1. General information about the University of Iceland's privacy policy
On July 15, 2018, the Act on the Protection of Personal Data and the Processing of Personal Data No. 90/2018 (the Personal Data Protection Act) came into force. In accordance with the provisions of the Act, the University of Iceland has adopted the following policy on the processing of personal data. Personal data is information that identifies a specific individual or could be used for that purpose.
University of Iceland staff shall be guided by the Privacy Policy whenever working with personal data. It shall be ensured that all personal data collected, used or otherwise processed by the University of Iceland is handled in accordance with the new law.
2. The processing of personal data shall be based on sufficient authorization.
University of Iceland staff shall not process personal data unless there is sufficient authorization for the processing in the Personal Data Protection Act.
According to the Privacy Act, personal data may only be processed if any of the following factors are present:
- The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject's request prior to entering into a contract.
- The processing is necessary for compliance with a legal obligation to which the controller is subject.
- The processing is necessary to protect the vital interests of the data subject or of another natural person.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data are overridden, in particular where the data subject is a child.
3. Handling of sensitive personal data
University of Iceland staff shall always exercise the utmost caution when processing and storing sensitive personal information. Section 3, Paragraph 1, Article 3 of the Personal Data Protection Act outlines what information is considered sensitive personal information within the meaning of the Act. Sensitive information includes, for example, information about race, ethnic origin, health, etc.
4. Education and training of staff
The University of Iceland shall regularly provide its staff with education and training on how to handle personal data.
5. Security, reliability and limitation of processing
The University of Iceland shall ensure the security of the personal data that the institution processes. The University of Iceland guarantees that appropriate technical and organizational security measures are in place to prevent unauthorized or unlawful processing. The University of Iceland also guarantees that personal data is reliable and updated as needed. If personal data proves to be incorrect, it shall be deleted or corrected without delay.
The University of Iceland will, in accordance with the Data Protection Act, report any security breach that may occur during the processing of personal data to the Icelandic Data Protection Authority. The University of Iceland will also notify data subjects of a security breach if required. When the University is a processor of personal data, the institution will also notify the controller if a security breach has occurred.
The University of Iceland shall also ensure that the processing of personal data is limited to what is deemed necessary. Personal data shall be stored in a form that prevents the identification of registered individuals for no longer than is necessary for the purpose of the processing.
6. Disclosure of personal information to external parties
In certain cases, the University of Iceland needs to share personal information with external parties, for example on the basis of a service agreement. When this is the case, the University of Iceland must ensure that appropriate safeguards are in place.
7. Rights of data subjects
An individual may request a copy of personal information about themselves from the University of Iceland. The University of Iceland Service Desk (Háskólotorgi, Sæmundargata 4, 102 Reykjavík) accepts requests for a copy of personal information. A person requesting a copy of personal information must sign a form and present identification.
If personal information is requested on behalf of another party, a signed authorization from them is required.
The University of Iceland will respond promptly to requests for copies of personal information. In general, requests will be processed within one month. However, a longer period may be required in the case of particularly numerous or complex requests.
8. Edition
This privacy policy was approved by the University Council on April 4, 2019.