Page 1

Rules no.
811/2019 um
licensing obligation
processing
personal information
a
CHAPTER I

General provisions.

Page 2

Article 1

Scope.

These rules apply to the obligation to license the processing of personal information and to
exemptions from that obligation.

Article 2

Glossary.

In these rules, the meaning of terms is as follows:

1. General personal information: Personal information that is not considered sensitive to
meaning of point 3. Paragraph 1 Article 3 Act on Privacy and Processing
personal information, no. 90/2018.
2. Encryption: The transformation of words or numbers into secret code that conceals meaning
their.
3. Central register: A systematic collection of personal information about all individuals in this country
which is accessible according to certain criteria, regardless of residence.

Terms defined in paragraph 1 Article 3 Act no. 90/2018 and Article 4. Regulation (EU)
2016/679 have the same meaning in these rules.

Article 3

Responsibility of the guarantor.

If the processing of personal information is subject to a license from the Data Protection Authority, cf. provisions of law or
of these rules, the person responsible for processing is responsible for applying for such a permit and conducting it
the processing always in accordance with the issued license and the provisions of Act no. 90/2018 and regulations
(ESB) 2016/679.

The Data Protection Authority's supervision does not affect the responsibility of the responsible party for processing
personal information, cf. Paragraph 2 Article 8 Act no. 90/2018.

Page 3

II. CHAPTER

Licensed processing of personal information.

Article 4

The following processing of personal information is subject to the written permission of the Data Protection Authority:

Co-synchronization of a file containing sensitive personal information with others
file, whether it contains general or sensitive
personal information. However, such synchronization is not subject to licensing:

a. if only synchronized with telephone number information or information from
national register of name, ID number, company number, address, address and
post number.
b. if the files of the same responsible party are synchronized, with the exception of the central one
files that contain sensitive personal information.
2. Processing of information on a person's criminal offense and criminal record, information on
drug, alcohol and drug use, sex and sexual behavior, unless the processing is
a necessary and normal part of the activities of the party in question.
3. Collection of personal information on financial matters, creditworthiness and creditworthiness
individuals for the purpose of communicating them to others.
4. Processing of information on human social problems or other privacy issues, e.g.
as a couple · divorce, separation, adoption and foster care agreements, except processing
is a necessary and natural part of the activities of the party in question.
5. Processing of personal information which involves the registration of a person's name
pre-determined criteria and the information shared with third parties for this purpose
to deny the man a particular facility or service.
6. Disclosure of sensitive personal information for the purpose of scientific research that falls outside
Scope of the Act on Research in the Health Sector, no. 44/2014, end stand
responsible for the information not provided for implementation
of the study.
7. Disclosure of sensitive personal information stored by the government in
interest flowed · parish.
Disclosure of general personal information held by the government in
in the interests of research, when the dissemination involves a special risk of being compromised
violation of the rights and freedoms of registered persons.

Page 4

Notwithstanding the provisions of the first paragraph. the processing of personal information is not subject to the permission of the Data Protection Authority
it is based on the approval or instructions of law. Then no processing permit is required
personal information provided in accordance with the rules of conduct adopted
been by the Data Protection Authority, cf. Paragraph 5 Article 40 Regulation (EU) 2016/679.

The Data Protection Authority may decide that the authority's obligation to obtain a license according to points 7 and 8 Paragraph 1
shall be deleted when general rules and safety standards to be followed have been established
such communication.

Delivery of biobanks to service samples with personal identifiers in favor
scientific research is always subject to the permission of the Data Protection Authority, cf. Paragraph 5 Article 9 laga um
biobanks and health information museums, no. 110/2000.

III. CHAPTER

On the dissemination of personal information to third countries or international organizations.

Article 5

In accordance with para. Article 46 Regulation (EU) 2016/679 is a dissemination of
personal information to a third country or international organization that does not provide
adequate protection of personal data, subject to the permission of the Data Protection Authority already one of
the following applies:

The sender of the information enters into an agreement with the recipient to ensure protection
information but does not use standard provisions of the European Commission
approved or approved by the Data Protection Authority and the Commission
certified;
2. the consignor and the consignee, both of whom are public bodies, accept the proceedings which:
is intended to protect personal data but is not legally binding; or
3. no other measures are taken pursuant to the second paragraph. Article 46 of the Regulation
(ESB) 2016/679.

IV. CHAPTER

Other provisions.

Page 5

Article 6

Surveillance.

The Data Protection Authority monitors the implementation of these rules. About sources
Privacy is subject to the provisions of Act no. 90/2018 and Regulation (EU)
2016/679.

Article 7

Entry into force, etc.

These rules, which are set according to the second paragraph. Article 31 Act no. 90/2018 and the third paragraph. 46.
gr. Regulation (EU) 2016/679, enters into force immediately. In parallel with their publication expire
rules no. 712/2008 on the obligation to notify and the obligation to permit the processing of personal information.

Privacy, August 29, 2019.

Björg Thorarensen.

Helga Þórisdóttir.

