City of Reykjavik Privacy Policy

The City of Reykjavik (“City”) strives to ensure, in every respect, the reliability, confidentiality and security of all personal data processed by the City. Therefore, the City has adopted the following Privacy Policy, in accordance with the provisions of Act No. 90/2018 on Data Protection and the Processing of Personal Data (“Data Protection Act”).

With this Policy, the City emphasizes the importance of ensuring that all processing of personal data within the municipality is carried out in accordance with the provisions of the Data Protection Act, as well as the policy development of departments and offices in the central administration. The Policy applies to all processing of personal data by the City, including activities on the City's councils and committees, as well as those activities where third parties have been entrusted with carrying out tasks on behalf of the City.

This Policy shall also be introduced to those who collaborate with the City before they are tasked with the processing of personal data. The City attaches particular importance to the processing of personal data in a lawful, fair and transparent manner and that the City complies fully with its obligations as data controller.

Handling of Personal Data

The City of Reykjavik (“City”) strives to ensure, in every respect, the reliability, confidentiality and security of all personal data processed by the City. Therefore, the City has adopted the following Privacy Policy, in accordance with the provisions of Act No. 90/2018 on Data Protection and the Processing of Personal Data (“Data Protection Act”).

With this Policy, the City emphasizes the importance of ensuring that all processing of personal data within the municipality is carried out in accordance with the provisions of the Data Protection Act, as well as the policy development of departments and offices in the central administration. The Policy applies to all processing of personal data by the City, including activities on the City's councils and committees, as well as those activities where third parties have been entrusted with carrying out tasks on behalf of the City.

This Policy shall also be introduced to those who collaborate with the City before they are tasked with the processing of personal data. The City attaches particular importance to the processing of personal data in a lawful, fair and transparent manner and that the City complies fully with its obligations as data controller.

Processing of Personal Data

Any type of information that may be used to personally identify data subjects, directly or indirectly, is considered to be personal data. When processing anonymized data, care shall always be taken that it cannot be attributed to the data subject, should it be made public.

Processing of personal data includes any use and processing of personal data, such as collection, recording, retention and destruction. Any processing of personal data shall be carried out lawfully and for explicit purposes. Care shall be taken that personal data is not processed further in a manner that is incompatible with the original purpose of the processing, and that the processing of personal data does not go beyond what is necessary to achieve the objective pursued.

In order to ensure that personal data is processed in accordance with the principles of data protection law, the City offers employees the option of regular education and training with the aim of creating a general and sound knowledge of the principles of data protection law, and how the security of personal data within the City as a workplace and as a service provider may be ensured. The City is also committed to developing central procedural rules for the handling and processing of personal data, as well as other documents related to privacy and data protection. Such rules shall then be communicated to staff to the extent necessary, taking the nature of their duties into account.

Collection of Personal Data and Purpose of Processing

In carrying out its statutory and legitimate tasks, the City must collect personal data about residents and other recipients of services, the City’s employees, persons residing outside Reykjavik who communicate with the municipality, as well as about other contacts of customers, suppliers, contractors, consultants, institutions and other legal entities with which the City has established contractual relationships.

The collection of personal data shall nonetheless be limited to the information necessary and appropriate for the purpose of each processing activity. Thus, different categories of personal data are collected about different groups of individuals and the processing and collection of personal data depends on the nature of the role, communication and, as applicable, of the business relationship that exists between the City and the data subjects. However, the City may collect more extensive information about the City’s residents, employees and recipients of services than others who interact with the City, depending on the nature of the tasks. Even so, the collection of this information shall never exceed what is considered necessary and appropriate for the purpose of the processing.

The City primarily processes personal data to carry out its statutory and legally permitted tasks. The City may also process personal data in connection with statistical, historical or scientific research. When processing information about suppliers and others who are in contact with the City in order to purchase products or services, this processing takes place for the purpose of fulfilling the contract in question. In some cases, personal data is processed on the basis of consent, i.e. when individuals give their consent or on behalf of others, such as their children, that the City may process personal data for clearly specified purposes.

In addition, the City may need to process personal data to establish, maintain or defend legal claims so that the City may protect its interests before the courts or other administrative authorities, as appropriate. The City will not use the personal data in its possession for any purpose that is incompatible with the initial purpose of the processing, without obtaining consent from the data subjects.

The City will always exercise special care in the processing and retention of sensitive personal data, such as information regarding health, religion, trade union membership and ethnic origin, having regard to the provisions of Articles 3, item 1, and 11 of the Data Protection Act. In general, the City collects personal data directly from the individuals to whom the data relates. In cases where information comes from external parties, the City will seek to inform the data subjects about the processing of personal data, as appropriate. The City takes special care when collecting personal data about children and other persons without legal competence. The City’s guiding principle is to safeguard the personal data of these persons in the school community and in the field of welfare services, including in the use of social media and other information technology.

Sharing of Personal Data with Third Parties

The City may need to share personal data with other parties. Parties providing IT services and other services to the City may access personal data intended for processing by the City in accordance with service agreements and data processing agreements. The City may be required by law to disclose personal data processed by the municipality to third parties.

The City will not transfer personal data outside the European Economic Area unless permitted by law. Data processing agreements to which the City is a party shall include provisions on the retention and storage of personal data. The City will not use personal data for any other purpose, nor disclose it to third parties, except on the basis of a legal authorisation, administrative order, court order, written data processing agreement or consent of the data subject. However, the City reserves the right to disclose anonymized information to third parties for scientific and research purposes as permitted by law.

Retention of Personal Data

The City is an entity subject to an obligation of transfer in accordance with Act No. 77/2014 on Public Archives. This entails that the municipality is prohibited from destroying or disposing of any record that falls within the scope of the Act, except by special authorisation from the National Archivist. In general, personal data processed by the municipality is therefore disclosed to the Reykjavik Municipal Archives after a certain period of time according to the City’s record filing policies. As a rule, records in the City’s possession are handed over to the Municipal Archives after 30 years in accordance with paragraph 1 of Article 15 of the Public Archives Act, whereas electronic records and other materials in electronic form shall be handed over to the Municipal Archives after five years.

Accuracy and Reliability of Personal Data

The City shall take appropriate measures to ensure the reliability and accuracy of the data and information processed on behalf of the City. These measures are intended to protect personal data against accidental loss or alteration and against unauthorised access, copying, use or sharing thereof. If personal data is found to be unreliable, inaccurate or incorrect, the City will seek to correct it within the limits permitted by law and taking the purpose of the processing into account.

Security of Personal Data

The City protects the security of personal data through appropriate technical and organisational measures to ensure the security of personal data, inter alia with the aim of preventing human error, theft, fraud or other misuse of information. The City emphasises that access to information shall be limited to those employees who require such access to achieve the purpose of the processing. Reykjavik City staff is also informed of their obligation to maintain confidentiality and to ensure the security of personal information when they are engaged.

Rights of Data Subjects

The City takes appropriate measures to enable data subjects to exercise their right of information as well as their right of access to personal data during all processing of personal data by the City. Data subjects shall be able to object to the collection of personal data by the City, if applicable. Data subjects shall be able to request information on the processing of personal data relating to them, provided that the interests of others are not prejudiced by such a request. If a data subject’s request can be complied with, it shall be processed as soon as possible and generally no later than one month after receipt of such request. Data subjects also have the right to request that inaccurate, misleading or incomplete personal data relating to them be corrected, blocked from use or erased, as allowed by Act No 77/2014 on Public Archives.

Complaints, Requests, and Suggestions

Inquiries regarding the processing of personal data may be addressed to the City by contacting its Data Protection Officer (personuverndarfulltrui@reykjavik.is). You can also contact the service center by sending an email to upplysingar@reykjavik.is or by following the communication links on the City’s website (“Contact us” or “Online Chat”). In addition, you can call Customer Service at 411-1111.

The City of Reykjavik shall respond to issues raised by residents and service users as soon as possible in writing in accordance with the diligent administrative practices and laws applicable to the City's operations.

Safety tips, e.g. for weaknesses or safety deficiencies at the City of Reykjavik, can also be directed to the Reykjavik City IT Department by sending an email to utr@reykjavik.is.

Version

This Privacy Policy was approved by the City Council on 19 March 2019 and is effective from that date until a new Privacy Policy comes into effect.