1. Information about us
BBA Fjeldco ehf., Katrínartúni 2, 105 Reykjavík, reg. no.6108190950 (also referred to as ‘’BBA’’ and ‘’we’’’) is the controller of any personal information that we process in connection to the legal services we provided to our clients.
BBA Fjeldco ehf.
c/o Sara Rut Sigurjónsdóttir
2. Types of personal information we collect
Personal information means any information that can be used to directly or indirectly to identify a specific individual.
BBA collects and processes certain personal information for the purposes of providing legal services to clients. Depending on whether you are a client of BBA or whether you are representing a legal person that is a client of BBA.
The following are examples of personal data that BBA processes of individuals that are clients of BBA:
- identification information of the individual that is a client, such as name/that is, identification number and domicile;
- communication information, such as a telephone number, email and communication with a client;
- financial information;
- personal identification, such as a copy of a passport or drivers licence; and
- other personal information that an individual provides us with in connection to legal services.
The following are examples of information about individuals that represent a client who is a legal person or an individual that is in another way a contact for a client:
- contact information, such as the name of the employee, the name of the legal person that the employee works for and title; and
- communication information, such as telephone number, email and communication with an employee.
It shall be noted that providing personal data is always optional for a client. If certain information is not provided it may affect BBA’s ability to provide legal advice.
In general BBA collects personal information directly from a client or a representative of a client. In some instances, the information may be provided by third parties, such as the National Register of Iceland, Property Register of Iceland, CreditInfo, Keldan, the Directorate of Internal Revenue, banks or other financial companies, District Courts, District Commissioner and public authorities.
BBA may in some cases collect data through website visits to the Company’s website, www.bba.is, including information regarding the location of the individual that opens the website, the type of browser that is used and general information regarding traffic on the website.
3. Legal bases for collection
The processing of personal data that BBA holds depends on the purpose of the collection of personal data. For example, BBA processes personal data of a client to:
- fulfil our contractual obligations of providing legal services;
- ensure the interests of our client or other obligations in connection to the legal services we provide;
- fulfil legal obligations;
- safeguard the legitimate interests of BBA, particularly in relation to asset and security management and marketing, such as debt collection, managing the clients, marketing etc.
If a client has provided its consent to BBA for the processing of personal data for a specific purpose then consent is the legal basis for processing. The client can withdraw its consent at any time when the processing of personal information is based on consent. Further, it shall be noted that the withdrawal of consent does not affect the legality of the processing before the withdrawal of consent.
4. Disclosure of personal data
The employees of BBA have access to personal data to the extent necessary to fulfil our contractual obligations towards our clients. Personal data may be delivered to third parties that process data on behalf of BBA or provide services to us. Those parties are for example IT system and software providers, banking and financial service providers as well as debt collectors.
In some instances, BBA has a legal obligation to disclose a client’s personal information to regulatory authorities, law enforcement agencies, district courts and other governmental bodies.
It shall be noted that the attorneys employed at BBA are bound by a legal duty of confidence regarding all information they receive according to Article 22 of Act no. 11/1998, except if they have a legal obligation to disclose information or the client has provided consent for such disclosure. Other employees are also bound by a similar confidentiality requirement.
5. Data transfers outside the European Economic Area
GDPR is applicable in all countries within the European Economic Area (,,EEA area’’) and data transfers within the EEA area are unlimited if based on an appropriate legal basis. GDPR restricts data transfers to countries outside the EEA area, including the United Stated. BBA uses the services of providers in the United States and transfers data to the United States for example, in relation to the monitoring of our website. As a data controller BBA is responsible for ensuring that our clients personal data is only transferred to parties that provide adequate protection to clients’ personal data. Therefore, BBA only transfers personal data to parties certified as Privacy Shield members or parties who have provided appropriate safeguards such as standard contractual clauses.
6. Data retention
Personal information is generally processed and retained as long as necessary to fulfil contractual obligations to clients, legal obligation and legitimate interests of BBA. When data is no longer necessary to fulfil contractual obligations or legal obligation they are deleted. However, BBA may retain personal information relating to legal services for a longer period when obliged by legal and/or regulatory requirements, such as limitation periods for taking legal action and accounting requirements.
7. Data subject rights
Individuals enjoy certain rights in relation to the processing of BBA on personal data. They include the right to:
- request information about how BBA processes personal data and receive a copy of the information;
- request erasure of personal data, rectification of inaccurate personal data or request that BBA complete incomplete personal data;
- request to receive personal data in a structured, commonly used, and machine-readable format and to have them transferred to another party.
It shall be noted that BBA is permitted in limited circumstances to deny that personal data is erased, transferred or that access to data is provided. BBA will ensure that the personal data of each client is updated and reliable.
8. Protection of information
BBA has taken appropriate and reasonable steps to ensure that all personal data is protected from misuse, interference and loss, as well as unauthorised access, modification or disclosure. The measures taken to protect personal data include:
- implementation of technical and organisational measures designated to ensure continued confidentiality, continuity, availability and load resistance of processing systems and services;
- managing the access of individuals to our premises;
- managing the access of employees and others to systems that contain personal information;
- ensuring that third parties who have access to the personal data of clients have made appropriate security safeguards to protect personal information; and
- limiting the retention period of the personal data of clients.
This Policy will be updated regularly in accordance to the changes made by BBA in relation to the processing of personal data. We encourage you to review this policy on a regular basis to be informed about how we use and protect your personal data.