Account of how Veitur Utilities processes private data

1. General

Veitur Utilities (Veitur ohf.) is a subsidiary of Reykjavik Energy (OR) and manages distribution utilities for electricity, hot water, water and sewerage systems. Reykjavik Energy operates in accordance with Act no. 136/2013 on the operations of Reykjavik Energy. The companies conduct the processing, production and sale of electrical power, hot water and steam and the operation of fundamental systems, such as the distribution of electricity, hot water supplies, sewage disposal and the fibre network, in addition to other activities of a comparable nature. Reykjavik Energy sells these products and services to its customers in exchange for payment.

There is a contractual relationship between Veitur Utilities and its customers for the provision of products and/or services. In order to provide and deliver these, the company needs to collect, log, save and process personal data regarding customers so that Veitur Utilities can fulfil its duties to its customers. These data do not include sensitive personal information.

Veitur Utilities guarantees that the company’s handling of all personal data is conducted in accordance with the Act on Data Protection and the Handling of Personal Information and regulations deriving from it.This file, which complements the policy, contains data and information on the elements which Veitur Utilities must provide for the collection and processing of personal data on customers.

2. Purpose of processing personal data of customers

Veitur Utilities collects and processes specified personal data on customers to make it possible for the company to provide the agreed upon products and services and to collect the stipulated payments. It is also to make it possible to always guarantee the best possible quality of products and services.

Personal data may also be processed for the purpose of defining marketing opportunities with a view to offering additional new services.

The reasons for processing personal data may also be different to those defined above. For example, Veitur Utilities uses electronic surveillance for specific purposes in each case, since processing of this kind is mainly conducted to guarantee the safety of staff, the quality of service and  the security and safeguarding of property: Camera surveillance in and close to Veitur Utilities constructions, the call line at the service desk, tachographs in vehicles and radio receivers in the Tetra communications system. Electronic surveillance is governed by the electronic surveillance regulations rules and instructions in Veitur Utilities’ Operational Handbook, which specifies, among other things, the purpose of the surveillance in each case, where and how it is applied, the company’s obligations in this regard and the rights of the staff.

Veitur Utilities guarantees that personal data regarding customers will not be used for any purposes other than those specified above without the full knowledge and consent of the customer.

3. On what authority is the processing of personal data about customers founded?

The processing of personal data on customers is also necessary for the execution of contracts between Veitur Utilities and the customer for the company’s provision of products and/or services.In addition to this, processing may also be due to legislation such as Public Archives Act no. 77/2014, Accounting Act no. 145/1994  and Annual Accounts Act no. 3/2006.

Since consent is the basis for the processing of personal data about customers, it is governed by special terms, which the customer agrees to when granting the consent. These terms shall not be amended without the approval of the customer.

4. Type of personal data that is processed

Veitur Utilities only collects and processes the following information about customers:

  1. Name
  2. ID-No.
  3. Address
  4. Telephone number
  5. E-mail address
  6. Bank accounts
  7. Payment card information which is encrypted for 24 hours and then deleted
  8. Usage history – readings/bills
  9. Malfunction history - operational problems
  10. Default information
  11. Communications information
  12. Applications for services/products (e.g. household pipelines, transfer of water and sewage pipes etc.)
  13. Recording of phone calls to the Service Desk
  14. Surveillance cameras in common areas and work stations

When a customer communicates with Veitur Utilities on social media, e.g. to submit meter readings or other information, the rules of the specific medium regarding the protection and storage of personal data shall apply. When appropriate, the company transfers the communications/information over to its system and handles its protection and storage in accordance with its personal data protection policy and rules set to implement it.

5. Recipients of personal data on customers

Data about customers are stored by Veitur Utilities or on behalf of the company in Iceland or one of the company’s partners within the EEA  where rules about the processing of personal data are the same as those in Iceland. Personal data shall not be disclosed to third parties, except on the basis of  legal authorisations, regulatory acts, court rulings, work contracts or the approval of a customer.

6. Storage time - For how long is personal data on customers stored?

Veitur Utilities stores personal data for as long as the law assumes is necessary on the basis of the purpose of the processing. Since Reykjavik Energy is owned by public bodies, the company is subject to the Public Archives Act and is therefore subject to certain preservation and submission obligations. Thus the company is subject to certain restrictions regarding the erasure of data. The data which the company is authorised to erase with special permission from the Reykjavik Municipal Archives shall be erased in accordance with the authorisation that is granted in each case.

7. Rights of customer to protest, gain access to, correct and delete/restrict processing

Customers have the right to oppose Veitur Utilities’ collection of personal data, if they believe it is not consistent with its purpose, the principle of proportionality is not observed or if they believe that the same purpose can be achieved in a lighter manner.

A customer can request information on the processing that is conducted at Veitur Utilities, provided there are no other interests that prevent it. These requests shall be processed as swiftly as possible and no less than a month after the customer’s request has been received.

A customer may have the right to demand that any erroneous, misleading or incomplete personal data about him/her be corrected and/or deleted.

8. Customers’ right to submit complaints and remarks

If customers wish to submit a complaint or remarks regarding the processing of personal data, they should be sent directly to the company. If the relevant unit does not respond, the customer can contact the Data Protection Officer of the Reykjavik Energy Group, personuverndarfulltrui@or.is (see details below).

Customers are also allowed to seek the opinion of the Icelandic Data Protection Authority on this processing (www.personuvernd.is).

9. Accuracy and reliability of information

Veitur Utilities is responsible for the reliability of information and ensuring that customer information is constantly updated in accordance with customer notifications regarding changes and taking into account the purpose of the processing.

The customer is responsible for informing Veitur Utilities of any changes in his/her information.

10. Safety of personal data on customers

Veitur Utilities guarantees the safety of personal data through technical and organisational measures. Veitur Utilities’ Information Security Policy provides more details on measures, as well as the relevant guidelines in the company’s operational handbook.

Access to personal data on customers is restricted to the staff that needs to access it to achieve the purpose of the processing. The staff are informed and conscious of their obligation to maintain confidentiality and protect the safety of the personal data to which they have access. The obligation of confidentiality remains in force even after they have terminated their employment.

--------------------------------------------------------------------------------------------------------------------------------------------------

Other than the stipulations stated above, the staff’s handling of personal data shall comply with Act no. 90/2018 on Data Protection and the Handling of Personal Information and measures which Veitur Utilities implements on the basis of it.  

The Data Protection Officer of Reykjavik energy is Hörður Helgi Helgason, a laywer at the Landslög law firm, Borgartúni 26, 105 Reykjavík. Tel. 520-2900, personuverndarfulltrui@or.is.