Personal Data Protection

The objective of the Central Bank of Iceland is to conduct the processing of personal data on behalf of the bank in accordance with the fundamental principles and rules regarding personal data protection and privacy. The Central Bank is responsible for monitoring that the processing of personal data complies with laws and regulations and for taking appropriate measures to ensure it is done.

This Personal Data Protection Policy is founded on the provisions of Act no. 90/2018 on Data Protection and the Processing of Personal Data and on the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

This Personal Data Protection Policy applies to all of the Central Bank’s processing of personal data and covers all natural persons whose personal data may be processed by the bank, including employees of customers and regulated entities, consultants or contractors who work for or on behalf of the bank, parties that have any kind of contact with the bank, visit it or its website, as well as employees of the bank itself, etc.

The policy applies both to personal data that individuals have provided to the Central Bank, and to personal data acquired by the Bank from third parties. Personal data on natural persons can be stored electronically or on paper, but the Personal Data Protection Policy applies equally to the electronic and manual processing of personal data.
This Personal Data Protection Policy only applies to natural persons and not to legal entities.

Personal data is to be understood as any data that can be used to identify individuals directly or indirectly. The processing of personal data refers to an operation or set of operations which are performed on personal data, whether or not by automated means, such as the collection, registration, storage, transmission and dissemination of data or other methods used to make data available, or connect, combine, restrict or erase them.

The Central Bank places emphasis on processing personal data with care and ensuring that it is reliable and accurate.

In most cases, the Central Bank is considered to be the Controller in accordance with Act no. 90/2018 when it comes to the processing of personal data. This means that in most cases the Central Bank determines, alone or in  consultation with others, in most cases the Processor, the purposes and methods applied to the processing of personal data.

The Central Bank receives data and information from both individuals themselves and external parties, e.g. public authorities, regulatory bodies, the bank's customers, regulated entities, etc., for its processing of personal data, and the information is received either by regular mail, e-mail, by telephone, through IT systems, the bank's web portals, etc.
The Central Bank makes every effort to uphold the principles of Act no. 90/2018:

• The rule of law: personal data must be processed in a lawful, fair and transparent manner in relation to the data subject.

• The purpose principle: personal data must be collected for specified, explicit, legitimate and objective purposes and not be further processed in a manner that is incompatible with those purposes.

• The principle of proportionality: personal data shall be sufficient, relevant and not exceed what is necessary for the purpose of the processing.

• The principle of reliability: personal data must be reliable and updated as necessary.

• The principle of conservation: personal data must be stored in such a way that it is not possible to identify data subjects for longer than is necessary based on the purpose of processing.

• The principle of security: personal data must be processed in such a way that the appropriate security of the personal data is ensured.

  Moreover, as the Controller, the bank must always be able to demonstrate that its processing of personal data meets the requirements of Act no. 90/2018.

Pursuant to Act no. 92/2019 on the Central Bank of Iceland, the bank shall, among other things, promote price stability, financial stability and sound and secure financial activities. The bank shall also undertake tasks consistent with its role as central bank, such as maintaining currency reserves and promoting an efficient and sound financial system, including domestic and cross-border payment intermediation. The execution of these statutory tasks of the Central Bank requires some processing of personal data, including the reception, storage, analysis and processing of data. However, this processing shall never exceed what is considered necessary and appropriate for the purpose of the processing.

The processing of personal data may also entail monitoring and follow-up by the Central Bank on the basis of Act no. 92/2019, Foreign Exchange Act no. 70/2021, Act No. 87/1998 on the Official Supervision of Financial Activities, Act no. 161/2002 on Financial Undertakings and rules issued on the basis thereof.

Other tasks of the Central Bank which may entail the processing of personal data, are the reception and processing of issues that have been submitted to it, communication with the Central Bank's customers, regulated entities and public authorities, the recording of phone calls for business and security reasons, surveillance cameras used by security guards, recruitment processes, registration of external parties on the bank’s mailing list, use of social media and web tracking, etc.

The Central Bank processes certain personal data on its employees, i.a. in connection with the conclusion of employment contracts, salary processing, the presence of employees on the premises, the management of access to the bank's premises, compliance, the recording of phone calls and video surveillance, cf. above, operation of the intranet, online security, storage of e-mails and chats, operation of employees’ mobile devices, career development and retirement.

The Central Bank places a great deal of emphasis on security in the processing of personal data and takes appropriate technical and operational measures that take into account the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of data subjects to ensure and demonstrate that the processing of personal data meets the requirements of the law. These measures pertain to, among other things, data security and stability in the operation of online and IT systems at the bank.

The Central Bank ensures that the bank's processing of personal data, including its storage and other safekeeping, is in accordance with the provisions of Act no. 90/2018. Personal data is either stored in the bank's IT systems, hosted by service providers, on paper in locked filing cabinets, on the bank's mail servers and databases, or on tapes for backup.

The Central Bank does not provide personal data to third parties, e.g. public authorities, regulators, law enforcement authorities, the bank's customers, regulated entities, processors in the bank's service or others except in exceptional cases when the bank deems it necessary and has the right to do so, i.a. for the purpose of responding to requests and inquiries, to protect and secure the activities of the Central Bank and to carry out supervision in accordance with the law.

In connection with the employment agreement between the Central Bank and employees, it is necessary for the bank to share some personal information about employees with third parties, e.g. the commercial banks of employees, trade unions and pension funds.

The Central Bank neither shares nor sells personal data to third parties for marketing-related purposes.

Act no. 90/2018 provides for the rights of data subjects, including rights to education, information and access to their own personal data. The Act also stipulates the right of data subjects to correct, delete, transfer their own data, etc. However, these rights may be subject to restrictions that may derive from the law, the interests of other parties concerned by the data or important interests of the Central Bank, e.g. the bank's business or security interests. Data subjects must prove their identity when they wish to exercise their rights under Act no. 90/2018.

In accordance with Public Archives Act no. 77/2014, the Central Bank is an entity that is subject to an obligation of transfer, which applies to all data, regardless of its form, in the bank's custody. As an entity that is subject to an obligation of transfer, the Central Bank is not permitted to delete documents from its archives without the authorisation of the National Archives, cf. Article 24 of the Act.

The Central Bank places on emphasis on ensuring that personal data is handled in a secure and responsible manner. The obligation of confidentiality based on Act no. 92/2019 applies to all employees involved in the processing of personal data and they are informed of their obligation to maintain confidentiality and security to ensure that personal data is processed in a legal and responsible manner.

The Central Bank appoints a Data Protection Officer in accordance with the provisions of Act no. 90/2018. The Data Protection Officer is independent and impartial in his or her work within the Central Bank and his/her work falls directly under the Governor of the Central Bank. The role of the Central Bank's Data Protection Officer is, among other things, to monitor compliance with the provisions of Act no. 90/2018 in the bank's operations, provide Data Protection Impact Assessments and act as the bank’s contact person regarding data protection matters, i.a. towards the Data Protection Authority.

The Data Protection Authority supervises the implementation and performance of Act no. 90/2018 and every data subject or their representative, has the right to file a complaint with the authority if they believe that the processing of personal data about them by the Central Bank violates the Act. At the request of the Data Protection Authority, the Central Bank shall cooperate with the authority in carrying out its tasks.

The Central Bank reserves all rights to make amendments to this privacy policy as needed.
Amendments to this data protection policy must be advertised separately on the Central Bank's website (www.sedlabanki.is) and also on the intranet of the bank's employees.

Inquiries, comments and suggestions regarding this Data Protection Policy or the Central Bank's processing of personal data in other respects shall be addressed to the bank’s Data Protection Officer by letter to the bank, an e-mail to personuvernd@sedlabanki.is or by phoning 569-9600.