Efling Privacy Policy

1. General

The Efling Trade Union (hereinafter referred to as “Efling” or “the Union”) makes every effort to ensure the security of personal data of its members and other individuals associated with the Union’s activities, aiming to protect human rights and the right to personal life integrity. This Privacy Policy explains how Efling stéttarfélag ehf., kt.  701298-2259, Guðrúnartún 1, 105 Reykjavík collects, records, processes, stores, and shares personal data of its members and individuals visiting the website www.efling.is, regardless of whether the personal data is stored electronically, on paper, or by other means.

All processing of personal data within the activities of the Union must comply with the provisions of Act No. 90/2018 on the protection and processing of personal data. To achieve this, the employees of the Union have been trained in the protection and handling of personal data.

If you have any questions regarding the processing of personal data by Efling or this Privacy Policy, please send them to the email address personuvernd@efling.is.

2. What personal data does Efling collect and for what purpose?

Efling ensures that only the personal data necessary for the achievement of the purpose for which they were collected are member processed. If personal data will be processed in a manner other than specified in this Privacy Policy or for other purposes, Efling will make every effort to inform the member.

a. Efling collects the following personal data:

• Basic data: name, identification number (kennitala), address, telephone number, email address, place of work, marital status, family number, contributions.
• Communication information: all your communication with the Union; written, oral, email, or through social media.
• Data concerning members who use the Efling Employment Law Department services: bank data, payslips, employment contracts, and other data related to their employment matters.
• Data concerning members using sickness benefits and educational funds services: medical certificates and salary information.
• Educational fund subsidies.
• Information regarding the rental of summerhouses.
• Purchased gift vouchers and/or cards.
• Complaints regarding improper use of summerhouses and related video materials.
• Digital traces e.g. online behavior on the Efling website.
• Technical information, e.g., IP address.
• Image and sound from security cameras at Guðrúnartún 1.

b. Efling also collects the following sensitive personal data:

• Membership in the Union, citizenship, and information related to the operations of the funds and services for members.

c. Purpose of registration, storage, and processing of personal data.

Efling processes personal data for a clear and declared purpose, in accordance with data protection regulations, Union law, and this Policy. Reasons for Efling to process personal data are diverse, including:

• Calculating membership fees and accrued rights of each member.
• Protecting the interests of members.
• Conducting surveys and processing data, e.g., regarding wage increases, and to enable wage comparisons across professional groups for general publication.
• Communicating with members by phone, email, and/or post.
• Complying with the Accounting Act and tax law.
• Paying sick benefits and subsidies from other Efling funds, in accordance with relevant regulations.
• Selling gift vouchers (accommodations, flights, etc.) and allocating summerhouses and charging fees for them, in accordance with the recreational fund regulations.
• Disbursing grants from Efling funds and updating member status according to fund regulations.
• Preventing recurring misconduct in summerhouses/apartments.
• Ensuring the safety of members and Union property.
• Enabling Efling employees to assert members’ contractual rights as agreed in collective agreements.
• Giving members the opportunity to vote for the Efling board and facilitating candidates’ access to members before elections.
• Providing members with the opportunity to vote in elections on collective agreements and strike calls.

3. Legal authorization for the use of personal data

In accordance with Icelandic law, Efling is entitled to process personal data if the processing is based on legal provisions. Furthermore, Efling is obligated to inform individuals about the grounds for processing. Efling collects and processes personal data based on the following authorizations:

• To fulfill obligations arising from a contract (e.g., rental of a summerhouses).
• To fulfill a legal obligation.
• To protect the urgent interests of members
• Due to legitimate interests of the Union.

These actions are necessary for managing the Union’s activities and involve the necessity of collecting and processing personal data.

In some cases, the Union requests authorization and informed consent for the processing of personal data. In such cases, an individual may withdraw consent at any time, which results in the termination of processing covered by that consent.

4. Collection of children´s personal data

Efling’s policy is not to register, collect, process, or store personal data of children under 13 years of age, except when necessary to pay compensation due to death, illness, or accident. Efling obtains special consent from guardians to process data before providing services to a child who has not reached the age of 16.

5. Automated decision-making

At Efling, there is no automated decision-making during the processing of personal data.

6. Rights of individuals

According to the Personal Data Protection Act, individuals have certain rights, including the right to obtain information about whether Efling processes their personal data and how it deals with them in its activities. However, these rights are not absolute, and legal obligations or stronger interests of Efling, or third parties may prevent Efling from fulfilling the request of a person wishing to exercise rights under the Personal Data Protection Act. Efling endeavors to respond within 30 days to all requests from individuals wishing to exercise rights under the Personal Data Protection Act. If for any reason Efling cannot fully or partially comply with such a request, it seeks to justify such a decision.

• Access to Own Personal Data: Members have the right to know whether Efling processes their personal data and to receive information about the processing: its purpose, where it is disclosed, the source, whether automated decisions are made, and information about their rights. Individuals may also have the right to receive a copy of their personal data processed by Efling.
• Correction and Deletion of Personal Data: If a member believes that the personal data processed by Efling about them is inaccurate or incorrect, they have the right to correct it.
• Right to Erasure of Data: In certain cases, an individual has the right to request that Efling delete their personal data, for example, if they consider that the information is no longer necessary for the purposes for which it was collected. Exactly, the same principle applies in the situation where a person withdraws consent for the processing of personal data and there is no other legal basis for processing, or when the processing of information is found to be unlawful.
• Right to data portability: In certain cases, if the processing is based on a contract or consent, a member who has provided their personal data to Efling electronically may have the right to receive a copy of this information in a structured, commonly used, and machine-readable format. The member may also request Efling to transmit the relevant information directly to a third party.
• Withdrawal of consent: In cases where Efling processes personal data based on consent provided by the individual, the person who gave consent to Efling may withdraw it at any time. However, the withdrawal of consent does not affect the lawfulness of processing based on the consent before its withdrawal.
• Complaints to Persónuvernd: The Icelandic Data Protection Authority (Icelandic: Persónuvernd) oversees the implementation of the Data Protection and Processing Act and supervises case law in disputes concerning data protection. More information about the Authority can be found on its website at personuvernd.is. More information about the Authority can be found on its website at personuvernd.is. If a person is not satisfied with the Union’s processing of personal information about them, they can submit a complaint to the Personal Data Protection Authority by sending a message to the Persónuvernd, Rauðarárstígur 10, 105 Reykjavík or to postur@personuvernd.is.

7. Retention period of personal data

Personal data is retained by the Union for as long as necessary, considering the purpose of processing and the existence of factual reasons. The history of membership contributions, including information on payments from the sickness fund and data related to assistance in matters of collective agreements, constitutes an exception, and this information will be retained for a longer period. However, to the extent possible, in such a way as to minimize the risk of personal identification. Any information obtained in connection with these matters, including payslips and work hour records, will nevertheless be deleted in accordance with the main principle. Efling may be required to retain information based on legal obligations. In this way, accounting data is retained for a period of seven years from the date of acquisition.

8. Third Party Disclosure

Efling does not disclose, sell, or rent personal data to any third parties under any circumstances, unless the Union is legally obligated to do so, or in cases where a service provider, agent, or contractor employed by Efling requires it to perform specific tasks. In such cases, Efling enters into a data processing agreement with the relevant party receiving this data. The agreements include, among other things, the obligation of data processors to ensure the security of personal data and the prohibition of using them for purposes other than those specified.

Efling also discloses personal data to third parties when necessary to protect the urgent interests of members, such as in the case of pursuing unresolved claims.  Efling has entered into an agreement with the Union’s lawyer, which includes the investigation of wage claims on behalf of members and incorporates the new provisions regarding the protection of personal data, Act No. 90/2018.

Efling’s privacy policy does not cover information or processing of personal data by third parties over which Efling does not exercise supervision, nor is the Union responsible for their use, publication, or other actions. Therefore, we encourage you to familiarize yourself with the privacy policies of third-party entities, such as hosting service providers, who may direct users to our website.

9. Browsing Behavior and Mailing List Registration

When users visit the Efling website, the Union may collect technical information about their usage. The information stored by the system during users’ visits to the website is called cookies. The purpose of using cookies is to customize the service to your needs, to ensure the website functions perfectly and as intended, and to provide the best experience while visiting our website. The aim is also to process information for statistical purposes, analyze traffic on our website, and for marketing purposes.

Cookies facilitate user logins to My Pages. In some cases, cookies may collect information such as IP address, browser type, device type. Some of this information may be considered personal data; however, data protection and handling are discussed in more detail elsewhere in this Privacy Policy. Information obtained in this way is never used to identify the user.

Consent is not required for the use of basic cookies, but consent is required for the use of other types of cookies. By selecting the “allow cookies” option, you accept their use or reject them completely.

10. Security of Personal Data and Notification of Breaches

Ensuring the security of personal data processing is a priority for Efling. Therefore, we have implemented appropriate technical and organizational measures to protect the personal data of our members in accordance with our Security Policy. Access to data about Union members is restricted to Efling employees only. The Union has active access control, allowing access only to those employees who need the data for their work.

In the event of a breach of personal data security deemed to pose a significant risk to the rights of the member, they will be promptly notified. In this context, a security breach is considered to be an incident resulting in the loss or destruction of personal data, its alteration, disclosure, or unauthorized access by an unauthorized person without permission. However, we would like to point out that personal data shared by a member with us on social media platforms, such as information on Efling’s Facebook page, is considered public information and is not under Efling’s control, as Efling does not have control over such information, and the Union is not responsible for its use or publication. If a member does not wish to share this information with other users or social media service providers, they should not provide such information on our social media platforms.  

Additionally, Efling promotes awareness among employees through training and information on the protection of personal data security.

11. More information

Efling stéttarfélag ehf., kt. 701298-2259, Guðrúnartún 1, 105 Reykjavík, is responsible for ensuring that all processing of personal data complies with applicable laws and regulations concerning data protection and serves as the data controller responsible for their processing.

Efling’s Data Protection Officer oversees compliance with this Policy and the applicable laws and regulations concerning the protection of personal data in the Union’s activities. Requests, comments, and suggestions regarding the processing of personal data can be directed to Efling’s Data Protection Officer on the personuvernd@efling.is.

12. Update of Efling Privacy Policy

Efling will regularly update this Policy to best reflect the actions taking place at any given time.

With the introduction of changes to the Policy, they will be published on the Efling website and will come into effect upon publication, unless otherwise indicated. This Policy was last updated on March 13, 2024.