This policy is based on Act no. 90/2018 on personal data protection and the processing of personal data (hereinafter referred to as the "Personal Data Protection Act") and covers the collection and processing of HS Orka's personal data in connection with the company's communication with customers, stakeholders, contractors, consultants, suppliers and other individuals who may have business relations or communication with the company. Personal information refers to all data that can identify a specific individual directly or indirectly, as further defined in item 2 of Article 3 of the Privacy Act.
2. Processing of personal information
2.1. Customers and potential customers
In order to be able to establish business or provide services and on the basis of the company's agreements with customers, it may be necessary to process personal information about customers and the contacts that represent legal entities in business with the company. The company also processes various personal information about potential customers for the purpose of forming business relationships. Examples of the processing of personal information include information on name, ID number, address, e-mail address, telephone number, information on electricity consumption, financial information, e.g. information on solvency incl. information on defaults, as well as other information from the customer's business and communication history.
HS Orka strives to have close relations with the company's stakeholders. Stakeholders include, e.g., landowners, residents of a specific area, municipalities and NGOs. In order for the communication to be as smooth as possible, the company processes various personal information about stakeholders and their contacts, e.g. contact information and contact history information. This processing is based on the company's legitimate interests.
2.3 Contractors, consultants and suppliers
On the basis of a contractual relationship with contractors, consultants and suppliers, the company is required to collect the contact information of those who represent these legal entities. The company therefore processes personal information about contacts and preserves information from their communication history with the company. The company has set rules to ensure that everyone who works for the company, directly or indirectly, whether through a contractor, a subcontractor or temporary staffing, enjoys rights and terms in accordance with Icelandic law and wage agreements. For this purpose, the company may request information on the terms of employment of those with whom the company has a contractual relationship. This is done on the basis of the company's legitimate interests. Due to the company's legal obligation and policy on safety in construction areas, the company collects information on accidents and other mishaps that occur there. After analysis of such information, appropriate remedial action is taken if necessary. Furthermore, registration may be required of the presence or location of individuals on the company's premises. This is done on the basis of the company's legitimate interests.
In order for regular communication with the various institutions, authorities, associations and other parties to be as smooth as possible, HS Orka collects contact information when necessary. Such collection is based on agreements and legitimate interests. In principle, HS Orka collects personal information directly from all of the above parties or their contacts. Information may, however, come from third parties and the company then seeks to inform parties of such.
In the company's facilities, as well as on business premises, the company has set up camera surveillance to ensure safety and protect property on the basis of legitimate interests. Special markings are placed where such surveillance takes place. If parties pass through the area, information about their movements may be collected through such monitoring. The company has also set up an access control system in the company's real estate and on its premises that registers personal information about the parties' movements. Such information is generally kept for 90 days unless the law permits otherwise or other legitimate interests justify its retention for a longer period.
4. Disclosure of personal information to third parties
The company may need to share personal information with third parties on the basis of their contractual relationship with the company. Examples include debt collectors, auditors of consulting firms and parties that provide the company with services in the field of information technology. In such cases, third parties have access to the personal information of individuals for the sole purpose of performing certain tasks on behalf of the company. They are not allowed to hand over the information or use it for any other purpose. Furthermore, the company may be obliged to disclose personal information to the government, courts or other parties on the basis of applicable laws and regulations.
5. Security of personal information
To ensure the security of personal information against unauthorized access, use or dissemination, the company uses a variety of technical and systematic measures, e.g. access controls in the company's systems.
6. Retention period
The retention period of personal information depends on the type of information. Information about customers, contractors, consultants, suppliers, stakeholders and their contacts is generally stored for 4 years from the end of the business relationship. However, information may be stored longer on the basis of claims law, just as it may be deleted earlier on the basis of operational efficiency. This policy does not imply an independent obligation on the part of the company to store information for the maximum time allowed under the policy. The personal information covered by the Accounting Act is stored for 7 years from the end of the relevant financial year in accordance with applicable law. The company strives to store personal information no longer than necessary in accordance with the purpose of the processing as described above. The company may, however, be obliged to keep personal information longer on the basis of a legal obligation, at the request of the authorities or due to disputes.
7. Right to access personal information, objections, deletions and corrections
According to the Data Protection Act, all individuals have the right to receive confirmation of whether the processing of personal information about them takes place. The company responds to inquiries requesting information on the processing of personal information and, as the case may be, access to it. To a certain extent, provided that the conditions are met, individuals have the right to object to the processing of personal information by the company and can demand that it be deleted permanently.
Furthermore, individuals have the right to have unreliable personal information about themselves corrected and updated. It is important to the company that the personal information it holds is accurate and reliable. For this reason, the company requests that all changes to personal information be notified to the company. Inquiries and notifications regarding privacy can be directed to the company at the e-mail address firstname.lastname@example.org. HS Orka points out that individuals can lodge a complaint with a competent authority such as Privacy if they believe that the company's processing of personal information does not comply with the applicable regulations of privacy legislation.
8. Amendments and entry into force