ÁSKELL DATA PROTECTION POLICY

A) GENERAL

In the course of doing business, we inevitably gather various forms of information, some of which may involve natural persons. These data can, in some instances, be identifiable, or traceable to the persons to which they relate (the data subjects). It is our policy to collect only such data as is necessary for the services we provide, in a transparent way and with respect for the rights of data subjects. This data protection policy is intended to promote the respectful treatment of the personal data that we process (of our employees, customers, and other stakeholders) and the confidential treatment of that data, taking full regard of the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, integrity and confidentiality. The purpose of this policy is to explain: 1) why we collect personal data, 2) the basis for collecting personal data, 3) what personal data we collect and how we use it, 4) when we share personal data, 5) the rights of data subjects, and 6) what measures we take to promote the security of the data.

1 DATA WE PROCESS AND DATA PROCESSED BY OTHERS

1.1 When are we the data controller?

When we produce, market and service our solutions, we and our Affiliates get access to various categories of information and data. These include data that can be considered personally identifiable within the meaning of Data Protection Laws (as defined below). This Policy applies to these data.

1.2 When are we the data processor?

Our platform solutions store and assist in transmitting and backing up data that can be personally identifiable. In these instances, we can be considered a processor. Data such as these fall under the Processing Agreement concluded between us and the relevant customer. When appropriate, this Policy will also be taken into consideration in the handling of such data, to facilitate careful and respectful treatment of personal data.

1.3 When our solutions are used for the processing of others

When our solutions are installed, run and hosted by our customers, we are neither a controller nor a processor – we simply provide a tool that others use.

This Data Protection Policy is subject to changes. If intended amendments are substantial, they will be notified specifically. Smaller changes will be implemented into the Policy and made available on our website.

2 DEFINITIONS

“Data Protection Laws” refers to the Icelandic Act on Data Protection and the Processing of Personal Data no. 90/2018 (as in force at any given time and with subsequent amendments) and other Icelandic laws and regulations on the protection of personal data, as well as the legislation of the European Union on the protection of personal data, in particular the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). When the context provides for it, the term also covers legislation and regulations regarding the handling of, storing of (and limitations to storing), duty to preserve, duty to deliver, and duty to provide information on, personal data and documents containing such data.

“Affiliate(s)” (of a relevant party) refers to an entity which, directly or indirectly, owns or controls that party, is owned or controlled by that party, or is under common ownership or control with that party, where ‘control’ means the power to direct the management or affairs of an entity, and ‘ownership’ means the beneficial ownership of 50% (or, if the applicable jurisdiction does not allow majority ownership, the maximum amount permitted under such law) or more of the voting equity securities or other equivalent voting interests of the entity.

“Delicate information” is personal information that is, due to its nature, particularly sensitive because it relates to fundamental rights and freedoms, merits specific protection, or its processing can create significant risks to the fundamental rights and freedoms of the data subjects. By way of example, this can be data that relates to race, ethnic origin, political opinions, religious beliefs, health, sexual orientation and similar matters.

“Security Incident” refers to a personal data breach, as that term is defined in Data Protection Laws.

The terms, “Data Subject”, “Member State”, “personal data”, “processing”, and “supervisory authority” have the meanings ascribed to the terms in the applicable Data Protection Laws.

In this Policy we will also refer to Overscast as “We”, “Our” or “Us”.

3 PERSONAL DATA PROCESSING PRINCIPLES

When processing personal data, We will strive to adhere to the following principles. These principles shall also be used to clarify and construe other parts of this Policy.

  • a) Personal data are collected in a lawful manner and processed in a fair and transparent way.
  • b) Personal data are collected to serve a legitimate purpose and only processed in connection to that purpose, and/or according to legal requirements or for archiving purposes.
  • c) Personal data shall be correct, accurate and sufficient for the processing they relate to. When it is possible to do so with reasonable and proportionate means, the accuracy and validity of data will be authenticated.
  • d) We do not collect more personal data than is reasonably needed to achieve the purpose behind their processing.
  • e) Personal data is not stored longer than needed to achieve the aim behind their processing and for archiving purposes compatible with that aim, or according to legal requirements.
  • f) The confidentiality of personal data shall be preserved. Technical and organisational measures shall be taken with the aim to achieve a level of security that is appropriate, taking into account the state of the art, costs of implementation, the nature, scope, context and purposes of the processing of the personal data.

B) WHY DO WE COLLECT PERSONAL DATA

The purposes for collecting personal data are different and depend on the type and categories of data. For example, we collect personal data that concerns our employees to be able to correctly perform our obligations in the employment relationship. We may collect, or be provided with, personal data regarding contacts and employees of our customers and users, or potential customers and users, in connection with providing them with services and solutions, for the purpose of entering into an agreement. We may also collect certain personal data in connection with enquiries, or service requests.

C) LEGAL BASIS FOR PROCESSING PERSONAL DATA

We only collect and process personal data as permitted by law. All our data processing will be based on one of the following legal bases:

Consent: When the basis of intended processing is the consent of the data subject, we will only process the data when a satisfactory, informed consent has been granted.

Agreement: If the processing of personal data is based on an agreement, or is required in order to enter into a contract at the data subject’s request, the processing should be justifiably required in the context of the performance of the agreement or in the process of concluding the agreement.

Legal obligation: If the processing of personal data is based on a legal requirement or statutory obligation we are subject to, or on the orders of a competent court or authority, we will take into account the principle of proportionality and, if permitted, notify the data subject about the nature and scope of the processing.

Necessity: If the purpose of the processing is to safeguard our or a third party’s important legitimate interests, the scope of the processing shall be limited to what is necessary and, if permitted, the data subject will be informed about the purpose, scope and nature of the processing and informed of their rights.

D) WHAT PERSONAL DATA DO WE COLLECT AND HOW DO WE USE IT?

  • a) Data required to perform contractual duties. For example, data required for payroll processing and to make other payments to employees, contractors and advisors, and data required to interact with our users and their contacts.
  • b) To provide services, improve services and develop them further. This could for example apply to various information and inquiries that we receive in connection with our services and solutions, the frequency and type of certain operations and similar information. Usually, such information is not personally identifiable.
  • c) To ensure the logging and preservation of communication and facilitate more efficient resolution of inquiries and service requests.
  • d) Data from cookies are used to improve the functionality of websites and our platform to make their use more personal and convenient.
  • e) Personal data may be used in the interest of the data subject, to make his use of our solutions more efficient and intuitive, for example by auto populating certain documents or fields.
  • f) For business purposes such as to assist in the strategic planning, development of solutions, market research, to improve services, to identify patterns of use, assess efficiencies etc.
  • g) As deemed necessary to comply with legal obligations and instructions from competent authorities.
  • h) As deemed necessary to protect our operations.

We do not use personal data for other purposes, unless with the consent of the data subject.

E) HOW AND WHEN PERSONAL DATA IS SHARED

We generally do not share personal data. That may however occur in following instances. We may share personal data:

  • a) with our Affiliates, for purposes outlined in this Policy.
  • b) with processors that can be considered third parties, in connection with purposes outlined in this Policy, such as hosting, storing, processing payments, auditing and other ancillary services necessary to render our main services.
  • c) as we deem necessary to: (i) comply with laws and regulations, (ii) comply with official requests from competent authorities, (iii) adhere to contractual terms in a specific instance, and (iv) protect our operations and the rights and security of our personnel and customers.
  • d) for other purposes with the consent of the data subject.
  • e) If we or our Affiliates take part in a restructuring, merger, acquisition or a similar process, if necessary, but confidentiality will be ensured.

We do not transfer personal data to third countries or international organisations outside the EEA, unless such transfers are a legal obligation or are made in accordance with the instructions of competent courts or authorities. We will not transfer personal data outside the EEA until a contract has been concluded that satisfies the requirements of Data Protection Laws and binding corporate rules have been concluded that ensure the security of personal data.

F) RIGHTS OF DATA SUBJECTS

  • a) Information rights. Data subjects have the right to know whether their personal data is collected and processed. Data subjects also have the right to information on the purpose of the processing, who has access to their data, how long the data will be stored (or according to which criteria the storage period is determined) and the origin of the data.
  • b) Right to rectification. Data subjects have the right to request that inaccurate or wrong personal data is rectified and, taking into account the purpose of the processing, to have more accurate and complete data filed when data is insufficient.
  • c) Right to erasure and to restrict processing. Data subjects have the right to require that their personal data be erased, and/or to restrict the processing of personal data, when legal conditions are met.
  • d) Right to portability. Data subjects have the right to receive their personal data in an appropriate format and to transmit such data as they wish, when legal conditions are met.

If data subjects want to utilize their rights and make requests concerning their personal data, they should send an e-mail to us: privacy@askell.is

G) MEASURES TO PROMOTE THE INTEGRITY OF DATA

1 Notices to data subjects

When it is compatible with the purposes and grounds for processing, we notify the data subject that his personal data is collected and processed. The form of the notice will differ from case to case. For example, employees are informed about the processing of their data in their employment contract.

2 Informed consent

When the collection and processing of personal data is not based on i) a request from a data subject, ii) an agreement with the data subject, iii) necessary to satisfy a legal requirement, or iv) necessary to protect legitimate interests, we will seek the consent of the data subject. We will inform data subjects that grant consent about their right to withdraw their consent at any time. The data subject will also be informed of its rights according to this Data Protection Policy and Data Protection Laws.

3 Accuracy and corrections

When we collect personal data, we try to have them as accurate and correct as possible. When a data subject so requests, inaccurate personal data are rectified without undue delay. When it is compatible with the purpose of the processing, the data subject shall have the right to request that incomplete data is completed or further elaborated.

When it is practicable, data shall be updated when the occasion arises. If data has proven wrong or inaccurate, it shall be deleted once it has been corrected.

If data has been shared before it is rectified or deleted, this shall be notified to the recipients, unless notifying constitutes a disproportionate burden.

Only employees that need to do so in the course of carrying out their jobs, for the purposes of processing, shall have access to personal data. Others shall not have access to change, amend, alter or delete personal data, or to process them in any other way.

4 Processing in accordance with a specific purpose

When decisions are taken regarding which parties are granted access to personal data and how such data is processed, care should be taken to make sure that such decisions reflect the purpose behind collecting and processing the data in question and that all handling of the data is compatible with that purpose.

H) SECURITY OF PERSONAL DATA

No data transfer is perfectly secure, no data storage is a hundred per cent safe. We endeavour to protect personal data and ambitiously strive to achieve that aim. We use realistic, operational, technical and organisational measures that are regularly reviewed and updated. Our measures are intended to promote data security while also being efficient and economically and operationally feasible.

1 Organisational and operational measures

1.1 Training and corporate culture.

Our people study our Data Protection Policy and receive training and regular presentations on data security, tailored as appropriate to their position and responsibility. Our company culture is one of awareness, and we emphasize the core values of confidentiality, responsibility and care in the handling of all information. Our people (employees, executives and advisors) who have access to personal data are bound by contractual obligations of confidentiality. When additional confidentiality is required by law or specific circumstance, our people sign additional confidentiality undertakings that apply to the related tasks.

1.2 Safe zones.

Our offices are defined as a safe zone. Customers, advisors and other guests are only allowed access to the offices if escorted by an employee who is responsible for them while they are on the premises. The employee shall register the name of the guest and the time of arrival and departure.

1.3 Clear desk and blank screen policy.

If our people leave their workstation, they are to make sure that no personal data is visible on surfaces or screens. All screens shall be configured to automatically display a locked screensaver if they are not used for a period.

1.4 Deletion, destruction and retention periods.

Before storage media containing personal data is destroyed or disposed of, all personal data must first be securely deleted.

1.5 Remote work and work on own devices.

Our people are aware that particular care must be used when connected devices are used to work on personal data outside of our offices and our own servers, especially in public. Our personnel are permitted to work using their own devices. All data and information that are saved on, transferred through or worked on in own devices, remain the property of Áskell at all times and we retain full control and rights over all such data and information. Permission to use own devices is only granted when the devices have the technical requirements necessary to facilitate the safety of personal data.

2 Technical measures to protect and guard personal data

2.1 Access control.

Access to our systems, portals and databases is generally controlled and locked, unless access control is obviously not necessary. Access codes are only provided to our people that have a need for access to a particular system, portal or database due to work tasks. Logs are kept to record which people have access.

2.2 Passwords.

Personnel are not permitted to provide others with their passwords. It is not permitted to share passwords through any media. If there is any suspicion that a password has been compromised, it shall be changed without delay.

2.3 Data Retention policy.

Áskell retains personal data in compliance with EU data protection laws, specifically the General Data Protection Regulation (GDPR). Personal data is stored only as long as necessary to fulfill the stated purposes for which it was collected, including meeting accounting, auditing, tax, and legal obligations under applicable financial regulations, typically not exceeding seven years unless a longer retention period is required by law or justified for the defense or assertion of legal claims. After this period, data will be securely deleted or anonymized to protect individual privacy.

2.4 Response to Security Incidents

If a Security Incident arises, clear work processes are followed.

A Security Incident can entail that: 1) Confidentiality of personal data is breached and an unpermitted disclosure takes place, or a party not permitted to access data receives them, 2) data becomes inaccessible, or 3) personal data is altered or tampered with.

If a Security Incident arises, we take measures that are appropriate in scope and scale, to investigate the incident, minimize any damage and rectify the situation, without delay.

If a Security Incident arises, we report the incident to the appropriate supervisory authority without undue delay after we first become aware of the irregularity, unless it is unlikely to result in a risk to the rights and freedoms of the data subjects involved. Such reports follow a fixed procedure.

In instances where a Security Incident leads to a high risk to the rights and freedoms of data subjects, we notify the data subjects directly, unless appropriate measures have been taken that eliminate that risk. Such notifications follow a fixed procedure.