Origo respects your privacy and is committed to protecting your personal data. This notice will inform individuals how Origo collects and otherwise processes their personal data when Origo is the controller of personal data.
Origo is the controller of consumer ‘s personal data who buy products or service from Origo and the individuals acting as representatives on behalf of companies who do business with Origo. When Origo is the controller it decides the purpose and meaning of the processing and is also responsible for the treatment and security of the personal data.
This notice does however not cover the processing of personal data when Origo is providing IT services to enterprises and is acting as a processor of personal data, in which case Origo’s customers (enterprises) are the controllers of the personal data. Enterprises who buy IT services from Origo and are acting as controllers are responsible for making a data processing agreement with the processors acting on their behalf, as well as ensuring the right treatment and security of the personal data.
This notice supplements other privacy notices which Origo may provide to individuals on specific occasions or due to specific processing of personal data.
Origo has appointed a data protection officer (DPO) who is responsible for overseeing compliance with data protection legislation. All questions related to data protection or privacy shall be sent to the e-mail email@example.com or by mail to:
Data Protection Officer, Borgartúni 37, 105 Reykjavík.
Origo will review this notice regularly to make sure the notice is in compliance with data protection law and reflects Origo‘s processing of personal data at each time.
Last changes were made July 3, 2018.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Origo may collect, use, store and transfer different kinds of personal data which have been grouped together as follows:
Origo may also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from personal data but is not considered personal data in law as this data will not directly or indirectly reveal individual’s identity. For example, Origo may aggregate Usage Data to calculate the percentage of users accessing a specific website feature. However, if Aggregated Data is combined or connected with personal data so that it can directly or indirectly identify individuals, Origo will treat the combined data as personal data which will be used in accordance with this privacy notice.
Origo does not collect any Special Categories of Personal Data about individuals (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor does Origo collect any information about criminal convictions and offences.
Origo uses different methods to collect data from and about individuals including through:
Origo may collect Identity, Contact and Financial Data direct from individuals when they fill in forms or correspond to Origo by post, phone, email or otherwise. This includes personal data individuals provide when they:
As individuals interact with Origo’s websites, Origo will automatically collect Technical Data about their equipment, browsing actions and patterns. Origo collects this personal data by using cookies, server logs and other similar technologies. Please see our cookie notice for further details.
Origo has access to Identity Data through the National Registry in Iceland for commercial purposes.
Below is a description of ways that Origo uses individual’s personal data and which legal basis is relied on to do so.
Note that Origo may process individual’s personal data for more than one lawful ground depending on the specific purpose for using the data. Individuals can contact Origo if they need details about the purpose and legal basis Origo relies on to process personal data, see below.
Origo will only use personal data when the law allows. Most commonly, Origo will use personal data in the following circumstances:
Generally, Origo does not rely on consent as a legal basis for processing personal data except for using cookies on Origo’s website.
Origo collects Identity and Contact Data when new customers register. The legal basis relied on is in most circumstances performance of a contract with the individual who‘s data is being collected.
Origo processes Identity, Contact, Financial, Transaction and Marketing Data to process and deliver products or services, i.e. managing payments from individuals and collecting payments individuals owe to Origo. Managing payments is in most circumstances necessary for the performance of a contract with an individual. Origo has on the other hand legitimate interests in recovering debts due to the company.
Origo collects personal data from individuals how call Origo‘s service desk or use our repair services. This processing is in most circumstances necessary for the performance of contract.
Origo also processes personal data of individuals who are customers of Origo to manage the relationship with them. The categories of data Origo processes for that purpose are Identity, Contact and Marketing Data. An example of a processing activity that is performed for this purpose would be when Origo sends it‘s customers surveys or asks them to review products or services. This processing is necessary for the legitimate interests of Origo to study how customers use Origo‘s products or services.
Origo will process Identity, Contact and Technical Data to administer and protect the business and websites. This includes troubleshooting, data analysis, testing and other system maintenance that is necessary for Origo’s legitimate interest for running business and network security.
Origo processes Technical and Usage Data for analysing how to improve websites, products, services, marketing, customer relationship and experiences. This processing is necessary for Origo’s legitimate interests to develop products and services and help the business grow.
Origo’s core business is providing IT services to enterprises. When doing business with enterprises Origo will process Contact Data belonging to individuals that are employees of these enterprises. The categories of data that Origo will be processing is most likely Identity and Contact Data and the legal basis for processing is based on Origo’s legitimate interests to run business.
Origo uses CCTV cameras around the company’s buildings and inside them in Reykjavik and Akureyri. All monitored areas inside the buildings are marked. Origo uses CCTV cameras for security and to protect the company’s properties.
Calls from customers to Origo’s service desk are recorded. The recording is based on Origo’s legitimate interests to ensure security in the business.
Origo collects Identity Data about customers that are attending meetings at Origo’s facilities at Borgartún 37, 105 Reykjavik. The processing is based on Origo’s legitimate interests as it is necessary for security and for compliance with ISO 27001 standard.
Origo may process Identity, Contact, Technical and Usage Data to analyse the customer needs with their interests in mind. This way it’s possible to decide which products, services and offers may be relevant for customers. This processing is based on Origo’s legitimate interests to be able to develop products and services and make the business grow.
Individuals that have purchased products or services from Origo or asked to be contacted on Origo’s website will receive marketing emails if they have not opted out at point of collection of the personal data. Individuals can at any given time ask Origo to stop sending them marketing material by following the opt-out links on any marketing email they have received from Origo.
Where individuals have opted out of receiving marketing material it will not apply to personal data provided to Origo as a result of a product/service purchase, warranty registration, or other transactions.
Origo may process personal data when it is necessary so for the company to comply with a legal obligation or court order.
Origo will only use personal data for the purposes for which it was collected, unless the new purpose is compatible with the original purpose.
If Origo needs to use personal data for an unrelated purpose, individuals will be notified and which legal basis the processing will be based on.
Origo may disclose personal data with third party service providers for the purpose set out above.
Third parties that process personal data on behalf of Origo when providing their services are considered processors according to data protection law. Example of such processors are:
Origo requires all third parties processing personal data to sign a data processing agreement (DPA). Origo does not allow third-party service providers to use personal data for their own purposes and only permits them to process personal data for specified purposes and in accordance with Origo’s instructions.
Origo may disclose personal data with authorities when required by law or court order.
Some of Origo’s third party service providers are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.
Whenever Origo transfers personal data out of the EEA, it will ensure a similar degree of protection is afforded to the data by ensuring at least one of the following safeguards is implemented:
Origo is ISO 27001 certified and has in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
Access to personal data is limited to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on Origo’s instructions and are subject to a duty of confidentiality. Origo has emphasized on privacy awareness among employees with training and regular education.
Origo has procedures in place to deal with any suspected personal data breach and individuals will be notified and any applicable regulator of a breach where Origo is legally required to do so.
More information about Origo’s information security and certification can be found here.
Origo will only retain your personal data for as long as reasonably necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. Origo may retain your personal data for a longer period in the event of a complaint or if there is a prospect of litigation in respect to Origo’s relationship with the individual.
To determine the appropriate retention period for personal data, Origo considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which the personal data is processed and whether the purpose can be achieved through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
By law Origo has to keep basic information about customers (including Contact, Identity, Financial and Transaction Data) for 7 years after they cease being customers for accounting purposes.
All information due to electronic monitoring will be retained for 90 days.
In some circumstances Origo will anonymize personal data (so that it can no longer be associated with an individual) for research or statistical purposes, in which case we may use this information indefinitely without further notice to individuals.
Under certain circumstances, individuals have rights under data protection laws in relation to their personal data. Individuals have the right to:
Individuals can request access to their personal data. This enables them to receive a copy of the personal data Origo holds about them and to get information about the processing.
Individuals have the right to request correction of the personal data that Origo holds about them. This enables them to have any incomplete or inaccurate data corrected.
Individuals can have right to request erasure of your personal data. This enables them to ask Origo to delete or remove personal data where there is no good reason for continuing to process it. Note, however, that Origo may not always be able to comply with the request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Individuals have the right to object to processing of their personal data where Origo is relying on a legitimate interest (or those of a third party). Individuals also have the right to object where personal data is processed for direct marketing purposes. In some cases, Origo may demonstrate that it has compelling legitimate grounds to process individuals information which override his rights and freedoms.
Individuals have the right to request restriction of processing of their personal data. This enables them to ask for the processing of their personal data to be suspended in the following scenarios:
Individuals have the right to request transfer of their personal data to them or to a third party. Origo will try it’s best to provide to an individual, or a third party he has chosen, their personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which the individual initially provided consent for Origo to use or where Origo used the information to perform a contract with the individual.
Individuals have the right to withdraw consent at any time where Origo is relying on consent to process their personal data. However, this will not affect the lawfulness of any processing carried out before the withdraw of consent. When individuals request to withdraw their consent, Origo may not be able to provide certain products or services to them.
Individuals have the right to make a complaint at any time to their supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.
If individuals wish to exercise any of their rights set out above, please send a request through our service portal.
Note that Origo is only allowed to process requests when the company is acting as the controller of personal data.
Individuals will not have to pay a fee to exercise their rights. However, Origo may charge a responable fee if a request is clearly unfounded, repetitive or excessive. Alternatively, Origo could refuse to comply with your request in these circumstances.
Origo will identify individuals that send request with an electronic ID. This identification is necessary so Origo can comply with its legal obligation in accordance with data protection law. The identification ensures that personal data is not disclosed to unauthorised persons.
In some circumstances Origo will contact individuals for further information if necessary.
Origo will try to respond to all legitimate requests within one month. Occasionally it could take longer than a month if request is particularly complex or an individual has made a number of requests. In this case, we will notify individuals and keep them updated.