Internal data protection

Internal data protection at Premium

General
In the operations of Premium ehf. it is necessary to collect and process personal data about individuals. Personal information refers to all information that can be traced directly or indirectly to a particular individual, such as name, social security number, address, e-mail address, telephone number, financial status, health, IP address and more. The personal information that Premium holds may be about its employees, contractors, customers and other third parties with whom it is necessary to communicate.

This Privacy Policy sets out how Premium is to collect, store and otherwise handle personal information in accordance with the Privacy and Processing of Personal Data Act No. 90/2018 (hereinafter "Data Protection Act").

This Privacy Policy is primarily intended to ensure that Premium: 
  • processes personal data in accordance with data protection laws and follows accepted procedures to ensure their security; 
  • safeguard the rights enjoyed by individuals under data protection law; 
  • handle personal data in a transparent manner; 
  • and minimize the risks that data protection violations may pose.

Privacy law
Privacy laws stipulate how organizations may collect, store and handle personal information in other respects. Those rules apply regardless of the form in which information is stored, such as whether it is in electronic or paper form. 

It is prohibited to collect and process personal data unless permitted to do so according to the Data Protection Act. Furthermore, such collection and processing must also be carried out in a fair manner. In addition, personal data may only be stored in a secure place and may not be granted access to unauthorized parties. 

Premium will take the necessary measures to ensure that data protection laws are always authorized to process personal data. In addition, the company will take the necessary steps to ensure compliance with the six principles provided for in the legislation at all times. The principles referred to are, in summary, the following:
  1. Personal data are processed fairly and lawfully. 
  2. Personal data is collected only for clear and legitimate purposes. 
  3. No more personal data is collected and processed than necessary. 
  4. Personal data is accurate and updated when required. 
  5. Personal data is not retained longer than is necessary. 
  6. The security of personal data is ensured with appropriate precautions.

When handling sensitive personal data or information of a sensitive nature, Sparnaður shall ensure that the processing is always in accordance with the requirements of the Data Protection Act and that only those employees who need it, for their work, have access to such information.
  • Information on race, ethnic origin, political opinions, religion, beliefs and trade union membership.
  • Health information, i.e. personal data concerning the physical or mental health of an individual. 
  • Information on human sex and sexuality. 
  • Genetic information, i.e. personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information on the physiology or health of the natural person and derives in particular from the analysis of a biological sample from that natural person. 
  • Biometric data, i.e. personal data obtained through specific technical processing, relating to the physical, physiological or ethical characteristics of a natural person and which enable the identity of a natural person to be unambiguously identified or verified, such as fingerprint data. 

Risk and responsibilities
Risk minimization
The risks involved in the processing of personal data must be minimized and the following prevented:
  • breaching the confidentiality obligations incumbent on the organization, such as not sharing personal information with unauthorized parties,
  • individuals do not have the choice of whether their personal data will be processed; 
  • that Savings' reputation will be damaged, but it is often possible to consider the consequences that the company would suffer if privacy laws are violated; 
  • and the persons to whom the information relates are not harmed. Here we must consider the consequences they might suffer if their personal data were to fall into the hands of unauthorized parties. 

Responsibility and roles
All managers and employees of Premium are responsible for how personal information is processed. The Board of Directors of Premium ehf. is responsible for ensuring that the company enforces privacy laws.

The role of a computer administrator is:
  • ensuring that all systems, services and equipment meet security requirements imposed by data protection laws,
  • periodically conduct audits designed to ensure that software and hardware function securely; and
  • evaluate the services that the organization intends to use from an external third party, for example, where data is to be stored. 
The role of the data protection officer is: 
  • ensuring that Premium administrators are regularly educated about their obligations under privacy laws,
  • regularly review processes and policies related to the processing of personal data;
  • to provide education and training for personal data handling personnel;
  • receive and answer questions from the persons to whom the information relates;
  • receiving requests from data subjects, such as their right of access to data, to object to processing or to be forgotten,
  • review and approve any agreements with third parties intended to process personal information on behalf of Premium,
  • consider whether a security breach needs to be reported to relevant parties; and
  • to handle communication with the Data Protection Authority.
General personal data processing procedures
The following procedures regarding personal data apply at Premium:
  • Only those employees who need to do so for their tasks shall have access to personal data.
  • Employees are not permitted to share personal information with each other informally. 
  • Employees shall at all times ensure a high level of security when handling personal data and follow the instructions set out herein. 
  • When processing personal data, employees shall always ensure that computer screens are locked when leaving the table. 
  • Employees shall never share personal information with unauthorized parties, regardless of whether they are another employee of the company or an outside party. 
  • Personal data shall be adequately erased or made anonymous if no longer needed. 
  • Personal data shall never be transmitted outside the European Economic Area unless specifically authorized by law. 
  • Employees shall consult the data protection officer if they are unsure how personal data should be handled. 

Procedures for handling non-electronic data
Storage of personal data on paper
  • Personal data stored on paper shall be kept in a secure place where it cannot be accessed by unauthorized parties.
  • Personal data stored on paper shall be in a locked filing cabinet or in a locked archive. 
  • Employees are responsible for ensuring that paper data where personal data can be found are not left where they can be seen by unauthorized parties. 
  • Paper data shall be adequately deleted when they are no longer needed. 

Processing of non-electronic, personal data to be delivered from the company
Sensitive personal data or information of a sensitive nature shall not be delivered by general post but shall be transmitted by secure mail.

Processing of non-electronic, personal data outside of Premiums facilities
Employees should, as far as possible, and as far as practicable, handle paper data containing personal information within the company. When employees take paper data containing personal information outside the Premium facility, the following procedures must be followed:
  • Sensitive personal information or information of a sensitive nature may not be transferred outside the organization unless a high level of security is ensured.
  • employee shall pay attention to his/her surroundings when working with the data and, when work has been completed, shall ensure that unauthorized persons cannot access the data. 
  • employee is not allowed to store non-electronic data outside the workplace, such as in the employee's home. 

Procedures for handling electronic data
  • Personal data stored electronically shall be protected from unauthorized access and care shall be taken not to erase them in error.
  • Personal data shall be protected by complex passwords and may never be shared. The minimum length of the password must be 12 characters and include an uppercase, lowercase, number, and symbol. Do not use a password that quotes personal data. The password shall be changed every 12 months.
  • If personal information is stored in a certain format, for example on a CD or USB flash drive, it should be stored in a locked location when it is not being used. 
  • Personal information should only be stored on specified drives and servers. Only cloud computing services that meet the conditions required by data protection law shall be used. 
  • Servers containing personal data shall be located in a secure location and away from public office space.
  • Data shall be backed up on a regular basis, as well as periodic checks for copies. 
  • All servers and computers that contain personal information shall be protected by appropriate security devices and firewalls. 
  • Employees shall not store copies of personal data on a computer, telephone or other private equipment. 
  • Clear distinction should be made between general personal data and personal data which are of a sensitive or sensitive nature. If possible, do not store the information in the same place, such as the same folder. 

Processing of electronic data outside of Premiums facilities
Employees should, as far as possible, and as far as practicable, process electronic data containing personal information within the company's walls. When processing electronic data outside the workplace, the following procedures must be followed:
  • Electronic data may not be processed outside the company unless a high level of security is ensured. 
  • Staff member shall pay attention to his/her surroundings when working with the data and, when work has been completed, shall ensure that unauthorized persons cannot access the data. 
  • Employees is not permitted to store electronic data outside the company, such as on a private computer. 

Procedures regarding personal data and E-Mail
E-Mail usage
When sending e-mails containing personal data, this may only be done if the security of the information is ensured and the following procedures are followed:
  • Personal data shall not be transmitted by electronic mail unless an adequate level of security can be ensured. 
  • Where sensitive personal or personal data of a sensitive nature are to be transmitted by e-mail, appropriate security measures shall be taken. 
  • Appropriate security measures mean, for example, locking a document with a password before it is sent. 
  • Once a document has been password-locked, the password shall not be sent via the same e-mail. If possible, call the recipient to provide the password. In the absence of this possibility, a separate e-mail message should be sent with no subject and no content in the e-mail except for the password. 
  • Before sending an e-mail, always ensure that the recipient is correct, that the content of the e-mail is correct and, if applicable, that the attachment to be provided with the e-mail is correct. 

Use of e-mail on personal devices owned by an employee
When an employee uses a privately owned computer, telephone, or other device to access the company's e-mail, this is permitted only if the following procedures are followed:
  • Work only through a secure network connection. For example, WIFI in public places such as airports, hotels and cafes is not considered a secure Internet connection and is therefore prohibited from opening or sending e-mail if an employee is connected to such a connection. 
  • Computer, telephone and other equipment privately owned by an employee must include a secure lock. 
  • An employee is not permitted to download attachments to a private device.

Security breach response
According to data protection law, a security breach constitutes a security breach when unauthorized persons gain access to personal information, and/or if data is lost or altered without authorization. The following rules shall apply to security breaches and the response to security breaches:
  • In the event of a security breach or suspicion of a security breach, notify the Premium board immediately. If there is a lack of control, contact the company's data protection officer immediately by sending an email to personuvernd@premium.is 
  • The Board of Directors of Premium, in consultation with the company's data protection officer, shall decide whether the breach needs to be reported to the Data Protection Authority, the data subject and, as the case may be, to the controller in cases where Premium acts as a processor.
  • The notification must be sent to the Data Protection Authority without undue delay and, if possible, no later than 72 hours after the breach was discovered.
  • All breaches in information security must be recorded, for example if personnel do not comply with personal data storage procedures. 
  • The data protection officer shall be notified of any breaches in information security, for example if personal data are acquired by an unauthorized person. 
  • Safety breaches shall be investigated and reasonable steps shall be taken to ensure that similar incidents are not recurring. 
Correctness of personal data
Privacy laws require organizations to take appropriate measures to ensure that personal information is accurate. The extent to which measures need to be taken depends on the extent to which inaccurate information may affect the person to whom the information is intended.

All Premium employees shall be reasonable for taking steps to ensure that personal information is accurate and up to date. The following procedures must be followed:
  • Personal data shall be stored in as few places as possible. 
  • Staff should take advantage of every opportunity to ensure that the information is accurate, such as requiring a customer to confirm that their contact information is correct. 
  • As far as possible, individuals should have easy access to update their personal information. 
  • Personal data shall be updated as soon as it becomes apparent that it is inaccurate. For example, remove an employee's old e-mail address from databases as soon as it is discovered. 

An individuals access to their personal data
All individuals for whom Premium has information are entitled to the following: 
  • To be informed of how the organization meets its obligations under privacy laws. 
  • To be informed of what information the company has about them. 
  • To be informed about why the company has them. 
  • Requiring the company to access its personal information. 

When you receive a request for access, forward the request to your organization's privacy officer at the e-mail address personuvernd@premium.isThe data protection officer is responsible for collecting and disclosure of the requestor's personal data. The data protection officer decides what information is to be disclosed. The right of access to personal data relating to individuals does not apply where the overriding interests of natural persons related to the data, including the natural person requesting the data, are overridden. Where the access request is made electronically, the information shall be provided in electronic format, unless otherwise requested by the person. Where there are serious doubts as to the identity of the person requesting access to personal data, additional information (identification) necessary to establish his identity may be requested. The access request shall be free of charge to the individual and shall be answered without undue delay and no later than within one month of receipt by the organization.

The right to be forgotten (deletion of personal information per request from the individual)
Individuals have the right to have their data deleted if: 
  • The personal data are no longer necessary for the purposes for which they were collected or other processed. 
  • If the processing of personal data is based on the individual's consent and the individual withdraws his/her consent, and there is no other legal basis for the processing. 
  • The individual objects to the processing and there are no legitimate prevailing reasons for it. 
  • The processing of personal data was unlawful. 
  • The personal data must be deleted in order to comply with a legal obligation. 
  • The personal data was collected in connection with the offer of information society services to a child. 
When an individual's request to exercise his/her forgotten right is received, Premium should forward the request to the company's data protection officer at personuvernd@premium.is. The data protection officer decides whether to delete information and is responsible for enforcing it. He is also responsible for responding to the request. 

If there is substantial doubt as to the identity of the person requesting the deletion of personal data, additional information (identification) necessary to establish identity may be requested.

Disclosure of information to individuals
Premiums goal is for individuals to be aware that the company processes personal information about them and that they understand: 
  • why the company collects personal information about them; 
  • how the organization uses their information; and 
  • how they can seek legal action if necessary. 

Premium has issued a privacy statement on how it processes personal information about individuals. Those parties and others can access that document on the company's website https://premium.is/
Leit