Dr. Jón Atli Benediktsson, Rector

Web analytics and use of cookies*

The University of Iceland utilises the analytics service Matomo. Each time the University’s website is accessed, certain details are recorded, such as the time and date, search strings, the redirecting website, and the browser and operating system. This information can be used to improve and further develop the website, e.g. regarding the content most frequently accessed by users. No attempts are or will be made to obtain additional information. Nor will the data collected be connected with other personally identifiable information.

If you reject cookies, only cookies that are necessary for the website to function are used. Matomo is not used if you reject cookies on this website. If the use of cookies or block cookies entirely.

* "cookies" – a packet of data sent by an Internet server to a browser, which is returned by the browser each time it subsequently accesses the same server, used to identify the user or track their access to the server.

1. General information on the University of Iceland Data Protection Policy

On 15 July 2018, the Act on Data Protection and the Processing of Personal Data no. 90/2018 entered into force (the Data Protection Act). In accordance with the provisions of the law, the University of Iceland has established the following policy for data protection and the processing of personal data. Personal data is information that identifies a particular individual or could be used for this purpose.

Staff at the University of Iceland shall keep the Data Protection Policy in mind at all times when working with personal data. Steps shall be taken to ensure that all personal data gathered, used or processed at the University of Iceland is handled in accordance with the new law.

2. Processing of personal data must be satisfactorily supported by the law

University of Iceland staff shall not process personal data unless there is satisfactory justification for the work in the Data Protection Act.

In accordance with the Data Protection Act, personal data may only be processed if one of the following criteria is met:

The data subject has consented to the processing of their personal data for one or more specific purposes.
The processing is necessary in order to honour a contract, to which the data subject is a party, or to take measures at the request of the data subject before entering into a contract.
The processing is necessary in order to comply with a legal obligation to which the controller is subject.
The processing is necessary to protect the vital interests of the data subject or another individual.
The processing is necessary for a task that is carried out in the public interest or in the exercise of official authority vested in the controller.
The processing is necessary for the pursuit of legitimate interests by the controller or a third party, except where overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially when the data subject is a child.

3. Handling of sensitive personal data

University of Iceland staff shall always take the utmost care when processing and storing sensitive personal data. Item 3 of paragraph 3 of the Data Protection Act lists the kind of information that should be considered sensitive personal data in a legal sense. For example, information about race, origins, health etc. is classed as sensitive personal data.

4. Education and training for staff

The University of Iceland shall regularly provide staff with education and training on how to handle personal data.

5. Security, reliability and the limits of processing

The University of Iceland shall guarantee the security of any personal data the institute works with. The University of Iceland is responsible for ensuring that technical and organisational safeguards are in place, designed to prevent unlawful or unauthorised access. The University of Iceland is also responsible for ensuring that personal data is reliable and updated as required. If any personal data proves to be inaccurate, it must be deleted or corrected without delay. The University of Iceland will, in accordance with the Data Protection Act, report any security breaches that may occur in the processing of personal data to the Data Protection Authority. The University of Iceland will also inform the data subjects of any security breaches if necessary. When the University is involved in processing personal data, the institution will also make the controller aware of any security breaches.

The University of Iceland shall also ensure that personal data is only processed to the extent considered necessary. Personal data shall be stored in a form that allows data subjects to be identified for no longer than is necessary for the purpose of the work.

6. Communication of personal data to outside parties

In certain circumstances, the University of Iceland may need to pass personal data on to an outside party, for example on the basis of a service contract. In such circumstances, the University of Iceland must ensure that appropriate safeguards are in place.

7. The rights of data subjects

Individuals may request a copy of any of their personal data held by the University of Iceland. Such requests shall be submitted to the University of Iceland Service Desk (University Centre, Sæmundargata 4, 102 Reykjavík). To request a copy of their personal data, individuals must sign a form and show ID. To apply for a copy of someone else’s personal data, the applicant must show a statement giving them the authority to do so, signed by the individual. The University of Iceland shall respond to such requests in a timely fashion, generally within a month. It may take longer to respond to a particularly large number of requests or a particularly complicated request.

8. Publication

This Data Protection Policy was approved by the University Council on 4 April 2019.