Bifröst University Privacy Policy

1. Responsible party – purpose and legal obligation

Bifröst University (hereafter BU) operates in accordance with the Higher Education Act No. 63/2006 and is the party responsible for the recording, storage and processing of personal data that have been provided to BU by individuals and/or come into being during the course of their studies. BU resolves to guarantee security and confidentiality in the control and processing of personal data handled within BU and thereby seeks to comply with Act No. 90/2018 on Data Protection and the Processing of Personal Data, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, as implemented into Icelandic law. The purpose of this privacy policy is to inform students and staff about what personal data are collected and how they are used.

2. What are personal data?

Personal data as defined in this policy are all types of information relating to an identified or identifiable natural person, i.e., information that can be linked directly or indirectly to a specific individual, cf. Article 3 of Act No. 90/2018 on Data Protection and the Processing of Personal Data. Non-personally identifiable information is not considered to be personal data.

3. Collection and handling of personal data

BU collects and preserves certain personal data on applicants to BU’s study programmes and employees. Data collection extends, for instance, to all applications, contact information, CVs, cover letters and information on prior education, etc., as well as sensitive personal data in the form of medical certificates and information on special needs that students or guardians have provided to BU. Photographs taken at events relating to BU’s educational activities are the property of BU and may be used for marketing purposes. BU also collects cookies on its website.

The list above is not exhaustive, since other factors may affect the forms of data that need to be collected in order for BU to carry out its activities. Data are processed for the purpose of allowing BU to fulfil its duties as an educational institution, but processing may also take place on the basis of other legitimate interests.

4. Provision of personal data to third parties

BU may provide personal data to third parties where a service contract has been established or a legal obligation exists, or for other necessary reasons for operational purposes.

5. Data security

BU endeavours to store all data in secure locations within recognised computer systems, where emphasis is placed on the protection of personal data. Access controls to systems are one example of such security measures. BU endeavours to protect personal data from loss or alteration and likewise to protect data from unauthorised access, use, copying or sharing. BU is bound by the provisions of the Public Archives Act No. 77/2014, which takes precedence over the Data Protection Act. BU is thereby not permitted to alter or destroy data on request, except after having received special permission to do so. Comments regarding misleading or incorrect information shall accompany the data on being archived, as applicable.

6. Individuals’ rights

Individuals are entitled to receive confirmation as to whether their personal data is being processed or not. BU is bound by the Public Archives Act No. 77/2014, which prohibits the alteration or destruction of data on request. However, individuals have the possibility to submit corrections with comments in the event that data are deemed to be incorrect, and this information shall accompany data as applicable. The right to erasure of data or the right to be forgotten does not apply to personal data at BU, since the institution is required under the Public Archives Act to preserve all data that it receives.

7. Review of privacy policy

This privacy policy is reviewed regularly and may be amended as appropriate.

8. Inquiries and complaints

BU’s Data Protection Officer is Ragnheiður Á. Birgisdóttir, lawyer. Questions or comments relating to data protection at BU may be sent to the Data Protection Officer at personuvernd@bifrost.is.

Reviewed at a meeting of the University Council, 14 October 2019

Approved by the Rector, 23 October 2019

This is a translation of the document persónuverndarstefna. In the event of any discrepancies between the translation and the original text, the original shall take precedence.