1. Responsible party – purpose and legal obligation
2. What are personal data?
Personal data as defined in this policy are all types of information relating to an identified or identifiable natural person, i.e., information that can be linked directly or indirectly to a specific individual, cf. Article 3 of Act No. 90/2018 on Data Protection and the Processing of Personal Data. Non-personally identifiable information is not considered to be personal data.
3. Collection and handling of personal data
BU collects and preserves certain personal data on applicants to BU’s study programmes and employees. Data collection extends, for instance, to all applications, contact information, CVs, cover letters and information on prior education, etc., as well as sensitive personal data in the form of medical certificates and information on special needs that students or guardians have provided to BU. Photographs taken at events relating to BU’s educational activities are the property of BU and may be used for marketing purposes. BU also collects cookies on its website.
The list above is not exhaustive, since other factors may affect the forms of data that need to be collected in order for BU to carry out its activities. Data are processed for the purpose of allowing BU to fulfil its duties as an educational institution, but processing may also take place on the basis of other legitimate interests.
4. Provision of personal data to third parties
BU may provide personal data to third parties where a service contract has been established or a legal obligation exists, or for other necessary reasons for operational purposes.
5. Data security
BU endeavours to store all data in secure locations within recognised computer systems, where emphasis is placed on the protection of personal data. Access controls to systems are one example of such security measures. BU endeavours to protect personal data from loss or alteration and likewise to protect data from unauthorised access, use, copying or sharing. BU is bound by the provisions of the Public Archives Act No. 77/2014, which takes precedence over the Data Protection Act. BU is thereby not permitted to alter or destroy data on request, except after having received special permission to do so. Comments regarding misleading or incorrect information shall accompany the data on being archived, as applicable.
6. Individuals’ rights
Individuals are entitled to receive confirmation as to whether their personal data is being processed or not. BU is bound by the Public Archives Act No. 77/2014, which prohibits the alteration or destruction of data on request. However, individuals have the possibility to submit corrections with comments in the event that data are deemed to be incorrect, and this information shall accompany data as applicable. The right to erasure of data or the right to be forgotten does not apply to personal data at BU, since the institution is required under the Public Archives Act to preserve all data that it receives.
8. Inquiries and complaints
BU’s Data Protection Officer is Ragnheiður Á. Birgisdóttir, lawyer. Questions or comments relating to data protection at BU may be sent to the Data Protection Officer at firstname.lastname@example.org.
Reviewed at a meeting of the University Council, 14 October 2019
Approved by the Rector, 23 October 2019