Pingdom Check

Icelandair Group Employee and Applicant Privacy Policy

Below is a summary of how Icelandair Group and our subsidiaries (hereafter collectively referred to as “Icelandair Group”) process your personal information when you apply for a job and while you remain employed with us:

  • As an employer, Icelandair Group needs to process the personal information of staff and job applicants as part of our regular business operations.
  • Icelandair Group processes your personal information when you apply for a job with us, while our employment relationship is ongoing and for a longer period when there are legitimate reasons for doing so.
  • Icelandair Group will provide you with details about what types of information are collected and for which purposes.
  • Icelandair Group will put in place measures and use methods to keep your information secure and protected.
  • Icelandair Group will make sure your data protection rights are respected and to give you more control over your own information.
  • Icelandair Group will use your personal information for the purposes described in this Privacy Policy.

We recommend that you read the Privacy Policy so that you get a better understanding of how your personal information is processed, what types of information we collect, how it is collected, what purpose it is used for and whom they may be shared with.

Similarly, we will provide you with some specific examples of the processing of your personal information. If you have further inquiries, please contact your closest supervisor or Icelandair Group’s data protection officer via e-mail by writing to [email protected].

Please keep in mind the summary above, and the Privacy Policy are not part of our employment contract with you, with regards to your rights at any given time in accordance with applicable law.

Icelandair Group's Privacy Policy

When we process personal information about employees or job applicants in accordance with this Privacy Policy, the company to which your application is directed to or the company with which you have your employment contract is considered to be the data controller of your data.

You may at any time contact our appointed Data Protection Officer, Mr. Ari Guðjónsson, by writing to [email protected] or by writing us at the following address:

Icelandair Group
C/O DPO
Reykjavíkurflugvelli 
101 Reykjavík
Iceland

We always endeavor to comply with privacy laws and regulations and this policy is based on current privacy laws, as well as the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC).


When does this policy apply?

Our Privacy Policy applies when we collect, use or otherwise process your personal information regarding our employment relationship or when you apply for a job at Icelandair Group.

What is personal information?

Personal information is any identified or identifiable information relating to you as individual, which directly or indirectly can be traced to you. The following are examples of personal information:

  • Name 
  • Social Security number 
  • Email address 
  • Health information


What is sensitive personal information?

In certain cases, we may process information about you that is considered to be particularly sensitive within the meaning of privacy law. According to privacy law, particular care needs to be taken when processing sensitive types of information, such as information on health health or your union membership. This information is considered to be sensitive personal information, and Icelandair Group will be particularly cautious when processing such information. 

Sensitive personal information may be collected as part of your employment relationship with us and you may also provide us with such information in connection with your employment application.

Icelandair Group processes sensitive personal information about staff and applicants, for example, in the following cases:

  • Because employees have specific rights granted by law, collective agreements or employment contracts, we may need to process health information about you so that you may benefit from such rights. For example, we need to keep a record of whether or not a member of staff has been on sick leave in order to allocate rights related to such leave.
  • We process information about union membership so that we can pay your statutory membership fees to the union according to relevant law and collective agreements.


Which types of personal information do we process about staff and applicants and how is it collected?

As an employer, we process various types of personal information about our employees and job applicants. Different types of personal information may be collected depending on the nature of the job in question. The following are examples of information that Icelandair Group processes about employees:

  • General contact information, such as name, address, phone number and email address. 
  • Social Security number
  • Gender
  • Information on education and work experience
  • Information required to pay salaries and to pay taxes on pension funds and unions.
  • Information resulting from the employment relationship
  • Recordings from surveillance cameras
  • Photographs
  • Information on salary, sick leave and other benefits

In the job application process and after the engagement of our employment relationship, we may collect personal information from you as well as other third parties, e.g. references or employment agencies. We may also process personal information which is publicly available, e.g. information from news and social media, as long as there are legitimate reasons for such processing. 


For what purposes does Icelandair Group process personal information?

As an employer, Icelandair Group needs to process various personal information about staff and applicants as a regular part of our business operations. Icelandair Group only processes personal information when it is permitted by law. When we process personal information, in almost all cases it will be for the following purposes:

  • So that we can take steps prior to entering into a contract:
    • Example: We process personal information in the job application process so that we can decide on whether or not to hire an applicant.
  • So that we can perform our contract with you:
    • Example: We use your information such as your name, national ID and bank details so that we can pay your salary in accordance with our employment contract.
  • When we have legitimate interests or when we are protecting the legitimate interests of third parties:
    • Example: In case of a dispute, we may be required to process your personal information to protect our interests or the interests of other third parties.
    • Example: We monitor some computer systems, controlled areas and maintain access controls for the purposes of security and safeguarding of property. That way, we can ensure the reliability and traceability of information and minimize the risk of security breaches.
  • Because we are required by law to process personal information:
    • Example: In order to pay your union membership fees and mandatory pension payments, we need to process information related to your union and pension fund membership.
  • If you have provided your consent for specific processing of data.
  • In rare cases, we may process your personal information in order to protect your vital interests or the vital interests of another person.
    • Example: In case of an emergency, we might transfer information on a medical condition if it were necessary to protect your vital interests.


When might we transfer personal information to other third parties?

Icelandair Group may transfer your personal information to third parties when there are legitimate reasons for such transfers. An example of such transfer is when we transfer personal information for the purpose of payroll management. Icelandair Group also transfers personal information within the Icelandair Group when there are legitimate reasons for such transfers. 

Your personal information may also be delivered to a third party to the extent permitted or required by applicable laws or regulations, such as to the government, police or a court of law.

Personal information is also transferred to third parties which provide Icelandair Group with IT services and other services which are used in our regular business operations.

Recipients of your personal information may be located outside of Iceland. However, Icelandair Group will not transfer personal information outside the European Economic Area unless permitted by privacy legislation, for example, on the basis of Standard Contractual Clauses, your consent or the Data Protection Authority’s publicized list of countries that provide adequate protection of personal information.

Finally, your personal information may be transferred to the extent permitted or required by applicable laws or regulations or to respond to legal actions such as subpoenas or court orders.

What if you don’t provide personal information?

The processing of personal information is vital so that Icelandair Group can maintain its regular business operations. If you or other third parties refuse to provide your personal information when it is necessary for the purposes described in the section “For what purposes does Icelandair Group process personal information?”, it may result in us not being able to enter into or fulfill an employment contract with you. It may also result in us not being able to fulfill or legal obligations.

Changes to this Privacy Policy

We may make changes to this Privacy Policy from time to time so that they best reflect the current processing of personal information. When we make changes to this Privacy Policy, we may or may not give you notice about the changes. You can always find the current version of this Privacy Policy on our intranet.

Security of personal information

Icelandair Group will ensure the safety of your personal information by applying appropriate safety measures, e.g. with external security as well as organizational and technical security measures. Security measures are intended to protect personal information from being lost, misused, altered and against all illegal processing.

What are my rights when it comes to processing personal information?

You may have the right to decide how your personal information is processed by Icelandair Group. You may have the right to access your personal information being processed by Icelandair Group, and to be informed whether we process personal information about you or not.

In certain circumstances you may have the right to have the information you provided, transferred directly to a third party by Icelandair Group. 

Similarly, you may request that all or certain parts of your personal information stored by Icelandair Group be deleted, for example, if there are no longer legitimate interests for the processing. If the processing is based on your consent, you may at any time withdraw it.

You may also have the right to limit the processing of your personal information, as well as the right to object to any processing performed on the basis of the legitimate interests of Icelandair Group.

The rights mentioned above may be subject to restrictions. Thus, the law may oblige Icelandair Group to reject a request for the deletion or access to data. Furthermore, Icelandair Group may reject your request on the basis of it infringing the rights of others.

If you are interested in knowing which types of your personal information Icelandair Group processes or wish to have your personal information altered, deleted or delivered to you, please contact us by sending an email to [email protected], or by writing to us via letter.                                                                                                                                                                      

If you wish to submit a complaint regarding Icelandair Group's processing of your personal information, you can contact the Data Protection Authority.