Personal Data Protection Policy of the University of Akureyri

The University of Akureyri is permitted to register personal data, and personal data protection and security of personal data are implemented in accordance with the Act on Data Protection and the Processing of Personal Data no. 90/2018 (Icelandic). The University operates according to the Act on Public Higher Education Institutions no. 85/2008.

The Personal Data Protection Policy of the University of Akureyri extends to personal data, whether it is acquired and preserved electronically, on paper or in another comparable manner. This Policy covers how the University treats personal data, that is, how it is acquired, disseminated, registered, processed, preserved and how its security is maintained in accordance with the Act on Data Protection and the Processing of Personal Data. The employees of the University of Akureyri shall use the Personal Data Protection Policy as a guiding principle when working with personal data.

The University of Akureyri is the responsible party for the processing of personal data carried out on the behalf of the University. All treatment of personal data is subject to the Act on Data Protection and the Processing of Personal Data. The University takes care that all processing of personal data is within the framework of the Act on Data Protection and the Processing of Personal Data and ensures that processing agents granted access to personal data also adhere to the legislation.

Personal data processed by the University

What is personal data?

Personal data is data on an identified or identifiable individual. The data is considered identifiable if it is possible to identify an individual, directly or indirectly, such as with a reference to an identifier, for example, name, national identification number, online identifier or one or more factors that identify an individual.

Where does personal data originate from?

Personal data that the University works with is usually collected directly from the data subject but personal data is also processed which the University receives via other means, for example, through access to public registers, such as Registers Iceland, Icelandic Student Loan Fund, etc.

What personal data does the University work with and what authority does it have to do so?

In order to attend to its statutory role, the University of Akureyri potentially manages or has access to the following information:

  • Public information, that is, national identification number, address, gender, nationality, phone number, email address, etc.
  • Academic record
  • Professional record
  • Complaints from students and staff
  • Committee work of both staff and students

Processing of personal data is only permitted if any of the following factors is in place:

  • If the University must fulfil injunctions in laws, regulations or regulatory acts
  • If the processing is necessary on the basis of lawful interests, or to protect vital interests of the data subject or a third party
  • The processing is based on permission in an agreement which the data subject is a party to, or the processing is necessary in order to take measures at the request of the data subject prior to an agreement being concluded
  • The processing is based on the approval of the data subject, and the processing is needed to attain one or more specific goals

The University of Akureyri works with the personal data of its employees; the data is, for example, necessary in order to pay salaries to employees for their work. Other data is processed to fulfil an agreement, for example, an employment agreement, which the data subject is a party to.

The University stores all data received by it, including personally identifiable data, such as job applications and applications for admission to the University.

How do we ensure the boundaries of personal data?

The University of Akureyri is obligated to maintain a register of its processing operations. The processing register contains all information on the personal data managed by the University.

Processing of personally identifiable information between UNAK and a third party

The University of Akureyri does not hand over personal data to a third party unless it is legally obligated to do so, a data subject has requested this or given an informed and unforced approval for doing so.

Rights if an individual concerning the personal data that UNAK processes

The objective of the Act on Data Protection and the Processing of Personal Data is to enhance the protection and rights of the individual. According to the legislation, individuals are entitled to make use of these rights through contacting the Data Protection Officer of the University of Akureyri via email at personuvernd@unak.is.

It should be kept in mind that in some instances, the rights of the data subject may possibly be restricted for some reason; for example, the University does not have permission to delete data sent to it because of legal obligation on preservation of data at public institutions, cf. the Public Archives Act no. 77/2014. Furthermore, the right of an individual can be restricted by the protection of another data subject, vital public interest or fundamental rights of others.

Rights of an individual according to the Act on Data Protection and the Processing of Personal Data are categorised in the following manner:

Right to access

All data subjects have a right to know what personal data is registered on them and how it came about, and to have access to and receive all copies of all personal data which the University processes. In some instances, exemptions from rights may apply, for example, because of others’ rights which shall take precedence, but as a general principle, an individual shall be granted access.

Data subjects can also have a right to access data according to Article 15 in the Administrative Procedures Act no. 37/1993, which covers the right of a party to a case to access documentation and other material bearing on the case, and according to Article 14 in the Information Act no. 140/2012.

The University of Akureyri works with a large amount of data and is permitted to request that parties specify further what data or processing actions a request concerns, prior to granting the data.

 

Right to correction

If an individual believes that some of the data stored by the University on the individual is incorrect, then he/she has a right to have the data corrected.

Right to restriction of processing of personal data

If an individual believes that data concerning himself/herself is incorrect and disputes the data or if the individual believes that processing of the data is unlawful then he/she has a right to request that the University of Akureyri restrict the processing of personal data until it has been confirmed that the data is correct or that an applicable permission is in place concerning its processing.

Right to protest processing and withdrawal of approval

In those instances when the approval of the data subject is a prerequisite for processing of personal data, the individual has a right to withdraw approval. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Right to deletion

The University of Akureyri is bound by legal obligation on preservation of data and obligation of return according to the Public Archives Act no. 77/2014. Therefore, the University can not comply with requests for deletion of data if this is requested on the basis of the Act on Data Protection and the Processing of Personal Data.

How is the security of personal data ensured and how is oversight carried out?

Personal data is only processed in a lawful, fair and transparent manner in regard to data subjects within UNAK.

The University of Akureyri obligates itself to preserve all personally identifiable data as securely as possible and to only process personal data in such a way that applicable security of the data is ensured. Furthermore, the University takes all appropriate measures, technical as well as organisational, which shall be based on the nature, extent, context and purpose of the processing and risks relating to the rights and freedoms of data subjects, in order to ensure and demonstrate that the processing fulfils the requirements of the Act on Data Protection and the Processing of Personal Data.

The University of Akureyri ensures the security of personal data with data security systems. Data security within the University is ensured with consideration given to the latest technology, cost of implementation, as well as nature, extent, risk and purpose of processing.

Furthermore, the University has adopted an Information Security Policy which is also accessible on the website of the University.

 

The Centre of Teaching and Learning at the University of Akureyri attends to the computer systems of the University and ensures data security within the University.

Data Protection Officer

A data protection team operates at the University of Akureyri and working with the team is the Data Protection Officer of the University.

Communication between UNAK and the Data Protection Authority

The Data Protection Officer of the University of Akureyri is the contact person between UNAK and the Data Protection Authority and works with that institution. The Data Protection Officer has the role of educating, training and informing staff members of the University about their obligations according to the Act on Data Protection and the Processing of Personal Data. The Data Protection Officer carries out appraisals and is responsible for internal oversight of personal data protection. Furthermore, he/she provides consultation if matters of dispute arise in the area of personal data protection.

Enquiries and complaints

The Data Protection Officer receives enquiries and requests from data subjects.

The Data Protection Officer can be contacted directly by sending an email to personuvernd@unak.is

The Personal Data Protection Policy of the University of Akureyri was approved in the University Council on 24 April 2019.