Reykjavik University Privacy Policy

This Annex forms a part of RU’s Privacy Policy. The Annex applies to the University’s processing of personal data of student applicants, as well as all current and former students of the University.

What personal data is processed about applicants?
We process the following types of personal data about the University’s applicants, along with additional information which the applicant chooses to share:

• contact information, such as name, social security number, address, telephone number and email address;
• education;
• work experience;
• language skills; and
• supporting documents submitted with the application, such as a resumé or other information shared by the applicant.

In the event of applicants not submitting their application, the University reserves the right to delete information on the applicant’s account. The applicant may, at any given time, delete an application that has yet to be submitted and deactivate the account.

What personal data is processed about students?
We collect and maintain various types of personal data about our students. The types of personal data collected may differ, depending on your study programme and your relationship with the University.

The following are examples of personal data the University collects about its students:

• contact information, such as name, social security number, address, telephone number and email address;
• study programme;
• academic record and grades;
• course registration;
• students’ usage on Canvas;
• classroom recordings;
• students’ exams and final assignments;
• notes from appointments with student counsellor or psychologist;
• information on special needs;
• health-related data;
• information regarding violation of University rules;
• library loan history;
• written communication history between students and teachers or faculty;
• payment information in relation to University and course fees;
• diploma; and
• information collected by electronic surveillance, e.g. surveillance camera recordings and information on internet usage.

In addition to the examples of data listed above, the University may collect and process other types of data, including data voluntarily submitted by students.

In general, the University collects personal data directly from students. Data may however be collected from third parties, such as Registers Iceland. The University will notify students when personal data is obtained from other third parties.

Why does the University process personal data and on what grounds?
Applicants’ personal data is processed on grounds of their application. The personal data collected about students is first and foremost used to honour our responsibilities laid down in the admission contract, but also to fulfil legal requirements and/or for the University’s legitimate business purposes.

Processing which is based on tour admission contracts with students includes:

• contact information, such as name, social security number, address, telephone number and email address;
• application;
• study programme;
• course registration;
• students’ usage on Canvas;
• payment information;
• students’ exams and final assignments;
• information relating to the services of student counsellors; and
• library loan history.

The processing of data based on our admission contract is necessary for the University to comply with its obligations to students, and vice versa, including the payment of tuition fees and course registration. The University processes data on students’ usage of Canvas in order to improve quality and development of teaching. Failure to provide necessary data may lead to the University not being able to comply with its obligations towards students.

The University may in addition process data based on its legitimate interest of safeguarding property, e.g. the processing of footage from surveillance cameras and data on internet usage. This also applies to the retention of data in relation to violations of University rules, as it is in our legitimate interest to keep track of such information in order to enforce the University’s rules. Moreover, the processing of written communication history between students and teachers or faculty is based on the legitimate interests of both the University and the school. The processing of contact information of former students and those who register on RU’s mailing list is processed, on one hand, based on the university’s legitimate interests in marketing and, on the other hand, based on consent. In cases where the processing of personal data is based on your consent, you are always entitled to withdraw such consent.

The University may also carry out other processing activities based on applicable legislation. For example, the University is obliged to retain the academic records of all its current and former students. The University is thus required by law to preserve all issued student diplomas. Moreover, the processing of health-related data for the purposes of providing special support to students and the processing of documents confirming illness, is based on provisions of the Higher Education Institution Act, which requires the University to provide students who deal with sickness or emotional or social difficulties, as well as students with disabilities, with special support.

Disclosure to third parties
The University may share your personal data with contractors and other third parties in relation to their service to the University, such as collectors and commercial banks for the collection of tuition fees. We may also share your contact information with external examination moderators, in order for them to be able to provide their services. Access to your personal data may also be provided to third parties that provide the University with information technology and data processing services, who generally act as data processors.

Third parties providing the University with the above processing services may be located outside Iceland. Personal data is however only transferred by to countries outside the European Economic Area if such transfer is permitted under applicable privacy legislation.

Furthermore, third parties may have access to user information stored in the MySchool directory, such as contact information, date of birth, and students’ portrait in some cases. For instance, the Student Unions at RU gets access to information from the directory for the purpose of sending students emails concerning activities and events and inviting them to join. Teachers and faculty also have access to the directory to facilitate internal communications.

Your personal data may also be shared with third parties to an extent permitted or required by applicable legislation or regulation, i.e. to the appropriate ministries on grounds of their supervision of the University’s operations.

Based on the University’s legitimate interests of fulfilling its service contract on teaching and research with the Ministry of Higher Education, Science and Innovation, your personal data may be shared with Statistics Iceland, the Ministry and the Icelandic Centre for Research. When applicable, students’ academic records may be shared with the Icelandic Student Loan Fund.

Moreover, your personal data may be disclosed as permitted or required by applicable law or regulatory requirements or to comply with valid legal processes such as search warrants, subpoenas or court orders. Disclosure can also be necessary during emergency situations or to protect the safety of a student or employee, the University or a third party.

This Annex forms a part of RU’s Privacy Policy. The Annex applies to the University’s processing of personal data of job applicants.

What personal data is processed about job applicants?
We collect and maintain various types of personal data about our applicants. The types of personal data collected may differ, depending on the position applied for.

The following are examples of personal data the University collects about its applicants:

•  contact information, such as name, social security number, address, telephone number and email address;
• job applications;
• resumés and information about education, training, work experience, and letter of intent;
• information from referees and when applicable, recruitment agencies;
• information on the applicant’s ability to deliver lectures, when applicable; and
• information from job interviews.

In addition to the examples of data listed above, the University may collect and process other types of data you submit during the application process, i.e. information regarding hobbies and your family. The University also collects the contact information of referees.

Should the University be required to apply for a work permit on behalf of the applicant, pursuant to the Foreign Nationals’ Right to Work Act No. 97/2002, the following information is also processed:

• country and place of birth;
• information on the arrival in Iceland;
• marital status;
• insurance company; and
• information provided in a criminal record.

In general, the University collects personal data directly from you. However, data may also be collected from referees and recruitment committees, when applicable. The University will notify you when personal data is obtained from other third parties.

If you are offered a position at the University, we may request that you provide a copy of your diploma in relation to specific jobs before the employment contract is finalised.

Why does the University process personal data and on what grounds?
We collect applicants’ personal data primarily to assess their qualifications for a specific position at the University.

The processing of your personal data is carried out in relation to your job application, i.e. based on your request to enter into a contract with the University. Referees’ contact information is, on the other hand, processed on grounds of the University’s legitimate interests of researching the applicant’s career.

The processing of personal data by the University, when applying for a work permit on behalf of the applicant to be hired, is based on the University’s legal obligations as stipulated in the Act on Foreigners No. 80/2016 and Foreign Nationals’ Right to Work Act No. 97/2002. In certain cases, we may also need your consent to process specific data relating to your work permit application. In such cases you may, at any time, withdraw your consent. The withdrawal does however not affect the processing carried out prior to the withdrawal.

Failure to provide the University with the information requested during the application process may affect your chances of being hired.

Access to your personal data and disclosure to third parties
The right to access information on applicants is limited to the University’s Human Resource department, directors and the supervisors of the position applied for.
The University may share your personal data with members of recruitment and qualification committees, who may potentially be external parties. The University may also share your personal data with a recruitment agency in relation to the recruitment process. For work permit applications, personal data is shared with the Directorate of Labour, the Directorate of Immigration and the respective Trade Union for evaluation, as required by the Foreign Nationals’ Right to Work Act.

We note that the University employs third party data processors who provide us with information technology services. For the purposes of providing those services, the data processors may have access to your personal data, e.g. for hosting purposes.
The University will not transfer personal data to countries outside the European Economic Area unless such transfer is permitted under applicable privacy legislation. Should members of recruitment and qualification committees be situated outside the EEA, the transfer of data is executed on grounds of standard contractual clauses or your consent.

Retention of personal data
Under the Public Archives Act no. 77/2014, the University is prohibited from destroying or disposing of any documentation that falls within the scope of the Act, without permission from the National Archive of Iceland. Therefore, your personal data is handed over to the National Archives of Iceland in 30 years’ time.

This Annex forms a part of RU’s Privacy Policy. The Annex applies to the University’s processing of personal data of all current and former employees, part-time teachers and contractors, collectively referred to as “Employees”.

What personal data is processed about employees?
We collect and maintain various types of personal data about our employees. The types of personal data collected may differ between employees, depending on their role within the University.

The following are examples of personal data the University collects about its employees, although more limited information may be collected about our contractors and part-time teachers:

• contact information, such as name, social security number, address, telephone number and email address;
• job applications, recommendations and details from job interviews;
• information on education, training, and work experience;
• information from performance evaluations, professional development and professional training sought by employees;
• employment contracts;
• information on salary, benefits, and related information, such as bank accounts, pay, grants, allowances, etc.;
• information on trade union membership and pension fund;
• information on work-related accidents;
• information about the closest relative;
• attendance records for events organised by the University;
• employee reprimand letters;
• time registration and information on employee presence;
• information on holidays and sick days;
• information on cafeteria purchases;
• portrait and date of birth published on the University’s intranet;
• information for travel booking;
• information on termination of employment, i.e. letter of termination, last day of employment and settlement;
• emails sent or received via an email address provided by the University;
• classroom recordings; and
• information collected by electronic surveillance, e.g. surveillance camera recordings, information on internet usage and information collected from access cards to access-controlled areas.

In addition to the examples of data listed above, the University may collect and process other types of data, including data voluntarily submitted by employees. The University also conducts a workplace analysis in which employee satisfaction is measured, the results of which are not traceable to individual employees.

In general, the University collects personal data directly from employees. Data may be collected from third parties, e.g. from witnesses in relation to work-related accidents, from the cafeteria in relation to purchases, and from supervisors or colleagues in relation to performance evaluations. The University will notify employees when personal data is obtained from other third parties.

Why does the University process personal data and on what grounds?
The processing of the personal data collected is first and foremost based on our contractual obligations under our employment contract, on our legal obligations or on our legitimate interests.

Processing for the purpose of honouring your employment contract includes the following data:

• contact information, such as name, social security number, address, telephone number and email address;
• employment contract;
• information on salary, benefits, and related information, such as bank accounts, pay, grants, allowances, etc.;
• information on education, training, and work experience;
• information from performance evaluations;
• information for travel booking;
• information on cafeteria purchases; and
• time registration, information on employee presence and earned holiday leave.

The processing of personal data which is based on the employee’s employment contract is necessary for the University to comply with its obligations to employees, and vice versa, including the payment of salary and to assess employees’ qualifications and ability to take on different roles within the University. Failure to provide necessary data may lead to the University not being able to comply with its contractual obligations or being required to alter your tasks or roles at the University.

In addition to the above, the University may process your personal data based on its legitimate interest of safeguarding property, for example video footage via the use of surveillance cameras and other content collected via electronic surveillance, e.g. from the University’s access control systems. Portraits of employees and part-time teachers are also displayed on the University’s intranet to facilitate their identification.

Furthermore, the processing of data in relation to employee reprimands is based on the University’s legitimate interests of enforcing employee rules. The registration of data relating to educational and professional development is based on the University’s legitimate interests of analysing employee educational needs and mapping out their skills and abilities. Event attendance records are registered on the grounds of the University’s legitimate interests of organising such events.

The University may also process data based on employees’ legitimate interests, e.g. information on the closest relative, for contacting in case of emergencies.

Based on our legitimate interests of facilitating the transfer of information to employees and part-time teachers, the University makes use of an intranet containing employees’ and part-time teachers’ contact information and portrait. We may request your consent for the processing of additional data on the intranet, such as your date of birth. Whenever your consent is required for our collection or processing of your personal data you may, at any time, withdraw your consent.

The University may also carry out other processing activities based on its legal obligations, such as under labour and tax legislation. For instance, processing of information in relation to work-related accidents and information on employees’ pension fund, trade union and sick days. The University also registers information in relation with possible employee reprimands on the grounds of legislation, specifically information for measures against bullying, sexual or gender-based harassment and violence at the workplace.

As the University is legally obligated, under the Public Archives Act, to deliver archives to the National Archives of Iceland, the University’s retention of data is also based on its legal obligations.

Disclosure to third parties
We may share your personal data with contractors and other third parties because of their service to the University in relation to your employment contract, e.g. commercial banks and financial institutions for salary payment and workers in the travel industry for travel bookings. We may share your personal data with other educational institutions at your request, and with parties you cooperate with, e.g. in relation to a seminar presentation.

Access to your personal data may also be provided to third parties who provide the University with information technology services as well as other data processing services.
Third parties providing the University with processing services may be located outside Iceland. Personal data is however only transferred outside the European Economic Area if such transfer is permitted under applicable privacy legislation.

We may share your personal data with third parties as authorized or required by applicable legislation, e.g. the Administration of Occupational Safety and Health in case of a work-related accident, to trade unions and pension funds or insurance companies. For statistical purposes, your data may also be shared with Statistics Iceland. It may furthermore be shared with third parties to comply with valid legal processes such as search warrants, subpoenas and court orders. Disclosure can also be necessary during emergency situations or to protect the safety of University employees or a third party.

This Annex forms a part of RU’s Privacy Policy. The Annex applies to the processing of employee and student personal data which is collected via electronic surveillance, as well as the processing of personal data collected via video surveillance on the University’s property and on Reykjavik University campus.

The following electronic surveillance is carried out in the University:

• surveillance of internet use and the use of the University’s equipment;
• surveillance of emails sent or received via an email address provided by the University;
• access control on the premises; and
• monitoring with surveillance cameras on the University’s property and campus.

This surveillance is carried out based on the University’s legitimate interests of safeguarding its computer and network servers and other property. We ensure that the processing does not exceed what is necessary to reach the intended purpose of the electronic surveillance.

Email surveillance
Emails that are sent and/or received via an email address provided by the University pass through a spam-filter and are scanned for viruses and malware.

Generally, the University does not view the emails of employees and part-time teachers in accounts provided for by the University. However, the University reserves the right to do so, if need be. Such viewings shall only take place under exceptional circumstances, e.g.:

1. if the mailbox is believed to be used for unlawful or criminal purposes, including breach of University rules;
2. if there is suspicion of professional misconduct, including violations of law and University rules;
3. if there is suspicion of a third party having unlawfully taken over or gained access to the mailbox;
4. in the event of a security breach or a similar technical incident in which it is necessary to view the mailbox to diagnose and address the problem; or
5. due to maintenance or surveillance of the email system itself which may, under exceptional circumstances, require access to certain mailboxes.

Accessing former or absent employees’ email accounts may also be necessary to come by urgent and essential documents. Viewing of email accounts may also be necessary, given reasonable suspicion of gross professional misconduct. This does, however, not apply to private email that is neither sent nor received through email addresses provided for by the University.

In the event of a viewing of the email of an employee or student, the viewing shall be carried out in accordance with the applicable laws and regulations on personal data and electronic surveillance that are in force at the given time.

In the event of a viewing, the respective employee or student shall be notified beforehand and given the opportunity to be present during the viewing. This is, however, not applicable when critical interests advise against waiting for the individual, such as in the case of a serious failure of the University’s computer systems that outweigh the employee’s or student’s rights to privacy. If unable to attend the viewing, the employee or student shall be given the opportunity to appoint a representative to be present during the viewing.

At the end of employment, employees’ email accounts are deactivated and deleted, as per instructions from their immediate supervisor or head of the Human Resource department. Employees shall delete private emails at the end of employment and be given the opportunity to make copies of such emails. When deemed necessary to view emails of a former employee, the former employee shall be given the opportunity to be present during the viewing, with the same exceptions as provided above.

At the end of attendance, students’ email accounts are deleted. Students shall be given a reasonable amount of time to make copies before the deletion takes place.

Surveillance of internet and use of equipment
The use of equipment owned by the University, along with the use of the University’s internet, is traceable to the user. The University monitors all logging on and off its computers, thus making it possible to view which employees and students have used a specific device and at what time. This data is, however, not centrally recorded. For security reasons, employee and student user identification, MAC identification, and IP address assigned by the University are saved when employees and students use the University network. Therefore, the University can access information on where and how long a certain employee or student has used certain equipment on the University’s network.

The University generally monitors the internet usage and data levels for the purposes of detecting abnormal traffic. This is necessary for security reasons as well as ensuring that internet usage is in accordance with the University’s rules . The rules for users of the University’s computer systems can be viewed here. Additionally, users using the RHnet shall comply with the RHnet Acceptable Use Policy.

The University reserves the right to view more detailed information on the internet usage, connections, and data levels of specific employees and students, if there is reasonable suspicion of a violation of applicable laws and regulations.

In the event of a viewing of a specific user’s internet usage, the user shall be notified beforehand and given the opportunity to be present. This is, however, not applicable when critical interests advise against waiting, such as in the case of a serious failure of the University’s computer systems that outweigh the users right to privacy. If unable to attend the viewing, the user shall be given the opportunity to appoint a representative to be present during the viewing.

Information about the internet usage of employees and students is kept on a server, generally for no longer than 90 days. Information may, however, be preserved on a backup for a longer time.

Surveillance cameras
The University uses surveillance cameras for the purposes of safeguarding the University, faculty and students as well as their possessions. The areas under surveillance are labelled; the cameras are, however, only situated in public areas around the University premises, including the University’s corridors. Surveillance cameras are not utilized in faculty areas or classrooms, unless specifically specified.

Surveillance cameras can also be found on Reykjavík University campus. The surveillance cameras are used to safeguard property and possessions as well as to follow house rules. There are nine cameras in each building and they are located in the lobby, in the storage corridor, and in the shared laundry room. The areas under surveillance are specially labeled.

Footage obtained by electronic surveillance is erased when there is no longer a valid reason for retention and is generally not kept for more than 30 days unless permitted by law. This does not apply to the necessary preservation of footage in relation to the establishment, exercise or defence of a legal claim or other requirements of law.

Access controls on the premises
The University’s premises are access-controlled. Employees and students receive access cards that track their comings and goings on University premises. The information collected through these access cards is preserved for six months. It may, however, be preserved on a backup for a longer time.

Disclosure to third parties
Personal data collected by way of electronic surveillance is not shared with third parties without your consent or in accordance with the Data Protection Authorities’ decision or rules. However, information may be shared with the police, i.e., in the case of an accident or alleged criminal offense.

This Annex forms a part of the University of Reykjavik‘s Privacy Policy. The Annex applies to the University‘s processing of personal data of students of the Open university.

What personal data is processed about students of the Open university?
The University collects and retains various types of personal data about the students of the Open university. The types of personal data collected may differ, depending on which course or study program a student participates in and whether any admission requirements are made.

The following are examples of personal data the University collects about students of the Open university:

• contact information, such as name, social security number, address, telephone number and email address;
• academic record, CV, place of work and recommendations, if admission requirements apply;
• information from interviews for study programs, if admission requirements apply;
• information on academic record within RU;
• health-related data due to special needs;
• library loan history;
• written communication history between students and teachers or faculty;
• payment information in relation to course fees; and
• confirmation that a student has completed a course or a study program.

In addition to the examples of data listed above, the University may collect and process other types of data, including data voluntarily submitted by students.

In general, the University collects personal data directly from students. If registration for a course or study program is made via a student’s place of work, personal data may however also be collected straight from the place of work. The University will notify students when personal data is obtained from other third parties.

Furthermore, the University processes the contact information of former students of the Open university, as well as of those individuals who have signed up for the Open university mailing list or promotional meetings.

Why does the University process personal data and on what grounds?
The personal data collected about students is first and foremost used to honour our responsibilities laid down in the admission contract, but also for the legitimate purposes of the University and sometimes personal data is processed based on the consent of students.

Processing which is based on our admission contracts with students includes:

• contact information, such as name, social security number, address, telephone number and email address;
• academic record, CV, place of work and recommendations, if admission requirements apply;
• information from interviews for study programs, if admission requirements apply;
• information on academic record within RU;
• confirmation of illness;
• library loan history;
• payment information in relation to course fees; and
• confirmation that a student has completed a course or a study program.

Provision of data based on our admission contract is necessary for the University to comply with its obligations to students, and vice versa, including the payment of course and/or study program fees and for the purposes of course registration. Failure to provide necessary data may lead to the University not being able to comply with its obligations towards students.

The University may process data in order to safeguard written communication history between students and teachers or faculty, based on both the University’s and students’ legitimate interests. Processing of contact information of former students and those who register for the Open university’s mailing list or promotional meetings is based either on the University’s legitimate marketing interests or the individual’s consent. Whenever the processing of personal data is based on your consent you may, at any time, withdraw your consent.

The processing of health-related data for the purposes of providing special support is based on provisions of the Higher Education Institution Act, which requires the University to provide students who deal with sickness or emotional or social difficulties, as well as students with disabilities, with special support.

Disclosure to third parties
We may share your personal data with contractors and other third parties in relation to their service to the University, such as collectors and commercial banks for the collection of course and/or study program fees. Access to your personal data may also be provided to third parties which provide the University with information technology and data processing services, who generally act as data processors.

Third parties providing the University with processing services may be located outside Iceland. Personal data is however only transferred to countries outside the European Economic Area if such transfer is permitted under applicable privacy legislation.

Your personal data may also be shared with third parties to an extent permitted or required by applicable legislation or regulation, e.g. to the appropriate ministries in relation to the security brokerage study program and the certification of financial consultants. The transfer of data to third parties may also be based on the University’s contract with the student or his/her place of work.

Moreover, your personal data may be disclosed as permitted or required by applicable law or regulatory requirements or to comply with valid legal processes such as search warrants, subpoenas or court orders. Disclosure can also be necessary during emergency situations or to protect the safety of a student or employee, the University or a third party.

This Annex forms a part of the University of Reykjavik‘s Privacy Policy. The Annex applies to the University‘s processing of personal data of students of Skema as well as their guardians.

What personal data is processed about students of the Open university and their guardians?

The following are examples of personal data the University collects about students of Skema:

• contact information, such as name, social security number, address and telephone number;
• sex;
• school;
• health-related data, e.g. regarding allergies and other diagnoses;
• information on courses attended at Skema;
• pictures from daily work; and
• award documents.

The University processes the contact information of guardians, as well as their payment information in relation to payment of course fees. In addition to the examples of data listed above, the University may collect and process other types of data, including data voluntarily submitted by students and their guardians.

In general, the University collects personal data directly from its students’ guardians. The University will notify students and their guardians when personal data is obtained from third parties.

Furthermore, the University processes the contact information of those who sign up for the Skema’s mailing list.

Why does the University process personal data and on what grounds?
The personal data collected about students and their guardians is first and foremost used to honour our responsibilities based on our contract with guardians in relation to the students’ studies, but also for the legitimate purposes of the University and sometimes personal data may be processed based on the consent of guardians or the students themselves.

Processing which is based on our contracts with guardians includes:

• contact information, such as name, social security number, address and telephone number;
• school;
• information on courses attended at Skema; and
• payment information.

Based on the school’s legitimate interests and for statistical purposes, the school processes data on the students’ sex.

The processing of health-related data is based on the explicit consent of guardians. The publishing of photographs and videos from Skema’s daily work is also based on guardians’ consent, which is requested from guardians upon registration, or from the student him/herself, where appropriate. Photographs and videos that are taken at Skema’s open events may however be published without the consent of guardians, provided that the photographs or footage does not show individuals in sensitive circumstances.

Furthermore, the contact information of our customers may be used for marketing purposes, based on the University’s legitimate interests. The contact information of individuals who sign up for Skema’s mailing list is processed based on the individuals’ consent. Whenever the processing of personal data is based on your consent you may, at any time, withdraw your consent.

Disclosure to third parties
The University may share the personal data of students and their guardians with contractors and other third parties in relation to their service to the University, such as collectors and commercial banks for the collection of course fees. Access to your personal data may also be provided to third parties which provide the University with information technology and data processing services, who generally act as data processors. Furthermore, photographs and video footage may be transferred to social media for the purposes of posting the photographs and video footage on relevant social media in order to provide insight into the daily operations of Skema.

Third parties providing the University with processing services may be located outside Iceland. Personal data is however only transferred to countries outside the European Economic Area if such transfer is permitted under applicable privacy legislation.

Moreover, your personal data may be disclosed as permitted or required by applicable law or regulatory requirements or to comply with valid legal processes such as search warrants, subpoenas or court orders. Disclosure can also be necessary during emergency situations or to protect the safety of a student or employee, the University or a third party.