This privacy policy is intended to inform what personal information the organization collects and in what way the organization uses such personal information.

The Icelandic Red Cross, SSN. 530269-2649, Efstaleiti 9, 103 Reykjavík (also referred to as "the Red Cross", "the organization" and "our") places great emphasis on ensuring the reliability, confidentiality and security of the personal information that the organization processes.

This privacy policy is intended to inform you about the Red Cross' processing of personal data, including what personal data the organization collects, how the organization uses such personal data and to which third parties the Red Cross may share the information.

This privacy policy applies to personal data on individuals who belong to the following groups that provide services to the Red Cross or seek services from the association: volunteers, members, clients, benefactors, purchasers of services, course participants, instructors of courses and participants in other projects. The policy also applies to the processing of personal data on applicants for jobs and participants in the work of the union.

This privacy policy only applies when the Red Cross processes personal data as a controller in the sense of Act No. 90/2018 on Data Protection and the Processing of Personal Data, e.g. when the Red Cross processes the personal data of volunteers, clients, benefactors, participants in courses, applicants for jobs with the Association or others who are connected to the Red Cross in one way or another. In this policy, the parties about whom the Red Cross may process personal data are referred to collectively as "data subjects" or to "you".  

Please contact us if you are in doubt about how this Privacy Policy applies to you. Our contact details will be provided at the end of the policy.

Data Controller	The controller is the person who determines the purposes and methods of the processing of personal data. It can be an individual, a organization, a public authority or another body.
Data Processor	The controller is the person who determines the purposes and methods of the processing of personal data. It can be an individual, a organization, a public authority or another body.

The managing director/management concerned is responsible for ensuring compliance with laws, policies and the role of the organization. The Managing Director ensures that the relevant employees support in the implementation of the document.

The document owner is in charge of oversight and ensures that the content of the document is enforced and maintained.

The quality manager is responsible for the organization of quality documents and issues documents in the quality system.

Heads of departments, department heads and other staff with staff authority are responsible for presenting the document and ensuring their employees' understanding of it.

All staff and volunteers are responsible for complying with the document and informing them of any deviations they encounter. 

5.1.         What personal data does the Red Cross process?

The Red Cross' processing of personal data depends on the organization's relationship with the individuals to whom the information belongs. Different personal data may be collected about individuals depending on whether the person in question is doing business with the association, is a volunteer or attends services from the Red Cross.

In the sections below you can find further information on what personal data the Icelandic Red Cross processes in different cases, a description of the purpose for which the processing is carried out and on what basis the processing is based. Click on the one that applies to you.

5.1.1.     Job applicants

The Red Cross processes the following personal data on job applicants, as applicable:

·         contact information, such as name, address, email address, and telephone number

·         ID number

·         information contained in the CV and cover letter

·         information on the application form, including career and education

·         Other information that the applicant chooses to provide during the recruitment process

The organization also processes the following information on the applicants who proceed in the recruitment process:

·         Information from referees

·         information that emerges during a job interview

Information on applicants is obtained from the applicant himself, references and from Alfred ehf. and they are used to assess the applicant's ability to perform the job in question. Such processing is based on the applicant's request for an employment contract.

The Icelandic Red Cross stores applicants' personal information for up to 6 months after the application has been received by the organization, after which applications are securely deleted. The Red Cross may request to store applications longer due to further job opportunities at the organization. In such cases, the Red Cross will contact the applicant and request approval for longer storage.

5.1.2.    Volunteers

5.1.2.1.    Applicants for volunteer positions

The Red Cross collects and stores various personal information about applicants for volunteer work. Different types of personal data may be collected depending on the nature of volunteer work, but the following personal data of applicants is generally requested and processed:

·         contact information, such as name, address, telephone and email address

·         ID number

·         information contained in the CV and cover letter

·         Reasons for application, specified by the applicant

·         A criminal record certificate or a confirmation from a volunteer that he/she has not been guilty of, enjoys the legal status of a defendant in connection with or is under investigation in connection with violent or sexual offences

·         where applicable, other optional information, such as gender, convenient location, interests and language skills

A criminal record certificate is only requested in cases where the volunteer work involves close work with children or close work with adults where supervision is limited, e.g. in visiting projects. After the criminal record has been examined, it is deleted, but a confirmation that the applicant does not have a criminal record is saved. The Red Cross bases this processing on a legal obligation, with regard to work with children (Article 10(4) of the Youth Act No. 70/2007), but on legitimate interests with regard to other volunteer work. In cases where a volunteer will be working with children, the Red Cross requests a criminal record certificate directly from the Director of Public Prosecutions, but never without a power of attorney from the applicant.

The above information is used to assess the applicant's ability to carry out the volunteer work in question. Such processing is based on the applicant's request for an agreement on volunteer status and, as applicable, on the basis of the legitimate interests of the Red Cross.

In addition to the above, applicants can provide the following information, which is then processed by the Red Cross for the purpose of identifying how well the Red Cross volunteer group reflects the diversity of the community, as well as being used when matching projects and volunteers, so that volunteers receive appropriate tasks:

·         nationality

·         health information, e.g. information about difficulties with vision, gait, independence, hearing, memory or communication.

It has no effect on the processing of an application whether the applicant chooses to provide this information or not, and therefore this processing is based on the unequivocal consent of the applicant. Thus, the applicant can at any time withdraw his/her consent to the processing of the above-mentioned information, and request that it be deleted.

5.1.2.2.  Active volunteers

Different types of personal information are collected depending on the nature of the volunteer work in question at any given time. However, the Red Cross always processes the following personal data about its volunteers:

·         contact information, such as name, address, telephone and email address

·         ID number

·         information about the areas of interest and projects that the volunteer carries out

·         Information on attendance at meetings and other events

·         information about where the volunteer is working and at what time

·         information on training and education that a volunteer has attended from the Red Cross

In addition to the above, active volunteers may be required to provide the following information:

·         information contained in the CV and cover letter

Information about volunteers is collected from the volunteers themselves or partners of the Red Cross, such as the ESC. The information is used to assess the applicant's ability to carry out the volunteer work in question and to keep track of volunteers' participation in the work. Such processing is based on an agreement with volunteers. The Red Cross may in some cases share the personal data of volunteers with third parties, for example to the ESC, International Youth Exchange or Rannís, as appropriate.

At meetings and events attended by volunteers, photographs may be taken and published on the Red Cross website, as the case may be, on the basis of the Red Cross's legitimate interests or the consent of volunteers. However, proportionality is always observed in such publication.

As further specified in this privacy policy, the Red Cross conducts electronic monitoring, including in its stores and where clothing sorting takes place. The surveillance is primarily carried out for the purpose of asset and security protection, but the Red Cross may also use the camera surveillance for the purpose of ensuring that volunteers are present on duty. 

5.1.3.    Community Servers

Volunteers may come from the community service group, i.e. those who serve a sentence by performing community service. The Red Cross, on the basis of an agreement with the Directorate of Prisons, is responsible for the management of community services. The following information is processed about community servers:

·         contact information, such as name, phone number, and email address

·         Project description

·         Information on attendance at the project

Information on community servants is received from the Directorate of Prisons, but information on projects and attendance of community servants in those tasks is obtained from the Red Cross. The processing for which the Red Cross is responsible is therefore based on an agreement with the community servants. 

5.1.4.    Clients

Different personal information is collected depending on how assistance the Red Cross provides to the client in question.

Only the information that is necessary at any given time is processed, but the following are examples of the personal data that the Red Cross processes about almost all of the association's clients:

·         contact information, such as name, address, telephone number, and email address

·         ID number

·         information about the client's circumstances and the services provided

In exceptional cases, the following information is processed, but only when such processing is necessary to provide the client with the requested service:

·         information about religion, sexual orientation, country of origin, nationality, etc.

·         Information on family life

·         Health Information

Information on clients is obtained either from the individual himself, relatives, municipalities, the government or others, as appropriate. The information is used for the purpose of providing clients with the assistance they need and their processing is based on either a legal obligation, contract, consent, the client's vital interests or the legitimate interests of the Red Cross.

The Red Cross may in some cases share the personal data of clients with third parties who provide the client with services or are involved in projects under the auspices of the Red Cross, e.g. to municipalities or the Directorate of Immigration. Such disclosure is generally based on the client's consent or request for services, but could under certain circumstances take place on the basis of the client's compelling interests, provided that the client is not able to give consent.

Finally, the Red Cross and the International Council of the Red Cross and Red Crescent Societies (ICRC) are joint controllers for the processing that takes place through family reunification and search services. Thus, the Red Cross is responsible for processing related to the collection of information from clients and the registration of personal information in the search system, while the International Council of the Red Cross and Red Crescent Societies is responsible for hosting the information and processing in the system. 

5.1.5.    Benefactors

About the benefactors of the Red Cross, e.g. Philanthropists and those who make voluntary contributions to the association, the following personal data is processed:

·         contact information, such as name, address, telephone number, and email address

·         ID number

·         Card and payment information

·         information on grants or other forms of support, if applicable

Photographs of certain benefactors may also be published by the Red Cross, but such publication is based on the consent of the benefactor in question or his/her guardian.

Information about benefactors is collected from the individual himself and is used for the purpose of contacting the benefactors of the Red Cross and sending them payment demands. This processing is based on the organization's agreement with the benefactor in question. A benefactor's ID number is also requested for the purpose of disseminating necessary information on their contribution to the Iceland Revenue and Customs, in accordance with the provisions of the Income Tax Act, as such contributions are deductible from income tax.

In cases where a benefactor is a child and chooses to support the Red Cross, e.g. by holding a raffle, information about the benefactor usually comes from the guardians and the information is provided with their consent.

The Red Cross may in some cases share the personal data of benefactors with third parties, such as banks or payment processors.

Information on previous grants may be used to keep track of who the Red Cross can turn to for fundraising in the future. This processing is based on the legitimate interests of the Red Cross. 

5.1.6.    Fundraising

The Red Cross may contact individuals for fundraising purposes, both by telephone and email. These can be both individuals who have been in contact with the union before, but also parties who have no connection to the union. It is always ensured that parties that are prohibited in the telephone directory or the National Registry are not contacted and that direct mail is not sent except in accordance with the provisions of the Telecommunications and Data Protection Act. This processing is based on the legitimate interests of the Red Cross.

5.1.7.    Courses organized by the Red Cross

When you register for an event or course organized by the Red Cross, we ask for your personal information to manage your registration and payment, as applicable. Different information may be collected depending on the type of event or course, but in general, the following information is requested, which is necessary for the Red Cross to comply with your request to participate:

·         contact information, such as name, address, telephone and email address

·         ID number (for the issuance of certificates and academic achievements)

·         Information on which courses are attended

·         Payment Information

·         Employer information

·         information on attendance and graduation from the course

In cases where third parties, often employers, have managed the registration of individuals for a course organized by the Red Cross and shared a list of participants with the Red Cross, the Red Cross may pass on information back to the employer about who attended the course and who graduated from the course. Such dissemination takes place on the basis of the organiser's legitimate interests. 

The Red Cross collects and stores the following personal information about instructors who instruct in courses organized by the organization:

·         contact information, such as name, address, telephone and email address

·         Information on instructor qualifications

·         information on taught courses and participation in courses

·         payment information, as applicable

The information is used to assess the person's ability to instruct in a course and this processing is based on our agreement with the instructor.

Courses may also include photographs that are published on the Red Cross website, as the case may be, on the basis of the Red Cross's legitimate interests or consent. However, proportionality is always observed in such publication.

5.1.8.    Red Cross online store

The Red Cross runs an online store where you can support the organization by buying various gifts for good deeds, merchandise and more. In order to be able to process individuals' purchases of products to support the Red Cross, the organization generally processes the following personal information about customers:

·         contact information, i.e. name, e-mail address, address and telephone

·         ID number

·         Payment Information

An email address is requested so that the customer can be sent an electronic receipt and an address to send the product to the customer. An ID number is also requested for the purpose of disseminating necessary information on contributions to the Iceland Revenue and Customs, in accordance with the provisions of the Income Tax Act, as such contributions are deductible from income tax.

The Red Cross also uses cookies to improve the customer experience in its online store. The Red Cross may also use contact information to send customers who have shopped at the Red Cross information about education and events organized by the organization. This processing is based on the legitimate business interests of the Red Cross, but customers can always opt out of such emails by clicking on the link that appears at the bottom of the email in question.

5.1.9.    Ambulance transport

The Red Cross collects and stores various personal data on individuals transported by ambulance transport, those who carry out such transport and the payer of the service.

The Red Cross may process the following personal data on an individual transported by ambulance:

·         name, social security number, address and citizenship

·         information that an individual has been transported by ambulance transport

·         Information on when the transfer took place

·         information on where an individual was transferred from and where information on the handling of the transfer

The Red Cross may process the following personal data about the intended payer of ambulance transport:

·         Contact information and ID number

The Red Cross also processes information on the ambulance's call name and the ambulance's fixed number, which may be traceable to the individual who provided ambulance transport.

The above information is necessary to provide ambulance transport and to collect fees for such services in a special system run by the Emergency Line ohf. and is obtained on the basis of a legal obligation and on the basis of a service agreement with Icelandic Health Insurance.

The Red Cross may in some cases share the personal data of data subjects with third parties, for example to collection agencies and payment providers.

5.1.10.  Customers who

The Red Cross collects and stores the following personal information about its customers and contacts who act on behalf of legal entities that do business with the Red Cross:

·         contact information, such as name and email address

·         communication history

If you are an individual doing business with the Red Cross, we also process information that is necessary to be able to send you a demand for payment.

The above information is necessary so that customers can be provided with the service they seek at any given time. Their processing is based either on the legitimate interests of the Red Cross to be able to provide the requested services or on a contract.

5.1.11.   Contractors and suppliers

The Red Cross collects and stores the personal data of contractors who are hired to carry out certain projects as well as the organization's suppliers.

The Red Cross processes the following information on contractors who carry out projects for the association, and this processing is based on our contract with the contractor in question:

·         contact information, such as name, address, email address, and telephone

·         communication history

·         ID number

·         Bank Information

·         information on qualifications and experience, if applicable

If you are a contact person for suppliers, the following information may be processed about you on the basis of the legitimate interests of the Red Cross:

·         Contact contact information, such as name and email address

·         communication history

5.1.12.   First Aider of the Year

Every year, nominations are opened for the title of First Aider of the Year. Individuals can submit nominations and then one is selected from those nominations. In connection with this project, personal data is processed about those who nominate, but also about, those who are nominated and those who received first aid from the nominees.

More specifically, the following personal data is processed about the person who submits a nomination:

·         contact information, such as name, phone number, and email address

·         age

·         communication history

The following information is processed about the person nominated for the title:

·         name

·         age

·         contact information, such as email address, telephone number, and address

·         A story of the incident where first aid was administered by the person

Finally, the following information is processed about the person who received first aid from the nominee:

·         name

·         A story of the incident in which the person accepted first aid

The above information is received with the nomination and is therefore provided by the person who nominates another individual for the title. A special selection committee, consisting of representatives from the Red Cross, ICE-SAR, the National Emergency Line, Landspítali University Hospital, the Civil Protection Department of the National Commissioner of Police, and the National Association of Fire and Ambulance Personnel, will then have access to the nominations, evaluate them and select the First Aider of the Year.

Information about the nominee is deleted as soon as the selection of a First Aider is completed. The nominations themselves, which contain information about the nominee and the person who received first aid from the nominee, are retained for 4 years, after which they are deleted.

This processing is based on legitimate interests. 

5.1.13.   Electronic monitoring

The Red Cross uses camera surveillance in the organization's stores, in the organization's facilities where clothing sorting takes place as well as in the organization's emergency shelter where Red Cross clients are staying.

Camera surveillance is used for security and property protection purposes. Camera surveillance in the Emergency Shelter is also used to ensure compliance with the house rules that apply in the Emergency Shelter. Camera surveillance in the association's facilities where clothing sorting takes place may also be used for the purpose of ensuring that volunteers are present on shifts.

The processing is carried out on the basis of the legitimate interests of the organization and its employees.

All areas where camera surveillance takes place under the auspices of the Red Cross are appropriately marked.

Information collected through electronic monitoring is generally not stored for more than 30 days. The Red Cross may be required to share information collected through electronic surveillance with the police or another third party, such as an insurance organization, in order to make a claim or defend against a claim, e.g. in the event of theft or in the event of an accident.

5.1.14.  Board and committees

The Red Cross processes the following personal data on individuals who sit on the board of the association and/or committees on its behalf:

·         contact information, such as name, address, email address, and telephone number

·         ID number

·         information on qualifications

The information is used to make appointments to the board and committees in accordance with the law, and its processing is based on the law on the one hand and the agreement on committee membership on the other.

5.2.        Source of information and retention period

Personal data processed by the Red Cross is generally obtained directly from the individual to whom the information relates, unless otherwise stated.

The Red Cross stores personal data for as long as necessary in relation to the purpose of the processing, as further described in this Privacy Policy in connection with individual processing operations, unless otherwise permitted or required by law.

The Red Cross also reserves the right to prepare non-personally identifiable statistical summaries and other derived information that is undoubtedly non-personally identifiable and to use them in the work of the organization, for example for the organization's annual report, newsletters and at meetings organized by the Red Cross.

5.3.        Disclosure of personal data to third parties

The Red Cross may share personal information with third parties, such as in connection with a third party's contractual relationship with the organization or for debt collection.

In addition to the third parties specified in the policy in connection with individual processing operations, personal data may also be disclosed to third parties who provide the Red Cross with IT and telecommunications services or other services related to processing and are part of the organization's operations. The transfer of personal data to such parties is based on the Red Cross's legitimate interest in outsourcing certain tasks to external parties.

Third parties that provide services to us as described above may be located outside of Iceland. However, the Red Cross will not share personal data outside the European Economic Area unless this is permitted on the basis of applicable data protection legislation, e.g. on the basis of standard contractual clauses, the consent of individuals or the Data Protection Authority's advertisement of states that provide adequate protection of personal data.

Finally, personal information about you may be disclosed to the extent permitted or required by applicable law or regulation. Also, your personal information may be shared with third parties in response to lawful actions such as house searches, subpoenas, or court orders.

5.3.1.    How is the security of personal information ensured?

The Icelandic Red Cross endeavours to take appropriate technical and organisational measures to protect personal data, with particular regard to its nature. Examples of such security measures are access control to systems and other storage locations where personal data is stored and two-factor authentication. These measures are intended to protect personal data against accidental loss or alteration and against unauthorised access, copying, use or disclosure.

5.3.2.   Your rights regarding the information processed by the Red Cross

Data protection laws guarantee individuals certain rights over their personal data. Thus, individuals can, for example, request access to their personal data or that it be deleted. The Red Cross seeks to ensure that the rights of the data subject are guaranteed by the association. It should be noted that your rights based on data protection laws are not absolute. Thus, the law may, for example, oblige the Red Cross to reject a request for deletion or access to data. The organization can also reject your request because of the organization's rights or the rights of other parties, e.g. to privacy, if the organization considers those rights to outweigh them.

In the event of a situation where we are unable to comply with your request, we will endeavour to explain why your request has been denied, subject to limitations imposed by law.

·         Right to rectification: It is important that the personal data processed by the Red Cross is both correct and relevant. It is therefore important that we are notified of any changes that may occur to your personal data.

·         You have the right to have inaccurate personal data about you corrected. Taking into account the purposes of the processing of personal data, you also have the right to have incomplete personal data about you completed, including by providing additional information.

·         Right of access: You have the right to obtain confirmation as to whether or not we process personal data about you, and if so, you can request access to the data and how the processing is carried out. You may also have the right to receive a copy of the information.

·         Right to data portability: In certain circumstances, you can request that the Red Cross transmit information that you have provided to us or that originates from you directly to you or to a third party. However, this right only applies when the processing of the personal data in question is based on either your consent or your agreement with the Red Cross.

·         Right to erasure: In certain circumstances, you can request that your personal data be erased without delay, for example when the retention of the data is no longer necessary in relation to the purposes for which the processing is carried out or because you have withdrawn your consent to the processing of the personal data and no other authorisation is based on it.

·         Right to withdraw consent to processing: If the processing of your personal data is based on consent, you are entitled to withdraw your consent at any time.

·         Right to restriction of processing: If you do not want your data to be deleted, e.g. because you need it to defend against a claim, but still do not want it to be further processed by the Red Cross, you can request that its processing be restricted.

·         Right to object to processing: If the processing of your personal data is based on the legitimate interests of the Red Cross, you have the right to object to that processing.

5.4. Inquiries and requests

If you wish to exercise your rights under the data protection laws described above, or if you have any questions regarding the Privacy Policy or how we process your personal data, you can contact the Data Protection Officer of the Red Cross. The Data Protection Officer will endeavour to respond to your queries and guide you regarding your rights under this Privacy Policy.

The Red Cross will generally not charge a fee for processing requests received from individuals. The Red Cross, however, reserves the right to charge for requests that are considered manifestly unfounded, repetitive and/or excessive. In addition, the Red Cross may be permitted to refuse to comply with a request in the above cases.

The Red Cross may contact individuals and request further information in relation to inquiries and requests, if deemed necessary. The Red Cross will keep your request, all information related to the request as well as communications related to the request for 4 years from its processing.

5.5.        Data Protection Officer of the Red Cross

The Red Cross has appointed a data protection officer. The Data Protection Officer receives inquiries and requests from the individuals about whom the Red Cross processes information, in addition to advising the Red Cross on the processing of personal data and acting as a contact person with the Data Protection Authority.

All inquiries regarding data protection should be sent to the Data Protection Officer at the email address personuvernd@redcross.is.

5.6.       Right to lodge a complaint with the Data Protection Authority

If you are not satisfied with the Red Cross' handling of your personal information, you can always file a complaint with the Data Protection Authority.

Information about the Data Protection Authority can be found on www.personuvernd.is.

5.7.       Changes to this policy

The Red Cross may from time to time change this privacy policy in accordance with changes in applicable laws or regulations or due to changes in how the organization processes personal data.

Any changes that may be made to the policy will take effect after an updated version has been published on the organization's website.

Approved 11th August 2025.

If there is a difference between the Icelandic and English version, the Icelandic one prevails.