Privacy Policy of CORUS ehf.

At CORUS ehf. (“CORUS” or the “Company”), great emphasis is placed on ensuring the reliability, confidentiality, and security of the personal data processed by the Company. The purpose of this Privacy Policy is to inform you about CORUS’s processing of personal data, including what personal data we collect and how such data is used.

This Privacy Policy applies solely when the Company processes personal data as a data controller in accordance with Act No. 90/2018 on Data Protection and the Processing of Personal Data, e.g. when the Company processes the personal data of contact persons acting on behalf of legal entities that do business with the Company, or job applicants.

This privacy policy does not apply to the company's processing of personal data carried out in connection with the human resources-related services that we provide to legal entities. In such cases, the Company’s customer acts as the data controller, and the Company acts as the data processor on behalf of that customer, processing personal data based on a contract.

The Company has appointed a Data Protection Officer who oversees the Company’s compliance with applicable data protection laws, cf. Section 7 of this Policy.

1. What personal data do we process?

The Company’s processing of personal data depends on its relationship with the individuals whose data it processes.

Sections (a)–(g) below provide further information on what personal data the Company processes in different contractual relationships, the purpose of processing, the legal basis supporting such processing, and how long the data is retained.

a) Contact persons of customers

The main business activities of the Company consist of providing software solutions and services in the field of HR and payroll solutions to legal entities. If you act on behalf of such a customer, we process the following information about you based on the Company’s legitimate business interests:

  • name

  • workplace

  • phone number and email address

  • communication history

  • ID number (kennitala), for the purpose of verifying your authority to conduct account transactions on behalf of the customer, as applicable

The Company may also use your contact information to send you surveys, service updates, training information, event invitations, and news about new products and offers. This processing is based on the Company’s legitimate interests, but you may always opt out by clicking the unsubscribe link at the bottom of such emails.

Calls to the Company’s service desk may be recorded, and callers are notified of the recording at the start of the call.

b) CORUS website

The CORUS website contains information about the Company’s primary services. You may subscribe to our mailing list to receive updates, news, training information and event invitations. When you subscribe, we request the following personal data based on the Company’s legitimate interests:

  • name and email address

  • information about your company and job title

You may also submit inquiries via the website, whether general questions or requests for consultation. When you submit such an inquiry, we request the following data based on your request to enter into a contract:

  • name and work email address

  • phone number

  • company

  • job title

  • type and subject of the inquiry

The Company may use your email address to send you training and event information, as well as notifications of new products and offers. This processing is based on legitimate interests, and you may opt out at any time.

We use cookies to enhance your experience on the CORUS website. Further information can be found in the cookie banner displayed when you visit the website.

c) Courses and events

When you register for an event or course (collectively referred to as an “event”), we may request personal data to manage your registration and payment, where applicable. The type of data collected depends on the event, but generally includes the following (necessary to fulfil your request to participate):

  • name

  • ID number (kennitala)

  • email address

Photos may be taken at certain events and published on the Company’s website, either based on legitimate interests or your consent. The Company always ensures reasonable limits in such publications.

After the event, we may send follow‑up emails and additional content that may interest you, including invitations to similar events.

d) CORUS premises

The following personal data is collected about visitors to the Company’s premises, based on the Company’s legitimate interests:

  • name and meeting time

  • phone number

  • which employee you are visiting

CORUS conducts electronic surveillance using security cameras at its premises, both indoors and around the buildings. All monitored areas indoors are clearly marked. Camera surveillance is carried out for security and property protection purposes based on the Company’s legitimate interests.

e) Job applications

If you apply for a job with the Company, we will process the following data:

  • information contained in your CV and cover letter

  • information provided on the application form, including work experience and education

  • information provided during interviews, as applicable

If you move forward in the recruitment process, we may request:

  • criminal record certificate, if applicable

  • references

  • personality or aptitude tests with the applicant's consent

Criminal record certificates are only requested when an offer of employment is intended and are deleted after review. This processing is based on the Company’s legitimate interests in ensuring workplace safety and integrity.

Most information is collected directly from you but may also be obtained from references or recruitment agencies and is used to assess your suitability for the role. This processing is based on your request to enter into an employment contract.

The Company retains job applications for up to 9 months after receiving them. If you maintain a profile on the Company’s recruitment portal, information is retained for an additional 9 months. The Company may request consent to retain applications longer for future opportunities.

2. Sources of data and retention period

Unless otherwise stated, the Company collects personal data directly from you. Data may also be obtained from third parties, e.g., Registers Iceland.

Unless specifically stated elsewhere in this Policy, the Company retains personal data only as long as necessary for the purposes of processing, unless otherwise permitted or required by law. Personal data is typically not retained for more than seven years.

3. Disclosure of personal data to third parties

The Company may disclose personal data to third parties that provide services related to data processing and form part of the Company’s operations. Examples include external advisors (auditors, lawyers, consultants) and providers of IT and telecommunications services. Such disclosures are based on the Company’s legitimate interests in outsourcing certain tasks.

The Company may also disclose data to potential investors and advisors in relation to mergers, acquisitions, or due diligence, based on legitimate interests.

Additionally, personal data may be disclosed to regulatory authorities when required by law, administrative order, or court ruling—such as the Financial Supervisory Authority, the Data Protection Authority, the Tax Authorities, or the police.

Some recipients may be located outside Iceland. The Company does not transfer personal data outside the EEA unless permitted under applicable data protection laws, e.g., standard contractual clauses, consent, or adequacy decisions.

4. Security of personal data

CORUS takes appropriate technical and organizational measures to protect personal data, considering its nature. These measures are designed to prevent accidental loss or alteration and unauthorized access, copying, use, or disclosure.

Examples of such measures include system access controls, physical access controls, and staff confidentiality obligations.

5. Your rights

Data protection laws grant individuals certain rights over their personal data, such as the right to access or request deletion. These rights are not absolute, laws may require the Company to deny requests, e.g., for legal compliance or to protect intellectual property or the rights of others.

If the Company cannot fulfil your request, we will explain why unless restricted by law.

Your rights include:

Right to rectification; You may request correction of inaccurate or incomplete personal data.

Right of access: You may request confirmation whether we process your data and, if so, access to the data.

Right to data portability: You may request that data you provided to us be transferred to you or a third party, when the processing is based on your consent or a contract.

Right to erasure: You may request deletion of your data under certain circumstances.

Right to withdraw consent: If processing is based on consent, you may withdraw it at any time.

Right to restriction of processing: You may request restriction instead of deletion, e.g., if you need the data to defend a claim.

Right to object: If processing is based on legitimate interests, you may object.

6. How to submit a request?

To exercise your rights, you may contact the Company at: personuvernd@corus.is.

The Company may only process requests where it acts as a data controller. Requests regarding data processed on behalf of customers should be directed to the relevant customer (data controller).

The Company generally does not charge for handling requests but may charge for clearly unfounded, repetitive, or excessive requests. The Company may deny such requests.

Identity verification is required (using electronic ID) to ensure data is not disclosed to unauthorized parties.

Requests and related correspondence are retained for 4 years from completion.

7. Data Protection Officer

 The Data Protection Officer handles inquiries and provides advice to the Company.
Contact: personuvernd@corus.is.

8. Right to lodge a complaint

If you are dissatisfied with CORUS’s processing of your personal data, you may lodge a complaint with the Data Protection Authority.

Information: www.personuvernd.is.

9. Changes to this Policy

The Company may amend this Policy from time to time in line with changes to data protection laws or Company practices. Changes take effect once the updated version is published on the Company website.