Privacy Policy

Rafeyri ehf. VAT 430594-2229, Norðurtanga 5, 600 Akureyri (also referred to as "the company" and "we") is committed to ensuring the reliability, confidentiality, and security of personal information processed within the company.

This privacy policy extends to personal information concerning Rafeyri's customers, representatives of customers, and other partners, as well as other individuals who interact with the company, such as in relation to inquiries or support requests (hereinafter collectively referred to as "customers" or "you").

This privacy policy is intended to inform you about the types of personal information the company collects, how the company uses such personal information, and who has access to the information.

If you have any questions or concerns about how this policy applies to you, please contact Rafeyri at personuvernd@rafeyri.is for further information. Detailed contact information is provided at the end of this policy.

1. Purpose and Legal Basis

Rafeyri strives to comply with applicable data protection legislation, and this policy is based on Act No. 90/2018 on Data Protection and the Processing of Personal Data (the Data Protection Act), as amended.

2. What are Personal Information?

Personal information, as understood in this policy, refers to any information relating to an identified or identifiable individual, i.e., information that can be directly or indirectly linked to a specific person. Non-personal, anonymized data is not considered personal information.

3. Personal Information Processed by Rafeyri about Customers, Contractors, and Partners

We collect and retain various types of personal information about our customers. The specific personal information collected about you may vary depending on whether you are involved in business transactions with the company or if you are acting on behalf of a legal entity in relation to the company, such as a contractor.

Video Surveillance: At Rafeyri's premises at Norðurtanga 5 in Akureyri, there may be surveillance cameras (digital cameras), and visitors to our premises may be recorded. The processing of information obtained through video surveillance is based on the legitimate interests of the company, as the processing is carried out for the purposes of property and security protection.

Customers: If you act on behalf of a business partner of Rafeyri, such as a contractor, subcontractor, or business contact, Rafeyri may process your contact information, such as name, telephone number, and email address. Additionally, Rafeyri may process communication history and, as applicable, account-related information. This processing is necessary for the company to fulfill its obligations under the relevant agreement with the respective business partner. The company may also be required to process information based on legal obligations, such as accounting regulations and the security management system of electrical contractors.

Complaints and Notifications: If you submit a complaint or notification to us, Rafeyri will generally process your contact information, such as name and email address, as well as the content of the complaint or notification that you choose to disclose.

Grant Applications: In connection with grant applications, Rafeyri processes contact information, such as name, national identification number, email address, and telephone number, as well as other information provided to the company in such applications. This processing is carried out based on your request to enter into a grant agreement with the company.

First and foremost, Rafeyri obtains personal information directly from customers or representatives of customers. However, information may also come from third parties. If personal information is obtained from a third party, the company will endeavor to inform its customers accordingly.

Information about customers and representatives/contacts of customers is retained for a minimum of 4 years after the end of the business relationship. If the information falls under accounting regulations, it will be retained for a minimum of 7 years from the end of the respective accounting year. Certain information may need to be retained for a longer period, for example, if there is a likelihood that Rafeyri may need to establish, exercise, or defend legal claims. In such cases, the retention period will be based on the rules regarding the limitation period for claims.

4. Disclosure to Third Parties

Rafeyri may disclose your personal information to third parties in relation to their contractual relationship with the company, such as collection agencies or providers of information technology services or other types of consultancy on behalf of the company.

Your personal information may also be disclosed to third parties to the extent permitted or required by applicable laws or regulations, such as to the National Tax Authority or other supervisory authorities. The same may apply to disclosures required based on court orders or if disclosure is deemed necessary for the company to safeguard its interests in disputes or legal proceedings.

However, Rafeyri will not transfer personal information outside the European Economic Area unless it is permitted under relevant data protection legislation, such as based on standard contractual clauses, your consent, or the advertising of Data Protection authorities regarding countries that provide adequate protection for personal information.

Finally, your personal information may be disclosed to the extent permitted or required by applicable laws or regulations, or to respond to lawful actions such as searches, subpoenas, or court orders.

5. How is the security of personal information ensured?

Rafeyri takes appropriate technical and organizational measures to protect personal information, considering their nature. These measures are intended to safeguard personal information against accidental loss or alteration and unauthorized access, copying, use, or disclosure. Changes and corrections to personal information

It is important that the personal information Rafeyri processes is accurate and relevant. Therefore, it is crucial to notify the company of any changes that may occur regarding your personal information.

You have the right to have inaccurate personal information about you corrected. In light of the purpose of processing personal information, you also have the right to complete incomplete personal information about you, including by providing additional information. Please direct all updates to personuvernd@rafeyri.is.

Security breaches that result in accidental or unlawful destruction of personal information, whether sent, stored, or processed in any other way, or if they are lost, altered, disclosed, or accessed without authorization, are handled according to the instructions of the Data Protection Authority regarding notifications of security breaches: [URL]. If it is unlikely that a security breach poses a risk to the rights and freedoms of individuals, it is not mandatory to notify the Data Protection Authority. In such cases, it will be handled by Rafeyri's management as deemed necessary.

6. Your Rights Regarding the Personal Information Processed by the Company

You have the right to confirm whether we process your personal information or not, and if we do, you can request access to the information and information about how it is processed. You may also have the right to receive a copy of the information. In certain circumstances, you may request that we transmit the information, which you have provided to us or which is derived from you, directly to a third party.

In certain circumstances, you may request the erasure of your personal information when the retention of the information is no longer necessary for the purpose of processing or when there is no other legal basis for its retention. If the processing is based on consent, you have the right to withdraw your consent at any time.

In employment contracts concluded after July 1, 2020, employees have the option to consent to the retention of educational achievements, course certificates, and similar data related to their employment. However, the retention of professional certificates relevant to the position is necessary and their storage remains the same.

If you do not want your information to be erased, for example, because you need to keep it to defend a legal claim, but still want the processing to be restricted, you can request limited processing of your information.

If the processing of your personal information is based on the legitimate interests of the company, you also have the right to object to such processing.

However, the aforementioned rights are not absolute. There may be legal obligations that require the company to reject a request for erasure or access to data. The company may also reject your request due to its rights, such as intellectual property rights, or the rights of other parties, such as the privacy of personal life, if the company considers those rights to outweigh your rights.

If there are circumstances where the company cannot comply with your request, the company will strive to explain the reasons for rejecting the request, taking into account the limitations imposed by legal obligations.

7. Inquiries and Complaints to the Data Protection Authority

If you wish to exercise the rights described in Section 7 of this policy or if you have any questions regarding this privacy policy or how the company processes your personal information, please contact us at personuvernd@rafeyri.is.

Contact information for the company:

Rafeyri ehf. Norðurtanga 5 600 Akureyri

If you are dissatisfied with the company's processing of your personal information, you can send a message to personuvernd@rafeyri.is with a subject related to your complaint.

8. Review

Rafeyri may amend this privacy policy from time to time in accordance with changes to applicable laws or regulations or due to changes in how the company processes personal information.

Any changes that may occur to the policy will take effect after an updated version has been published on here on our website.