In most instances, the Bank receives personal data from individuals themselves. The gathering and processing of personal data is a prerequisite for the Bank to provide financial services. Data that the Bank processes is classified as a rule as general personal data, but in exceptional circumstances the Bank is required to process sensitive personal information, e.g. um ethnicity and health. Processing of general personal data is only carried out based on an individual’s consent, an agreement with the individual, a legal obligation, legal authority or the legitimate interests of the Bank, the customer or a third party. Processing of sensitive personal data is only carried out based on an individual’s informed consent or legal authority or if the legal requirements for processing sensitive personal information are satisfied.

Personal data provided by an individual

An individual requesting financial services provides the Bank directly with personal data to verify his/her identity, such as name, Id. No., address and nationality, as well as data for communication purposes and on contact persons, e.g. e-mail addresses and telephone numbers. The individual provides the financial and other information required for provision of the goods or services involved in the business relationship, e.g. information to assess the customer's payment capacity, such as a statement of his/her assets and liabilities. The Bank records and preserves communications between individuals and the Bank as provided for by law, this Policy and the Bank's rules.

If an individual refuses to provide the Bank with personal data or objects to its processing, this may affect whether or how the Bank provides the services concerned.

Individuals also provide personal data indirectly, e.g. with IP numbers, by how they identify themselves and when they visit the Bank’s website or online banking, where cookies are used and actions are registered. Further details on cookies can be obtained on the Bank's website. Electronic surveillance is carried out by surveillance cameras at the Bank's establishments and at ATMs. The information is preserved for the sake of traceability, documentation, security and quality assurance.

Personal data provided by a third party

The Bank only accepts personal data from third parties, including undertakings or institutions which possess personal data on individuals, when the former parties are authorised to provide data to the Bank. Examples of parties which provide the Bank with information on individuals are Registers Iceland, the Directorate of Internal Revenue, the Director of Customs and CreditInfo-Lánstraust. The Bank obtains data on individuals for the purpose of ensuring that information on them is reliable and accurate, so that they reflect the individuals’ financial situation correctly. The Bank also obtains personal data which is made publicly available, and processing of which is generally authorised, e.g. information from the Legal Gazette.

The Bank needs to process personal data in order to provide individuals with financial services and financial advice. Personal data is processed for clear and stated purposes in accordance with the Personal Data Protection Act and this Policy and for no other unrelated purposes, unless the Bank is authorised to do so, and the individuals have been informed of the new purpose.

Processing in connection with implementing agreements

When an individual establishes a business relationship with the Bank, the Bank processes personal data on the individual in accordance with an appropriate authorisation, e.g. Landsbankinn's General Terms and Conditions, special terms and conditions or a specific agreement for certain products or services. The Bank furthermore processes personal data on individuals after the establishment of a business relationship in order to fulfil agreements between them. If an individual requests additional services from the Bank this could result in further processing of his/her personal data by the Bank, in addition to which the customer may need to provide updated information depending on the nature of the services concerned.

Examples of the processing carried out for the purpose of establishing a business relationship and carrying out agreements:

- registration of personal data and preservation of electronic ID on the occasion of new transactions, including the opening of a payment account and access to online banking or a request for the issuance of debit or credit cards;
- preparation of credit rating and credit assessment to take a decision on granting credit;
- analysis of a customer’s situation with respect to the Bank's products and services offered, for the purpose of offering financial advice, asset management advice or other services;
- provision of personal data to domestic or foreign partners, e.g. undertakings providing payment mediation or intermediation in transactions in connection with carrying out payment;
- reception of applications for supplementary pension savings and payment from a pension fund.

Processing carried out due to legislative obligations, regulations and administrative provisions

Landsbankinn processes personal data on individuals to fulfil statutory tasks involved in its activities as provided for by law, regulations, court orders, administrative rulings, financial market guidelines and other instructions from authorities.

The authorities, including the Financial Supervisory Authority, the Central Bank of Iceland, the District Prosecutor and the tax and customs administration can request certain information from the Bank on individuals provided there are clear statutory authorisations to this effect. The Bank is obliged to comply with such requests for information and, as appropriate, to provide access to the Bank's establishments and IT systems.

Examples of the processing carried out for the purpose of complying with legal requirements:

- risk management and treasury operations, e.g. preparing credit ratings and credit assessments, assessment of the Bank’s capital adequacy ratio and collateral risk;
- due diligence on individuals as required under the Act on Measures to Combat Money Laundering and Terrorist Financing;
- analysis and investigation of cases concerning money laundering, terrorist financing, fraud and other types of criminal activity;
- preservation of certain personal data on the basis of the Act on Annual Financial Statements, the Act on Accounting and the Act on Securities Transactions.

Processing based on legitimate interests

In certain cases, the Bank processes personal information based on legitimate interests if the processing is necessary in order for the Bank, a third party or parties to whom information is communicated to be able to safeguard their legitimate interests. Such processing is not carried out if it is clear that the fundamental rights and freedoms of an individual concerning protection of personal privacy outweigh the interests at stake in processing.

Examples of processing carried out for the legitimate interests of the Bank, the individual or a third party:

- To process applications concerning the rights of individuals based on requests from individuals, e.g. requests for access to personal data, to correct, delete or limit the processing of personal data.
- preparing and sending individuals direct marketing material about the Bank’s benefits, products and services suitable for them;
- analysing and investigating issues related to network and information security and to prevent fraud;
- developing and testing new work procedures, business processes and information systems of the Bank to improve security and the products and services it offers;
- processing information on legal entities, their owners, directors, executive management, authorised signatories and contact persons so that the Bank can make informed decisions about lending, collateral and guarantees.

Processing based on consent

In certain instances, the Bank processes personal data on individuals based on their consent, e.g. using cookies on the Bank's web, as described in more detail in this policy. In such cases, the Bank provides the individual with more information on the specific processing of personal data covered by the consent. It is always possible to notify the Bank of the withdrawal of consent provided, and then the processing covered by the consent is terminated. Withdrawal of consent does not affect the processing of personal data prior to the withdrawal.

Automated decision-making

In certain instances, the Bank makes automated decisions on services based on a profile of the individual constructed from the Bank’s data on the person. Automated decision-making only takes place with the individual’s consent, if it is a prerequisite for the conclusion or execution of an agreement between the individual and the Bank, or if authorised by law. An individual may submit objections or contest an automated decision if it affects his/her interests.

Examples of profiling are the calculation of a credit assessment, a credit rating for a customer and a loyalty classification. An example of an automated decision is the automatic extension of an overdraft based on the customer's credit rating. Further details on profiling are provided in Landsbankinn's General Terms and Conditions. Further information on credit assessment is available on the Bank's website.

Processing of personal information on children not legally competent

The Bank needs to process personal data on children for the purpose of conducting business or providing services which have been requested, e.g. to open a payment account. Marketing material is not addressed to children, but the Bank does send marketing material to guardians for promotion of goods and services. If guardians choose not to receive marketing material on their child’s behalf, they may refuse such through online banking. Before the Bank offers children electronic services via the Internet, which involve the processing of personal data, the guardian's consent is obtained if a child is under the age of 13, as provided for in the Personal Data Protection Act.

Electronic surveillance is carried out by surveillance cameras at the Bank's establishments and at ATMs. All use of surveillance cameras complies with provisions of the Personal Data Protection Act and rules adopted on its basis.

Telephone conversations between individuals and bank employees may be recorded in accordance with the provisions of the Telecommunications Act or other Acts. Recording of telephone conversations is carried out for the purpose of ensuring security and traceability of transactions. The Bank does not guarantee that all calls are recorded.

Recorded telephone conversations and call records are not preserved for more than 90 days unless otherwise provided for by law.

Landsbankinn does not sell personal data to third parties. The Bank may be required to provide personal information to third parties, such as regulatory authorities, other authorities, payment service providers or other legal entities with which the Bank has a commercial or consultancy relationship. The Bank does not provide personal data unless such disclosure is permitted by law. In addition, in the case of payments in foreign currency certain information about the payment, its purpose and the payer is forwarded to foreign commercial banks for settlement in accordance with the respective law.

Processors who process personal information on behalf of the Bank may also be provided with personal data in order to carry out specific processing on behalf of the Bank. The Bank only partners with processors who can provide sufficient assurance that the processing of personal data respects the requirements of the Personal Data Protection Act and the customer’s rights.

Parties to whom the Bank delivers personal data include financial information agencies in the event of defaults, IT undertakings for operation and hosting of information systems, collection agencies, payment card and mediation undertakings for execution of transactions, as well as various depositories of financial instruments, as described in detail in the terms and conditions for securities services.

Personal data is preserved while the business relationship between the individual and the Bank is in effect, as long as provided for by law or required by the Bank’s legitimate interests and rules and objective grounds

Objective grounds exist if the data is still being processed according to the original purpose for its collection or in connection with the Bank's commercial interests, e.g. to determine, set forth and protect the Bank's claims.

The Bank strives not to retain information in personally identifiable form for longer than is necessary. It derives from the above that different retention times may apply depending on the type and nature of personal data.

Landsbankinn is subject to the Public Archives Act, No. 77/2014, the Accounting Act, No. 145/1994, and the Act on Securities Transactions, No. 108/2007, and must preserve information and data in accordance with the provisions of these Acts, as well as other Acts governing its operations which specify a retention time for information. Copies of personal identification, public documentation and other information gathered on individuals on the basis of Act No. 64/2006, on Actions to Combat Money Laundering and Terrorist Financing, are preserved for at least five years from the conclusion of individual business transactions or a permanent business relationship.

The Personal Data Protection Act provides for the rights of individuals, including rights to be informed and obtain information on how personal data is processed. Individuals must verify their identity when they wish to exercise their rights. The following rights may be subject to restrictions arising, for instance, from legislation, the interests of others to whom the information relates or significant financial or commercial interests of the Bank, e.g. concerning business secrets or intellectual property rights.

Right to access own personal data

Individuals are entitled to confirmation from the Bank as to whether their personal data is processed and, if so, to access this data. Furthermore, they are entitled to information on the purpose of processing personal data, the categories of personal data, its recipients, guidelines for retention time, the individuals’ rights, whether automatic decision-making occurs and individuals’ authorisation to lodge complaints with the Data Protection Authority.

Right to transmit personal data

Individuals are entitled to receive specific personal data concerning them, which they have provided to the Bank, in a structured, commonly used, machine-readable format and, as the case may be, to have the Bank transmit such data to another controller to whom the individual refers if technically feasible. This only applies to personal data which the Bank has gathered on the basis of an individual’s consent or for the performance of a contract and was processed automatically.

Right to rectification and erasure of personal data

The Bank places strong emphasis on having reliable and accurate personal data. An individual requesting to submit information on change of address, place of residence, postal box or other personal information is advised to communicate this to the Bank through the settings in online banking, by e-mail or in a bank branch, in accordance with the Bank's instructions.

Individuals are entitled to have inaccurate personal data concerning them rectified. Under certain circumstances, they are also entitled to have personal data concerning them erased.

Right to object to or restrict processing of personal data

Individuals can always object to the processing of personal data, including profiling, which is done for the purpose of direct marketing and refuse promotional material on benefits, goods and services in online banking. Following such objections, the Bank will neither process personal data for this purpose nor send the person concerned direct mail.

Individuals may also object to the processing of personal data carried out on the basis of legitimate interest for specific circumstances concerning themselves. Following such objections the Bank may not carry out further processing of personal data unless the legal requirements exist for so doing.

Individuals may also, under certain circumstances, request that the processing of their personal data be temporarily restricted, e.g. if they consider the personal data which the Bank is processing to be incorrect or if they consider processing by the Bank to be unauthorised or that the Bank no longer needs the personal data.

Time limits for handling and fees

Generally, the Bank will comply with requests regarding the above-mentioned rights of individuals without charge to them. Nonetheless, the Bank reserves the right to charge fees in accordance with its tariff if delivery of more than one copy of personal data is requested. The Bank also reserves the right to refuse to comply with a request which is obviously irrelevant or excessive.

Further information on the rights of individuals and requests for access can be found in the customer data rights portal on the Bank's website.

The Bank places strong emphasis on security in processing of personal data. The Bank has implemented organisational and technical safeguards in accordance with the Bank's Security Policy and ISS ISO/IEC 27001: 2013 Information Security Standard which is the basis of structural and maintenance measures that protect the confidentiality, accuracy and availability of data and information systems.

Landsbankinn encourages active awareness of security issues among its employees, service providers, partners and customers. The obligation of confidentiality applies by law to all employees and others involved in the processing of personal data on the Bank’s behalf about anything they may become aware of in the conduct of their work concerning the business and personal affairs of customers and others whose personal data the Bank processes.

Should a security breach occur in the processing of personal data, where it is confirmed or suspected that personal data has been received by unauthorised parties, such a breach will be notified to the Data Protection Authority and, as appropriate, to the individuals unless it does not pose a major risk to individuals.

Landsbankinn, Austurstræti 11, 155 Reykjavík, Reg No. 471008-0280, is responsible for the processing and handling of the personal data used in the Bank's operations and is therefore considered a controller of the processing, under the Personal Data Protection Act.

Landsbankinn's Data Protection Officer is responsible for ensuring the Bank's activities comply with applicable laws and rules on personal data protection. Queries, objections and suggestions concerning personal data and personal data protection can be directed to the email address personuvernd@landsbankinn.is or by sending a letter by mail to: Data Protection Officer, Landsbankinn, Austurstræti 11, 155 Reykjavík, Ísland.

Should a dispute arise regarding processing of personal data, a complaint can be sent to the Data Protection Authority by e-mail to the address: postur@personuvernd.is or by mail to: Data Protection Authority, Rauðarárstígur 10, 105 Reykjavík, Iceland.

Landsbankinn is always seeking ways to increase the security in its business and to improve and develop its product and service offerings, and the Bank's Personal Data Protection Policy may change as a result. Changes to the Policy will take effect upon the publication of the revised Policy on the Bank's website, www.landsbankinn.is