest processor is Opin Kerfi hf. Opin Kerfi hf. services terminals, AD servers, firewall and mail server.
The case file system GoPro Foris is developed by the Authority's processor, Hugvit hf. The case file system is hosted on the servers of Opin Kerfi hf. All communication between the Data Protection Authority and the servers takes place over an encrypted connection.
The e-mail server is also hosted on the servers of Opin Kerfi hf.
The security breach notification portal is operated jointly for the Data Protection Authority, PTA/CERT-IS and the Police. The notification portal is programmed, hosted and managed by Advania hf. Backups are supervised by Opin Kerfi hf.
The company Halló ehf. handles telephone answering for the Data Protection Authority. Its employees only record the name and telephone number of those who ask to speak with the Data Protection Authority and, as appropriate, an e-mail address and a brief description of the message. All employees of Halló ehf. who handle telephone answering have signed a declaration of confidentiality with regard to the Data Protection Authority.
The Data Protection Authority uses Microsoft Teams for teleconferencing. Teams may not be used to discuss sensitive matters related to the activities of the Data Protection Authority. The chat function in Teams may not be used to discuss matters under consideration by the Data Protection Authority.
The director is responsible for the policy and for ensuring that it is implemented. The policy shall be reviewed annually, or more often if there is cause to do so.