Rannís Privacy Policy

Within Rannís, safe handling and storage of personal data is considered of utmost importance and care is taken to ensure that all processing of personal information is in accordance with current personal data protection laws. The aim is always to limit the processing of personal data as much as possible and not to collect information beyond what is considered necessary. Any personal data processing usually takes place to fulfil the statutory role of the organisation, and the organisation's authority to process such information is provided for, to the extent necessary, in Art. 12, Act no. 3/2003.

Definition of personal data

Personal data is considered to be any kind of information that can be linked to individuals, e.g. ID number, location, IP addresses/network IDs or one or more factors that characterise an individual in some way. Personal data does generally not refer to information about companies or animals.

Data Protection Officer

Elísabet María Andrésdóttir is the appointed Data Protection Officer for Rannís. She can be contacted by e-mail at personuverndarfulltrui(at)rannis.is , by phone +354-515 5800, or by sending regular mail to:

Rannís – Icelandic Centre for Research

Borgartún 30

IS-105 Reykjavík

Collection of personal data and purpose of data processing

Rannís collects personal data in connection with tasks that have been entrusted to the organisation based on laws and regulations that apply to the organisation and its role. Rannís collects information either as responsible party or as processing party.

Rannís only processes personal data when legal basis allows. The legal basis may vary depending on the purpose of the data processing. In almost all cases, the legal basis is supports the following:

• When processing of personal data is necessary for evaluation of a grant proposal and grant payments.
• When processing personal data is necessary for processing job applications and making employment contracts with employees.
• When Rannís is obliged to process personal data to comply with laws or regulations.
• When an individual authorises Rannís to process personal data for a specific purpose.
• In cases where the processing of personal data is subject to other law, the legal basis for processing may be different from that stated above. In such cases, the processing of personal data may be subject to consent.
• Camera system in Rannís' reception monitors customers' arrival in real time and ensures that they receive service. The pictures are saved for 3 months and only viewed if a crime takes place and then in consultation with the police and a technician who only get accesses to relevant photage.

What personal data is processed?

The nature of personal data processed by Rannís may depend on the case or project in each case. In most cases the registered information comes from the individuals themselves and the National Registry of Iceland, such as name, address, ID number, telephone, e-mail address, etc.

Processing of personal data is most often related either to grant proposals for competitive funding or applications for appropriation funds that are administered by Rannís. When applying for a grant through Rannís, part of the application process may involve participation of partners. In such cases, affiliates are defined as processors under the Privacy Act.

Rannís' privacy policy applies every time a proposal is submitted to one of the competitive funds or appropriation funds that Rannís manages. Upon receipt of proposals or applications, personal data is collected for the purpose of evaluating and processing the application, and in case of approval, further terms and conditions may apply. It is important for applicants to become acquainted with the rules of the fund in question, to know whether further conditions or terms apply.

Further processing of personal data may be done for the purpose of statistical analysis of applicants to fulfil legal obligations. Rannís compiles statistics on applications for funds for the public authorities. The statistical analysis is based on the information provided by the applicants in their applications. Examples of personal information that are used in statistical analysis are age, gender, education and location.

Disclosure of personal data to third parties

Rannís does not use personal data for other purposes than those for which it is collected, and personal data is never shared with third parties without obtaining consent or in accordance with written agreements and/or law. In cases where a third party, i.e. the processor gets access to personal data, full confidentiality is ensured.

Further information on handling of personal data in connection with applications and management of funded projects:

Personal information used to evaluate proposals or appropriation funding:

• Name, address, e-mail address, contact information, date of birth and gender.
• Current job, education, work experience, references, and research performance.
• Information on other project team members, if applicable.
• Project information.
• Other information related to the application/project.

Information collected for payment of grants:

• Bank details, such as account information and other payment information.

Information on previous grants:

• Reports describing previous projects and grants that have been funded by Rannís and/or other parties.

Information about previous communication:

• Customer communication information may be recorded and saved.

When and why is "sensitive personal information" collected?

In some cases, personal information is treated as "sensitive personal information". Special categories of personal information, such as religion, ethnicity or health, require increased protection under the Privacy Act. These categories are referred to as "sensitive personal information". Rannís will only process these data categories in special circumstances.

The following are examples where Rannís could work with sensitive personal information:

Applicants with disabilities may in certain cases be entitled to special grants or additional funding. For Rannís to be able to evaluate applications for such additional funding, applicants must provide information about their disability, see Article 12 of Act 3/2003.

Retention of personal data and how long it is stored

Proposals, supporting documents and other submissions received by Rannís are stored in an electronic case file under a specific case number in the organisation's digital filing system, that holds all information on that case.

Rannís' operations are subject to Act no. 77/2014 on Public Archives. This means that Rannís is obliged to keep grant applications indefinitely unless there is an authorisation for disposal, cf. Art. 24 of the Act.

Legal dispute or claim

Rannís could use personal information in the event of a legal dispute or claim, e.g. in cases related to illegal activities or fraud.

Administrative purposes

In individual cases, personal data, including information from applications, is stored for administrative purposes which may e.g. cover accounting, auditing, fraud prevention (including financial due diligence by competent bodies), system testing, maintenance and development.

Web metrics

Rannís uses Google Analytics to measure traffic on its websites. At each visit to Rannís' website, items are recorded, such as time and date, keywords, country of visitor, type of browser and operating system used. This information can be used for market analysis, web site improvements and development, such as regarding the content that users are most looking for. No attempt is, or will be made, to obtain further information regarding visits to Rannís' website or to link it to personally identifiable information.

Spam protection

In the web forms that users have to fill out for grant applications, Rannís has activated automatic spam protection, the so-called ReCAPTCHA spam protection from Google. Users may become aware of it in such a way that they are asked to solve tasks that are difficult for programmed automation to solve.

ReCAPTCHA collects data about the browser and its use and analyses it in order to identify whether the form submitted comes from a real person or a digital application. Strictly speaking, this activity falls under the definition of privacy law. The data sent to Google is anonymous and does not contain any information submitted by the user.

This type of spam prevention has proven to be essential for the functioning of the website. If a user is not willing to undergo ReCAPTCHA data collection, the person in question can contact Rannís directly for information.

Security measures

At Rannís, great emphasis is placed on ensuring the security of personal data. Rannís' application and information system is hosted and operated by the IT Faculty of the School of Engineering and Natural Sciences at the University of Iceland.

To ensure the security of personal data, the following organisational and technical measures are in place:

• Encryption of databases, communication, and data during transmission.
• Access controls, ensuring that access to personal data is only provided to those who need it for their work.
• General computer protection, such as virus protection and firewalls, which are regularly updated.
• Regular staff training on security issues.

The duty of confidentiality rests on all Rannís employees according to Act no. 70/1996 on the Rights and Duties of Government Employees.

Withdrawal of consent

An individual who has given consent to the processing of personal data may revoke the consent. To withdraw approval, contact Rannís by sending an e-mail to personuverndarfulltrui@rannis.is, or send a regular mail to:

Persónuverndarfulltrúi / Data Protection Officer

Rannís – Icelandic Centre for Research

Borgartún 30

IS-105 Reykjavík

Request for copy of personal data and how to file a complaint

According to the Privacy Act, it is possible to request a copy of the personal data that has been processed. Rannís will do its utmost to respond to the request within 30 days of receiving it.

The request must be in writing and contain the following information:

• Name and address.
• What information is requested.
• All information that facilitates the compilation of the requested data, for example information on applications or correspondence that may be related to the personal information.
• E-mail address, phone number and other contact information.

In addition, the following is requested:

• Copies of documents such as a passport or driver's license. This is necessary to confirm the identity of the individual submitting the request.
• Signature and date of the request.
• If information is requested on behalf of a third party, a power of attorney must be signed from the relevant party.

Requests for copies of personal information and/or complaints should be sent to the e-mail address personverndarfulltrui@rannis.is or by sending a mail to Rannís' office:

Persónuverndarfulltrúi / Data Protection Officer

Rannís – Icelandic Centre for Research

Borgartún 30

IS-105 Reykjavík

Those who believe that the processing of personal information by Rannís violates their rights can send a complaint or complaint to the Data Protection Authority (Persónuvernd).

You can contact the Data Protection Authority by sending an e-mail to postur@personuvernd.is or by phone +354-510 9600. The institution is located at Raudarárstígur 10, 105 Reykjavík.

The privacy policy will be updated every 2 years or when necessary.

Updated and approved in January 2022.