1. General consultation and services
2. Léttský
3. Avaya phone system
4. Connection with Office 365 provider
5. Consultation service for databases
6. Endpoint management
7. User service and device operation
8. Web hosting
9. SAP S/4HANA hosting
10. Backup
11. Gagnaský
12. Database hosting
13. Data storage
14. Operation of Microsoft 365 environment
15. Operation of databases
16. Tölvuský
17. Kjarni
18. CCQ
19. Rent a Prent (RAP)
20. Hosting of equipment
21. Dynamics 365 - Business Central
22. Tollvís
Data processing descriptions
Below is a list describing the processing of personal data that Origo may carry out in connection with each service that Origo may provide to customers.
It should be noted that this is a description of all of Origo's main services (the "Processor") and therefore not all descriptions apply to each customer (the "Controller"); instead, these are only descriptions of the services that the Controller purchases from the Processor at any given time.
The nature and purpose of the processing is determined by the service description in the service agreement/s concluded between the parties. Usually, the processing either consists in the Processor hosting the Controller's personal data and/or the Processor's possible access to the Controller's personal data in connection with the technical assistance that the Processor provides to the Controller.
For each processing description below, information is provided about the categories of personal data, the categories of data subjects, sub-processors and information on whether the sharing of personal data outside the EEA takes place, in relation to each of the Processor's services.
1. General consultation and services
1.1. Purpose and nature of processing
Origo provides professional services in the field of IT, system design, app programming, installation work on equipment, installation or changes to software, hardware maintenance and other services as specified in the agreement with the service buyer. The service may be in a standard form or adapted to each situation.
In order to be able to provide the service, Origo may need access to the service buyer's personally identifiable information.
1.2. Categories of data subjects and categories of personal data
The personal data that Origo may gain access to can be different depending on the nature of the service buyer's activity or the service that Origo provides to the service buyer at any time. Origo is prohibited from processing personal data without the instructions of the service buyer.
1.3. Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105. Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
1.4. Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
2. Léttský
2.1 Purpose and nature of processing
Origo (the Processor) handles the administration of computes and smart devices for the service buyer (the Controller) and handles their user management as well as operating the Controller's Microsoft 365 environment. If requested, the Processor will take control of the users' computer equipment in connection with: installation, assistance or problem solving for the users of devices under management.
2.2 Categories of data subjects and categories of personal data
The processing of personal data extends to the Microsoft 365 operating environment and personal data on users' devices and users' home areas in the cloud:
The Controller's users:
Name and username
Phone number
E-mail address
IP addresses
When taking control of users' devices for assistance:
All personal data on the user's device
For backing up home area and Microsoft 365 administration
May contain information about all categories of data subjects and personal data stored on the Controller's home area
2.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
2.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
3. Avaya phone system
Origo (the Processor) provides a phone system solution to the service buyer (the Controller) as well as operating and hosting the system for the Controller.
3.2 Categories of data subjects and categories of personal data
The following personal data is stored in the system:
The name of the caller
The selected number
The phone number of an incoming call
Call length and time
A copy of the phone call in a recording system
3.3 Sub-processors
No sub-processors.
3.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
4. Connection with Office 365 provider
4.1 Purpose and nature of processing
Origo (the Processor) connects the users of the service buyer (the Controller) so that they can identify themselves and use the services requested by the service buyer. The Processor hosts the system and has access to it in connection with services and technical support.
4.2 Categories of data subjects and categories of personal data
The Controller's users:
User names
E-mail addresses
4.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
4.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
5. Consultation service for databases
5.1 Purpose and nature of processing
Origo (the Processor) conducts a review of the databases of the service buyer (the Controller) and for this purpose has temporary access to the Controller's databases.
5.2 Categories of data subjects and categories of personal data
Information on the Controller's databases may relate to all categories of data subjects and personal data that the Controller chooses to store on its databases.
5.3 Sub-processors
No sub-processors.
5.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
6. Endpoint management
6.1 Purpose and nature of processing
Origo (the Processor) connects the devices of the service buyer (the Controller) to the service seller's central software solution to monitor them and perform necessary software updates to ensure security. The Processor hosts the software solution and has access to it and information on users' devices in connection with services and technical support.
6.2 Categories of data subjects and categories of personal data
Origo's processing covers the operating environment of the administration tool and personal data on computers and smart devices:
The Controller's users:
Name and username
E-mail address
IP addresses
When taking control of users' devices for assistance:
All personal data on the user's device
6.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
6.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
7. User service and device operation
7.1 Purpose and nature of processing
Origo (the Processor) handles the administration of computes and smart devices for the service buyer (the Controller) and their user management. If requested, the Processor takes control of the users' computer equipment in connection with: installation, assistance or problem solving for the users of devices under management.
7.2 Categories of data subjects and categories of personal data
The processing of personal data extends to personal data on users' devices and home areas:
The Controller's users:
Name and username
Phone number
E-mail address
IP addresses
When taking control of users' devices for assistance:
All personal data on the user's device.
7.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
7.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
8. Web hosting
8.1 Purpose and nature of processing
Origo (the Processor) hosts the website of the service buyer (the Controller).
8.2 Categories of data subjects and categories of personal data
All personal data that the Controller may place on its website.
8.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
8.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
9. SAP S/4HANA hosting
9.1 Purpose and nature of processing
Origo (the Processor) provides and hosts networks, servers, disk arrays and operating systems for the service buyer (the Controller) for hosting on HANA virtual machines. Hosting of systems involves daily maintenance and operation of infrastructure in the Processor's data center.
9.2 Categories of data subjects and categories of personal data
All data that the Controller hosts on its virtual machines.
9.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
9.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
10. Backup
10.1 Purpose and nature of processing
Origo (the Processor) provides services to the service buyer (the Controller) in the form of data backup and storage. The data is hosted in Iceland in ISO 27001 certified data centers.
10.2 Categories of data subjects and categories of personal data
The personal data of the Controller that is copied can cover all categories of data subjects and personal data that the Controller chooses to be copied.
10.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
10.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
11. Gagnaský
11.1 Purpose and nature of processing
Origo (the Processor) provides services to the service buyer (the Controller) in the form of long-term storage of data that is accessible to the Controller via an internet connection. The data is stored as two identical copies in two separate data centers in Iceland.
11.2 Categories of data subjects and categories of personal data
All categories of data subjects and personal data that the Controller chooses to store in the data storage to which it has access.
11.3 Sub-processors
IBM Danmark ApS, Proevensvej 1 Broendby, 2605 Denmark
Service of software and hardware as well as technical support.
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
11.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
12. Database hosting
12.1 Purpose and nature of processing
Origo (the Processor) hosts databases for the service buyer (the Controller) along with the data stored there. The database is accessible to the Controller via an internet connection.
12.2 Categories of data subjects and categories of personal data
Personal data may concern all categories of data subjects and the personal data that the Controller chooses to store in the environment.
12.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
12.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
13. Data storage
13.1 Purpose and nature of processing
Origo (the Processor) provides services to the service buyer (the Controller) in the form of data storage that is accessible to the Controller via an internet connection.
13.2 Categories of data subjects and categories of personal data
Personal data in the Processor's data storage may concern all categories of data subjects and the personal data that the Controller chooses to store in the data storage to which it has access.
13.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
13.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
14. Operation of Microsoft 365 environment
14.1 Purpose and nature of processing
Origo (the Processor) handles the operation of the Microsoft 365 environment for the service buyer (the Controller) and/or sells Microsoft licenses to the Controller and for that purpose has access to the Microsoft 365 license environment of the Controller.
14.2 Categories of data subjects and categories of personal data
The Controller's users:
Name and username
Phone number
E-mail address
IP addresses
14.3 Sub-processors
No sub-processors.
14.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
15. Operation of databases
15.1 Purpose and nature of processing
Origo (the Processor) handles the operation of databases for the service buyer (the Controller) and for that purpose has access to the databases concerned.
15.2 Categories of data subjects and categories of personal data
Processing covers the information contained in the Controller's respective databases, which information may concern all categories of data subjects and the personal data that the Controller chooses to store on its databases.
15.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
Only in respect of Oracle databases: Miracle ehf., reg. no. 4710032980, Kringlan 7, 103 Reykjavik.
Technical assistance for the operation of Oracle databases.
15.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
16. Tölvuský
16.1 Purpose and nature of processing
Origo (the Processor) provides the service buyer (the Controller) with access to computer resources used for processing and/or changing data. The data is not permanently retained and instead is only stored in servers' random access memory and cache. Permanent storage is in the Gagnaský.
16.2 Categories of data subjects and categories of personal data
· The Controller's data may concern data subjects and personal data from all categories that the Controller chooses to have processed in the service.
16.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
16.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
17. Kjarni
17.1 Purpose and nature of processing
Origo (the Processor) hosts the system and the Processor may also have access to data in the system in connection with services and technical support provided to the service buyer (the Controller).
17.2 Categories of data subjects and categories of personal data
The personal data that the Controller places in the system is processed. The data that may be processed is mainly the following, as applicable: Employees of the Controller and/or contractors of the Controller:
Contact information
Copy of employment/contractor agreement
CV
Information about education and courses
Salary information/copies of invoices
Copies of medical certificates
Reports of accidents at work
Etc.
Applicants for jobs at the Controller:
Application documents, e.g. copy of CV, information on work experience and education
Information that applicants provide to the Controller
Employees' immediate family members and/or references:
Contact information, i.e. name, e-mail address and/or phone number
17.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
17.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
18. CCQ
18.1 Purpose and nature of processing
Origo (the Processor) handles the hosting of the system. The Processor may also, as the case may be, have access to data in the system in connection with services and technical support provided to the service buyer (the Controller).
18.2 Categories of data subjects and categories of personal data
The personal data that the Controller places in the system is processed. The data and data subject categories concerned are mainly the following, as applicable, depending on which modules and functions of the CCQ quality management system/Justly Pay are used:
In connection with all modules of the CCQ quality management system/Justly Pay:
Name and username of system users
E-mail address of system users
User authorisations and access controls
The immediate superior and employer of system users
Settings selected by each user
In connection with competence management in the CCQ quality management system:
CVs of employees/contractors
Education of employees/contractors
Training and courses completed by employees/contractors
Rights of employees/contractors
In connection with audits in the CCQ quality management system:
Anomaly registration
In connection with the assets register in the CCQ quality management system:
Information about the Controller's contracts
Information about equipment and other assets, down to the individual, as the case may be
In connection with the tips module of the CCQ quality management system:
Contact information of those who submit tips, as the case may be
Content of tips, e.g. accident registrations, near anomalies, incidents, etc. It should be noted that tips may contain sensitive personal information, depending on the purpose for which the Controller uses the module.
In connection with Justly Pay:
Content of equal pay tips
Content of audits and/or anomaly registrations. In addition to the above information, the system collects information about event registrations of system users.
18.3 Sub-processors
IBM Prøvensvej 1, Danmörk-2605 Brøndby
Hosting of the CCQ quality management system and Justly Pay.
The systems are hosted in Germany (Frankfurt) and the United Kingdom (London).
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 10, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
18.4 Sharing of data outside the EEA
Please note that the UK is classified as a non-EEA country with adequate security measures and no additional measures are therefore required. Please note that the UK is a safe country and transporting data there is therefore permitted without further measures.
19. Rent a Prent (RAP)
19.1 Purpose and nature of processing
Origo (the Processor) provides printing services to the service buyer (the Controller). To be able to set up and operate this service for the Controller, the Processor has access to printing service software and the operating environment of print servers.
19.2 Categories of data subjects and categories of personal data
The data and categories of data subjects that are processed are those that can found on print servers and in related software.
The Controller's RAP users:
Name
Phone number
User name
Keyword for opening an account
E-mail address
Title, department, position
Id. no.
Address
User print history
Data that may concern any category of data subjects:
When reviewing a report of users' print history, a small part of the text contained in the documents is visible and may contain personal data from all categories.
19.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
19.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
20. Hosting of equipment
20.1 Purpose and nature of processing
Origo (the Processor) hosts the equipment of the service buyer (the Controller) in secure system rooms. The Controller stores data on the hosted equipment without the involvement of Origo.
20.2 Categories of data subjects and categories of personal data
All categories of data subjects and personal data that the service buyer stores on the hosted equipment.
20.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
20.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
21. Dynamics 365 - Business Central
21.1 Purpose and nature of processing
Origo (the Processor) manages the operation of the system for the Controller and the Processor also has access to data in the system in connection with services, technical support and consultation provided to the service buyer (the Controller).
The system is hosted in the Microsoft Azure environment, and there is a direct contractual relationship between the customer and Microsoft regarding that processing.
21.2 Categories of data subjects and categories of personal data
The personal data that the Controller places in the system is processed. The data that may be processed is mainly the following, as applicable:
Employees of the Controller and/or contractors of the Controller:
E-mail addresses and usernames
Customers and suppliers of the Controller:
Name
Address
Id. no.
Financial information of individuals
21.3 Sub-processors
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
Unimaze ehf., reg. no. 550403-3150, Borgartún 37, 105. Reykjavik (a subsidiary of the Processor).
Handles the transmission of electronic messages and the approval of invoices.
21.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.
22. Tollvís
22.1 Purpose and nature of processing
Origo (the Processor) has developed a software and environment accessible to the customer (the Controller) trough a cloud service for use to create customs declerations (Tollvís or the solution).
The service provided by the Processor to the Controller is defined in the Controller's subscription contract or an accepted offer from the Processor. To provide the service, the Processor needs to process the Controller‘s personal data.
22.2 Categories of data subjects and categories of personal data
The Controller‘s users:
Name
Id. no.
Email
Phone number
22.3 Sub-Processors
Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown. Dublin 18, D18 P521, Ireland.
The system along with all the information saved is stored in a Microsoft Azure data center in Ireland.
Unimaze ehf., reg. no. 550403-3150, Borgartún 37, 105. Reykjavik (a subsidiary of the Processor).
Handles the transmission of electronic messages and the approval of invoices
Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).
Monitoring of monitoring and request system and service of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.
Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.
22.4 Sharing of data outside the EEA
No sharing of data outside the EEA takes place.