Privacy Policy

General

Innnes has set out a privacy policy that aims to inform employees, customers, and other stakeholders about the purposes for which personal data is collected and how it is processed. Innnes is responsible for ensuring that the collection and processing of personal data is in accordance with the provisions of Act No. 90/2018 on the Protection of Personal Data and the Processing of Personal Data (often referred to as the “Privacy Act” or „Persónuverndarlög“ in Icelandic). In this way, Innnes ensures reliability, integrity, and confidentiality when it comes to the processing of personal data and privacy.

How do we collect personal data?

Innnes ehf, 650387-1399, Korngarðar 3, 104 Reykjavík is the data controller for the processing of personal data that takes place in connection with Innnes services, job applications and products.

Data Protection Officer

Innnes has appointed a Data Protection Officer to ensure that the company complies with the Privacy Act. He receives inquiries and requests from individuals in relation to data protection and advises the company on the processing of personal data and privacy. He is also the contact person for the Data Protection Authority.

All inquiries regarding data protection should be sent to the Data Protection Officer via the email address personuvernd@innnes.is or by letter to:

Data Protection Officer of Innnes
Korngarðar 3
104 Reykjavík

What personal data do we collect?

Online store contacts and customers

Innnes' main activity is to provide services and process product orders from companies/institutions/associations and their contacts, i.e. consumers. In order to do so, Innnes generally collects the following personal information:

• Name (the contact)
• Social ID number of the contact (if applicable)
• Company name
• ID number of the company
• Email Address (the contact)
• Telephone number of the company

This information is requested to provide satisfactory service and because of legitimate business interests of Innnes. The consumer's email address is requested to forward an electronic receipt or payment slip. Payment information is requested to complete the consumer's purchase and the social security number is requested to verify his credentials.

In an online store, customers are required to create a user and, in that process, the following information is requested so Innnes can fulfil its obligation on purchasing and delivering the product:

• Company Name
• Company ID Number
• Address
• Company/Contact Email Address
• Telephone Number

 

• Cashier Name
• Cashier Phone
• Cashier Email Address
• Invoice Address

 

• Contact Name
• Contact Email Address
• Contact Phone
• Contact ID Number (if applicable)

 

• Name of Responsible Person
• Contact Email Address
• Contact ID Number
• Contact Phone

 

• Name of the goods receipt</span
• Email address of the goods receipt
• Address of the goods receipt
• Phone number of the goods receipt

The online store also saves customers purchase history to offer the possibility of revisiting orders with products that the customer wants to purchase again, creating an order list, and setting products as favourites.

The online store also uses cookies to collect and analyse information about the use and functionality of the website, to be able to use solutions from social media and to improve content and display relevant marketing materials.

Innnes may generally send its customers opinion and service surveys, information about events, as well as about new products, offers or recipes. This processing is based on the company's legitimate business interests, but customers can either change their registration or opt out of such emails by clicking on "unsubscribe here" which appears at the bottom of the email. 

In cases of processing and delivering awards, grants, or donations from Innnes to consumers (who are not already doing business with Innnes), the company requests the following personal information due to the company's legitimate business interests:

• Contact Name 
• Company/Association/Organization 
• Telephone Number 
• Address 
   

Website and other media

On Innnes‘ website you can find all kinds of information about the company, product offerings, recipes, and news. You can also sign up for the Innnes mailing list to receive the latest news from the company, event announcements and special offers on products. When you sign up for the mailing list, we only ask for your email address. 

On Innnes‘ website you can also contact us and send us inquiries and suggestions. The following personal information is requested and collected based on your inquiry: 

• Name
• Email address
• Telephone Number 

Innnes maintains a register of suggestions and inquiries received by the company, along with information on their processing. Registration is for the sole use of Innnes' service, sales, and marketing departments. Copies of general inquiries are stored in our management system for 2 months. Copies of quality and safety issues are stored for 5 years.

Accommodation 

The following personal information is collected about meeting attendees who come to Innnes’ premises and is this processing based on our legitimate interests. The collection is necessary for security reasons but also to meet the requirements of the ISO27001 security certification to which Innnes operates: 

• Name Company
• Telephone number
• The employee the guest is meeting with  

Courses and events

When customers and other individuals register for an event or course, Innnes requests personal information to manage the registration and even payment if applicable. The type of information requested depends on the event, but generally the following information is requested to fulfil the request for participation: 

• Name
• Email address
• Telephone number 

At some events Innnes hosts or participates in, photographs and recordings are taken and are generally published on Innnes’ website based on Innnes' legitimate business interests and the consent of the individual. Of course, proportionality is observed in the publication of images by individuals. 

After the event, a follow-up email is sometimes sent to individuals with a summary of the relevant event and other useful information. 

Job applicant

When applying for a job at Innnes, the following personal information about the applicant must be provided: 

• Name
• Social security number
• Email address
• Telephone Number 

The applicant can also upload information such as a CV, certificates (if applicable) and a cover letter. 

If the applicant is accepted for the job, all data is stored in Innnes' human resources system (H3). If the applicant is not accepted for the job, the application is deleted within six months from the date of application, but the information is stored in the application system (50skills) until then. The company may request to keep the application longer due to job opportunities. In such cases, the applicant in question is contacted and consent is obtained for longer retention. If the applicant is offered the position, the following additional information is requested: 

• Criminal record
• Address
• Gender
• Payment details
• Union membership
• Pension fund details
• Nationality details
• Gender
• Referee information
• Copy of driving license (if applicable)
• Copy of student ID (if applicable) 

Regarding the request for a criminal record, it is only requested when you are about to be offered the job and before formal employment takes place. Once the criminal record has been reviewed, it is stored in Innnes' human resources system (H3). Criminal records are processed to ensure the safety and integrity of the workplace. 

Electronic surveillance

Supervision and surveillance of Innnes' information systems is in accordance with regulations no. 50/2023 on electronic surveillance and the processing of personal data generated during electronic surveillance. 

Electronic monitoring is located in several locations. It can be, for example, in the following locations: 

• Internet use 
• Camera recordings 
• Access card use 
• Email use 
• Logging in and out of systems and computers 

An employee has the right to be informed when and why their data has been accessed. Data collected through monitoring is treated as confidential and will not be further processed or disclosed to others except with the employee's consent or a court order. 

Information generated through electronic monitoring is destroyed as soon as there is no longer a legitimate reason to retain it. 

If there are any comments or objections to the implementation of monitoring and/or suggestions that it does not meet the requirements set out in these rules or the law, please contact Innnes's privacy officer by sending an email to personuvernd@Innnes.is or calling 530-4000.

Source of information and retention period Personal data is provided by the individual and the retention agreed to by him/her. However, information may also come from a third party, such as the Registers Iceland. Personal data is otherwise stored for as long as is necessary for the purpose of the processing. The storage period for such personal data depends on the nature of the information and the legal provisions applicable to the relevant processing of personal data, e.g. tax and/or accounting legislation. 

To whom do we provide personal information

There may be situations where Innnes needs to provide personal information to third parties, but this is only done in accordance with the law, due to Innnes' legitimate business interests or according to the signature of the owner of the information. Examples of this are: 

• Innnes provides data to external consultants, e.g. auditors, lawyers or regulated parties 

• Innnes provides data in connection with mergers and/or acquisitions and sales to potential investors and/or consultants, which is then part of the due diligence that would be carried out. 

• Innnes provides data according to a court order and, for example, in that case, the data is provided to the police, the Financial Supervisory Authority or the Director of Internal Revenue. 

• Innnes provides data to parties that provide outsourced services to the company, and the data provided is then considered necessary so that the service can be provided. Innnes ensures that such third parties maintain full confidentiality. 

It is worth noting that Innnes never transfers data outside the European Economic Area unless such authorization is in place, and this is then done based on applicable data protection laws, e.g. with the consent of the owner or according to contractual terms. 

What is your right?

In some cases, an individual has rights under data protection legislation in relation to Innnes’ processing of their personal data. If an individual wishes to exercise these rights, we ask them to contact the Data Protection Officer, who will endeavour to respond to the request as soon as possible, unless the request is multiple or extensive. The Data Protection Officer may need to request additional information from individuals in connection with the request, for example for identification purposes. Such identification is necessary so that the company can comply with its legal obligations under data protection legislation and to ensure that individuals’ personal data are not disclosed to unauthorised parties. 

Innnes generally does not charge a fee for the delivery of data or the processing of other requests. However, Innnes reserves the right to charge a fee or refuse delivery in the case of requests that are manifestly unfounded, excessive, or repetitive. 

Right of access

A person has the right to request access to their personal data and to receive a copy of the data. In this way, they can ensure that the data is correct and that our processing of it is in accordance with the law. 

Right to rectification

If any information about an individual is incorrect or inaccurate, the person concerned has the right to have it corrected.

Right to erasure

In certain cases, an individual may have the right to have personal data that the company stores about them deleted. This applies particular in cases where the information is no longer necessary, if the individual has objected to the processing of the information (see below), if the processing is unlawful, or if the processing is based on consent that the individual has later withdrawn. Innnes reserves the right to assess at any time whether it is necessary to delete data.

Right to restriction of processing

In the following cases, an individual has the right to stop the processing of personal data:

• If an individual disputes the accuracy of the personal data (until Innnes can confirm that it is accurate), Innnes reserves the right to assess in each case whether it is obligatory to delete the data. 

• The processing is unlawful, but the individual does not want the personal data to be deleted 

• We no longer need the personal data for the processing, but the individual needs them to establish, exercise or defend legal claims. 

• The individual has objected to the processing, cf. below. In that case, the company will stop the processing as long as the company has not demonstrated an overriding legitimate interest in continuing it. 

Right to object to processing

If our processing is based on public interest, legitimate interests of Innnes or others and an individual believes that due to their circumstances the processing infringes their fundamental rights, they may object to the processing. If the individual objects, the company will stop the processing unless they can demonstrate overriding legitimate interests in continuing it.

Right to withdraw consent

In cases where Innnes bases processing on the customer‘s consent, they are always entitled to withdraw such consent. However, withdrawal does not mean that processing that took place before the consent was withdrawn is unlawful.

Security of personal information guaranteed

Innnes ehf. applies appropriate security measures to prevent personal information from being lost, changed, disclosed, or accessed without permission. Access to information is limited to those parties who need it and who are bound by a duty of confidentiality.

If a failure occurs that affects personal information, we will report this to the Icelandic Data Protection Authority and, where applicable, to the person concerned as required by law.

If you believe that your communication with us is not secure, we ask you to immediately notify us of the problem by sending an email to personuvernd@innnes.is. You also have the right to file a complaint with the Icelandic Data Protection Authority if you are not satisfied with Innnes' handling of your personal information. Further information about Personal Information can be found at www.personuvernd.is

Laws and jurisdiction

Icelandic laws shall apply to this policy. Innnes and the individual shall seek to resolve any dispute regarding the implementation of the provisions of this policy by agreement. If no agreement is reached, the dispute shall be brought before the Reykjavík District Court. A dispute may be referred to arbitration if both parties agree, and Act No. 53/1989 on contractual arbitration shall apply to the proceedings before the arbitration court.

Changes to the Privacy Policy

Innnes reserves the right to change the privacy policy without notice. If there are significant changes, they will be announced on the company's website. A new version is identified by the publication date.

Similarly, it is important to us that information about customers is always as accurate as possible. Therefore, we kindly ask individuals to inform us if their contact information (e.g. phone number or email address) or other information changes.

If you have any questions about the processing of personal data at Innnes, you can send inquiries to the email address personuvernd@innnes.is.