Landsbankinn places strong emphasis on protecting the privacy of its customers and parties who communicate with the Bank to safeguard their rights. This Policy contains information on the data the Bank gathers about you, how it is used, how its security is ensured and your rights according to data protection legislation.

This Policy applies to the processing of personal data in the Bank’s entire operation and to all individuals who do business with it, including former, current and prospective customers, parties connected to customers, such as family members, and guarantors or holders of power of attorney. The Policy also applies to persons other than customers, such as individuals who are in communication with the Bank, visit its facilities or website, apply for grants, or participate in events hosted by the Bank.

The aim of the Policy is to provide a comprehensive overview of the personal data the Bank processes and to inform customers, employees and others of the purposes and means by which the Bank collects and handles personal data to ensure compliance with laws and regulations.

The Policy does not apply to the operation of legal entities, neither associated entities nor subsidiaries of Landsbankinn. The Bank may need to process information about individuals connected to legal entities who are customers, such as beneficial owners, directors of the board, executives, authorised signatories and, as the case may be, employees of the legal entity.

Please note that details about the processing of your personal data may be provided in Landsbankinn’s General Terms and Conditions, special terms and conditions or information provided for certain products or services.

The collection and processing of personal data allows the Bank to provide you, or companies which you work for or are connected with, with requested financial services. The personal data you submit includes:

• Basic information: Name, Icelandic Id. No., address, telephone number, email, name of employer and other basic information, as the case may be on nationality, marital status, spouse, children and connected parties such as legal guardians, holders of power of attorney or guarantors.
• Communication and contract information: All your interaction with the Bank that takes place via email, online chat, in writing, in conversation and on social media. The Bank also processes all information derived from or submitted in relation to any contracts you enter into with the Bank, e.g. for individual products or services.
• Information about identification: Any copies of legally required or electronic identification, including copies of your passport or driver's licence, your preferred means of identification and communication channels. This also includes the time and date of your visits to the Bank’s branches if you chose to register your Id. No. when you visit.
• Financial information: All information about your current and previous business and transaction history, including account balance and type, turnover, origin of funds, transaction statement and information about payment cards, payment history and orders along with information about income, expenses, financial commitments, and assets and liabilities.
• Information gathered through electronic monitoring: Audio and video recordings from surveillance cameras in the Bank’s facilities, ATMs and the recording of telephone conversations.
• Technical information and inferred data about behaviour and use: About the equipment and devices you use to connect to the Bank’s website, online banking and app such as user name, settings, IP number, type, number and settings of smart devices, operating system and browser type, language settings, how you connect to us, the origin and type of actions undertaken.
• Public information: From public registries such as Registers Iceland, the Icelandic Property Registry, the vehicle registry, the Registrar of Enterprises, the Legal Gazette and other public registries.
• Sensitive personal data: on racial or ethnic origin, political affiliation, trade union membership, health information, biometric data. Note that when using biometric data such as your fingerprint or face to log in to Landsbankinn’s app, identification takes place through your phone only and the Bank does not receive copies of your biometric data.
• Other information: The list above is not exhaustive and the Bank may process other personal data depending on the nature of the business relationship or your transactions with the Bank.

In exceptional cases, the Bank may need to gather information classified as special categories of data. In other instances, financial information, e.g. transaction statements for payment cards or use of current accounts, may include sensitive personal data that may indicate certain behaviour. We do not gather sensitive data about you nor do we process such data without clear authorisation and unless absolutely necessary. Should you choose not to supply necessary information it may prevent the Bank from providing the requested service.

Processing personal data of children

The personal data of children may be processed if it is necessary to carry out requested transactions or provide a service, e.g. create a payment account and issue a debit card. The Data Protection Act states that the consent of a guardian is required for children under 13 years of age in relation to the offer of information society services directly to a child. All marketing material, including gifts, notifications and benefits intended for children is sent to guardians and, as the case may be, also their children. You can opt out of such marketing material and gifts at any time through online banking for individuals or the Bank’s Data Rights Portal. The Bank may contact you to ask if your decision has changed.

Landsbankinn processes personal data for clear and stated purposes in accordance with the Data Protection Act, the Bank's rules and this Policy. Processing of personal data may have various purposes, such as:

• To contact you, identify you and ensure the security and reliability of business transactions, through such means as due diligence on customers. The Bank contacts customers through various channels, such as email, notifications in online banking, Landsbankinn’s app, the Bank’s website and social media.
• Carry out requested transactions, provide financial services and advice and respond to enquiries, such as establish and maintain a business relationship, perform payment and credit assessments and determine self-service authorisations, assess credit risk and prevent borrowing from exceeding repayment capacity, analyse financial standing with regard for the Bank’s product and service offering in order to provide advisory service, including on asset management, pension savings or other service, receive applications for and remit pension savings.
• For security and archiving purposes to safeguard the interests of customers, employees and others who have dealings with the Bank, ensure the traceability of transactions through such means as electronic monitoring and investigate issues or prevent money laundering, terrorist financing, fraud and other criminal conduct.
• Develop the Bank’s product and service offering, promote innovation and boost service levels, offer personalised and tailored services, respond to suggestions and complaints and process answers to marketing and/or service questionnaires.
• Develop solutions and reports for the purpose of credit and risk management, such as to measure and monitor credit risk, operational risk, market risk, underwriting risk and for internal treasury purposes.
• Operate and maintain the Bank's websites and online services and improve user experience online, in Landsbankinn’s app and online banking for individuals and corporates and, as the case may be, the Bank’s other web-based solutions.
• Respond to legal requests and ensure cyber and data security by, among other things, analysing, investigating and preventing fraud and other misconduct.
• For marketing and promotional purposes and to provide personalised and tailored services, send messages about benefits and material that may interest you or you have requested. Note that photographs and video recordings are made at conferences, promotions and other events hosted by the Bank and that these may appear publicly on the Bank’s websites, including social media.
• Perform statistical analysis on certain products, services or communication channels, front office or other individual functions in the Bank’s operation. Such analysis is based on non-personally identifiable data, if possible.

Lawfulness of processing of personal data

For the most part, the gathering and other processing of your personal data by the Bank is based on a contract between you and the Bank for specific services and to provide the requested financial service or to satisfy legal obligations the Bank is subject to as a regulated entity on the financial market. In certain cases, the Bank will request your informed consent to process personal data. In such cases, you can withdraw your consent at any time, and then the processing covered by the consent is terminated.

Finally, your data may be processed if it is necessary for the purposes of legitimate interests pursued by the Bank, you yourself or a third party. Such processing does not take place if it is clear that your interests outweigh the interest of the Bank or a third party. The following processing operations are based on legitimate interests: processing of basic information from Registers Iceland, determination of benefit programmes for customers and retention of the business history of former customers, classification and monitoring of loans, development and testing of new products and services, for marketing purposes and target group analysis, and for cyber and information security purposes.

Automated decision-making

In certain instances, the Bank creates a personal profile using automated processing of your personal data to assess or anticipate aspects of your finances, such as development of financial standing or probability of default. Calculation of a credit score is an example of profiling. Profiles may also be prepared for marketing and cyber and information security purposes, e.g. to determine which benefit programme suits you best, and by employing pattern analysis in online banking to maximise the safety of your financial information.

Profiling may also be a factor in automated decision-making that relates to you. In automated decision-making your personal data is processed automatically by software to reach a decision without the aid or involvement of human agency. Automated decision-making is used, for instance, to determine the amount of self-service lending in Landsbankinn’s app, based on such factors as your credit score.

Automated decision-making only takes place with your consent, if it is a prerequisite for the conclusion or execution of an agreement between you and the Bank, or if authorised by law. You can submit objections or contest automated decisions by email to personuvernd@landsbankinn.is.

The aforementioned personal data in the Bank’s possession is usually gathered directly from you when you enter into a business relationship with the Bank, apply for a certain product or service, or contact the Bank through such channels as email, online chat or by other means.

Information can also be sourced from third parties, including the Bank’s partners such as card issuers, payment service providers and public entities. Unconnected parties may also provide information about you, e.g. local credit information providers, customs and tax authorities and public registries. External parties are not authorised to submit information about you to the Bank unless authorised to do so, for example with your consent or legal authorisation.

The Bank may also need to disclose your personal data to domestic or foreign partners and/or service providers to provide you with certain services. The Bank selects its partners and service providers with care and does not disclose personal data unless they comply with the Bank’s security demands. Foreign commercial banks receive information to process and settle international payments. Partners for payment transfers and card issuance, claim collection, operation and hosting providers, IT system providers and credit bureaus such as Creditinfo and custodians of financial instruments are also entities who it may be necessary to divulge personal information to in order for the Bank to provide its services.

Disclosure may also take place based on your consent, e.g. if you request that the Bank provide fintechs or other entities with your payment information. You can further authorise the Bank to divulge other information, such as your name, email or phone number, to partners for marketing purposes.

In certain cases, the Bank is obligate to divulge personal data to law enforcement authorities, other authorities or regulators both domestic and abroad, based on legal obligation or international contracts. The Bank is focused on safeguarding the human rights of its customers, including their privacy, and processes such requests in accordance with documented procedures so that no more extensive information is provided beyond what is necessary at each time and only based on clear legal authorisation.

The Data Protection Act affords you certain rights, including to information about whether the Bank processes your personal data and how such processing takes place in the Bank’s operation. You can manage your rights through the customer Data Rights Portal on the Bank’s website and use it to request:

Access to your personal data
You are entitled to confirmation from the Bank as to whether your personal data is processed and, if so, to access this data. You are also entitled to certain minimum information about the arrangement of processing, provided for among other things in this Policy.

Transfer of personal data
You can request that certain personal data you have given to the Bank be transferred to another specified party, if technically feasible. This only applies to personal data which the Bank has gathered on the basis of your consent or for the performance of a contract and was carried out by automated means.

Rectification or erasure of personal data
You can at any time request rectification of inaccurate or unreliable personal data concerning you. Under certain circumstances, you are also entitled to have personal data concerning yourself erased.

Limiting or objecting to processing of personal data
You can at any time object to the processing of personal data, including profiling, for direct marketing purposes and refuse promotional material on benefits, products and services in online banking, Landsbankinn’s app or the Bank’s Data Rights Portal. You can also object to the processing of personal data based on your particular situation. Finally, you can in certain cases request that temporary limitations apply to the processing of your personal data.

The Bank will respond to requests according to the above free of cost unless such requests are unfounded, excessive or if multiple copies of personal data are requested. Individuals must verify their identity when they wish to exercise their rights. For further information on your rights, see the Bank's Data Rights Portal.

You are also entitled to refer disputes over the Bank’s handling of your personal data to Persónuvernd, the Icelandic Data Protection Authority. We hope that you will contact us first with any privacy issues to allow us to help. If you do choose to contact the Data Protection Authority, the email address is postur@personuvernd.is.

No service or software is completely secure. Contact the Bank at the earliest opportunity if you are concerned that your personal data may be in danger or if you think that someone may have acquired your password or other information by emailing personuvernd@landsbankinn.is. You will be notified of any data breaches with the Bank or its processors that affect you, in accordance with law.

Your personal data is retained in a secure environment that safeguards it against unauthorised access, misuse or disclosure. The Bank’s management of information security is certified under information security standard ÍST ISO/IEC 27001:2013. The Bank also has in place an internal information security policy, rules on information security, security processes, and has implemented organisational and technical security measures in accordance with laws and regulations on cyber and information security.

The Bank’s products and services are also designed with regard for security and privacy. The Bank regularly assesses the risk of processing personal data in information systems and software to apply appropriate security measures and ensure, in as much as possible, the privacy of the individuals affected by the processing of personal data in the Bank’s systems and software.

The Bank also promotes active security awareness amongst its employees and publishes educational material on the handling and security of personal data, in accordance with the Data Protection Act. All the Bank’s employees are bound by confidentiality in accordance with the Bank’s rules and laws that apply to financial undertakings.

The Bank’s websites store cookies on your computer or smart device. Cookies are small text files that store information to analyse use of the Bank’s websites and improve user experience. Cookies are also used to tailor websites to your needs, e.g. by boosting the function of a website, saving your settings, processing statistical information, analysing traffic through websites and for marketing purposes.

The Bank’s websites utilise different types of cookies. So-called session cookies are generally deleted when a user leaves the website. Persistent cookies on the other hand are saved to the user’s computer or device and store your actions or selections on the Bank’s websites.

Necessary cookies, such as statistics cookies and functionality cookies, activate functions on the Bank’s websites. They are a prerequisite of use of the Bank’s websites, allowing them to function as intended, and consent is not required as such cookies are based on the Bank’s legitimate interests. Necessary cookies are generally first party session cookies, used by Landsbankinn only.

First party cookies are not a requirement for use of the Bank’s websites. They nevertheless play an important role in the use and functionality of websites as they facilitate use by, for example, auto-completing forms and saving settings. First party cookies only send information about you to Landsbankinn.

Third party cookies are in place because of services Landsbankinn purchases from third parties, e.g. analytic and advertising cookies. Their use allows the Bank to tailor its websites to user needs, more effectively analyse use of websites and prepare marketing material and advertisements tailored to certain target groups by considering, amongst other things:

• Number of visitors, number of visits per visitor, date and time of visit.
• Which pages on the websites are viewed and how frequently.
• Type of files downloaded from the websites.
• Which devices, operating systems and browsers are used during visits.
• Which search words from search engines lead to the websites.

Third party cookies send information about you to another website owned by a third party, such as Google or Facebook. These third parties may also save cookies to your browser and through them gather information about your visits to the Bank’s website and the content you are interested in.

Most browsers have the option of changing settings to prevent cookies. Deleting cookies is also relatively simple. Here is some more information about deleting cookies. A more detailed description of cookies, including the third-party cookies the Bank uses, is available on the Bank’s website. Information about the use of third party cookies is also available on the websites of these third parties.

Generally, the Bank retains your personal data for the duration of the business relationship, as long as required by law or to satisfy the Bank’s legitimate interests. The strict rules and regulations that apply to the Bank’s operation may require different retention times depending on the type or nature of your data.

Audio and visual recordings from phones and security cameras are retained for 90 days and deleted automatically once that period elapses in accordance with the Data Protection Authority’s rules on electronic surveillance. Phone recordings that pertain to securities trading are retained for 5 years in accordance with the Act on Securities Transactions.

The Bank is an entity subject to an obligation of transfer, in accordance with the Act on Public Archives. The obligation to transfer means that the Bank is obliged to retain all records in the Bank’s archive and transfer them to a public archive when they have reached an age of 30 years. The Bank strives not to retain information in personally identifiable form for longer than is necessary and safeguards such information in every respect.

Specific legislation also provides for the obligation to retain certain information such as accounting records, personal identification and other information required under the Act on Measures against Money Laundering and Terrorist Financing. Audio and visual content gathered from electronic surveillance with security cameras and audio recordings of telephone conversations is not retained longer than for 90 days, unless otherwise provided by law.

Landsbankinn hf., Austurstræti 11, 155 Reykjavík, is responsible for ensuring that all processing of your personal data complies with the Data Protection Act and rules and is the controller determining the processing of your personal data.

Landsbankinn's Data Protection Officer is responsible for ensuring that the Bank's activities comply with applicable laws and rules on privacy and data protection. Please direct any queries, complaints or comments relating to the processing and handling of personal data to the Bank’s Data Protection Officer by email to personuvernd@landsbankinn.is.

The Bank reserves the right to update this Policy on a regular basis. The Bank will inform you about major changes to the Policy before they become effective upon publication to the Bank’s website, www.landsbankinn.is.