Privacy Policy
Issue 3.0 – 3 July 2024
This Privacy Policy describes how Sensa ehf., ID no. 480202-2520, Lyngháls
4, 108 Reykjavík (hereinafter „Sensa„), processes the personal data of its
clients who are individuals, clients’ representatives, suppliers and partners,
individuals who visit Sensa’s place of business and/or website, job applicants and individuals who contact Sensa or engage with Sensa in other respects.
In this Policy, all of these individuals are collectively referred to as „you“ or „data subjects.“ More specifically, this Privacy Policy describes how Sensa processes your personal data, on which legal basis, and how Sensa strives to ensure the security of your personal data. The Policy is based on Act No. 90/2018 on Data Protection and the Processing of Personal Data (hereinafter referred to as the „Data Protection Act„).
Sensa’s different roles on the basis of data protection legislation
Sensa’s role in the processing of personal data depends on the task being carried out at any given time. In this regard, Sensa may, on the one hand, play the role of data processor and, on the other hand, act as a data controller, in accordance with the Data Protection Act. Different obligations apply to the company depending on the role it is playing.
When it is necessary for Sensa to process personal data in connection with the services provided to its clients, the company acts as a processor. Such processing is subject to Sensa’s Data Processing Agreement Terms, and as further stipulated therein, Sensa only processes personal data in such circumstances on the basis of instructions from its clients.
In cases where Sensa is reselling services and/or licenses from third parties to clients, such third parties may also act as processors within the meaning of the Data Protection Act vis-à-vis clients, without Sensa acting as an intermediary. This may apply, for example, in cases where the client is granted permission to use third-party software that also hosts the client’s personal data.
In other instances, Sensa acts as the controller of processing, which is the processing described in this Privacy Policy.
Personal data processed by Sensa
• Clients and their representatives
In order to be able to communicate with clients, in connection with existingor planned business transactions, it is necessary for the company to processpersonal data. In such cases, Sensa primarily processes contact information provided to Sensa by the client or which is made public by other means, e.g. on the client’s websites or in the telephone directory, in particular name, telephone number and e-mail address. Sensa may also process data on the status of the individual in question and a copy of the communication history, as appropriate.
Such processing primarily takes place for the purpose of verifying transactions requested by the client, managing and ensuring secure communication between the client and Sensa, communicating messages to the client regarding the services the client purchases from Sensa, and where applicable, to charge for services. The processing is thus based on Sensa’s agreement with the client, or the latter’s request to enter into a contract, and the processing related to the client’s representatives is based on Sensa’s legitimate interests.
Sensa’s communication with clients’ contacts may also take place for marketing purposes, where Sensa introduces its services to its clients or to others who may have subscribed to Sensa’s mailing list, in accordance with the provisions of the Data Protection and Telecommunications Act. Recipients of such emails always have the option to opt-out of such communications by contacting Sensa or clicking on „Unsubscribe from mailing list“ in an email received from Sensa. The processing that takes place for marketing purposes is based on Sensa’s legitimate interests.
• Representatives of suppliers and partners
In order to be able to communicate with suppliers and partners, the company is required to process the contact information of the representatives of such parties. Information on name, telephone number, e-mail address and position is processed, as well as a copy of communication history as appropriate. This processing takes place on the basis of Sensa’s legitimate interests.
• Electronic monitoring
Electronic surveillance is conducted at and around Sensa’s office building, as well as its machine shop, by surveillance cameras for security and asset protection purposes. Neither video nor audio material is disclosed to third parties unless permitted to do so by law, e.g. to the police if suspicion of criminal conduct arises and it proves necessary to investigate the case on the basis of the above-mentioned data. Sensa’s processing is related to electronic monitoring and is based on Sensa’s legitimate interests.
• Job applicants
If an individual applies for a job at Sensa, the company is required to process the person’s personal data for the purpose of assessing whether an employment contract should be concluded. The data that is processed is contact information, i.e. information on name, ID number, e-mail address and telephone number, data on education and work experience as well as the other personal data applicants choose to provide to Sensa. Sensa may also process data about referees and public information, e.g. information that can be accessed on social media about the person in question. Sensa’s processing of data on applicants is based on the applicant’s request to enter into an agreement with Sensa.
In connection with individual jobs, the applicant’s criminal record is also processed and such processing is based on Sensa’s legitimate interests.
• Sensa’s website and other processing
Sensa’s website, www.sensa.is, uses cookies and in connection with such use, personal data, such as IP address, is processed. Sensa’s use of cookies is further stipulated in a separate policy in this regard. In part, the processing is based on the consent of individuals who visit the website, and individuals can withdraw such consent at any time.
In the event that an individual visits Sensa’s place of business, e.g. for the purpose of attending a meeting, Sensa processes specific contact information on the individual, in particular information about the name. Such data is processed on the basis of the company’s legitimate interests, including for security purposes ensuring that Sensa has information on who is in the building in the event of a security incident.
Security of personal data
Information security is a top priority in Sensa’s operations. Sensa ensures the protection of personal data, e.g. by following approved procedures on information management and central access control. Sensa is also certified according to the ISO 27001:2013 standard on information security management systems.
To ensure the security of personal data at the company, Sensa hasestablished a security policy, carried out risk assessments that are subject to regular review and implemented numerous security measures to mitigate any risks that could pose a threat to the data. Such security measures are of both an organisational and technical nature to protect personal data against loss, accidental alteration and against unauthorised access, copying, use or disclosure.
Among the main measures applied by Sensa are the following:
• Sensa’s certification in accordance with the ISO/IEC 27001:2013 standard on information security management systems, to ensure, among other things, the confidentiality, correctness, completenessmand availability of data,
• requiring employees and contractors to sign confidentiality agreements,
• the development of procedures and processes regarding the security of personal data and the response to security incidents and data breaches,
• access control to information systems and premises,
• supervision and security of premises and machine shops,
• entering into processing agreements with suppliers or other service providers working on behalf of Sensa, and
• educating employees on the lawful and safe handling of personal data.
Sensa ensures, through internal control, that work is carried out in accordance with the above-mentioned security measures and to ensure that they are satisfactory and reliable.
How long does Sensa store personal data?
Sensa only stores personal data for as long as it is deemed necessary and objective to achieve the purpose pursued by the processing at any given time, as described above, or if Sensa’s legitimate interests require it, e.g. to establish, exercise or defend legal claims.
As a general rule, data is stored for the duration of the contractual relationship, but a limited set of core data on clients’ transaction history is retained indefinitely for the benefit of Sensa’s legitimate interests. In addition, special time limits may be specified in law for the storage of data that Sensa must comply with, e.g. regarding the storage of data that is considered accounting data for seven years.
Material collected by Sensa for the purpose of electronic monitoring is deleted after 30 days, unless otherwise permitted by law, and data on applicants is generally deleted after six months, unless the applicant has specifically agreed to a longer retention period.
Sharing of personal data with third parties
Sensa may use external service providers in its operations. If deemed necessary to process personal data in connection with such services, the parties in question may act as Sensa’s processors. In such cases, Sensa ensures that a satisfactory agreement is concluded with such parties and that the security of the personal data they are entrusted with processing is ensured.
Sensa may also be obliged to process or disclose personal data to supervisory authorities in cases where such processing is required by law, administrative orders or court rulings. This could in particular apply to the delivery of data to supervisory authorities on the basis of a legitimate request, such as to the police, the cyber security team of CERT-ÍS, the Directorate of Internal Revenue or the Financial Supervisory Authority.
What are the rights of individuals?
Under the Data Protection Act, individuals have the right to:
• access personal data about themselves and obtain information about the processing, including whether and which categories of personal data are processed, for what purpose and for how long the data is stored,
• have information about themselves delivered in a commonly used machine-readable format or, where applicable, transferred to another service provider,
• demand the rectification and/or deletion of inaccurate personal data concerning him/herself;
• object to or restrict the processing of personal data about him/herself and
• withdraw the consent given for the processing of personal data about him/herself.
It is important to emphasize, however, that the above rights are subject to certain limitations, e.g. if data could concern the personal data of another individual. Requests from individuals must therefore be assessed on a case- by-case basis, with regard to the scope of the request, the personal data in question and the purpose of their processing by Sensa.
Sensa will respond to requests in writing within 30 days of receipt. In the event of an excessive or unfounded request, Sensa reserves the right to charge a reasonable fee for processing the request. Sensa will notify the person in question of this separately before proceeding with the request.
Inquiries and complaints to the Data Protection Authority
If a data subject wishes to exercise his/her rights on the basis of data protection legislation, such inquiries shall be directed to Sensa’s Security Manager. The same applies to any kind of enquiries regarding privacy-related matters. It is best to send a request to personuverndarfulltrui@sensa.is.
Sensa has also appointed a Data Protection Officer whose role is, among other things, to monitor Sensa‘s compliance with laws and regulations on data protection in its operations and to be the contact person for the Data
Protection Authority and data subjects regarding matters related to the processing of personal data by the company. Sensa’s Data Protection Officer is bound by confidentiality regarding the execution of its tasks. The Data Protection Officer’s email address is personuverndarfulltrui@sensa.is.
In cases where a data subject believes that there is a dispute between him/her and Sensa regarding the processing of his/her personal data, he/she has the right to send a complaint to the Data Protection Authority, Laugavegur 166, 105 Reykjavík. See further information on the Directorate’s website, www.personuvernd.is.
Privacy Policy Review
Sensa reserves the right to revise this Privacy Policy on a regular basis and whenever deemed necessary.
The date at the top indicates when the Policy was last updated. All changes to the Policy will be published on this website and they will take effect upon publication on Sensa’s website.
Sensa may also send data subjects an e-mail to notify them of changes to the company’s Privacy Policy or any other changes that may concern the individual in particular.
