1. General information on the University of Iceland Data Protection Policy
On 15 July 2018, the Act on Data Protection and the Processing of Personal Data no. 90/2018 entered into force (the Data Protection Act). In accordance with the provisions of the law, the University of Iceland has established the following policy for data protection and the processing of personal data. Personal data is information that identifies a particular individual or could be used for this purpose.
Staff at the University of Iceland shall keep the Data Protection Policy in mind at all times when working with personal data. Steps shall be taken to ensure that all personal data gathered, used or processed at the University of Iceland is handled in accordance with the new law.
2. Processing of personal data must be satisfactorily supported by the law
University of Iceland staff shall not process personal data unless there is satisfactory justification for the work in the Data Protection Act.
In accordance with the Data Protection Act, personal data may only be processed if one of the following criteria is met:
- The data subject has consented to the processing of their personal data for one or more specific purposes.
- The processing is necessary in order to honour a contract, to which the data subject is a party, or to take measures at the request of the data subject before entering into a contract.
- The processing is necessary in order to comply with a legal obligation to which the controller is subject.
- The processing is necessary to protect the vital interests of the data subject or another individual.
- The processing is necessary for a task that is carried out in the public interest or in the exercise of official authority vested in the controller.
- The processing is necessary for the pursuit of legitimate interests by the controller or a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially when the data subject is a child.
3. Handling of sensitive personal data
University of Iceland staff shall always take the utmost care when processing and storing sensitive personal data. Item 3 of paragraph 3 of the Data Protection Act lists the kind of information that should be considered sensitive personal data in a legal sense. For example, information about race, origins, health etc. is classed as sensitive personal data.
4. Education and training for staff
The University of Iceland shall regularly provide staff with education and training on how to handle personal data.
5. Security, reliability and the limits of processing
The University of Iceland shall guarantee the security of any personal data the institute works with. The University of Iceland is responsible for ensuring that technical and organisational safeguards are in place, designed to prevent unlawful or unauthorised access. The University of Iceland is also responsible for ensuring that personal data is reliable and updated as required. If any personal data proves to be inaccurate, it must be deleted or corrected without delay. The University of Iceland will, in accordance with the Data Protection Act, report any security breaches that may occur in the processing of personal data to the Data Protection Authority. The University of Iceland will also inform the data subjects of any security breaches if necessary. When the University is involved in processing personal data, the institution will also make the controller aware of any security breaches.
The University of Iceland shall also ensure that personal data is only processed to the extent considered necessary. Personal data shall be stored in a form that means it is not possible to identify data subjects any longer than necessary in accordance with the purpose of the work.
6. Communication of personal data to outside parties
In certain circumstances, the University of Iceland may need to pass personal data on to an outside party, for example on the basis of a service contract. In such circumstances, the University of Iceland must ensure that appropriate safeguards are in place.
7. The rights of data subjects
Individuals may request a copy of any of their personal data held by the University of Iceland. Such requests shall be submitted to the University of Iceland Service Desk (University Centre, Sæmundargata 4, 101 Reykjavík). To request a copy of their personal data, individuals must sign a form and show ID. To apply for a copy of someone else's personal data, the applicant must show a statement giving them the authority to do so, signed by the individual. The University of Iceland shall respond to such requests in a timely fashion, generally within a month. It may take longer to respond to a particularly large number of requests or a particularly complicated request.
This Data Protection Policy was approved by the University Council on 4 April 2019.