Icelandair Group Employee and Applicant Privacy Policy

When we process personal information about employees or job applicants in accordance with this Privacy Policy, the company to which your application is directed to or the company with which you have your employment contract is considered to be the data controller of your data.

You may at any time contact our appointed Data Protection Officer, Mr. Ari Guðjónsson, by writing to [email protected] or by writing us at the following address:

Icelandair Group
C/O DPO
Reykjavíkurflugvelli 
101 Reykjavík
Iceland

We always endeavor to comply with privacy laws and regulations and this policy is based on current privacy laws, as well as the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC).

Our Privacy Policy applies when we collect, use or otherwise process your personal information regarding our employment relationship or when you apply for a job at Icelandair Group.

Personal information is any identified or identifiable information relating to you as individual, which directly or indirectly can be traced to you. The following are examples of personal information:

• Name 
• Social Security number 
• Email address 
• Health information

In certain cases, we may process information about you that is considered to be particularly sensitive within the meaning of privacy law. According to privacy law, particular care needs to be taken when processing sensitive types of information, such as information on health health or your union membership. This information is considered to be sensitive personal information, and Icelandair Group will be particularly cautious when processing such information. 

Sensitive personal information may be collected as part of your employment relationship with us and you may also provide us with such information in connection with your employment application.

Icelandair Group processes sensitive personal information about staff and applicants, for example, in the following cases:

• Because employees have specific rights granted by law, collective agreements or employment contracts, we may need to process health information about you so that you may benefit from such rights. For example, we need to keep a record of whether or not a member of staff has been on sick leave in order to allocate rights related to such leave.
• We process information about union membership so that we can pay your statutory membership fees to the union according to relevant law and collective agreements.

As an employer, we process various types of personal information about our employees and job applicants. Different types of personal information may be collected depending on the nature of the job in question. The following are examples of information that Icelandair Group processes about employees:

• General contact information, such as name, address, phone number and email address. 
• Social Security number
• Gender
• Information on education and work experience
• Information required to pay salaries and to pay taxes on pension funds and unions.
• Information resulting from the employment relationship
• Recordings from surveillance cameras
• Photographs
• Information on salary, sick leave and other benefits

In the job application process and after the engagement of our employment relationship, we may collect personal information from you as well as other third parties, e.g. references or employment agencies. We may also process personal information which is publicly available, e.g. information from news and social media, as long as there are legitimate reasons for such processing. 

As an employer, Icelandair Group needs to process various personal information about staff and applicants as a regular part of our business operations. Icelandair Group only processes personal information when it is permitted by law. When we process personal information, in almost all cases it will be for the following purposes:

• So that we can take steps prior to entering into a contract:
  
  • Example: We process personal information in the job application process so that we can decide on whether or not to hire an applicant.
• So that we can perform our contract with you:
  
  • Example: We use your information such as your name, national ID and bank details so that we can pay your salary in accordance with our employment contract.
• When we have legitimate interests or when we are protecting the legitimate interests of third parties:
  
  • Example: In case of a dispute, we may be required to process your personal information to protect our interests or the interests of other third parties.
  • Example: We monitor some computer systems, controlled areas and maintain access controls for the purposes of security and safeguarding of property. That way, we can ensure the reliability and traceability of information and minimize the risk of security breaches.
• Because we are required by law to process personal information:
  
  • Example: In order to pay your union membership fees and mandatory pension payments, we need to process information related to your union and pension fund membership.
• If you have provided your consent for specific processing of data.
• In rare cases, we may process your personal information in order to protect your vital interests or the vital interests of another person.
  
  • Example: In case of an emergency, we might transfer information on a medical condition if it were necessary to protect your vital interests.

Icelandair Group may transfer your personal information to third parties when there are legitimate reasons for such transfers. An example of such transfer is when we transfer personal information for the purpose of payroll management. Icelandair Group also transfers personal information within the Icelandair Group when there are legitimate reasons for such transfers. 

Your personal information may also be delivered to a third party to the extent permitted or required by applicable laws or regulations, such as to the government, police or a court of law.

Personal information is also transferred to third parties which provide Icelandair Group with IT services and other services which are used in our regular business operations.

Recipients of your personal information may be located outside of Iceland. However, Icelandair Group will not transfer personal information outside the European Economic Area unless permitted by privacy legislation, for example, on the basis of Standard Contractual Clauses, your consent or the Data Protection Authority’s publicized list of countries that provide adequate protection of personal information.

Finally, your personal information may be transferred to the extent permitted or required by applicable laws or regulations or to respond to legal actions such as subpoenas or court orders.

The processing of personal information is vital so that Icelandair Group can maintain its regular business operations. If you or other third parties refuse to provide your personal information when it is necessary for the purposes described in the section “For what purposes does Icelandair Group process personal information?”, it may result in us not being able to enter into or fulfill an employment contract with you. It may also result in us not being able to fulfill or legal obligations.

We may make changes to this Privacy Policy from time to time so that they best reflect the current processing of personal information. When we make changes to this Privacy Policy, we may or may not give you notice about the changes. You can always find the current version of this Privacy Policy on our intranet.

Icelandair Group will ensure the safety of your personal information by applying appropriate safety measures, e.g. with external security as well as organizational and technical security measures. Security measures are intended to protect personal information from being lost, misused, altered and against all illegal processing.

You may have the right to decide how your personal information is processed by Icelandair Group. You may have the right to access your personal information being processed by Icelandair Group, and to be informed whether we process personal information about you or not.

In certain circumstances you may have the right to have the information you provided, transferred directly to a third party by Icelandair Group. 

Similarly, you may request that all or certain parts of your personal information stored by Icelandair Group be deleted, for example, if there are no longer legitimate interests for the processing. If the processing is based on your consent, you may at any time withdraw it.

You may also have the right to limit the processing of your personal information, as well as the right to object to any processing performed on the basis of the legitimate interests of Icelandair Group.

The rights mentioned above may be subject to restrictions. Thus, the law may oblige Icelandair Group to reject a request for the deletion or access to data. Furthermore, Icelandair Group may reject your request on the basis of it infringing the rights of others.

If you are interested in knowing which types of your personal information Icelandair Group processes or wish to have your personal information altered, deleted or delivered to you, please contact us by sending an email to [email protected], or by writing to us via letter.                                                                                                                                                                      

If you wish to submit a complaint regarding Icelandair Group's processing of your personal information, you can contact the Data Protection Authority.