Data Protection

a) Equipment and online store

To process your order Origo will generally process the following personal data:

- ID number

- email

- phone number

We request an ID number to register a product‘s warranty period, but you are free to refuse the registration of your ID number. We use the email address to send you an electronic receipt, and a phone number is requested when a product is collected in a smart box.

To shop in our online store, you need to register as a user by providing the following data necessary so that we can sell our products and, where applicable, keep track of the product´s warranty period.

- name

- e-mail

- phone number

- buyers’ ID number

- company, if applicable

The following data is necessary to complete your purchase in the online store:

- payment information

- address, upon a request for home delivery

The online store saves data about your purchase history, and you can collect products on your wish list there. If you leave your products in the shopping cart in the online store, we will send you an email to remind you to complete the purchase. This processing of data is based on Origo’s legitimate business interests.

We also use cookies to improve your experience in Origo’s online store. Further information can be found in Origo’s Cookie Policy.

Origo may also use your contact information to send you service surveys, information regarding seminars and events organized by the company, and new products and offers. This processing is based on Origo’s legitimate business interests; however, you can always object to receiving such emails by clicking on the link at the bottom of the respective email.

b) Customer contacts

Origo’s core operation consists of providing IT services to legal entities. If you represent such a customer, we will process the following data about you based on the company´s legitimate business interests:

- name - workplace

- phone number and email address

- communication history

- ID number to verify your authorization to conduct account sale business on behalf of a customer, as applicable.

Origo may also use contact information to send you service surveys, information regarding seminars and events organized by the company, and new products and offers. This processing is based on Origo’s legitimate business interests; however, you can always object to receiving such emails by clicking on the link at the bottom of the respective email.

Customer phone calls that come through Origo’s help desk are recorded, and customers are informed of the recording at the beginning of the call.

c) Origo’s website

You can find our primary products and service information on Origo's website. There you can subscribe to our mail list to receive information regarding Origo’s news, seminars, and events, as well as offers, news, and information regarding our latest products in our store. When you subscribe to our mail list, we request the following personal data based on our legitimate business interests:

- name and email address

- company information and job title

On our website, you can also send us a message, whether it is a general inquiry, a consultation request, or an errand designated to a particular department within Origo. When you send us an inquiry, we request the following personal data based on your request:

- name and work email

- phone number

- company

- job title

- type and content of the inquiry

We may use your email address to send you information regarding seminars and events organized by the company and regarding new products and offers. This processing is based on Origo’s legitimate business interests; however, you can always object to receiving such emails by clicking on the link at the bottom of the respective email. We use cookies to improve your experience on Origo’s website. Further information can be found in Origo’s Cookie Policy.

d) Workshop

When you bring us equipment to repair, we request the following information from you, which is mainly processed based on our contract with you:

- name

- ID number

- e-mail

- phone number

An ID number is used to determine whether the equipment is under warranty and to ensure payment for the repair, as appropriate. We use the email address and phone number to send you the repair status.

e) Courses and events

When you register for an event or course (collectively referred to as „events“) on behalf of Origo, we may request your personal data to keep track of your registration and payment, when applicable. We collect different data depending on the type of event in question, while in general, we request the following data, which is necessary for us to comply with your request for participation:

- name

- ID number

- e-mail

At some events, photographs are taken and published on Origo’s website, as the case may be, based on Origo’s legitimate business interests or your consent. However, moderation is always maintained when images are published. After the event, we may send you follow-up emails and emails with content that we think you might be interested in, e.g., invitations to similar events.

f) Origo’s premises

The following personal data is collected about meeting guests visiting Origo’s premises; this processing is based on our legitimate interests, whereas it is necessary for security purposes and to fulfill the conditions set out in the ISO 27001 security certification that the company operates according to:

- name and the time of the meeting

- phone number

- which employee is being met

Origo maintains electronic surveillance by using surveillance cameras at the company´s premises, both indoors and around the respective building. All monitored areas that are indoor are specifically marked. Camera surveillance is performed for security and property protection purposes based on Origo’s legitimate interests. Footage collected by surveillance cameras is not stored for more than 90 days. However, this does not apply to footage that needs to be preserved for a legal claim to be restricted, presented, or defended due to a court case or other legal necessity.

g) Job applications

If you apply for a job at Origo, we process the following data about you:

- information presented in the CV and cover letter

- information in an application form, e.g., on career and education

- information presented in the job interview, as appropriate

If you succeed in the recruitment process, we request the following data:

- criminal record

- information from referees

- personality tests or other approved aptitude tests upon the applicant´s consent.

However, we only request a criminal record if you are about to be offered a job, and it is then requested before a decision is made on employment. After reviewing the criminal record, it is deleted. This processing is based on Origo’s legitimate interests in ensuring the safety and integrity of the workplace.

Data regarding you is primarily obtained from you but may be obtained from referrals and, as appropriate, recruitment agencies and is used to evaluate your qualification for the job in question. This processing is based on your request for an employment contract.

Origo stores your personal data for up to 9 months after the company receives the application; after that period, the applications are securely deleted. If you wish to maintain your application on Origo’s application website, your personal data will be stored for additional 9 months. Origo may ask to store applications longer due to further job opportunities at the company. In that case, Origo will contact you and request consent for extended retention time.

In principle, Origo collects personal data directly from you. However, data may also be obtained from third parties, e.g., from the National Registry.

Origo stores personal data for as long as necessary based on the purpose of the processing, unless otherwise authorized or required by law. However, personal data is generally not stored for more than seven years.

Origo may share personal data with third parties that provide the company with services related to the processing of personal data and is part of the company´s operations. Examples of such parties are external consultants, e.g., auditors, lawyers, appraisal agents, and parties that provide Origo IT and telecommunications services, as well as Origo’s subsidiaries. The disclosure of personal data to such parties is based on Origo’s legitimate interests.

In addition, Origo may share personal data with regulatory authorities when required by law, government directive, or court order. An example of such disclosure is the delivery of personal data to a supervisory authority, e.g., The Financial Supervisory Authority, The Director of Internal Revenue, or the police, based on a court ruling or a lawful request.

These parties may be located outside of Iceland. Origo will not, however, share personal data outside the European Economic Area unless authorized to do so based on relevant privacy legislation, e.g., based on standard contractual clauses, your consent, or the Data Protection Authority´s advertisements on countries that provide adequate protection of personal data.

Origo is certified by BSI UK according to the ISO 27001:2013 standard and has implemented safety measures in accordance with the standard. Further information on Origo’s safety certification and policy can be found here.

The Data Protection Act ensures individuals certain rights over their personal data. Thus, individuals can, e.g., request access to or the deletion of their personal data.

It should be noted that your rights under the Privacy Act are not implicit. Thus, laws may, for example oblige Origo to reject a request for deletion or access to data. The company may also reject your request due to the company´s rights, e.g., intellectual property rights, or the rights of other parties, or for the protection of privacy if Origo considers those rights to be of more importance.

In the event of a situation where we are unable to comply with your request, we will endeavor to explain why the request has been rejected, however, with regard to the restrictions based on legal obligations.

Right of rectification

It is important that the personal data processed by Origo is both accurate and relevant. Therefore, it is important that we are notified of any changes that may occur to your personal data. You have the right to have inaccurate personal data regarding you corrected. Taking into account the purpose of the processing, you also have the right to have incomplete personal data about you completed, e.g., by providing additional information.

Right of access

You have the right to request a confirmation from us on whether we process your personal data or not, and if so, request access to the personal data and how the processing is managed. You may also be entitled to a copy of the information.

Right to data portability

In certain circumstances, you may request Origo to send information you have provided or provided to us directly to you or a third party. However, this only applies when processing the relevant personal data is based on your consent or an agreement with Origo.

Right to erasure („the right to be forgotten“)

In certain circumstances, you may request the immediate deletion of your personal data, for example, when the storage of the data is no longer necessary considering the purpose of the processing or because you have revoked your consent for the processing of personal data; and there is no other authorization that the processing is based on.

Withdrawal of consent

When the processing is carried out based on your consent, you have the right to withdraw your consent at any time.

Right to request restriction of processing

If you don‘t want your personal data to be deleted, e.g., because you need them to defend against a legal claim, however, you don‘t want them further processed by Origo, you can request that the processing is limited.

The right to object to processing

If the processing of your personal data is based on Origo’s legitimate interests, you have the right to object to that processing.

If you want to exercise your rights based on the Privacy Act, you can send a request to Origo through the company´s service portal here.

Origo is only authorized to process requests based on the Privacy Act when the company is the controller, e.g., when you as an individual conclude business with Origo or represent a legal entity that concludes business with the company. Requests related to the processing of personal data by a legal entity that purchases IT services from Origo shall be directed to the relevant legal entity, which is the controller.

We generally do not charge a fee for processing requests from individuals. However, we reserve the right to charge for requests that are deemed to be manifestly unwarranted, repeated, and/or excessive; Origo may refuse to comply with the request in instances that are mentioned above.

Origo will identify individuals who submit a request to the company with electronic IDs. This Identification is necessary so Origo can fulfill its legal obligation under the Privacy Act and includes security measures so that the personal data related to individuals is not disclosed to unauthorized parties.

Origo may also contact individuals and request further information if deemed necessary.

Origo will retain your requests, all information related to the request, and communications regarding the request for 4 years from its service.

The Data Protection Officer receives inquiries and requests regarding the protection of personal data, advises Origo on processing personal data, and is our contact with the Data Protection Authority. All inquiries regarding privacy protection shall be sent to the Data Protection Officer at his email address, personuvernd@origo.is, or by post:

Origo’s Data Protection Officer

Borgartún 37, 105 Reykjavík

If you are not satisfied with how Origo processes your personal data, you can always send a complaint to the Data Protection Authority.

Information regarding the Data Protection Authority is available at https://www.personuvernd.is/.

Origo may from time to time change this Privacy Policy in accordance with changes to the Data Protection Act or due to changes in how the company processes personal data. All changes made to the Policy will take effect after the updated version has been published on the company´s website.

This Privacy Policy was last updated in June 2022.