1. General consultation and services

2. Léttský

3. Avaya phone system

4. Connection with Office 365 provider

5. Consultation service for databases

6. Endpoint management

7. User service and device operation

8. Web hosting

9. SAP S/4HANA hosting

10. Backup

11. Gagnaský

12. Database hosting

13. Data storage

14. Operation of Microsoft 365 environment

15. Operation of databases

16. Tölvuský

17. Kjarni

18. CCQ

19. Rent a Prent (RAP)

20. Hosting of equipment

21. Dynamics 365 - Business Central

Data processing descriptions

Below is a list describing the processing of personal data that Origo may carry out in connection with each service that Origo may provide to customers.

It should be noted that this is a description of all of Origo's main services (the "Processor") and therefore not all descriptions apply to each customer (the "Controller"); instead, these are only descriptions of the services that the Controller purchases from the Processor at any given time.

The nature and purpose of the processing is determined by the service description in the service agreement/s concluded between the parties. Usually, the processing either consists in the Processor hosting the Controller's personal data and/or the Processor's possible access to the Controller's personal data in connection with the technical assistance that the Processor provides to the Controller.

For each processing description below, information is provided about the categories of personal data, the categories of data subjects, sub-processors and information on whether the sharing of personal data outside the EEA takes place, in relation to each of the Processor's services.

1. General consultation and services

1.1 Purpose and nature of processing

Origo provides professional services in the field of IT, system design, app programming, installation work on equipment, installation or changes to software, hardware maintenance and other services as specified in the agreement with the service buyer. The service may be in a standard form or adapted to each situation.

In order to be able to provide the service, Origo may need access to the service buyer's personally identifiable information.

1.2 Categories of data subjects and categories of personal data

The personal data that Origo may gain access to can be different depending on the nature of the service buyer's activity or the service that Origo provides to the service buyer at any time. Origo is prohibited from processing personal data without the instructions of the service buyer.

1.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

1.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

2. Léttský

2.1 Purpose and nature of processing

Origo (the Processor) handles the administration of computers and smart devices for the service buyer (the Controller) and handles their user management as well as operating the Controller's Microsoft 365 environment. If requested, the Processor will take control of the users' computer equipment in connection with installation, assistance or problem solving for the users of devices under management.

2.2 Categories of data subjects and categories of personal data

The processing of personal data extends to the Microsoft 365 operating environment and personal data on users' devices and users' home areas in the cloud:

The Controller's users:

  • Name and username

  • Phone number

  • E-mail address

  • IP addresses

When taking control of users' devices for assistance:

  • All personal data on the user's device

For backing up home area and Microsoft 365 administration:

  • May contain information about all categories of data subjects and personal data stored on the Controller's home area

2.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

2.4 Sharing of data outside the EEA

  • No sharing of data outside the EEA takes place.

3. Avaya phone system

3.1 Purpose and nature of processing

Origo (the Processor) provides a phone system solution to the service buyer (the Controller) as well as operating and hosting the system for the Controller.

3.2 Categories of data subjects and categories of personal data

The following personal data is stored in the system:

  • The name of the caller

  • The selected number

  • The phone number of an incoming call

  • Call length and time

  • A copy of the phone call in a recording system

3.3 Sub-processors

No sub-processors.

3.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

4. Connection with Office 365 provider

4.1 Purpose and nature of processing

Origo (the Processor) connects the users of the service buyer (the Controller) so that they can identify themselves and use the services requested by the service buyer. The Processor hosts the system and has access to it in connection with services and technical support.

4.2 Categories of data subjects and categories of personal data

The Controller's users:

  • User names

  • E-mail addresses

4.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

4.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

5. Consultation service for databases

5.1 Purpose and nature of processing

Origo (the Processor) conducts a review of the databases of the service buyer (the Controller) and for this purpose has temporary access to the Controller's databases.

5.2 Categories of data subjects and categories of personal data

Information on the Controller's databases may relate to all categories of data subjects and personal data that the Controller chooses to store on its databases.

5.3 Sub-processors

No sub-processors.

5.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

6. Endpoint management

6.1 Purpose and nature of processing

Origo (the Processor) connects the devices of the service buyer (the Controller) to the service seller's central software solution to monitor them and perform necessary software updates to ensure security. The Processor hosts the software solution and has access to it and information on users' devices in connection with services and technical support.

6.2 Categories of data subjects and categories of personal data

Origo's processing covers the operating environment of the administration tool and personal data on computers and smart devices:

The Controller's users:

  • Name and username

  • E-mail address

  • IP addresses

When taking control of users' devices for assistance:

  • All personal data on the user's device

6.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

6.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

7. User service and device operation

7.1 Purpose and nature of processing

Origo (the Processor) handles the administration of computers and smart devices for the service buyer (the Controller) and their user management. If requested, the Processor takes control of the users' computer equipment in connection with installation, assistance or problem solving for the users of devices under management.

7.2 Categories of data subjects and categories of personal data

The processing of personal data extends to personal data on users' devices and home areas:

The Controller's users:

  • Name and username

  • Phone number

  • E-mail address

  • IP addresses

When taking control of users' devices for assistance:

  • All personal data on the user's device

7.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

7.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

8. Web hosting

8.1 Purpose and nature of processing

Origo (the Processor) hosts the website of the service buyer (the Controller).

8.2 Categories of data subjects and categories of personal data

All personal data that the Controller may place on its website.

8.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

8.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

9. SAP S/4HANA hosting

9.1 Purpose and nature of processing

Origo (the Processor) provides and hosts networks, servers, disk arrays and operating systems for the service buyer (the Controller) for hosting on HANA virtual machines. Hosting of systems involves daily maintenance and operation of infrastructure in the Processor's data center.

9.2 Categories of data subjects and categories of personal data

All data that the Controller hosts on its virtual machines.

9.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

9.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

10. Backup

10.1 Purpose and nature of processing

Origo (the Processor) provides services to the service buyer (the Controller) in the form of data backup and storage. The data is hosted in Iceland in ISO 27001 and SOC2 certified data centers.

10.2 Categories of data subjects and categories of personal data

The personal data of the Controller that is copied can cover all categories of data subjects and personal data that the Controller chooses to be copied.

10.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

10.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

11. Gagnaský

11.1 Purpose and nature of processing

Origo (the Processor) provides services to the service buyer (the Controller) in the form of long-term storage of data that is accessible to the Controller via an internet connection. The data is stored as two identical copies in two separate data centers in Iceland.

11.2 Categories of data subjects and categories of personal data

All categories of data subjects and personal data that the Controller chooses to store in the data storage to which it has access.

11.3 Sub-processors

IBM Danmark ApS, Proevensvej 1 Broendby, 2605 Denmark

  • Service of software and hardware as well as technical support.

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

11.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

12. Database hosting

12.1 Purpose and nature of processing

Origo (the Processor) hosts databases for the service buyer (the Controller) along with the data stored there. The database is accessible to the Controller via an internet connection.

12.2 Categories of data subjects and categories of personal data

Personal data may concern all categories of data subjects and the personal data that the Controller chooses to store in the environment.

12.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

12.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

13. Data storage

13.1 Purpose and nature of processing

Origo (the Processor) provides services to the service buyer (the Controller) in the form of data storage that is accessible to the Controller via an internet connection.

13.2 Categories of data subjects and categories of personal data

Personal data in the Processor's data storage may concern all categories of data subjects and the personal data that the Controller chooses to store in the data storage to which it has access.

13.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

13.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

14. Operation of Microsoft 365 environment

14.1 Purpose and nature of processing

Origo (the Processor) handles the operation of the Microsoft 365 environment for the service buyer (the Controller) and/or sells Microsoft licenses to the Controller and for that purpose has access to the Microsoft 365 license environment of the Controller.

14.2 Categories of data subjects and categories of personal data

The Controller's users:

  • Name and username

  • Phone number

  • E-mail address

  • IP addresses

14.3 Sub-processors

No sub-processors.

14.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

15. Operation of databases

15.1 Purpose and nature of processing

Origo (the Processor) handles the operation of databases for the service buyer (the Controller) and for that purpose has access to the databases concerned.

15.2 Categories of data subjects and categories of personal data

Processing covers the information contained in the Controller's respective databases, which information may concern all categories of data subjects and the personal data that the Controller chooses to store on its databases.

15.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

Only in respect of Oracle databases: Miracle ehf., reg. no. 4710032980, Kringlan 7, 103 Reykjavik.

  • Technical assistance for the operation of Oracle databases.

15.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

16. Tölvuský

16.1 Purpose and nature of processing

Origo (the Processor) provides the service buyer (the Controller) with access to computer resources used for processing and/or changing data. The data is not permanently retained and instead is only stored in servers' random access memory and cache. Permanent storage is in the Gagnaský.

16.2 Categories of data subjects and categories of personal data

The Controller's data may concern data subjects and personal data from all categories that the Controller chooses to have processed in the service.

16.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

16.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

17. Kjarni

17.1 Purpose and nature of processing

Origo (the Processor) hosts the system and the Processor may also have access to data in the system in connection with services and technical support provided to the service buyer (the Controller).

17.2 Categories of data subjects and categories of personal data

The personal data that the Controller places in the system is processed. The data that may be processed is mainly the following, as applicable:

Employees of the Controller and/or contractors of the Controller:

  • Contact information

  • Copy of employment/contractor agreement

  • CV

  • Information about education and courses

  • Salary information/copies of invoices

  • Copies of medical certificates

  • Reports of accidents at work

  • Etc.

Applicants for jobs at the Controller:

  • Application documents, e.g. copy of CV, information on work experience and education

  • Information that applicants provide to the Controller

Employees' immediate family members and/or references:

  • Contact information, i.e. name, e-mail address and/or phone number

17.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

17.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

18. CCQ

18.1 Purpose and nature of processing

Origo (the Processor) handles the hosting of the system. The Processor may also, as the case may be, have access to data in the system in connection with services and technical support provided to the service buyer (the Controller).

18.2 Categories of data subjects and categories of personal data

The personal data that the Controller places in the system is processed. The data and data subject categories concerned are mainly the following, as applicable, depending on which modules and functions of the CCQ quality management system/Justly Pay are used:

In connection with all modules of the CCQ quality management system/Justly Pay:

  • Name and username of system users

  • E-mail address of system users

  • User authorisations and access controls

  • The immediate superior and employer of system users

  • Settings selected by each user

In connection with competence management in the CCQ quality management system:

  • CVs of employees/contractors

  • Education of employees/contractors

  • Training and courses completed by employees/contractors

  • Rights of employees/contractors

In connection with audits in the CCQ quality management system:

  • Anomaly registration

In connection with the assets register in the CCQ quality management system:

  • Information about the Controller's contracts

  • Information about equipment and other assets, down to the individual, as the case may be

In connection with the tips module of the CCQ quality management system:

  • Contact information of those who submit tips, as the case may be

  • Content of tips, e.g. accident registrations, near anomalies, incidents, etc. It should be noted that tips may contain sensitive personal information, depending on the purpose for which the Controller uses the module.

In connection with Justly Pay:

  • Content of equal pay tips

  • Content of audits and/or anomaly registrations

In addition to the above information, the system collects information about event registrations of system users.

18.3 Sub-processors

IBM, Prøvensvej 1, 2605 Brøndby, Denmark

  • Hosting of the CCQ quality management system and Justly Pay.

  • The systems are hosted in Germany (Frankfurt) and the United Kingdom (London).

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

18.4 Sharing of data outside the EEA

Please note that the UK is classified as a non-EEA country with adequate security measures; transferring data there is therefore permitted without additional measures.

19. Rent a Prent (RAP)

19.1 Purpose and nature of processing

Origo (the Processor) provides printing services to the service buyer (the Controller). To be able to set up and operate this service for the Controller, the Processor has access to printing service software and the operating environment of print servers.

19.2 Categories of data subjects and categories of personal data

The data and categories of data subjects that are processed are those that can be found on print servers and in related software.

The Controller's RAP users:

  • Name

  • Phone number

  • User name

  • Keyword for opening an account

  • E-mail address

  • Title, department, position

  • Id. no.

  • Address

  • User print history

Data that may concern any category of data subjects:

  • When reviewing a report of users' print history, a small part of the text contained in the documents is visible and may contain personal data from all categories.

19.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

19.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

20. Hosting of equipment

20.1 Purpose and nature of processing

Origo (the Processor) hosts the equipment of the service buyer (the Controller) in secure system rooms. The Controller stores data on the hosted equipment without the involvement of Origo.

20.2 Categories of data subjects and categories of personal data

All categories of data subjects and personal data that the service buyer stores on the hosted equipment.

20.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

20.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.

21. Dynamics 365 - Business Central

21.1 Purpose and nature of processing

Origo (the Processor) manages the operation of the system for the Controller and the Processor also has access to data in the system in connection with services, technical support and consultation provided to the service buyer (the Controller).

The system is hosted in the Microsoft Azure environment, and there is a direct contractual relationship between the customer and Microsoft regarding that processing.

21.2 Categories of data subjects and categories of personal data

The personal data that the Controller places in the system is processed. The data that may be processed is mainly the following, as applicable:

Employees of the Controller and/or contractors of the Controller:

  • E-mail addresses and usernames

Customers and suppliers of the Controller:

  • Name

  • Address

  • Id. no.

  • Financial information of individuals

21.3 Sub-processors

Syndis ehf., reg. no. 580113-0600, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Monitoring of the monitoring and request system, and servicing of the Processor's log management system. In connection with the service, Syndis has access to IP addresses, contact information and information about the content of requests from the request system.

  • Specialised security services and consultation. The access of Syndis ehf. can extend to all the information that the Processor processes on behalf of the Controller.

Unimaze ehf., reg. no. 550403-3150, Borgartún 37, 105, Reykjavik (a subsidiary of the Processor).

  • Handles the transmission of electronic messages and the approval of invoices.

21.4 Sharing of data outside the EEA

No sharing of data outside the EEA takes place.