11 - 19

Smára­lind's Pri­vacy Pol­icy

Smáralind ehf. (hereinafter "Smáralind") in its role as controller strives to ensure the protection of personal data and that its processing is in accordance with Act No. 90/2018 on the Protection of Personal Data and the Processing of Personal Data, as amended, as well as other laws and regulations issued on the same basis.

This Privacy Policy applies to the collection and processing of personal data in Smáralind's interactions with its customers. The purpose of the Privacy Policy is to inform Smáralind's customers about how and why personal data is collected and how it is processed. Smáralind only processes personal data for legitimate purposes and either in accordance with legal obligations, with informed consent or on the basis of legitimate interests that we may have.

What is personal information?

Personal data is any personally identifiable information that can be directly or indirectly traced to a specific individual. Examples of personal data include names, social security numbers, email addresses, telephone numbers, etc. Non-personally identifiable data is therefore not considered personal data. For a more detailed definition of what constitutes personal data and what constitutes sensitive personal data, please refer to Sections 2 and 3 of Article 3 of Act No. 90/2018.

For what purpose does Smáralind process personal information?

Smáralind processes personal data for clear and stated purposes, as required by data protection laws, regulations and internal rules. In most cases, the information is collected directly from Smáralind's customers. The main purpose of processing personal data is to provide services requested by customers. Examples of purposes for such information collection are:

  • to send customers who register their email address on Smáralind's mailing list information about offers and events organized by Smáralind.
  • to issue gift cards that customers have purchased on Smáralind's website or at the service desk.
  • to lend strollers and wheelchairs that can be obtained at Smáralind's service desk.
  • to communicate with Smáralind's customers via the email address smaralind@smaralind.is.
  • to take necessary action if appropriate due to damage and theft in Smáralind, including through security camera monitoring.
  • to receive grant applications received via Smáralind's website.
  • to analyze visits to Smáralind's website.
  • to record IP addresses when customers log in to Smáralind's wireless network (wifi), but this information is not used for marketing purposes.
  • to create events on social media, e.g. on Smáralind's Facebook page, such as a giveaway, where individuals can like or comment on a status update and thus have the chance to win, for example, a gift card to Smáralind.

What permissions does Smáralind have for processing personal information?

Smáralind's authorizations for processing personal data are based on contract, consent, law or legitimate interests. More specifically, the authorizations for processing personal data are as follows:

  • Execution of a contract for the purchase of gift cards by customers, in which case the registration of personal data is necessary to provide the requested service.
  • Registration on Smáralind's mailing list is carried out on the basis of the customer's consent.
  • Smáralind also has a legitimate interest in maintaining a register of individuals registered on Smáralind's mailing list and updating it in accordance with the registrations and deregistrations of individuals from Smáralind's mailing list.
  • Processing of personal data in connection with the receipt and response to inquiries from individuals, including grant applications, is carried out on the basis of the consent of the individual who contacts Smáralind.
  • Smáralind has a legitimate interest in keeping track of who has borrowed strollers and wheelchairs owned by Smáralind in order to be able to track the strollers and wheelchairs if they are not returned.
  • Individuals who log in to Smáralind's wireless network hereby consent to the processing of personal data collected during such login.
  • The processing of personal data in connection with theft or damage in Smáralind, including security camera monitoring, is carried out on the basis of Smáralind's legitimate interests for security and property protection purposes.
  • In some cases, sensitive personal data may be processed in connection with such matters, such as health information. The processing of sensitive personal data may be necessary in such cases to establish, exercise or defend legal claims.
  • Smáralind has a legitimate interest in maintaining a register of its tenants and their contact details, service providers, users and other individuals with whom the company communicates in order to contact them and maintain the business relationship. Smáralind also has a legitimate interest in conducting statistical or other operational analyses of its operations for internal use.
  • Smáralind’s processing of personal data pursuant to the Act on Measures Against Money Laundering and Terrorist Financing, such as conducting due diligence and customer identification, is carried out solely for the purpose of preventing money laundering and terrorist financing and is always in accordance with the Act on Privacy and the Processing of Personal Data.
  • Job applicants are deemed to consent to the personal data they provide to Smáralind being used in the recruitment process, provided that the processing of personal data is not carried out for any purpose other than to assess the applicants’ qualifications and whether they are suitable for a position at Smáralind. If an applicant is hired, such processing is based on a contract, i.e. an employment contract between the applicant and Smáralind, to the extent that the processing is necessary for the performance of such a contract.

How and for how long is personal information stored?

Smáralind stores personal information securely and in accordance with applicable laws and regulations on data protection, including the Data Protection Authority's rules on electronic monitoring. Technical and organizational measures have been taken to protect personal information against, for example, destruction and unauthorized access. Smáralind stores personal information in accordance with this Privacy Policy for as long as necessary to fulfill the purpose of its processing. The following table describes the retention period criteria for each type of processing in more detail:

Processing

Retention time (reference)

Calls

The telephone numbers of those who call the Smáralind switchboard are not automatically recorded. If an individual wishes to leave a message for Smáralind employees, their name, telephone number and, if applicable, the nature of the message are recorded. This information is deleted at the end of the day. No sensitive personal information is recorded.

Issuing gift cards

Personal information related to gift card purchases is retained until all of a customer's gift cards are deleted.

Smáralind mailing list

Customers are registered on Smáralind's mailing list until they unsubscribe. Their personal information is deleted from Smáralind's systems upon unsubscribing.

Receiving and processing grant applications

Grant applications that result in a grant being awarded are stored in Smáralind's systems in accordance with the provisions of the Accounting Act. Grant applications that do not receive a positive response are stored in Smáralind's systems for as long as necessary based on the purpose of the processing in each case, however, no longer than 12 months.

General reception and response to email messages

General email communications are retained for as long as necessary for the purpose of the processing.

Outdoor maintenance with stroller and wheelchair loans

Personal information related to the lending of strollers and wheelchairs is deleted at the end of each day.

Cases due to damage and/or theft

Security camera footage is retained for four weeks. Footage that needs to be used as evidence in police cases is retained until the footage has been handed over to the police.

Excluded from the above criteria are accounting records, which are retained for seven years from the end of the relevant financial year, in accordance with the Accounting Act. Also excluded from the above criteria are records that the company may be required to retain for a longer period based on legal obligations, litigation, at the request of authorities or on other comparable grounds.

Security cameras (electronic monitoring)

Electronic surveillance with security cameras in and around Smáralind's premises is based on legitimate interests and is deemed necessary for security and asset protection purposes. The purpose of the surveillance is to prevent property from being stolen, damaged or entered without permission. The security cameras are located in many places in Smáralind, such as at entrances, in corridors, and in open spaces. Smáralind's grounds and parking lots are also monitored in selected locations. Special markings are placed at the boundaries of the grounds and entrances so that those passing through the area are aware of the presence of the cameras. The footage is only viewed if there are incidents related to asset protection or security, such as theft, vandalism or accidents. The footage is stored for 30 days and is automatically deleted. Footage created during monitoring is not given to others and is not processed without the consent of the person being recorded or with the authorization of the Data Protection Authority. An exception to this is that recordings may be handed over to the police or an insurance company if they contain information about accidents or criminal conduct, as provided for in regulations no. 50/2023 on electronic monitoring.

Who can be the recipients of personal information?

Smáralind may share personal information in accordance with this Privacy Policy with consultants and service providers, such as those who host the software systems used by the company and those who handle the issuance of gift cards. These consultants and service providers are bound by confidentiality. In connection with such sharing, no personal information is shared outside the EEA, except when using MailChimp to send information about offers and events by email to members of Smáralind's mailing list, in which case the recipient of the personal information is The Rocket Science Group LLC d/b/a MailChimp, which is located in the United States and complies with the EU-U.S. Data Privacy Regulation. Smáralind may provide law enforcement authorities and other competent third parties with personal information about its customers if necessary, such as due to legal requirements or by law. Smáralind may also provide personal information to third parties in connection with mergers, acquisitions, company dissolutions and other similar events.

What are the rights of individuals?

Individuals under this Privacy Policy have the right to receive information about and access to personal data about themselves that Smáralind holds. They also have the right to withdraw their consent for the processing of personal data based on consent at any time. They also have the right to request that such personal data be corrected, in some cases erased or restricted, or to object to such processing. These rights are further described in the Data Protection Act, cf. now Articles 17 and 20 of Act No. 90/2018. In certain cases, individuals may have the right to have their personal data that they provide to Smáralind transferred to another controller. However, the aforementioned rights may be subject to limitations in applicable laws and regulations. If individuals believe that Smáralind's processing of personal data does not comply with applicable data protection laws, they are advised that they can file a complaint with the competent supervisory authority, the Icelandic Data Protection Authority. Further questions about individual rights or Smáralind's processing of personal information should be directed to personuvernd@heimar.is.

Web analytics and cookies

Cookies are small text files that are stored on your computer or other smart device when you visit a website. Our website works best when the use of cookies is accepted. Cookies are small text files that are stored on a computer or smart device when an individual visits the Smáralindar website. All personal information that may be generated through the use of cookies is handled in accordance with privacy laws and regulations. Cookies are used, among other things, to measure traffic on the Smáralindar website and to improve user service. The following information is collected on the Smáralindar website:

  • Number of visitors to the website
  • Length of visits to the website
  • Time and date of visit to the website
  • Web traffic from web boards and social media to specific parts of the website
  • What content is viewed on the site and how often
  • Age range, gender and geographical location of users
  • Type of browsers, operating systems and devices that users use on the site

Changes

Smáralind reserves the right to change this Privacy Policy at any time, such as if there are changes to the processing of personal information as described in this Privacy Policy or if this becomes necessary based on changes in laws or regulations regarding privacy and the processing of personal information. Notice will be given of any material changes to this Privacy Policy. In addition, the latest version of the policy can always be accessed on Smáralind's website, www.smaralind.is.

The Privacy Policy is reviewed annually or more frequently if specifically needed.

This Privacy Policy is effective as of September 17, 2024.

Smáralind ehf.
Hagasmára 1,
201 Kópavogi

personuvernd@smaralind.is