Privacy policy

Your privacy concerns us, and we at KILROY Iceland (hereinafter KILROY) take the responsibility you have entrusted us directly or indirectly seriously. 

This policy explains how KILROY collects customer data, uses the data and in which situations and to whom the data is disclosed for the purposes of dispense of digital ISIC, ITIC, IYTC and the management of the websites www.isic.is and isic.is/en.

KILROY is part of a European group of companies that operates within travel, educational counselling and student benefits as subsidiaries of KILROY International A/S. Collecting and processing personal data is a necessary part for dispensing student, youth and teacher identification documents and the process of it is described in this privacy policy. 

KILROY is a data controller for the processing of personal data for the purposes mentioned in paragraphs 3.1 - 3.4 of this Privacy Policy. The ISIC ASSOCIATION, registration number 26746760, headquartered Nytorv 5, 1450 København K. Denmark, is the controller of personal data for the purposes of ISIC, ITIC, IYTC issuing, management and any other purposes that ISIC Association processes personal data for. KILROY is not legally bound for the ISIC Association’s processing of personal data. For more information please visit https://www.isic.org/privacy-policy/.

If you have any questions regarding this privacy policy or to our handling of your personal data, please contact us at: 

KILROY Iceland

Lækjartorg 5, 3.hæð, 

101 Reykjavík

Ísland

[email protected]

1. Protection and safety are important to us 

Responsible handling of personal data as a part of the operation of our business is crucial to our business objectives and reputation. In this privacy policy we will account for how your personal data is collected and used when you are an applicant, supplier or business partner and how you can gain access to your own personal data. 

2. What is personal data? 

Personal data is any kind of data about an identified or identifiable living individual. An identifiable individual is understood as a person, who directly or indirectly can be identified, among other things, by an identification number or one or more elements, that are particular to a given person’s identity.

3. What types of personal data are we processing and why? 

Your personal data will be used for different purposes in relation to your position as an applicant for ISIC, IYTC or ITIC and the operations of KILROY. The data collected may vary, depending on whether you are an applicant, supplier or business partner, but in general it will be the data regarding the management of applications for dispensing of a digital ISIC, IYTC or ITIC, supplier administration, direct marketing and data processing regarding implementation of KILROY’s rights and obligations.  

Failure to provide personal data on your part, may mean that KILROY is unable to fulfil or continue its obligations towards you as a customer or a supplier.

As a rule, KILROY only collects and processes ordinary personal data for the purposes of management of applications for dispensing of a digital ISIC, IYTC or ITIC.

It is the responsibility of ISIC Association to process personal data as a data controller for the purposes of ISIC, ITIC, IYTC management and any other purposes that ISIC Association processes personal data for.

KILROY will typically gather the following information as a data controller: 

3.1    Information concerning our customers 

The information provided to us when applying for a digital ISIC, IYTC or ITIC online via the website is: first name, last name, birth date, place of study and proof of student status by the educational institution (applies only for ISIC), place of work and proof of teacher status by the educational institution (applies only for ITIC), promotional code (if applies), mobile phone number, email address, identification photo, card validity, date of issue, card serial number, information regarding payment of a fee for card issuance (price, type of payment, date, payment confirmation), and possible communication regarding provision of services. 

3.2    Information concerning our suppliers and business partners  

Information you provide when entering a contract or agreement with us, including contact information (job, job title, first name, middle name(s), surnames, addresses, telephone number, email address), information regarding your marketing and communication preferences, as well as information you have given us if you contact us with questions, to report a problem or when you contact us with reference to your customer relationship. 

3.3    Information concerning subscribers for direct marketing content

The information provided to us when subscribing for newsletters or other direct marketing content: Name, surname, phone number, email address, date of subscription.

3.4    Information concerning our customers who did not express disagreement for direct marketing at the time of purchase of products or services

The information collected by KILROY at the time of your purchase of KILROY products or services: name, surname, phone number, email address, products or services bought, date of purchase.      

4. What do we use your personal data for? 

KILROY processes your personal data to fulfil the purposes stated below. Notice that not all purposes, categories of information, recipients of information and types of procedures are applicable to you in all cases. KILROY exclusively processes your personal data to the extent necessary for you as applicant, supplier or business partner or in accordance with existing laws. 

4.1    Management of applications for dispensing of a digital ISIC, IYTC or ITIC 
KILROY processes your personal data when collecting and administering your applications for dispensing of a digital ISIC, IYTC, ITIC for the issue of chosen card including maintenance of applicant registers, billing for the application and or other fees.

4.2    Administration of supplier and business partner relationships 

KILROY processes your information when co-administrating supplier and business partner relations, where you are the supplier or business partner, or contact person with a supplier or business partner, which KILROY is working with as a part of the operation of our company, including maintenance of our CRM-registry with information about our contact with each supplier and business partner.  

4.3    Direct marketing

In order to provide you information regarding KILROY services or products or to conduct customer surveys, KILROY processes your personal data for direct marketing purposes. KILROY processes your personal data for direct marketing purposes only if you have provided us with the consent for direct marketing purposes and or you have bought products or services from KILROY (e.g. applied for a card) and at the time of purchase you did not express disagreement for use of your personal data for the direct marketing purposes.

4.4    Compliance with current laws and regulations 

KILROY processes your personal data in compliance with the laws and regulations that KILROY is subject to with respect to the operation of the business or for filing different liability and disclosure requirements in accordance with applicable laws and regulations. 

4.5    Automated decisions making and profiling

KILROY does not use your personal data to make decisions that are solely based on automatic processing except for profiling. Profiling is a form of automated processing of your personal data. We use profiling and data modelling e.g. to be able to offer you specific services and products that meet your preferences for marketing purposes. For example, a proposal for a new card issuance or renewal is prepared based on information about present type of the valid card, your compliance with our proposed products or goods.

4.6    Obligations to update personal data without undue delay

KILROY strives to guarantee that all personal data we process is correct and up to date. We therefore always ask you to inform us of the possible changes in your personal details (e.g. change of address, name, phone number, etc.) so that we can guarantee that your personal data is always correct and up to date. If your personal information changes, you should update your personal data immediately by writing to [email protected].

4.7    Statistics

All statistics and analysis are compiled in anonymized form and therefore do not contain information that can lead directly back to you as an identifiable person.  

5. How long do we keep your personal information?

KILROY will retain information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with the services or to comply with applicable legal, tax, or accounting requirements). 

Data processing retention period for management of applications for dispensing of a digital ISIC, IYTC or ITIC with KILROY is 36 months after the provision of the services (card issue date).

5.1.    We use your personal data for direct marketing purposes for 40 months after you have subscribed for newsletters or after a receival of your consent to use your personal data for direct marketing services.

5.2.    Your personal data may also be used for direct marketing purposes for 24 months after you have bought products or services at KILROY.

5.3.    Your data shall be deleted after we have received and executed your request to delete your personal data or you have unsubscribed from newsletters, when data processing is based under your consent or if we do not have any other reason to keep the data we process. You may withdraw your consent for direct marketing purposes at any time.

5.4.    The personal data for the purposes of administration of supplier and business partner relationships is stored for 3 years after the expiration of business relations. 

5.5.    KILROY processes personal data accordingly to the retention periods provided by the laws and regulations.

The data retention periods are never prolonged unless it is based under specific law and regulation.

6. Legal base for processing your personal data 

KILROY essentially processes your information on the following grounds:

6.1.     Your consent (e.g. Direct marketing).

6.2.     You enter into and fulfilling contractual agreements with KILROY (e.g. Management of applications for dispensing of a digital ISIC, IYTC or ITIC).

6.3.     Consideration for the legitimate interests of KILROY, as described above (e.g. direct marketing).

6.4.     Fulfilment of legal duties that KILROY is required to meet (e.g. billing, etc.).

6.5.     The processing is necessary for a legal claim to be established, enforced or defended (e.g. management of claims pertaining applications for dispensing of a digital ISIC, IYTC or ITIC).  

6.6.     In addition, there may be situations where we treat your personal data for the sake of KILROY’s or third parties' legitimate interests regarding the purposes described above, unless consideration for your interests is deemed more important (e.g. direct marketing, management of applications for dispensing of a digital ISIC, IYTC or ITIC). 

7. Transfer of Personal Data

KILROY only discloses data to the extent necessary for the operation of our business, including to provide services you have ordered. 

KILROY will typically pass personal data to the following recipients when issuing ISIC, ITIC, IYTC:

7.1.    When ordering ISIC, ITIC, IYTC, KILROY passes personal data to ISIC Association through the Global Office BV, Keizersgracht 174, Amsterdam, 1016 DW The Netherlands. ISIC Association stores cardholder data for all active ISIC, IYTC, ITIC globally in Co. Dublin, Ireland and processes the personal data transferred by KILROY in order to provide the applicant with the ISIC, IYTC, ITIC services and to prove students’, teachers’ or youths’ card validity globally. The following data is provided at the time of ISIC, ITIC, IYTC issue: first name, surname, birth date, place of study, photo, place of work (applies only for ITIC), email address, card’s serial number, and, only if requested by ISIC Association, the copy of proof of study or work you have provided to us in order to confirm your eligibility to hold the card that you have been issued (applies only to ISIC and ITIC). 

7.2.    Furthermore, KILROY may disclose your personal data to suppliers and service providers (data processors) as a part of normal operation of the company (for processing personal data on behalf of us), e.g. in connection with external administration of our IT systems, analysis reports, marketing, debt collection, credit rating, audit, legal assistance, payments acceptance etc.  

7.3.    Some of the suppliers as credit rating, audit, legal assistance, payments acceptance etc., may be considered as data controllers themselves. For further information regarding ISIC Association’s, our suppliers’ and partners' processing and protection of your personal data, please refer to their privacy policies and terms of use, for example in www.isicassociation.org

7.4.    KILROY strives to limit the disclosure of personal data in personally identifiable format to the maximum extent possible, thereby limiting the cases where information can lead back to you personally. 

8. International transfers of your personal data 

KILROY does not transfer your personal data to countries outside the EU/EEA for the purposes mentioned within this Privacy Policy, unless explicitly requested by the data subject or obliged by applicable laws.

9. Data integrity and security 

Personal data will be stored no longer than necessary in order to fulfil the purpose for which they have been collected, unless the storage is required to comply with national legal requirements, including statutory storage periods in connection with bookkeeping, etc. 

It is KILROY’s policy to protect personal data by taking adequate technical and organizational security measures. When your personal data is no longer needed, we will ensure that they are deleted in a safe manner. 

10. Your rights 

You are entitled to access any personal data we have registered and information on where it comes from and what we use it for. You can obtain information about how long we store your data, who receives data about you and to what extent we disclose data in Iceland and abroad. Your right of access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for our business and practices. Our know-how, business secrets as well as internal assessments and material may also be exempt from the right of access.  

In certain circumstances, you have the right to object to our processing your personal data. This is the case for example when the processing is based on our legitimate interests. 

Objection to direct marketing. You have the right to object to our use of your personal data for direct marketing purposes, including profiling that is related to this purpose at any time. 

If the data is incorrect, incomplete or irrelevant, you are entitled to have the data corrected or erased with the restrictions that follow from existing legislation and rights to process data. These rights are known as the “right to rectification”, “right to erasure” or “right to be forgotten”.  

If you believe that the data we have registered about you is incorrect, or if you have objected to the use of the data, you may demand that we restrict the use of these data to storage. Use will be restricted to storage only until the correctness of the data can be established, or it can be checked whether our legitimate interests outweigh your interests. 

If you are entitled to have the data we have registered about you erased, you may instead request us to restrict the use of these data to storage. If we need to use the data we have registered about you solely to assert a legal claim, you may also demand that other use of these data be restricted to storage. We may, however, be entitled to other use to assert a legal claim or if you have granted your consent to this. 

You can withdraw your consent at any given time. Please note that if you withdraw your consent, we may not be able to offer you specific services or products. Note also that we will continue to use your personal data, for example, to fulfil an agreement we have made with you or if we are required to do so by law. 

If we use data based on your consent or as a result of an agreement, and the data processing is automated, you have a right to receive a copy of the data you have provided in an electronic machine-readable format. 

If you wish to claim one or more of your rights, please contact us at [email protected]. Your request will be processed in accordance with the data protection legislation currently in force. 

Complaint about the processing of your personal data by KILROY can be made to: 

Iceland - The Icelandic Data Protection Authority Data Protection Commissioner - Helga Þórisdóttir
Rauðarárstígur 10, 105 Reykjavík, Iceland. Tel. +354-510-9600 [email protected]

11. Updates 

KILROY regularly evaluates and updates this privacy policy. Therefor please regularly check this privacy policy for any changes that may affect our processing of your personal data. 

Updated 18-10-2019