Privacy policy.
Overview of the collection, processing, and retention of personal data — in compliance with the General Data Protection Regulation (GDPR) and the Icelandic Act on Personal Data Protection and the Processing of Personal Data No. 90/2018.
This is an English translation of the Icelandic privacy policy. In the event of any discrepancy, the Icelandic version is authoritative.
1. Scope and responsibility
Hagsmunasamtök Æskunnar, registration no. 600426-0600 (HÆ), is a public-benefit association under Icelandic law. This policy describes how the organization processes personal data in accordance with Act No. 90/2018 and Regulation (EU) 2016/679 (GDPR).
The policy applies to all interactions with HÆ, including via the website, email, telephone, and in person.
- Data controller: Hagsmunasamtök Æskunnar, reg. no. 600426-0600
- Privacy contact: personuvernd@
hagsmunasamtokaeskunnar.is
The Executive Director is responsible for overseeing privacy matters on behalf of the organization.
2. Collection of personal data
2.1 When registering on the website
HÆ operates several types of registrations, including for volunteers, the professional advisory council (fagráð), sponsors, the fundraising team, financial donations, and the newsletter.
For all registrations we collect:
- Name and email address
- Consent to the privacy policy
Additional information may be recorded depending on the nature of the request:
- Phone number, location, areas of interest, and estimated contribution (volunteers)
- Profession and place of work (professional advisory council)
- Company name and contact information (sponsors)
- National identification number (kennitala) — only in connection with financial donations and where required by law
Many fields are optional, and disclosure of that information is at each individual's discretion.
Double opt-in confirmation: Upon initial registration, an automatic confirmation email is sent to the email address provided. Registration does not take effect until the confirmation link has been activated. The link is valid for 48 hours; if it is not used within that period, the data is automatically deleted and no records are kept. This process is in place to prevent unauthorized registrations.
2.2 When receiving correspondence
When inquiries are received by email, the messages and the sender's email address are retained to ensure proper processing and follow-up.
2.3 Website visits
The organization's website uses only technically necessary cookies. No personal data is collected about visitors through analytics or advertising cookies.
2.4 Listing on the professional advisory council page
When registering for the HÆ professional advisory council (fagráð), members are given the option to consent to the public listing of their name, profession, and (optionally) place of work on the council page of the website. Consent to public listing is voluntary — members can fully participate in the council's work without being publicly named.
Consent to public listing may be withdrawn at any time by sending a message to
personuvernd@
3. Purposes and legal bases for processing
HÆ processes personal data for the following purposes:
- To communicate with registered individuals about projects, partnerships, or inquiries.
- To issue receipts and maintain accounting records as required by law.
- To distribute the newsletter to those who have requested it.
- To process and respond to data subject requests.
The processing is based on the following legal grounds:
- Consent — for registrations, newsletter subscriptions, and inquiries.
- Legal obligation — for accounting, issuing receipts, and processing data subject requests.
- Legitimate interests — for routine communications with sponsors.
4. Data retention periods
| Type of data | Retention period |
|---|---|
| Registrations (volunteers, council, fundraising, sponsors) | Up to 5 years from the last interaction |
| Accounting records and receipts | 7 years (per the Icelandic Accounting Act No. 145/1994) |
| Newsletter subscriptions | Until subscription is withdrawn |
| General email inquiries | Up to 2 years |
| Data subject requests | 3 years |
After the retention period, data is deleted or anonymized in a secure manner.
5. Access and disclosure of data
5.1 Within the organization
- The Executive Director has full access to all personal data processed by the organization.
- Project managers have limited access to information necessary for their respective projects.
- The Board of HÆ has access only to summaries and anonymized information, except where required by law or contract (e.g. for the approval of major contracts or assessment of conflicts of interest).
5.2 Processors
HÆ uses third-party services for website hosting, email distribution, and bookkeeping. All such providers are bound by data processing agreements that ensure compliance with GDPR and that data transfers are made under either the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission.
| Processor | Function | Data location |
|---|---|---|
| Netlify, Inc. | Web hosting, form intake, confirmation tokens (Netlify Blobs) | United States (SCCs) |
| Resend, Inc. | Delivery of confirmation and notification emails | United States (SCCs) |
| Google Ireland Ltd. | Email infrastructure (Google Workspace) | Ireland (EEA) |
| ISNIC | Domain registration and DNS management | Iceland (EEA) |
| Plausible Analytics | Anonymous web usage analytics | European Union (EEA) |
| Icelandic accounting system | Accounting and annual reporting | Iceland (EEA) |
Confirmation tokens in Netlify Blobs are retained for up to 48 hours and are automatically deleted if confirmation does not take place, in accordance with section 2.1.
The list of processors is updated as needed. Inquiries regarding processors should be directed to
personuvernd@
5.3 Public authorities
HÆ shares data with public authorities where required by law, such as with Iceland Revenue and Customs (Skatturinn) for receipts or with auditors for the preparation of annual financial statements.
5.4 Other disclosures
HÆ does not sell personal data under any circumstances and does not share it with third parties for marketing purposes.
6. Security measures
The organization applies recognized technical and organizational security measures, including:
- Two-factor authentication on all systems that store personal data.
- Encryption of data in transit (HTTPS) and at rest.
- Access controls that limit data access to those who genuinely require it.
- Periodic review of access permissions.
In the event of a personal data breach, the Icelandic Data Protection Authority (Persónuvernd) is notified within 72 hours, and affected individuals are informed of the breach if it is likely to affect their rights.
7. Rights of data subjects
Registered individuals have the right to:
- Request access to the personal data HÆ holds about them.
- Request the rectification of inaccurate or incomplete information.
- Request the erasure of data (except where retention is legally required).
- Request the restriction of processing in certain circumstances.
- Receive their data in a machine-readable format (data portability).
- Withdraw consent to processing.
- Object to processing based on the organization's legitimate interests.
These rights can be exercised through the following channels:
- Request form: hagsmunasamtokaeskunnar.is/en/privacy-request
- Email: personuvernd@
hagsmunasamtokaeskunnar.is
Requests are responded to no later than within 30 days, free of charge.
Right to lodge a complaint: Individuals who believe their rights have been violated may lodge a complaint with the Icelandic Data Protection Authority
(personuvernd.is,
postur@
8. Information about children and youth
Services on the organization's website are intended for individuals of legal age. HÆ does not knowingly collect personal data from individuals under the age of 18 through the website. If such information is received, it will be deleted immediately.
9. Whistleblowing process
The organization operates a separate reporting channel for individuals who wish to share information regarding the welfare of children and youth. The process follows specific confidentiality rules set out in the relevant procedures.
10. Changes to the policy
HÆ reserves the right to update this privacy policy. Material changes are announced on the website and communicated to registered individuals if they directly affect their rights.