Data protection < Origo

Privacy Notice

Origo respects your privacy and is committed to protecting your personal data. This notice will inform individuals how Origo collects and otherwise processes their personal data when Origo is the controller of personal data.

Origo is the controller of consumer ‘s personal data who buy products or service from Origo and the individuals acting as representatives on behalf of companies who do business with Origo. When Origo is the controller it decides the purpose and meaning of the processing and is also responsible for the treatment and security of the personal data.

This notice does however not cover the processing of personal data when Origo is providing IT services to enterprises and is acting as a processor of personal data, in which case Origo’s customers (enterprises) are the controllers of the personal data. Enterprises who buy IT services from Origo and are acting as controllers are responsible for making a data processing agreement with the processors acting on their behalf, as well as ensuring the right treatment and security of the personal data.

This notice supplements other privacy notices which Origo may provide to individuals on specific occasions or due to specific processing of personal data.

Origo has appointed a data protection officer (DPO) who is responsible for overseeing compliance with data protection legislation. All questions related to data protection or privacy shall be sent to the e-mail personuvernd@origo.is or by mail to:

Data Protection Officer,
Borgartúni 37,
105 Reykjavík.

Origo will review this notice regularly to make sure the notice is in compliance with data protection law and reflects Origo‘s processing of personal data at each time.

Last changes were made July 3, 2018.

  • Collection and processing of personal data

    Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

    Origo may collect, use, store and transfer different kinds of personal data which have been grouped together as follows:

    • Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
    • Contact Data includes billing address, delivery address, email address and telephone numbers.
    • Financial Data includes bank account and other payment details.
    • Transaction Data includes details about payments to and from individuals and other details of products and services they have purchased from Origo.
    • Technical Data includes internet protocol (IP) address, your login data, browser type and version.
    • Usage Data includes information about how you use our website, products and services.
    • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

    Origo may also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from personal data but is not considered personal data in law as this data will not directly or indirectly reveal individual’s identity. For example, Origo may aggregate Usage Data to calculate the percentage of users accessing a specific website feature. However, if Aggregated Data is combined or connected with personal data so that it can directly or indirectly identify individuals, Origo will treat the combined data as personal data which will be used in accordance with this privacy notice.

    Origo does not collect any Special Categories of Personal Data about individuals (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor does Origo collect any information about criminal convictions and offences.

  • Methods for collection of personal data

    Origo uses different methods to collect data from and about individuals including through:

    Direct interactions

    Origo may collect Identity, Contact and Financial Data direct from individuals when they fill in forms or correspond to Origo by post, phone, email or otherwise. This includes personal data individuals provide when they:

    • apply for Origo‘s products or services;
    • create an account on Origo‘s website;
    • subscribe to Origo‘s service or publications;
    • request marketing to be sent to them;
    • contact Origo‘s service desk; or
    • register to a course at the Origo school

    Automated technologies or interactions

    As individuals interact with Origo’s websites, Origo will automatically collect Technical Data about their equipment, browsing actions and patterns. Origo collects this personal data by using cookies, server logs and other similar technologies. Please see our cookie notice for further details.

    Third parties or publicly available sources

    Origo has access to Identity Data through the National Registry in Iceland for commercial purposes.

  • Purpose of processing and legal basis

    Below is a description of ways that Origo uses individual’s personal data and which legal basis is relied on to do so.

    Note that Origo may process individual’s personal data for more than one lawful ground depending on the specific purpose for using the data. Individuals can contact Origo if they need details about the purpose and legal basis Origo relies on to process personal data, see below.

    Origo will only use personal data when the law allows. Most commonly, Origo will use personal data in the following circumstances:

    • Where processing personal data is necessary for the performance of a contract with an individual (or to take steps prior to entering into a contract)
    • Where it is necessary for Origo’s legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
    • Where Origo needs to comply with a legal obligation.

    Generally, Origo does not rely on consent as a legal basis for processing personal data except for using cookies on Origo’s website.

    To register new customers

    Origo collects Identity and Contact Data when new customers register. The legal basis relied on is in most circumstances performance of a contract with the individual who‘s data is being collected.

    To process and deliver products or services

    Origo processes Identity, Contact, Financial, Transaction and Marketing Data to process and deliver products or services, i.e. managing payments from individuals and collecting payments individuals owe to Origo. Managing payments is in most circumstances necessary for the performance of a contract with an individual. Origo has on the other hand legitimate interests in recovering debts due to the company.

    Service desk and repair services

    Origo collects personal data from individuals how call Origo‘s service desk or use our repair services. This processing is in most circumstances necessary for the performance of contract.

    To manage the relationship with customers

    Origo also processes personal data of individuals who are customers of Origo to manage the relationship with them. The categories of data Origo processes for that purpose are Identity, Contact and Marketing Data. An example of a processing activity that is performed for this purpose would be when Origo sends it‘s customers surveys or asks them to review products or services. This processing is necessary for the legitimate interests of Origo to study how customers use Origo‘s products or services.

    Network and information security

    Origo will process Identity, Contact and Technical Data to administer and protect the business and websites. This includes troubleshooting, data analysis, testing and other system maintenance that is necessary for Origo’s legitimate interest for running business and network security.

    Improving products and services

    Origo processes Technical and Usage Data for analysing how to improve websites, products, services, marketing, customer relationship and experiences. This processing is necessary for Origo’s legitimate interests to develop products and services and help the business grow.

    Contact Data

    Origo’s core business is providing IT services to enterprises. When doing business with enterprises Origo will process Contact Data belonging to individuals that are employees of these enterprises. The categories of data that Origo will be processing is most likely Identity and Contact Data and the legal basis for processing is based on Origo’s legitimate interests to run business.

    Electronic monitoring

    Origo uses CCTV cameras around the company’s buildings and inside them in Reykjavik and Akureyri. All monitored areas inside the buildings are marked. Origo uses CCTV cameras for security and to protect the company’s properties.

    Calls from customers to Origo’s service desk are recorded. The recording is based on Origo’s legitimate interests to ensure security in the business.

    Guests attending meetings

    Origo collects Identity Data about customers that are attending meetings at Origo’s facilities at Borgartún 37, 105 Reykjavik. The processing is based on Origo’s legitimate interests as it is necessary for security and for compliance with ISO 27001 standard.

    Direct marketing

    Origo may process Identity, Contact, Technical and Usage Data to analyse the customer needs with their interests in mind. This way it’s possible to decide which products, services and offers may be relevant for customers. This processing is based on Origo’s legitimate interests to be able to develop products and services and make the business grow.

    Individuals that have purchased products or services from Origo or asked to be contacted on Origo’s website will receive marketing emails if they have not opted out at point of collection of the personal data. Individuals can at any given time ask Origo to stop sending them marketing material by following the opt-out links on any marketing email they have received from Origo.

    Where individuals have opted out of receiving marketing material it will not apply to personal data provided to Origo as a result of a product/service purchase, warranty registration, or other transactions.

    Necessary to comply with legal obligation or court order

    Origo may process personal data when it is necessary so for the company to comply with a legal obligation or court order.

    Cookies

    Origo uses cookies to improve the user experience on it’s websites. Origo’s use of cookies is based on legitimate interests in some cases and in other cases on consent. More information about cookies and how to manage them can be found here.

    Change of purpose

    Origo will only use personal data for the purposes for which it was collected, unless the new purpose is compatible with the original purpose.

    If Origo needs to use personal data for an unrelated purpose, individuals will be notified and which legal basis the processing will be based on.

  • Disclosure of personal data

    Origo may disclose personal data with third party service providers for the purpose set out above.

    Third parties that process personal data on behalf of Origo when providing their services are considered processors according to data protection law. Example of such processors are:

    • Companies that provide Origo with information technology or telecommunication services
    • Professional advisers that provide services to Origo, for example lawyers, auditors and accountants

    Origo requires all third parties processing personal data to sign a data processing agreement (DPA). Origo does not allow third-party service providers to use personal data for their own purposes and only permits them to process personal data for specified purposes and in accordance with Origo’s instructions.

    Origo may disclose personal data with authorities when required by law or court order.

  • Cross border transfer of personal data

    Some of Origo’s third partiy service providers are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.

    Whenever Origo transfers personal data out of the EEA, it will ensure a similar degree of protection is afforded to the data by ensuring at least one of the following safeguards is implemented:

    • Origo will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
    • Where Origo uses certain service providers, it may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
    • Where Origo uses providers based in the US, it may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
  • Security of personal data

    Origo is ISO 27001 certified and has in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

    Access to personal data is limited to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on Origo’s instructions and are subject to a duty of confidentiality. Origo has emphasized on privacy awareness among employees with training and regular education.

    Origo has procedures in place to deal with any suspected personal data breach and individuals will be notified and any applicable regulator of a breach where Origo is legally required to do so.

    More information about Origo’s information security and certification can be found here.

  • Retention of personal data

    Origo will only retain your personal data for as long as reasonably necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. Origo may retain your personal data for a longer period in the event of a complaint or if there is a prospect of litigation in respect to Origo’s relationship with the individual.

    To determine the appropriate retention period for personal data, Origo considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which the personal data is processed and whether the purpose can be achieved through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

    By law Origo has to keep basic information about customers (including Contact, Identity, Financial and Transaction Data) for 7 years after they cease being customers for accounting purposes.

    All information due to electronic monitoring will be retained for 90 days.

    In some circumstances Origo will anonymise personal data (so that it can no longer be associated with an individual) for research or statistical purposes, in which case we may use this information indefinitely without further notice to individuals.

  • Data subject's rights

    Under certain circumstances, individuals have rights under data protection laws in relation to their personal data. Individuals have the right to:

    Request access to personal data

    Individuals can request access to their personal data. This enables them to receive a copy of the personal data Origo holds about them and to get information about the processing.

    Request correction of personal data

    Individuals have the right to request correction of the personal data that Origo holds about them. This enables them to have any incomplete or inaccurate data corrected.

    Request erasure of personal data

    Individuals can have right to request erasure of your personal data. This enables them to ask Origo to delete or remove personal data where there is no good reason for continuing to process it. Note, however, that Origo may not always be able to comply with the request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

    Object to processing

    Individuals have the right to object to processing of their personal data where Origo is relying on a legitimate interest (or those of a third party). Individuals also have the right to object where personal data is processed for direct marketing purposes. In some cases, Origo may demonstrate that it has compelling legitimate grounds to process individuals information which override his rights and freedoms.

    Restrict processing

    Individuals have the right to request restriction of processing of their personal data. This enables them to ask for the processing of their personal data to be suspended in the following scenarios:

    • If individuals want to establish the data's accuracy.
    • Where individuals believe that Origo’s use of the data is unlawful but they do not want to erase it.
    • Where an individual needs Origo to hold the data even if Origo no longer requires it as he needs it to establish, exercise or defend legal claims.
    • The individual has objected to Origo’s use of his data but Origo needs to verify whether there are overriding legitimate grounds to use it.

    Transfer personal data

    Individuals have the right to request transfer of their personal data to them or to a third party. Origo will try it’s best to provide to an individual, or a third party he has chosen, their personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which the individual initially provided consent for Origo to use or where Origo used the information to perform a contract with the individual.

    Withdraw consent

    Individuals have the right to withdraw consent at any time where Origo is relying on consent to process their personal data. However, this will not affect the lawfulness of any processing carried out before the withdraw of consent. When individuals request to withdraw their consent, Origo may not be able to provide certain products or services to them.

    Right to make a complaint to the supervisory authority

    Individuals have the right to make a complaint at any time to their supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority so please contact us in the first instance.

  • How do data subjects send requests to Origo?

    If individuals wish to exercise any of their rights set out above, please send a request through our service portal.

    Note that Origo is only allowed to process requests when the company is acting as the controller of personal data.

    No fee usually required

    Individuals will not have to pay a fee to exercise their rights. However, Origo may charge a responable fee if a request is clearly unfounded, repetitive or excessive. Alternatively, Origo could refuse to comply with your request in these circumstances.

    Identification

    Origo will identify individuals that send request with an electronic ID. This identification is necessary so Origo can comply with its legal obligation in accordance with data protection law. The identification ensures that personal data is not disclosed to unauthorised persons.

    In some circumstances Origo will contact individuals for further information if necessary.

    Time limit to respond

    Origo will try to respond to all legitimate requests within one month. Occasionally it could take longer than a month if request is particularly complex or an individual has made a number of requests. In this case, we will notify individuals and keep them updated.