Privacy Policy of the Competition Authority
All processing of personal data by the Competition Authority shall be in accordance with Law no. 90/2018 on personal data protection and processing of personal data ("the Personal Data Protection Act") and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
This privacy policy contains information on, among other things, the lawfulness and purpose of the Competition Authority's processing of personal data, the disclosure of personal data, the rights of individuals, and the contact details of the Competition Authority's Data Protection Officer.
The privacy policy is reviewed regularly and published on the Competition Authority's website.
Information about the person responsible
A controller is the person who determines, alone or jointly with others, the purposes and means of processing personal data. Personal data is any information that can be linked to an individual, such as a name, national insurance number, location data, an online identifier, etc.
The Competition Authority is an independent supervisory body responsible for the enforcement of the Competition Act No. 44/2005 ("the Competition Act"). The Competition Authority is the data controller in accordance with the Personal Data Act.
The Competition Authority is located at Borgartún 26, 105 Reykjavík. Further information about the Competition Authority can be found on the authority's website, Competition.is.
Purpose of processing personal data
The Competition Authority processes personal data for the purpose of fulfilling the organisation's statutory supervisory role in accordance with the provisions of competition law. The main areas of the Competition Authority's work are:
a) to enforce the prohibitions and obligations of competition law and, where applicable, Articles 53 and 54 of the EEA Agreement, and to grant exemptions under competition law,
b) to determine measures against anti-competitive conduct by undertakings,
c) to ensure that the actions of public authorities do not restrict competition and to advise the government on ways to make competition more effective and to facilitate the entry of new competitors into the market,
d) to monitor developments in competitive and business practices in specific markets within the Icelandic business sector and to examine the management and ownership links between companies.
Lawfulness of processing personal data
The Competition Authority primarily processes non-personal information relating to companies. However, the Competition Authority holds personal data when the public makes a complaint or submits a request to the authority, e.g. the individual's name, address, national registration number and email address. The Competition Authority also collects comparable personal data about, for example, directors and contacts of companies in connection with the authority's projects, either from individual companies, corporate groups and business associations or from other government authorities on the basis of a legal obligation or legal authority.
In most cases, the Competition Authority's processing of personal data is based on points 3 or 5 of Article 9 of the personal data protection law, i.e. on the basis of a legal obligation, public interest or the exercise of official authority. However, depending on the circumstances, the processing may also be based on points 1 and 2 of Article 9 of the Act, i.e. on the basis of consent or a contract.
Disclosure of personal data
Personal data may be shared within the Competition Authority to the extent necessary for the performance of its duties. Personal data may also be shared with other government authorities on the basis of a legal obligation or legal authority. For example, personal data may be disclosed to the Competition Appeals Board if decisions of the Competition Authority are appealed, or to the police in accordance with competition law. Personal data may also be disclosed to the courts, for example, if a party does not accept an appeal board's decision and brings an action for annulment, or as part of the Competition Authority's statutory law enforcement or supervisory role.
Personal data may also be disclosed to authorities and competition bodies within the EEA in accordance with competition law and in connection with cooperation based on the EEA Agreement and obligations arising from the Agreement.
Personal data may also be disclosed to the processors of the Competition Authority and further processed there. Furthermore, personal data may be disclosed to the Authority's consultants and contractors to assist the Authority in carrying out its statutory duties under competition law.
The Competition Authority will ensure that personal data is only disclosed where necessary.
Retention period for personal data
The Competition Authority emphasises that personal data should not be retained for longer than is necessary, taking into account the purpose of the processing, where a longer retention period is not provided for by law.
The Competition Authority falls within the scope of the Public Records Act No. 77/2014. Under this Act, documents, including those containing personal data, must be handed over to the National Archives when they are 30 years old.
It is not permitted to destroy documents in the archives of parties subject to the Act, except with the authorisation of the National Archivist, in accordance with regulations issued under the Public Archives Act, or pursuant to a specific statutory provision.
Security of personal data
The Competition Authority places great emphasis on ensuring the security of personal data processing. The Competition Authority operates in accordance with the ISO/IEC 27001:2013 standard issued by the Standards Council of Iceland. Based on this standard, the Competition Authority has established an information security policy to ensure the security of information, information systems and communication systems. The Competition Authority systematically conducts a risk assessment to determine whether further measures are required for specific data or information systems.
Employees of the Competition Authority are subject to a strict duty of confidentiality under Article 34 of the Competition Act. This duty of confidentiality remains in effect after termination of employment. The same duty of confidentiality also applies to those who process personal data on behalf of the Competition Authority.
Rights of data subjects under data protection law
The Data Protection Act grants registered individuals various rights in relation to their personal data. The rights are set out in Chapter III of the Act.
Right of access
The data subject has the right to access all personal data that the data controller processes about them. However, this right is subject to exceptions specified in the law.
Right to correction
The data subject has the right to have inaccurate personal data concerning them rectified by the controller.
Right to erasure (the right to be forgotten)
A registered party has the right to have the controller erase their personal data. However, this right does not apply in full when the controller is a body subject to an obligation to disclose information under the law on public archives, such as the Competition Authority.
Right to restriction of processing
The data subject has the right to request that the controller restricts processing in certain circumstances.
Right to object to processing
The data subject shall have the right, on grounds relating to their particular situation, to object to processing of personal data based on public interest, the exercise of official authority or legitimate interests.
Right to data portability
The data subject has the right to have personal data concerning him or her transmitted to another controller, provided certain conditions are met. This only applies when the controller's processing is based on consent or a contract, and therefore generally does not apply to the Competition Authority's processing of personal data.
Right to lodge a complaint with the Data Protection Authority
The data subject always has the right to lodge a complaint with the Data Protection Authority regarding the processing of personal data by the data controller.
Further information about your rights can be found on the website of the Data Protection Authority, Personal data protection.
The Competition Authority's website
The Competition Authority's website does not automatically collect any personally identifiable data about its use or users. Website traffic is measured using Google Analytics, but this information is not personally identifiable; it is for the sole purpose of measuring website traffic.
When a comment or query is submitted via the website, your name and email address are requested. This information is necessary for the Competition Authority to be able to respond to the query. The information is not stored in the service provider's web system, and no further data collection or processing takes place there.
Data Protection Officer
The Competition Authority has appointed a Data Protection Officer whose role is to monitor compliance with Law no. 90/2018 on Personal Data Protection and Processing of Personal Data, the provisions of EU Regulation no. 2016/679 and, where applicable, other laws concerning the processing of personal data.
The Data Protection Officer is the Competition Authority's contact with the Data Protection Authority.
You can contact the Data Protection Officer by sending an email to the email address personuvernd@samkeppni.is.
Last updated 1 November 2019