Privacy of employees

The Act on Data Protection and the Processing and Personal Data, No. 90/2018 stipulates the rights of an employer to register and process personal data, including information about their employees. The main rule in this act stipulates that registration and processing of data is only allowed when the person in question gives their consent unequivocally.

Because of the nature of employment contracts it can be tricky for the employee, to refuse, withdraw or change their former statement. Therefore, it is not always certain that the given consent provides the employer an unconditional access and process of delegate personal information. The employer must always follow, with special care, the six main rules that are explained below.

The processing of personal data shall be lawful only if, and to the extent that, at least one of the following applies:

• The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third person, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In the processing of personal data, all following rules shall be adhered to:

1. The processing should be processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. The information collected should only be used for specified, explicit, legitimate, and objective purposes and not further processed in a manner that is incompatible with those purposes; further processing for historical, statistical or scientific purposes shall not be considered to be incompatible with the initial purposes, provided that appropriate security is taken into consideration.
3. The processing is adequate, relevant, and limited to what is necessary in relation to the purpose of the processing.
4. The processing is accurate and, where necessary, kept up to date; personal data that is inaccurate or incomplete, given the purpose of their processing, shall be erased, or rectified without delay.
5. The processing should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided that appropriate security is taken into consideration.
6. The information should be processed in a manner that ensures appropriate security of the personal data.

Further information can be found at The Icelandic Data Protection Authority.