Updated 7. 6. 2018.
Iceland Post is concerned about personal privacy and wants all of our customers, users and those who visit the company’s websites (www.postur.is, www.stamps.is, minn.postur.is) to know how their personal information is collected, as well as how it is processed, stored and shared, whether the personal data is stored electronically, on paper or in any other way. Iceland Post hf., Stórhöfða 29, 110 Reykjavík, is the responsible party for the processing of personal information that customers, users or those who visit the company’s websites provide the company.
Iceland Post respects the right of privacy for individuals and emphasises that the processing of all personal data is always done in accordance with the basic principles and regulations on personal privacy and right to privacy, according to, amongst other things, Act No. 77/2000 on the Protection of Personal Privacy and Processing of Personal Data and the provisions of Regulation of the European Parliament and of the Council No. 2016/679, which is expected to be implemented in Icelandic legislation in the near future. Personal information or personally identifiable information is information that can be connected to, directly or indirectly, a particular individual.
In the processing of personal data, Iceland Post always adopts the following principles of the legislation, i.e.:
Iceland Post ensures that personal information is not communicated to third parties except with the consent of the person or in accordance with applicable personal privacy laws.
It is important that this privacy statement is read in conjunction with any other notices and/or information about the processing of personal information that the company may send out. The privacy statement is complementary to other notifications and is not intended to supersede them.
Iceland Post aims to limit the collection of personal data to the greatest possible extent and only stores the personal information necessary for the best service and operation of the company. Iceland Post emphasises built-in personal privacy with regular training to employees regarding personal data processing, regular monitoring of personal data processing and minimising employee access to personal information. Personal privacy is kept in mind and built-in from the outset when projects, procedures, products or systems are defined, to ensure that personal data processing complies with laws and regulations on personal data protection.
During its operation, Iceland Post collects the following types of personal data:
- Information about the person – such as ID number and name.
- Contact information – such as address, e-mail address and phone number.
- Financial information – payment information or other information necessary for charging a fee for the service provided by the company and reimbursing customers, if applicable. When customers pay by credit card at Iceland Post, credit card information is not registered, but the transaction goes through a secure service portal with the financial institution. Iceland Post has access to transaction information but not bank account numbers or credit card numbers (upon request, financial institutions provide Iceland Post with an encrypted bank account and credit card number when the information is requested from them). This may also include information that it is necessary to request in connection with non-payment by a customer.
- Usage information – login information and information on how customers utilize the Iceland Post website and other services offered by Iceland Post.
- Shipping details - information such as reception number, contents description, weight, quantity, value, type of shipment and shipping and receiving country.
- Technical information - information obtained from cookies on the Iceland Post websites: www.postur.is, www.stamps.is and www.mappan.is. This includes information about the IP address, type or version of browser used, timing and duration of the visit and which sub-pages the user visits on the website of Iceland Post.
- Contact information that may be used for marketing purposes - if a customer allows Iceland Post to send such notifications, the company will retain the address and telephone number of the person.
- Other information that customers may share with Iceland Post - customers may have shared information through social media, for example pictures, content that a customer has made available on social media and information about a third party.
Iceland Post may also collect and share statistical information about the company’s business. Such statistics are based on information about Iceland Post customers, but they are not personally identifiable and are therefore not classified as personal information within the meaning of the Act. However, if the company links statistical information with personally identifiable information about customers, this Privacy Statement applies to their treatment.
Iceland Post only processes personal information based on legal authorizations that are defined for each and every process. Iceland Post collects and processes personal information based on the following authorizations:
- When it is necessary to fulfil a contract between the client and Iceland Post.
- When it is necessary because of legal requirements.
- When it is necessary due to the legitimate interests of Iceland Post or a third party, but this must not outweigh the fundamental rights and freedoms of the customer.
- Once the client has approved the use of the information. The customer may terminate this agreement at any time.
The interests of Iceland Post in the above can be, for example, the following: to take care of claims that have been made; to protect interests, property or other rights of Iceland Post or any of its affiliated companies, customers, employees or if the public interest so requires; and to enable Iceland Post to use available resources or to minimise any damage that the company may incur. Such use of personal information may take place in order to guard against fraud or for the investigation of such criminal acts. Furthermore, personal information may be processed in connection with negotiations for the acquisition, merger or takeover of the company’s assets. These actions are necessary to manage the company’s operations and include the need to collect and process personal information.
Iceland Post aims to minimise the use of personal information in its operations without prejudice to the quality of service and/or obligations of the company to its customers. The company uses that personal information for the purpose of conducting its business and providing its customers with first-rate services.
Personal information is used for the following purposes:
- In connection with notifications (by text message, letter or e-mail) of the products and services offered by Iceland Post, together with information about the website, changes to terms and conditions and policies.
- In connection with goods and/or service purchases, e.g. confirmation, receipt of payment or delivery details
- To service customers and to answer queries and comments.
- To send customer service and quality surveys to customers.
- Iceland Post registers addresses and keeps track of changed addresses for the purpose of forwarding mail that is marked with an incorrect or old address.
- In order for a user to log in to Mappan and/or Gáttin, which are “My Pages” at Iceland Post.
- Shipping information is used to estimate shipping costs, to handle damage claims and to track shipments. In connection with foreign shipments, certain information about shipments are provided by the authorities in the country of dispatch and the recipient country, due to customs clearance or security, in accordance with the laws of the countries concerned. This information is in most cases: Name and address of the sender, name and address of the recipient, contents description, weight, quantity, value and type of consignment..
- In connection with marketing, e.g. promotional materials, offers and advertisements, provided that the person previously granted consent for such use. The person concerned may at any time opt out of such promotional material. Note that Iceland Post is not responsible for targeted mail that other companies send individuals and companies through the postal and distribution services of the company.
Iceland Post uses personal information about customers solely for the purpose that customers were informed about when collecting it. If the company thinks that the information must be used for other and unrelated purposes, customers will be informed and told on what legal basis the company considers such use is authorised.
Iceland Post collects information about their customers in the following ways:
- Information coming directly from customers: This may include information such as name, contact information and financial information that customers provide Iceland Post with to pay for a service. This can also be information provided by customers when they communicate with the company, when they agree to be on the mailing list or when answering questionnaires.
- Automatic data collection from the use of the Iceland Post website: The company collects this information by using so-called cookies. This is information about how customers use the Iceland Post website. This enables Iceland Post to design their websites to best serve their customers.
- Information from third parties:Iceland Post may in some cases receive information about customers from third parties, such as the credit rating of individuals with companies registered with their own ID number that enter into customer account transactions
- Other information about customers: Iceland Post information system collects information about customers when they: Buy/use the product or service of the company. Sign up for the receipt of information or information services from Iceland Post. Request additional information, services or provide suggestions or complaints. Participate in games, competitions or surveys conducted by Iceland Post.
The policy of Iceland Post is to not register, collect, process or store personal information for children under 13 years of age except with the consent of the guardian and in cases where this is necessary to deliver their parcels/letters. Iceland Post also seeks to prevent children under the age of 13 from sharing their personal information on websites or in Iceland Post’s systems. Iceland Post, nevertheless, encourages parents and guardians to monitor how their children use the Internet and teach them to use it responsibly and safely.
Iceland Post only discloses personal information to third parties, as required by law or in the case of a service provider, agent or contractor who is appointed by Iceland Post to work a predetermined task. In such cases, Iceland Post makes a processing agreement with the person receiving the personal information. Such agreements stipulate, inter alia, the obligation of processors to keep personal information safe and to not use it for other purposes. Iceland Post also shares personal information with third parties when this is necessary to protect the company’s critical interests, such as collecting on non-payments. Personal data may be transmitted to countries outside the European Economic Area (EEA) in connection with the distribution of letters and parcel shipments, but in this case, Iceland Post only transfers data if adequate measures have been taken for compliance with personal data protection legislation, such as by using standardised forms of agreement that have been approved by the European Commission or in another satisfactory manner.
The Iceland Post Privacy Statement does not cover information or processing by third parties of personal information that individuals provide directly to them without the involvement of Iceland Post. Iceland Post has, in these circumstances, no control over nor is responsible for its use, publication or other activities. In such cases, Iceland Post encourages the individual concerned to familiarise themselves with the policies that those parties have undertaken on the safety and processing of personal data.
As a responsible party for the processing of personal data, Iceland Post will ensure its safety with appropriate security measures, such as with external security, as well as organisational and technical security measures in accordance with current laws. Security measures are intended to protect personal information from being lost, misused, modified and accessed without authorisation and against any and all illegal processing.
Employees of Iceland Post have signed a confidentiality declaration stipulating that they are bound by confidentiality in relation to their knowledge and work at Iceland Post.
It should be kept in mind that no transfer of data on the Internet or kept in data storage can be considered 100% safe. If an individual has reason to believe that his/her communication with the company is no longer secure, the person concerned should immediately notify Iceland Post through the contact information given at the bottom of the statement.
Iceland Post has established response procedures in the event of a breach of security and will inform the person concerned of such a security breach in accordance with the obligations under the legislation on personal data protection
Customers, users and those who visit the company’s website are given the opportunity to acquaint themselves with the Iceland Post Privacy Statement and agree to the processing of personal information, terms and conditions, as appropriate, under applicable law.
Customers, users and those who visit the company’s website have, under special circumstances, based on the new personal privacy laws, the following rights:
And where applicable, to receive a copy of the personal information that Iceland Post is working with, in order to determine whether the company is doing so legally.
This allows the person to correct incomplete or inaccurate information, though Iceland Post may need to verify that the information provided by the person is reliable.
This allows the person to ask the company to delete or remove personal information when there is no longer a legitimate reason for the company to continue working with them. The person concerned also has the right to request that the company delete or remove information when the person has legitimately objected to the processing of personal information or if Iceland Post has processed the information unlawfully or has a legal obligation to delete the information. This right is, however, limited when Iceland Post is required, according to law, to keep the information.
When the company is processing the information on the basis of its or a third party’s legitimate interest and the circumstances of the person concerned is such that he/she wishes to object to the processing on the basis that the person believes that the processing affects his/her fundamental rights and freedoms. The person concerned also has the right to object when Iceland Post is processing personal information for marketing purposes. In some cases, the company may demonstrate that the interests of processing this information are much greater than the fundamental rights and freedoms of the person concerned and that there are legitimate interests for the processing.
This enables the person concerned to request that Iceland Post minimizes the processing of personal data in the following cases: a) if the person concerned challenges the accuracy of the personal information, until such time as the company has verified its accuracy; b) if the processing is illegal and the person concerned disputes the personal data being deleted and requests that its use is limited instead; c) if Iceland Post no longer needs to retain the personal information for processing but the person is in need of it to establish, exhibit or defend legal claims; and d) the person has objected to the processing, but Iceland Post is waiting for verification of whether the company’s legitimate interests overrule the interests of the person concerned.
This enables the person concerned to request that Iceland Post, or a third party designated by it, issue his/her personal information in a regulated, common, computer-readable format. This right, however, applies only in the case of information that the person initially has provided Iceland Post and the processing is based on an approval or it is necessary to make a contract with the person concerned.
I.e. in cases where the company builds the processing of personal data upon approval. This does not, however, affect the legality of processing that is carried out before the person withdraws the approval. If the authorization is revoked, it may mean that Iceland Post cannot provide a particular service, and the company will inform the person concerned at the time he/she revokes the authorization.
However, these rights are not unequivocal, and a request may be refused if authorised to do so by law or because the processing is considered necessary for the rights of the company which, in the opinion of Iceland Post, outweighs the right of the person. In the event that a request is rejected in whole or in part, the company will seek to explain on what grounds.
If there are any questions regarding the processing of personal information at the company and/or a person wishes to exercise his/her statutory rights, the contact details at the end of this statement can be used.
In general, it costs nothing to gain access to the data or to exercise their rights, but Iceland Post reserves the right to charge a reasonable compensation if the request is manifestly unfounded, repeated or extensive. The company may otherwise refuse to respond to the request in these cases.
In connection with the handling of such a request, Iceland Post may require additional information from the person concerned to confirm that the right party is involved, as it is part of the company’s security measures to ensure that the information is not disclosed to an unauthorized third party.
In general, Iceland Post tries to answer queries within a month, but in some cases, it may take longer, e.g. if it is complex or in the case of a number of requests from the same person; in these cases the requestor is notified specifically.
Individuals always have the right to complain to the Icelandic Data Protection Authority (www.personuvernd.is), but Iceland Post would, on the other hand, appreciate that the person concerned would give the company the opportunity to resolve the issue first before contacting the Data Protection Authority.
Iceland Post stores personal information for the time that is necessary in accordance with the objective and purpose of each process unless a longer storage time is required or permitted by applicable law. A review of the personal data stored is performed once a year. If it becomes apparent on review of the personal data stored that Iceland Post no longer requires the data for processing or due to a legal obligation to store personal information, Iceland Post will stop processing and storing personal information from that time. It is appropriate to point out that Iceland Post is bound by the Act on Public Archives No. 77/2014, which may limit the right to data deletion.
Google Analytics and Siteimprove is used for website use measurement. It collects information on each visit to the website, e.g. date and time of visit, how the user enters the website and what browser and type of device is used. It also checks whether search words are used. This data provides information on how to develop the website and improve its functionality based on user needs. This information is only used by Iceland Post for the marketing of its own products. IP address disclosure is made to Google Analytics in order to access information about access to and use of the Iceland Post website. No other personal information is forwarded to Google Analytics. If the person does not want their IP address to be shared in this way to Google Analytics, then they may request this by clicking here: request that IP address will not be shared.
It may be that customers share information with Iceland Post via social media, such as by sending a query. Iceland Post does not support the further distribution of such information, and the information is used only for the purpose of responding to user queries. Iceland Post is not responsible for the handling of social media services of customer information and encourages the customer to familiarize themselves with the privacy policies of those parties.
Iceland Post reserves the right to make changes to this Privacy Statement at any time. Information about such changes will be notified by referring to the date of the changes at the top of the page. Changes are subject to approval by the Executive Board of Iceland Post. Iceland Post encourages customers and individuals to carefully review the company’s Privacy Statement in order to be informed about how the company processes personal information. Should content changes be made to this Privacy Statement that changes the way in which Iceland Post uses personal information, the company will inform you of such changes.
Iceland Post strives to ensure that all information on the company’s website is correct. You can direct comments, queries, complaints and notifications to Iceland Post by telephone on 580 1000 or by sending an e-mail to the email address firstname.lastname@example.org.
If the case concerns personal privacy, you can send it directly to the e-mail address email@example.com.
Thus approved by the Executive Board of Iceland Post on 05.06.2018