This privacy statement provides information about the processing of personal data in Icepharma's operations, such as which individuals information is collected and what types of personal data are collected at any given time, for what purpose personal data is processed and with what authority, about the retention of the information, about its dissemination and how its security is ensured. The statement also provides individuals with information about their rights in relation to privacy and how parties can exercise their rights based on the Privacy Act.

The purpose of Icepharma's privacy statement is to ensure that there is a holistic view of the collection, registration, transfer, storage, retention and destruction of personally identifiable information and to ensure that customers, other business partners, partners, employees and other individuals, as appropriate, are informed about how the company handles and processes personal information in its extremely diverse operations.

Icepharma has appointed a special privacy council that has primary responsibility for matters relating to privacy and is the company's point of contact with privacy authorities.

The Icepharma Privacy Council consists of; Icepharma CEO, Icepharma Privacy Officer, Icepharma Quality Manager, Pharmaceuticals Manager and Communications Manager. The Council's main role is to monitor compliance with regulations in the company's operations, such as ensuring that internal policies and procedures regarding the handling of personal data are followed, and thus has an important role to play towards Icepharma employees, such as raising awareness, providing information and training. The quality and lawful processing of personal data is an integral part of Icepharma's operations and it is the Council's responsibility to ensure that all Icepharma employees are aware of and trained in all internal procedures regarding privacy and the handling of personal data.

Icepharma may collect, record, use, store or transfer personal information about individuals. This personal information can be divided into the following categories:

• Identification information: such as name, username and similar identifiers, social security number and gender.
• Contact information: such as address, email, telephone number.
• Employment-related information: such as information about workplace, specialty, employment number
• Financial information: such as bank account information or other payment information.
• Transaction history information: an overview of the products that have been purchased and invoices that have been issued.
• Technical information: such as IP address, login information, information about browser type and version.
• User behavior information: such as information about how websites, products or services are used.
• Marketing information: such as information related to an individual's choice of whether Icepharma is allowed to send them marketing materials.
• Travel information: such as information from a passport, etc.
• Information about interests and habits: such as information related to health and lifestyle, information related to the field of interest/specialization of healthcare professionals etc.
• Other information that could be considered personal information within the meaning of the law: such as information related to individuals' use of a specific product, information about a specific party's communication with Icepharma, information about Icepharma's requested communication channels with healthcare professionals or other parties, etc.

In addition, the company may need to process sensitive personal information, such as health information about individuals, and only when such processing meets the legal requirements for processing sensitive personal information.

Section 6 provides examples of the purposes for which Icepharma may collect and use personal information about individuals. Icepharma uses different methods to collect personal information, but the following are examples of the ways in which Icepharma collects personal information in its operations:

Collection of information directly from an individual

Most commonly, Icepharma receives and collects identification and contact information directly from the individual, including customers, customer contacts, healthcare professionals, patients, patient relatives, employees, job applicants, etc. In other cases, individuals may also be asked to provide employment-related information, financial information, and other categories of personal information. In certain cases, Icepharma employees receive sensitive personal information from the individual, such as health information.

Individuals may always refuse to provide Icepharma with personal information when requested. However, if an individual chooses not to provide information that is necessary for Icepharma to provide the requested service or perform contractual obligations, this may result in Icepharma being unable, in whole or in part, to provide the individual with the requested service or otherwise fulfill its contractual obligations.

Automated technology or communication

Icepharma may also collect technical information about individuals automatically when individuals visit and use Icepharma websites. This personal information is collected through the use of cookies, event logging and similar technologies. See more about cookies here.

Collection of information from third parties

In certain cases, Icepharma may receive personal information from third parties or obtain personal information from companies, institutions or contacts of legal entities that hold personal information about an individual, when the aforementioned parties are authorized to provide such information to the company and when the information is necessary for Icepharma for a specific purpose. The same applies to personal information that is publicly available, such as personal information of healthcare professionals in public registers or from websites, as their processing is generally permitted and the information is only processed to the extent and for the purpose for which the information in question was originally made available.

The Data Protection Act restricts how personal data may be processed. However, the restrictions do not prevent the processing of personal data, but are intended to ensure that personal data is processed fairly and lawfully and only for specified purposes.

Icepharma only processes personal data of individuals if authorized by data protection laws. The processing of general personal data in Icepharma's operations thus only takes place when at least one of the following conditions is met:

1. The individual has given his consent to the processing of his personal data for one or more specific purposes;
2. The processing of personal data is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the data subject's request prior to entering into a contract;
3. The processing of personal data is necessary for compliance with a legal obligation;
4. The processing of personal data is necessary to protect the vital interests of the data subject or another natural person;
5. The processing of personal data is necessary for the legitimate interests pursued by Icepharma, a customer or another third party, i.e. when the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not outweigh the interests or fundamental rights and freedoms of the data subject.

An individual's personal information may be processed under more than one authority depending on the purpose of the processing at any given time, but individuals are always welcome to contact Icepharma if they wish to receive further information about the purpose of the processing and the authority behind the processing.

The processing of sensitive personal data at Icepharma only takes place when an individual has given their consent to such processing or if it is deemed necessary to comply with a legal obligation or to protect the vital interests of an individual or another person and only when at least one of the legal requirements for the processing of sensitive personal data is met, cf. Article 11 of the Personal Data Protection Act No. 90/2018.

Icepharma strives to conduct all processing of personal data in a fair and transparent manner towards the data subject. Personal data is always processed for a clearly specified and legitimate purpose and not processed for another and unrelated purpose unless the company has permission to do so and the individual has been informed of the new purpose. The processing of personal data is always limited to the information that is considered necessary and relevant in relation to the purpose of the processing at any given time.

Below is a list and further description of when Icepharma may process personal data about individuals and on what authority(ies) the processing is based. When the company is given the opportunity to provide individuals directly with all necessary information about the processing of personal data at the time it is collected or received, this is done with an appropriate privacy notice that specifically covers specific processing operations. Thus, the list that follows should not be interpreted as an exhaustive authority for all types of processing operations carried out in Icepharma's operations.

Processing of personal data when visiting Icepharma websites

Icepharma may collect technical information about individuals, which may include personal information, automatically when individuals visit and use Icepharma websites. This personal information is collected through the use of cookies, event logging and similar technologies. Examples of such information include; IP addresses, device identifiers, language settings, device settings, operating system type, browser type, search history, pages visited, etc. The collection and processing of personal information in this context is based either on the consent of the individual or on the legitimate interests of the company, which consist of being able to provide a good experience on websites and to contribute to its further development. More information about how we use cookies can be found here.

Processing of personal data about company/organization contacts

In connection with Icepharma's diverse activities, the company's employees interact with a wide range of contacts from companies and/or institutions in the performance of their duties. In connection with such interactions, parties may be asked to provide Icepharma with personal information, such as identification and contact information (name, telephone number, email address), when necessary. Such collection and receipt of personal information is considered necessary for Icepharma's legitimate interests, which consist of being able to conduct business and to maintain good relations with partners and customers. Personal information collected is only retained for as long as necessary, but the retention period may vary depending on the nature of the interaction at any given time.

Processing of personal data for inquiries and complaints

As Icepharma's operations are diverse, the company may receive a variety of inquiries and/or complaints that are in one way or another related to Icepharma's product and/or service offerings. In cases where it is not possible to respond to such inquiries and/or complaints immediately upon receipt, the person making the inquiry and/or complaint may be asked to provide Icepharma with personal information in the form of identification and contact information so that the person concerned can be contacted again in connection with the processing, handling and follow-up of the matter.

Processing of personal data in connection with inquiries and/or complaints may also be considered necessary for Icepharma's legitimate interests to analyze inquiries and/or complaints that may concern the quality and safety of medicines, medical devices or other products offered by Icepharma and may require the company to take certain security measures based on laws and regulations. When all processing of a general inquiry or complaint is completed and no further action or follow-up is required, the personal data is deleted or made non-personally identifiable.

Processing of personal data for notifications concerning the safety of medicines or medical devices

Icepharma encourages healthcare professionals and others who wish to report adverse drug reactions or submit an incident report in connection with medical devices (such as a report of deviations, defects or inefficiency) to report such adverse drug reactions/incidents directly to the Icelandic Medicines Agency. If an individual nevertheless chooses to report an adverse drug reaction/incident to Icepharma, the company is obliged to process such reports, cf. the obligation to report to regulatory authorities on the basis of the Medicines Act and the Medical Devices Act, and in this context it is necessary to collect and process personal information about the person submitting such reports. It depends on the nature and content of the reports, and therefore who submits them, what personal information is collected at each time and what information is recorded.

When the reporter is other than the individual concerned by the incident, such as a healthcare professional or a relative of a patient/client, the person concerned is kindly asked not to provide personally identifiable information about the individual concerned by the incident, such as the patient/client's name.

Some reports require detailed documentation of the reason, reason and incident behind the report, such as a detailed description of the adverse drug reaction and its impact on the individual, information about medical history, information about previous medication use or other health-related information concerning the physical and mental health of the individual concerned. To protect the rights of data subjects in this context and ensure the security of sensitive personal data, Icepharma has implemented appropriate technical and organizational security measures, such as implementing procedures aimed at making sensitive personal data non-personally identifiable so that it cannot be traced back to a specific individual, either directly or indirectly.

The collection and processing of personal data about reporters and those affected by the reported event is considered necessary to comply with legal obligations to report incidents concerning the safety of medicines and medical devices to regulatory authorities. In addition, the processing is considered necessary to protect the vital interests of individuals as well as the public interest in the field of public health, such as to ensure that strict requirements are made for the quality and safety of medicines and medical devices. Information related to notifiable incidents concerning the safety of medicines and medical devices, including personal data, is stored and preserved by Icepharma for the aforementioned purposes while the medicine or medical device to which the reported event relates is on the market and for longer as required by law and regulations.

Processing of personal data in connection with the distribution of safety materials/safety information to healthcare professionals

According to Directive 2001/83/EC of the European Parliament and of the Council on the Community code relating to medicinal products for human use, the marketing authorisation holder of a medicinal product may be obliged to provide and make available to healthcare professionals educational materials and other information on the safety of medicinal products (hereinafter referred to as ''safety material'') in accordance with the risk management plan for the medicinal product approved by the European Medicines Agency/Iceland. In this context, the marketing authorisation holder must submit a distribution plan for the relevant safety material to the medicinal product authorities for review and approval. The marketing authorisation holder must maintain a record to confirm that the approved distribution has taken place and must be available to the marketing authorisation holder upon request during an audit or inspection.

In order to fulfil the above obligations, Icepharma, either as a marketing authorisation holder or as an agent of the marketing authorisation holder, collects the necessary personally identifiable information about the recipients of the safety information and maintains a register of recipients. The transmission and distribution of safety information is based on a legal obligation and has the purpose of ensuring that important safety information is delivered to healthcare professionals and patients. The collection and processing of personal data about the recipients of the safety information is therefore considered necessary to fulfil this legal obligation. The personal data collected is stored and preserved by Icepharma for the aforementioned purposes while the medicinal product to which the safety information relates is on the market and for longer as required by law and regulations.

Processing of personal data about online store customers

When an individual establishes access to online stores that are part of Icepharma's operations and when a registered user confirms an order/transaction and becomes an Icepharma customer, he is required to register general personal information about himself. Such processing of personal information is considered necessary for Icepharma to fulfill a contract between the parties or for measures that must be taken at the request of an individual before a contract is concluded between the parties. The following is a more detailed description of the nature of the processing of personal information about registered users and customers of online stores by Icepharma.

When an individual creates an account in an online store:

When an individual creates their own account in Icepharma's online stores, they must register identification and contact information, such as name, ID number, gender, telephone number and email address.

When a registered user confirms an order and purchase of a product:

When an individual confirms the purchase of a product, they must register identification and contact information, such as name, social security number, gender, address, telephone number and email address, so that the customer can prove their identity when they visit their product. Contact information is collected so that it is possible to contact the customer in connection with the processing of their order, as well as if the customer wishes to receive an electronic receipt for the purchase sent to their email address. If a customer has requested that the product be sent to their home, information about the customer's name and address is also shared with the distributor (Post). In order for the transaction to take place, customers must also register payment information, which is sent directly to the payment service and is never stored by Icepharma. When a customer confirms their transaction with payment, information about their order is also collected, such as order number, information about the purchased product and information about the payment method. This information is part of the accounting data and facilitates traceability if it is necessary to look up a customer's previous transactions.

When the recipient of an order is different from the actual Icepharma customer:

When a customer has requested delivery of an ordered product but registers another person as the recipient of the product, the customer must also register information about the name, address and postal code of the recipient. When this is the case, Icepharma considers that the Icepharma customer has received the recipient's authorization for such registration. This information must also be communicated to the distributor (Post).

Processing of personal data about Icepharma employees

Icepharma collects, processes and stores various personal data about Icepharma employees as well as about individuals hired as contractors. Different personal data may be collected about different employees and the collection and processing may depend on the nature of the work at hand. The collection and processing of personal data about current and/or former employees is considered necessary primarily to perform a contract between the parties, i.e. so that the company can fulfill its obligations under the employment contract. The processing of personal data about current and/or former employees may also in some cases be necessary for Icepharma to comply with a legal obligation, such as on the basis of labor legislation or tax legislation. In addition, the processing of personal data about current and/or former employees may be considered necessary for the legitimate interests of Icepharma, such as for security and asset protection purposes.

Further information, including on the collection, processing, sharing and retention of personal data about Icepharma employees, can be found in the ''internal rules on employee privacy'' which are accessible to all current Icepharma employees. Further information on the processing of personal data of current and former Icepharma employees can be requested by sending an inquiry to the email address: personuvernd@icepharma.is.

Personal information collected about Icepharma employees is only retained for the duration of the employment relationship and thereafter for as long as is necessary in each case or as required by law and regulations.

Processing of personal data of job applicants at Icepharma

Icepharma collects and processes personal information about applicants for jobs at the company. Different personal information may be collected about different applicants and the collection and processing of personal information may depend on the nature of the job applied for. If applying for an advertised job at Icepharma or submitting a general application, an individual must first create an account on the company's recruitment website by filling in their ID number and password. The applicant then fills out an electronic application form where it is necessary to register identification and contact information, information about education, training, career and work experience. In addition to the above information, Icepharma may also collect and process other information that applicants provide themselves and wish to include with their job application, such as a copy of a diploma, a photo of the applicant, a cover letter, etc. Icepharma never requests that applicants register sensitive personal information about themselves as defined in the Privacy Act.

The collection and processing of personal data for the above purposes is considered necessary for the legitimate interests of the company, which consist of Icepharma being able to assess whether an applicant is suitable for the positions applied for and/or other vacancies that are not advertised. Icepharma does not use information about individuals from job applications for any purpose other than recruitment.

Information related to new registration on the Icepharma recruitment website is stored in the Icepharma database for 6 months after registration. This registration can be maintained by re-registering on the website, but if this is not done, the registration is deleted after 6 months. Submitted applications are stored in the Icepharma application database for 6 months from the time they are submitted, after which the application is completely deleted.

In most cases, Icepharma receives personal information directly from the applicant, but if it comes to the point where information is obtained from a third party, Icepharma will inform the applicant of this. In exceptional cases, Icepharma may need to share information collected in connection with job applications with third parties, such as recruitment agencies involved in recruitment at Icepharma and/or other legal entities with which Icepharma has a business relationship, and the applicant is then informed of this. Icepharma does not provide personal information unless such sharing is permitted by law, and care is always taken to treat the information as confidential.

After an individual has submitted an application through the Icepharma application platform, they can always withdraw their job applications and thereby revoke their consent to the storage and handling of data that they have provided to Icepharma in the form of a job application or request correction of the submitted data. They do this by submitting a formal privacy request through the Icepharma website or by email to the email address persoonvernd@icepharma.is. See more details in Chapter 11.

Processing of personal data in connection with electronic monitoring and reception of visitors to Icepharma premises

Due to the nature of Icepharma's operations, electronic surveillance cameras are used in and around Icepharma's premises. The information is retained for security and asset protection purposes as well as for traceability, documentation and quality issues. All use of such surveillance cameras is in accordance with the provisions of the Privacy Act and the rules established thereunder. All material collected during monitoring is treated as confidential. All material collected through the use of a camera system is automatically deleted no later than 90 days from the date it was created, unless it is necessary to retain it longer due to suspicion of a criminal act, a violation of professional conduct, an accident or other comparable matter.

Visitors to Icepharma premises, for example for meetings or other events, may be asked to provide identifying information, such as name. The registration of personal information for this specified purpose is necessary for Icepharma's legitimate interests, which include protecting safety and property.

Other processing of personal data

In certain cases, Icepharma processes personal data when the processing is necessary for Icepharma, a third party or parties to whom the information is communicated to, to safeguard their legitimate interests. An example of this is processing that would have the purpose of developing and improving the company's information system, to analyze and investigate issues related to network and information security within Icepharma and/or to prevent misuse of services. However, such processing will never take place if it is clear that the fundamental rights and freedoms of individuals who require privacy protection outweigh other interests in the processing.

Icepharma carries out various activities in connection with marketing and promotional activities for the company's products and services. In this context, it may be necessary to collect and use personal information about the person to whom the marketing activities are directed, which primarily refers to an individual's contact information, such as name, telephone number and email address.

Marketing and promotional activities related to medicines and medical devices

Icepharma has a strong information obligation towards healthcare professionals and the public, including to ensure the correct use of medicines and medical devices and to draw attention to innovations. When marketing medicines and medical devices, Icepharma complies with the laws concerning the marketing of medicines and medical devices, cf. Medicines Act No. 100/2020 and Medical Devices Act No. 16/2001, regulations issued on the basis of the laws, as well as the EFPIA, Frumtaka and MedTech codes of conduct and communication. Marketing, in this context, refers to all activities and processes related to advertising or promotional activities that create, communicate and distribute information about medicines and medical devices to healthcare professionals, clients and society as a whole.

In connection with such work, company representatives interact with healthcare professionals, individual healthcare professionals, patients/clients, relatives and others. The necessary use of personal information for the specified purpose is based on authorization in the data protection law, i.e. either on the consent of the person to whom the marketing and promotional work is directed or because Icepharma has a legitimate interest in approaching the person for the benefit of the company's marketing and promotional work, such as by letter, email or telephone, in order to:

• Raise awareness of innovations in relation to the treatment of patients/clients. Raise awareness of innovations in relation to product ranges and services. Raise awareness of presentations, educational courses, meetings and conferences.
• Otherwise maintain good relations with healthcare professionals and clients and provide excellent service.

Other marketing and promotional activities

In connection with other general marketing and promotional activities of Icepharma, an individual may be asked to directly provide the company with personally identifiable information.

The provision of personal information for general marketing purposes is always optional for individuals and never a condition for the provision of services. Individuals and customers may be invited to register their email address on a mailing list, and the person's email address is then used for marketing purposes, for example to promote new products, offers and events.

Consent granted for direct electronic marketing

In certain cases, such as when using direct electronic marketing, the law requires Icepharma to obtain the prior consent of the individual to whom the marketing is directed. If an individual wishes to confirm their consent to Icepharma representatives approaching the individual by email or telephone, such as to draw attention to innovations in relation to the product range or for promotional, meeting and conference invitations, this must be done by email to the following address: personuvernd@icepharma.is or by completing a consent form on the Icepharma website. An individual who gives their consent can always withdraw their consent and thereby refuse further communication with Icepharma for the specified purpose.

Rejection of receiving target mail

If an individual wishes to object to Icepharma representatives contacting them in the form of direct marketing, such as by phone or email, a request to this effect may be sent to the email address: personuvernd@icepharma.is.

The sharing of personal information between Icepharma employees may be necessary but is only permitted when the recipient of the information has a reason to obtain the information for their job and the sharing is in accordance with applicable restrictions on the sharing of personal information.

Icepharma does not sell personal information to third parties, but the company may be required or necessary to share or provide personal information to third parties, such as regulators, governments or other legal entities with which Icepharma has a business relationship. Such provision will only be made if permitted by law and in such a way that the information is always treated as confidential.

Icepharma's service providers in the role of processors, who have been given the role of processing personal data on behalf of Icepharma, may be provided with personal data due to the implementation of a service agreement between the parties. Such processors may be service providers, agents or contractors on behalf of the company, but only processors are sought who can provide sufficient guarantees that the processing of personal data and the rights of individuals meet the requirements of data protection laws. Icepharma provides its processors with only the personal data that is necessary for the purpose of the processing, and such processing is always based on an agreement between the parties, where the processor undertakes the obligations to ensure the security of the information and use it only for the purposes stated in the agreement between the parties.

Data protection laws restrict the transfer of personal data across borders to ensure appropriate protection of individuals' privacy. A transfer of personal data across borders is considered to occur when personal data from one country is transferred, transmitted, accessed or otherwise made available in another country. Icepharma may transfer and/or transfer personal data out of the country, i.e. to a recipient country that provides adequate protection for personal data, cf. all countries within the EEA as well as those countries that the Data Protection Authority has advertised as safe third countries. In exceptional cases, personal data is transferred to countries outside the EEA and only when this is permitted, such as when appropriate safeguards are in place, such as binding corporate rules, standard data protection clauses approved by a supervisory authority and recognised by the European Commission, recognised codes of conduct, recognised certification schemes, when the data subject has been informed of the potential risks of such a transfer and has given his or her explicit consent to the transfer or on the basis of other measures referred to in Article 46 of the General Data Protection Regulation. In such cases, no more information is transferred than is necessary.

Icepharma does not retain personally identifiable information for longer than is necessary in relation to the original purpose for which it was collected and processed. Personal information is retained for the duration of the business relationship, as long as required by law or for legitimate interests and for a legitimate reason. A legitimate reason is deemed to exist if the information is still processed in accordance with the original purpose for which it was collected. As a result, different retention periods may apply depending on the type and nature of the personal information.

Icepharma employees follow the company's policy and procedures for the retention and destruction of personal information. An internal audit of personal information retention is conducted once a year and personal information that is no longer needed or made non-personally identifiable is deleted, unless the law requires such information to be retained for a longer period.

Data protection laws provide for and guarantee individuals certain rights regarding the handling of personal data, including the right to education and information about how personal data is processed. Icepharma respects the rights of the owners of personal data, but the following rights may be subject to restrictions arising from, among other things, the law, the interests of others to whom the information relates, or the important financial or commercial interests of Icepharma. If an individual wishes to make a request regarding their rights listed below (a ''data protection request''), this should be done by completing and submitting a formal data protection request via the Icepharma website. See more in section 11.

Right to information and access to your personal information

An individual has the right to receive education and information about whether and how their personal data is processed in Icepharma's operations. Thus, an individual may have the right to information about the purpose of processing personal data, categories of personal data, their recipients, retention period criteria, rights they have, and their authority to file a complaint with the Icelandic Data Protection Authority, etc. An individual also has the right to request access to personal data, which must be provided in the form that is possible at any time, in writing or electronically.

Right to rectification and deletion of personal data

An individual who wishes to communicate changed information is advised to communicate it to Icepharma by submitting a formal privacy request via the Icepharma website or by email to personuvernd@icepharma.is. An individual has the right to have inaccurate or incorrect personal information about them corrected and in certain cases they also have the right to have personal information completely deleted, cf. when personal information is no longer necessary for the purpose for which it was originally collected or when an individual has decided to withdraw their consent for its use, when they have objected to the processing of personal information about them or if the processing is otherwise incompatible with the law and regulations on privacy.

Right to object to the processing of personal data

An individual may object to the processing of personal data concerning their particular situation when the processing is justified on the basis of legitimate interests or public interest. Icepharma always strives to clearly inform individuals of their right to object when applicable. If an objection is raised to the processing of personal data, Icepharma will not process the personal data further unless there are legal requirements to do so.

Right to request restriction of processing of personal data

In certain cases, an individual may request that the processing of personal data about them be temporarily restricted, for example if they believe that the personal data processed by Icepharma is incorrect, if they believe that Icepharma is not authorized to process it, or that the company no longer needs the personal data. In such cases, processing is suspended while such a request is reviewed and information is provided on the next steps.

Right to transfer personal data

An individual has the right to have information that he or she has provided to Icepharma transferred to another controller to whom the individual refers, if technically feasible. This only concerns personal data that Icepharma has obtained on the basis of the individual's consent or for the performance of a contract and that are processed by automated means. After the transfer, the third party is responsible for the information that the individual has requested to be transferred.

Right to withdraw consent to the processing of personal data

An individual who has given consent to the processing of personal data for a specific purpose has the right to withdraw that consent. If an individual withdraws their consent, it will not affect the processing that took place before the consent was withdrawn, but it may mean that Icepharma will no longer be able to provide certain services that have been requested.

Right to file a complaint with the Data Protection Authority

Individuals have the right to file a complaint with the Icelandic Data Protection Authority regarding the processing of their personal data. However, if a dispute arises regarding the processing of personal data, Icepharma would like an opportunity to resolve the dispute before submitting a complaint to the Icelandic Data Protection Authority. Information about the Icelandic Data Protection Authority can be found here.

If an individual wishes to make a request regarding their rights under the Privacy Act, this should be done by completing and submitting a formal privacy request. If Icepharma receives a formal privacy request from individuals to exercise the above-mentioned rights, as mentioned in Section 10, Icepharma will inform the requester of the actions that will be taken as soon as possible, but at the latest within two weeks of receipt.

Icepharma will generally comply with requests concerning the above-mentioned rights of individuals when Icepharma is the controller of the personal data, but reserves the right to refuse to comply with a request that is manifestly unfounded or excessive. In order to process such requests, Icepharma is required to obtain personal information about the requester to ensure identification. Formal processing of a data protection request cannot therefore begin until identification has been carried out.

If the requester believes that Icepharma will not adequately respond to a privacy request, the requester may submit a complaint to Icepharma's Privacy Board at personuvernd@icepharma.is or send a complaint to the Icelandic Data Protection Authority.

Security measures for privacy and compliance with principles

Icepharma has implemented technical and organizational security measures to ensure general information security and compliance with the principles of personal data processing. The quality and lawful processing of personal data is an integral part of Icepharma's operations and appropriate procedures, methods, training, security measures and other elements have been implemented with the aim of ensuring compliance with the principles of data protection law.

Personal information collected, processed and stored by Icepharma is protected by strict rules and procedures, both in the human and electronic environment. All such security measures are primarily intended to protect personal information against accidental loss or alteration and against unauthorized access, copying, use or disclosure. Other measures aim to ensure that, by default, personal information collected and used as necessary for a specific purpose is not retained for longer than is necessary.

Active employee safety awareness

Icepharma actively promotes employee security awareness and provides employees with appropriate education and training. All Icepharma employees are obligated to comply with Icepharma's privacy statement and the procedures that are intended to ensure its implementation. All employees, and others involved in the processing of personal data on behalf of Icepharma, are contractually and legally obliged to maintain confidentiality regarding everything they learn in the course of their work. Violations of confidentiality are viewed seriously and are subject to a defined channel within Icepharma.

Documentation

Icepharma accurately documents the processing of personal data, to the extent such recording is required by data protection law. Thus, Icepharma defines and documents the basis for processing each processing element of personal data in the company's operations and maintains a record of the processing activities, including a record of the consent of the data subjects and how consent is obtained.

Privacy by design and privacy impact assessment

An assessment is regularly carried out to determine how privacy by design can be ensured in all applications, systems and processes used and relied on in Icepharma's operations. Such an assessment is carried out taking into account various aspects, such as the latest technology, the cost of implementation, the nature, scope, context and purpose of the processing as well as the risk that the processing may pose to the rights and freedoms of individuals. In the case of risky processing within the meaning of the Data Protection Act, a regular assessment of the impact of data protection is also carried out.

Strict requirements for information systems

All information systems used in Icepharma's operations are required to support the company's goals of compliance with privacy laws and regulations, and care is always taken to ensure that personal information is only accessible to those employees who need access to it in their work. Access to information is controlled through access controls for which Icepharma's information security team is responsible.

Security breaches in the handling and processing of personal data

Icepharma does everything it can to ensure that there are no security breaches when processing personal data in the company's operations. A security breach is when there is a failure or breach of security that leads to the accidental or unlawful destruction of personal data, the transmission of personal data to unauthorized parties, storage or processing in another way, or the loss, alteration, disclosure or unauthorized access to personal data. A security breach may include a breach of confidentiality, the loss of access to information or the alteration of personal data.

Icepharma's information security team monitors potential security breaches, among other things, to ensure compliance with laws and regulations regarding handling and recording of irregularities. If a security breach occurs in the processing of personal data, defined internal processes are activated by Icepharma's information security team, which, among other things, ensure that security breaches are reported appropriately within the time limits required by law and regulations.

Security breach notification

If a security breach occurs in the processing of personal data that is likely to result in a high risk to the rights and freedoms of individuals, the Data Protection Authority and, where applicable, individuals shall be notified, without undue delay and, if possible, no later than 72 hours after becoming aware of the security breach, in accordance with Section 27 of the Act on the Protection of Personal Data and the Processing of Personal Data.

If parties become aware of a security breach regarding privacy, they are kindly requested to contact Icepharma's Privacy Policy at personuvernd@icepharma.is without undue delay in order to reduce the likelihood of damage. An example of a security breach that Icepharma would like to receive information about is, for example, if an individual receives an email that contains personal information that is irrelevant to the recipient and/or contains personal information about another party.

About cookies

Icepharma may collect technical information about individuals automatically when individuals visit and use Icepharma websites. Such information is collected through the use of cookies, event logging and similar technologies. In some cases, the use of cookies may be technically necessary so that users have a good experience on Icepharma websites. In addition, the temporary retention of the data collected through the use of such cookies may also be considered necessary for security reasons, i.e. to ensure traceability of the information in the event of unauthorized access to Icepharma servers. Cookies do not collect information about user names, email addresses, telephone numbers or social security numbers, and Icepharma's purpose in using cookies is not to identify users. However, in certain cases, a cookie may collect a large amount of other types of information that could potentially identify a user in one way or another. When applicable, the information is considered personal data within the meaning of Act No. 90/2018 on the Protection of Personal Data and the Processing of Personal Data. The legal basis for the technical collection, use and storage of personal data through the use of cookies is the user's consent. See more about cookies here.

About Icepharma's wireless network

Icepharma's wireless network is called Icepharma_staff and is locked with a WPA key. Icepharma does not specifically log the internet usage of those connected to Icepharma's wireless network, but all internet traffic is logged in Icepharma's security equipment. The security equipment logs information about the user's device, such as IP address and device type. Files belonging to the security equipment are not searched unless there is a reasonable suspicion of a violation of the law, if there is a reasonable suspicion that a serious security breach has occurred, or during troubleshooting.

Icepharma's Privacy Policy Board monitors compliance with applicable laws and regulations on privacy in the company's operations. Inquiries, comments and suggestions regarding the processing of personal data in the company's operations can be directed to the email address personuvernd@icepharma.is or by sending a letter to: Icepharma's Privacy Policy Board, Lynghálsi 13, 110 Reykjavík, Iceland.

Individuals have the right to file a complaint with the Icelandic Data Protection Authority at any time if they object to or are dissatisfied with the way personal information about them is being processed or if they believe that such information is not being processed in a manner consistent with the Personal Data Protection Act. If a dispute arises regarding the processing of personal information, a complaint can be filed with the Icelandic Data Protection Authority by sending an email to the following address: postur@personuvernd.is or by sending a letter to: Personal Data Protection Authority, Rauðarárstígur 10, 105 Reykjavík, Iceland. However, Icepharma requests that an individual first contact the Icepharma Privacy Board so that the company has the opportunity to resolve the dispute before submitting a complaint to the Icelandic Data Protection Authority.

The following privacy statement was last revised in September 2020. Icepharma reviews the statement regularly, and no less frequently than annually, to ensure that it reflects the processing of personal data that takes place at any given time and to ensure correct information about the processing and handling of personal data in the company's operations. The content of the statement may change in accordance with changes in laws and regulations regarding the use and handling of personal data. Changes to the statement will enter into force upon the publication of an updated statement here on the Icepharma website.

Version 1 – Approved by the Icepharma Board of Directors on September 10, 2018.

Version 2 – Approved by the Icepharma Board of Directors on April 1, 2020, updated September 2020