Privacy statement
of the Icelandic Road and Coastal Administration (IRCA)
General
The Icelandic Road and Coastal Administration (IRCA), national ID No.: 680269-2899, based at Suðurhraun 3, 210 Garðabær, cares about the privacy of individuals and takes privacy very seriously. IRCA attaches great importance to ensuring personal data are always handled in accordance with all data protection regulations in force.
IRCA operates in accordance with Act No. 120/2012 on the Icelandic Road and Coastal Administration, an executive agency for transport, and performs a variety of tasks in the field of transport. IRCA is a ‘national road operator' under Act No. 80/2007, which means it has ultimate control over roads and road areas, including road construction, services and road maintenance.
This Privacy Statement sets out what types of personal information IRCA collects concerning individuals and for what purpose. It identifies other recipients of said information and how long information is kept. It also describes the legal basis on which IRCA collects personal information, the rights of individuals in that context and other important information relating to Act No. 90/2018 on Data Protection and the Processing of Personal Information (hereinafter ‘the Data Protection Act').
What is personal information and the processing of personal information?
Personal information means any and all information which is traceable back to a given individual, such as name, national ID No., address, e-mail address, telephone number, financial information, health information, IP number, etc. A more detailed definition of personal information can be found in Article 3(1)(2) and (3) of the Data Protection Act.
Sensitive personal information means personal information subject to special protection under the Data Protection Act, i.e., information on ethnic origin or race, political or religious beliefs, trade union membership, genetics, health, sex or sexual orientation.
The processing of personal information means any and all types of handling and use of personal information, such as collection, registration, preservation, alteration or destruction. A more detailed definition of the processing of personal information can be found in Article 3(1)(4) of the Data Protection Act.
How does IRCA process personal information?
IRCA processes personal information on a lawful basis and in accordance with the Data Protection Act. IRCA also ensures that personal data are not processed to an extent incompatible with the original purpose of the processing. IRCA ensures that the following principles are adhered to:
- Personal information must be processed in a fair manner.
- Personal information will be collected only for a clear purpose.
- No more personal information is to be collected than is necessary.
- Personal information must be accurate and updated as necessary.
- Personal information will not be kept for longer than necessary.
- Appropriate precautions must be taken to ensure the security of personal information.
Automated decision-making
Automated decision-making is not involved in the processing of personal information by IRCA.
On whom does IRCA collect information?
IRCA's operations require the collection and use of personal information on various groups of individuals. The personal information held by IRCA may concern its staff, counterparties, customers and other third parties with whom it must work.
What personal information does IRCA collect?
IRCA collects various types of personal information on various groups of individuals, depending on the type of operations in question. IRCA seeks, in all circumstances, to collect only the personal data necessary in respect of the purpose of the processing.
We collect and use the following types of personal information on applicants, customers, suppliers, and past and present employees:
- basic information (name, address, e-mail address, etc.)
- facial photograph
- trade union membership
- bank details
- tax information
- education
- emergency contacts
information:
- from job applications
- from employment contracts
- from time registration records
- on salary payments
- on health
- from e-mail communications
- on annual leave
- on child support payments
- on project status
- from performance surveys
- from staff dialogues
- on reasons for reprimands/dismissal on telephone use (length and time of calls)
- on training course attendance
- on incidents involving damage
IRCA collects and uses the following types of personal information on staff, lessees and suppliers:
E-mail communications
E-mail is one of the channels we use to communicate with applicants, customers and supplier contacts. To that end, we collect contact information and the communications themselves.
Contracts
We collect basic information on landowners and other customers and counterparties in order to enter into contracts with them.
Invoicing
We collect basic information on landowners and other customers and counterparties and on invoice amounts in order to issue invoices and collect receivables.
Customer register
We collect basic information on our customers and former customers (e.g., suppliers and counterparties) and on our business history, in order to keep a customer register.
Contact via our website
We receive damage reports from drivers and other individuals via our website. In order to provide information on accidents and other incidents, we collect identification and contact information, vehicle registration numbers and the content of information reported.
Purpose of gathering personal information
Personal information is gathered in order to:
- discharge contractual obligations, e.g., in respect of staff.
- provide certain services, e.g., to road users.
- protect IRCA's legitimate interests.
- protect the legitimate interests of others.
- fulfil legal obligations.
Legal basis for the processing of personal data
IRCA collects and processes personal information on the following legal bases:
- to fulfil legal obligations.
- to fulfil contractual obligations.
- on the basis of individual consent.
- for projects in the public interest or in the exercise of official authority.
- to establish, exercise or defend legal claims.
How long does IRCA keep personal information?
IRCA is subject to the obligation to submit documentation under Act No. 77/2014 on Public Archives. It therefore may not destroy or dispose of any document covered by the scope of that Act, except with the permission of the National Archivist. As a rule, any personal data processed by IRCA are submitted to the National Archives of Iceland after thirty years. Material generated by electronic surveillance is kept in accordance with the rules laid down in Act No. 837/2006 on Electronic Surveillance. Personal information held by IRCA is otherwise kept for as long as it is necessary for IRCA to have it.
From whom does IRCA collect information?
As a rule, IRCA collects personal information directly from the individuals in question. It also uses public registers and information from other public authorities for the purposes of processing. If and when information is collected from other third parties, IRCA makes every effort to inform the individual in question thereof.
When does IRCA share your personal information with third parties and why?
IRCA shares personal information with third parties contracted to work on a predetermined project, such as service providers, who are responsible for storing data, and contractors. In such cases, IRCA enters into a processing agreement with the party in question. Such agreements include provisions on the duty of the provider to follow IRCA's instructions on handling personal information. The provider may not use such information for any other purpose. In addition, the provider is under obligation to appropriately ensure the security of the information.
In other cases, it may be necessary for IRCA to share personal information with third parties, e.g., when legally obliged to do so. This may involve sharing information with archives under Act No. 77/2014 (the Public Archives Act), with the public under Act No. 140/2012 (the Information Act) or with administrative parties under Act No. 37/1993 (the Administrative Procedures Act). IRCA is also authorised to share information with the police and the Icelandic Transportation Safety Board in the context of an investigation concerning criminal cases, disappearances or transport accidents (cf. Act No. 120/2012 on the Icelandic Road and Coastal Administration, an executive agency for transport).
Transfer of personal data outside of the European Economic Area
IRCA is conscious that strict conditions apply to the transfer of personal information to countries outside the European Economic Area. IRCA does not perform such transfers under any circumstance, unless adequate authorisation exists in accordance with the Data Protection Act.
Information security
IRCA endeavours to take appropriate technological and organizational security measures to ensure the security of personal information in accordance with the Data Protection Act. One such measure is that only those staff who need personal information due to the nature of their work are granted access to such.
IRCA also supports raising awareness among staff by means of regular training on ensuring the safety of personal information.
IRCA webcams
In order to monitor driving conditions, weather, traffic and the road network and thereby work towards greater traffic safety, IRCA conducts electronic surveillance of transport infrastructure, as authorised by Article 4(4) of Act No. 120/2012 on the Icelandic Road and Coastal Administration, an executive agency for transport. Some of the information gathered by such surveillance is shared with road users on IRCA website, but efforts are made to ensure that published footage is not personally identifiable.
Individuals' rights
Individuals who have consented to the processing of certain personal information are entitled under the Data Protection Act to withdraw such consent at any time. The right to withdraw consent does not, however, affect the legitimacy of any processing performed before consent is withdrawn. Other rights include: the right to be informed about processing, the right to access to data, the right to have incorrect or misleading information corrected, the right to have personal information destroyed, the right to prevent the processing of the personal information and the transfer one's own information. It should be borne in mind that individuals' rights are not always unambiguous and may be subject to various conditions.
IRCA contact information
Name: Vegagerðin [Icelandic Road and Coastal Administration]
Address: Suðurhraun 3, 210 Garðabær
E-mail: vegagerdin@vegagerdin.is
Telephone: 522 1000
Data Protection Officer
If you have further questions regarding this Privacy Statement, you can always contact IRCA's Data Protection Officer.
Name: Dattaca Labs Iceland ehf.
Address: Kalkofnsvegur 2, 101 Reykjavík
E-mail: dpo@dattacalabs.com
Telephone: 517 3444
The right to file a complaint with the Data Protection Authority
If you suspect that IRCA is not handling personal information in accordance with the Data Protection Act, you have the right to report such to the Data Protection Authority (www.personuvernd.is).
Reviewing this Privacy Statement
This Data Protection Policy may be reviewed periodically in line with changes to the relevant legislation and regulations or in light of changes to how IRCA handles personal data. Any changes made to this Privacy Statement will be announced on IRCA's website (www.vegagerdin.is).
Updated versions of this Privacy Statement enter into force upon publication.
Last updated: October 2021
