Privacy

NTÍ emphasizes that personal information that the agency collects is obtained for clear and legitimate purposes.

NTÍ collects, stores and analyzes data through NTÍ's activities for the following purposes:

• To provide the service - To enable NTÍ to fulfill its statutory role and provide individuals with the services to which they are entitled under Act no. 55/1992, the Administrative Law, the law on privacy and processing of personal information, the Information Act, the Law on Public Archives and other statutory provisions. This is in accordance with paragraph 3. Article 9 in Act no. 90/2018 on privacy and processing of personal information.
• Performance measurement - NTÍ uses non-personally identifiable information for statistical processing, with the aim of improving the Agency's services, for the benefit of NTÍ's customers.
• Registration og non-conformities - NTÍ records all non-conformities from approved work processes to learn from them and assess whether preventive measures are needed. Thus, the NTÍ utilizes the non-conformities to improve procedures and prevent further anomalies.
• Other - NTÍ uses personal information for other purposes as required and permitted by law.

NTÍ collects and processes limited personal information that is necessary in order to process losses, which is NTI's main role. All claims are processed in accordance with the Administrative Act. NTI saves information on all cases that are handled at NTI under a unique case number accordingt to the rules of National Archives of Iceland

Personal information regarding processing of claims
The claimant provides information about the property that was damaged (property identification number, address, postal code and municipality), date of damage event and what kind of damage event caused the damage as well as descriptions of the damage and circumstances.

Contact information
The claimant is asked to choose between electronic or paper communication and provide relevant contact information so that they can be contacted during the processing of the case. The contact information in question is a postal address for communication by post and an email address for electronic communication. In addition, the claimant provides a telephone number so that he can be reached during the processing of the case. If the claimant chooses to designate a contact to communicate with NTÍ on his behalf, he provides an identification number (kennitala) and email address for the contact. Contact information is deleted from the tables of the database upon completion, but remain in the documents and event record if the information has been used for communication.

Bank Account Information
The claimant provides information on their bank account in order for the NTÍ to be able to pay compensation as appropriate. If payment is made, the information will be available in the payment receipt, but will be deleted from the database tables when the case is closed.

Data processing during the processing of a case
If data is received from the claimant, they are saved together with other case files. During processing of the case various documents are made, such as letters between the owners and the NTÍ, assessment reports, memorandums, photographs from the damage assessment, measurements and other adjustors' working documents and communication between NTÍ and the assessors. If an individual contacts NTÍ for any reason, the communication history is stored, as well as the data and contact information generated during the processing of the case. This applies whether you contact NTÍ by phone call, mail, e-mail or by any other way.

Real estate
If damage is reported on a real estate, the claimant retrieves information about the property from the National Registry at Registers Iceland through the NTÍ notification page. The aforementioned information is: who the owners of the property are (ID number, name, ownership ratio, purchase and delivery date) and information about the property (sub-unit numbers and description, year of construction, level of construction, size and fire valuation).

Movables
If damage is reported to movables, the claimant provides the policy number and ID number of the insured in order for NTÍ to retrieve a copy of the insurance policy from the insurance company for the property.

Personal information of the insured
NTÍ keeps a record of all insurance policies that fall under NTÍ's insurance coverage. The information is obtained from the insurance companies and contain the location of the insured assets. From that, the location of property is gathered from the Access address registry and saved.

Personal information of contacts for public infrastructure
NTI saves communication with contacts for owners of public infrastructures that are insured directly with NTI. Such communications may include the sender's personal information, such as, name, telephone number and e-mail address and are stored in the relevant cases.

Queries and other cases
Among the information that NTI is obligated to register on all administrative cases are the names of individuals related to the case, and senders or recipients of documents.

Accounting
NTÍ preserves NTÍ's accounting records according to law on accounting, including the names and identification numbers of publishers of bills.

As a public entity, NTÍ must comply with Act no. 77/2014 on public archives. This means that NTÍ must store all data received or created in its activities, except for working documents. All data are therefore stored at NTÍ until they are delivered to the National Archives of Iceland for permanent storage when they have reached the age of 30. All NTÍ's electronic data is stored within the European Union.

Security backups - NTÍ follows the guidelines of the Financial Supervisory Authority no. 1/2019 on the risk of operating information systems of regulated parties, where the requirement is that NTÍ backs up data and information systems.

The NTÍ is obligated to store information collected about individuals in an organized manner. In addition, NTÍ is also obligated to correct incorrect information if it is detected.

Data subjects have the right to request that NTÍ share data about them, or limit its processing. Individuals can request information on what data NTÍ has about themselves and receive a copy of it. Data subjects have the right to request correction at any time. NTÍ reserves the right to charge a fee for such processing, cf. authority in the Information Act. If a fee is to be charged, the data subject will be notified of it before processing occurs.

If a data subject suspects that NTI's processing of personal data is not based on legal grounds or contractual provisions they have the right to object to the processing or withdraw consent for NTÍ's processing of personal data. Data subjects also have the right to submit a complaint regarding NTÍ's processing of personal data to the Data Protection Authority.

Access to and correction of information - All data generated during claims processing as well as all the personal information that the claimant has registered are accessible at nti.is/minarsidur. There, the claimant can correct and / or update the personal information that has been registered.

Copies of personal information - NTÍ enables individuals to make copies of their own information stored in NTÍ Claims Register. Information regarding damage reported after 16.2.2015 is available at nti.is/minarsidur. Requests for other personal information should be sent to nti@nti.is.

NTI is subject to supervision by the Central Bank of Iceland's Financial Supervisory Authority and other regulators and strives to comply with all laws, regulations and guidelines that apply to the agency. NTI works closely with regulators to ensure data security. A service provider that manages the overall operation of IT systems is certified according to the ISO27001 Information Security Standard. Information technology service providers are required by the Act on the Privacy and Processing of Personal Information to ensure data protection by design and by default in IT systems, as possible, taking into account the latest technology, costs of implementation, scope, context and purpose of processing and risk.

NTI endeavors to protect individuals from unauthorized access or unauthorized alteration, disclosure or vandalism of personal data processed by NTI. For example:

• In many cases, NTI's sites are encrypted with SSL (highlighted in the browser with the "https" prefix preceding the URL and an image of a padlock).
• When individuals sign in to My Sites, they use a government managed password (Íslykill) or electronic credentials to sign in.
• NTI regularly reviews the process of collecting, storing and processing information, including technical security measures, to protect unauthorized system access.
• NTI restricts access to personal data to NTI staff and processors who have signed a processing agreement in accordance with the Act on Privacy and Processing of Personal Information as well as contractual parties that have signed a confidentiality agreement for the processing. Access is always limited to those that require the access for their work for NTI.
• NTI updates its security measures regularly to protect against computer attacks, illegal deletion or alteration of personal information.
• NTI has conducted penetration tests on NTÍ's systems to ensure that known methods could not be used to break into NTI's servers.
• Processors must immediately notify NTI of any security breach in accordance with the Act on Privacy and Processing of Personal Information.
• All personal information is managed by access controls and the individuals with access to the information are bound by confidentiality.

NTI outsources part of its activities in order to fulfill its statutory role safely and efficiently. Outsourced activities include damage assessment, internal audits, information technology services and data hosting. Processing agreements are in force with NTI's processors and they state the authority and obligations of the processor when it comes to the processing of personal data. The provision of personal information to third parties is limited to the extent possible. There is no need to enter into processing contracts with independent controllers, e.g. law and accounting firms.

NTI does not disclose personal information to a non-contractual third party unless legally obliged. NTI is a government agency and is therefore subject to the Information Act and the Act on Privacy and Processing of Personal Information. NTI only shares personal information with individuals, companies or organizations outside the NTI if access to, use of it or disclosure is considered necessary to:

• comply with applicable laws and regulations in connection with procedures and requests from authorities.
• identify, prevent or otherwise respond to fraud, security or technical issues.
• protect the rights, property and security of our users or the public from vandalism, as required by law or permitted.

NTI is considered to be a party liable for delivery according to the Act on Public Archives, and therefore submits data to the National Archives of Iceland (ÞÍ) for permanent storage in accordance with the relevant rules. Data is submitted to ÞÍ ​​every five years for safekeeping. NTI provides access to the data for 30 years, after which ÞÍ provides the access. All access to data is subject to the information law and the laws on privacy and processing of personal information.

Processors are not permitted to outsource the processing of personal data to another party without the consent of NTI.

NTI reserves the right to share non-personally identifiable data to third parties for research purposes.

What are cookies?

Cookies are small text files that are stored in the device used to visit a web page.
Cookies can be either session cookies or persistent cookies. Session cookies are deleted by a user's device when they close the browser. Persistent cookies will remain on the user's website until deleted or expired.
A user always has the option to disable cookies or request permission to use cookies each time. Please note that such measures may limit the potential use of websites in whole or in part.

Does Natural Catastrophe Insurance of Iceland use cookies?

Necessary cookies

In the notification section of the website, the entered information is temporarily stored until the notification is sent. This is done to improve the user experience so that the user does not have to re-enter the information if a notification is not sent immediately and is considered as necessary cookies.

Optional cookies

If a user has permitted the use of cookies, permanent cookies are used to record visits to the nti.is website, otherwise not.

Third-party cookies, Google Analytics, are used on the Website. Information about how Google Analytics uses cookies is available on Googles Web site.

Natural Catastrophe Insurance of Iceland uses this service in particular to obtain statistical information used to refine and develop the website and the information published there. This information, for example, highlights how many users access specific subpages on the webpage, how long they are browsing, what content users search for in the search engine on the page, from which webpages users come to the site and what kind of browser they use to view it.

What information does Natural Catastrophe Insurance of Iceland collect using cookies?

When visiting a user on the NTÍ website, any of the following information may be collected automatically:

IP address (Internet Protocol address)
URL of previous website
Country
Time Zone
What a user viewed on the site
Operating system and browser
How long a visit to each page lasted
Response Time of Page
Method of leaving a page

Questions or complaints regarding this privacy policy and / or the processing of personal information should be directed to NTÍ, Hlíðasmári 14, 201 Kópavogur or via the email address nti@nti.is or to NTI's Data Protection Officer, Auðbjörg Friðgeirsdóttir, audbjorg.fridgeirsdottir@is.pwc.com
Statement last updated 23.11.2020