EFLA´s Privacy Statement

Privacy Statement, GDPR, Private, Cookies, Personal information

EFLA is concerned about the security of the personally identifiable information of customers and its employees and is determined to ensure reliability and confidentiality, as well as the security of the personally identifiable information that is processed within the company. As a result, all personally identifiable information is treated in a lawful and fair manner and in accordance with personal data protection legislation in effect in Iceland, as well as the relevant provisions contained in the EEA Agreement. 

What personally identifiable information does EFLA collect about you?

The nature of the contract and other communications will dictate what information is collected.  Efforts are made to only collect personal information directly from customers and other stakeholders. EFLA collects, as applicable, the following personal information:

• Name
• E-mail
• Tel. No.
• ID No.
• Address
• Workplace
• Account No.
• IP numbers
• Signatures

EFLA's policy is to refrain from collecting personal information that can be classified as sensitive personal information, information on culpable offences or personal information on children under the age of 13.

The purpose of collecting personal information

The purpose of collecting personal information is to:

• Execute and fulfil the contracts that the company has entered into, such as project agreements, service agreements and employment contracts.
  
• Manage communications histories and ensure traceability as applicable.
  
• Engage in marketing and prepare marketing material in specific cases.

Legal grounds for processing

EFLA collects and process personal information based on the following authorisations:

• To fulfil contractual obligations
  
• On the basis of granted permissions
  
• To protect the legitimate interests of the company
  
• To fulfil legal obligations
  

The legitimate interests of EFLA involve actions that are necessary to manage the operation of the company and which necessitate the collection and processing of personal information, such as fulfilling the object of the company according to its Articles of Association, attending to business relations with our customers, managing employee issues and organising the execution of the work of the company, providing access to the appropriate information systems of the company, complying with internal and external rules, documentation requirements and handling of requests, complaints and claims from third parties.

Disclosure of personal data to third parties

Under no circumstances does EFLA sell personal information. EFLA only discloses personal information to third parties as required by law or in the case of a service provider, agent or contractor who is appointed by EFLA to work a predetermined task. An example of such are parties who are responsible for hosting information and telephone systems. In the event that a party with whom EFLA shares information is considered processor, EFLA makes a processing agreement with the party receiving your personal information. Such agreements stipulate, inter alia, the obligation of processors to keep your personal information safe and to not use it for other purposes. EFLA also shares personal information with third parties when this is necessary to protect the company's critical interests, such as collecting on non-payments. 

EFLA's personal privacy policy does not extend to information or processing by third parties; we have no control or responsibility for the use, disclosure or other work by them. We encourage you to familiarise yourself with the personal privacy policy of third parties, e.g. by the web hosting providers of sites that may refer to us, software companies such as Facebook, Apple, Google and Microsoft, along with the payment service you choose to use. 

Storage time of personal information

The storage time of personally identifiable information at EFLA is variable and depends on the nature of the information each time.  EFLA, however, endeavours to ensure that information is not kept for longer than necessary, unless there is legitimate reason to do so. EFLA, therefore, stores personal information for the time necessary to fulfil the object of the processing as described above and for as long as the information is necessary for the company so that it is able to fulfil its role or while such storage is obligatory according to law. Personal information stated on invoices is stored for seven years in accordance with accounting legislation. A review of the personal data stored is performed once a year. If it becomes apparent on review of the personal data stored that EFLA no longer requires the data for processing or due to a legal obligation to store your personal information, EFLA will stop processing and storing personal information from that time.

Your rights

You are entitled to receive:

• Information on what personal information EFLA has about you and their origin, as well as information on the manner in which your personal information is processed
  
• Access to the personal information processed about you and to request that such information is sent to a third party
  

You are also entitled to:

• Have your personal information updated and corrected if necessary
  
• Have EFLA delete your personal information if there are no objective reasons or legal obligations to store such information
  
• Submit your objections if you wish to limit or prevent the processing of your information
  
• Withdraw your approval that EFLA may collect, record, process or store your personal information when the processing is based on such approval
  
• Information on whether automatic decision making is carried out, what the reasoning is behind such decision making and a review made of such automatic decision making
  
• Submit a complaint to regulatory bodies should you see reason to do so

Request for access to information

All requests for access to your own information, demands for corrections or the deletion of personally identifiable information should be sent to the e-mail personuvernd@efla.is.

We will confirm receipt of the request and will normally respond to requests within a month from receipt. In the event that it is not possible to respond within one month, we will notify you of the delay within one month. 

The party making the request must be able to verify his identity before the request is taken into consideration.

Security of personal data and notifications of security breaches

Security during the processing of personal information is important to EFLA, and we have taken the appropriate technical and organisational security measures to ensure the protection of your personal information in tune with our policies on security. In the event of a suspected security violation, the IT Department, in co-operation with the information security team and the Managing Director of EFLA, will immediately embark on the appropriate measures to stop the security violations as soon as possible and minimise the damage as much as possible. In the event of a security violation involving your personal information and when such violation is considered to pose considerable risk to your freedom and rights, we will notify you without undue delay. In this sense, a security violation is considered an event that has the result that your personal information is lost or deleted, changed, disclosed or accessed by an unauthorised person.

The employees of EFLA have been informed about the correct response to suspected security violations.

Review and revision of the EFLA Privacy Statement

The EFLA Privacy Policy is under continuous review to ensure that the strictest requirements are always fulfilled. Customers are encouraged to find out about EFLA's working practices as regards personal data protection and contact us if any questions arise at the e-mail address personuvernd@efla.is.

The EFLA Privacy Policy is regularly reviewed and updated if necessary. The most recent update of the Policy was on 20 September 2018.