Bálkar Miðlun ehf, here after ISX, places strong emphasis on protecting the privacy of its customers and parties who communicate with ISX to safeguard their rights. This Policy contains information on the data ISX gathers about you, how it is used, how its security is ensured and your rights according to data protection legislation.

The collection and processing of personal data allows ISX to provide you, or companies which you work for or are connected with, with requested financial services. The personal data you submit includes:

• Basic information: Name, Icelandic Id. No., address, telephone number, email, name of employer and other basic information, as the case may be on nationality, marital status, spouse, children and connected parties such as legal guardians, holders of power of attorney or guarantors.
• Communication and contract information: All your interaction with ISX that takes place via email, online chat, in writing, in conversation and on social media. ISX also processes all information derived from or submitted in relation to any contracts you enter into with the ISX, e.g. for individual products or services.
• Information about identification: Any copies of legally required or electronic identification, including copies of your passport or driver's licence, your preferred means of identification and communication channels. This also includes the time and date of your visits to the ISX’s branches if you chose to register your Id. No. when you visit.
• Financial information: All information about your current and previous business and transaction history, including account balance and type, turnover, origin of funds, transaction statement and information about payment cards, payment history and orders along with information about income, expenses, financial commitments, and assets and liabilities.
• Information gathered through electronic monitoring: Audio and video recordings from surveillance cameras in the ISX’s facilities.
• Technical information and inferred data about behaviour and use: About the equipment and devices you use to connect to the ISX’s website and app such as user name, settings, IP number, type, number and settings of smart devices, operating system and browser type, language settings, how you connect to us, the origin and type of actions undertaken.
• Public information: From public registries such as Registers Iceland, the Icelandic Property Registry, the vehicle registry, the Registrar of Enterprises, the Legal Gazette and other public registries.
• Sensitive personal data: on racial or ethnic origin, political affiliation, trade union membership, health information, biometric data. Note that when using biometric data such as your fingerprint or face to log in to Bálkar Miðlun ’s app, identification takes place through your phone only and ISX does not receive copies of your biometric data.
• Other information: The list above is not exhaustive and ISX may process other personal data depending on the nature of the business relationship or your transactions with the ISX.

In exceptional cases, ISX may need to gather information classified as special categories of data. In other instances, financial information, e.g. transaction statements for payment cards or use of current accounts, may include sensitive personal data that may indicate certain behaviour. We do not gather sensitive data about you nor do we process such data without clear authorisation and unless absolutely necessary. Should you choose not to supply necessary information it may prevent ISX from providing the requested service. The personal data of children may be processed if it is necessary to carry out requested transactions or provide a service, e.g. create an account. The Data Protection Act states that the consent of a guardian is required for children under 13 years of age in relation to the offer of information society services directly to a child.

ISX processes personal data for clear and stated purposes in accordance with the Data Protection Act, the ISX's rules and this Policy. Processing of personal data may have various purposes, such as:

• To contact you, identify you and ensure the security and reliability of business transactions, through such means as due diligence on customers. ISX contacts customers through various channels, such as email, notifications on ISX website, ISX’s app and social media.
• Carry out requested transactions, provide services and advice and respond to enquiries, such as establish and maintain a business relationship, perform payments Analyse financial standing with regard for the ISX’s product and service offering in order to provide advisory service, including on asset management.
• For security and archiving purposes to safeguard the interests of customers, employees and others who have dealings with the ISX, ensure the traceability of transactions through such means as electronic monitoring and investigate issues or prevent money laundering, terrorist financing, fraud and other criminal conduct.
• Develop the ISX’s product and service offering, promote innovation and boost service levels, offer personalised and tailored services, respond to suggestions and complaints and process answers to marketing and/or service questionnaires.
• Develop solutions and reports for internal treasury purposes.
• Operate and maintain the ISX's websites and online services and improve user experience online, on apps and/or web-based solutions.
• Respond to legal requests and ensure cyber and data security by, among other things, analysing, investigating and preventing fraud and other misconduct.
• For marketing and promotional purposes and to provide personalised and tailored services, send messages about benefits and material that may interest you or you have requested. Note that photographs and video recordings are made at conferences, promotions and other events hosted by ISX and that these may appear publicly on the ISX’s websites, including social media.
• Perform statistical analysis on certain products, services or communication channels, front office or other individual functions in the ISX’s operation. Such analysis is based on non- personally identifiable data, if possible.

For the most part, the gathering and other processing of your personal data by ISX is based on a contract between you and ISX for specific services and to provide the requested financial service or to satisfy legal obligations ISX is subject to as a regulated entity on the financial market. In certain cases, ISX will request your informed consent to process personal data. In such cases, you can withdraw your consent at any time, and then the processing covered by the consent is terminated. In certain instances, ISX creates a personal profile using automated processing of your personal data to assess or anticipate aspects of your finances, such as development of financial standing or probability of default. Calculation of a credit score is an example of profiling. Profiles may also be prepared for marketing and cyber and information security purposes, e.g. to determine which benefit programme suits you best, and by employing pattern analysis on ISX website to maximise the safety of your financial information. Automated decision-making only takes place with your consent, if it is a prerequisite for the conclusion or execution of an agreement between you and the ISX, or if authorised by law. You can submit objections or contest automated decisions by email to [email protected].

The aforementioned personal data in the ISX’s possession is usually gathered directly from you when you enter into a business relationship with the ISX, apply for a certain product or service, or contact ISX through such channels as email, online chat or by other means. ISX may also need to disclose your personal data to domestic or foreign partners and/or service providers to provide you with certain services. ISX selects its partners and service providers with care and does not disclose personal data unless they comply with the ISX’s security demands. Foreign commercial ISXs receive information to process and settle international payments. Partners for payment transfers and card issuance, claim collection, operation and hosting providers, IT system providers and credit bureaus such as Creditinfo and custodians of financial instruments are also entities who it may be necessary to divulge personal information to in order for ISX to provide its services. In certain cases, ISX is obligate to divulge personal data to law enforcement authorities, other authorities or regulators both domestic and abroad, based on legal obligation or international contracts. ISX is focused on safeguarding the human rights of its customers, including their privacy, and processes such requests in accordance with documented procedures so that no more extensive information is provided beyond what is necessary at each time and only based on clear legal authorisation.

The Data Protection Act affords you certain rights, including to information about whether ISX processes your personal data and how such processing takes place in the ISX’s operation.

No service or software is completely secure. Contact ISX at the earliest opportunity if you are concerned that your personal data may be in danger or if you think that someone may have acquired your password or other information by emailing [email protected]. You will be notified of any data breaches with ISX or its processors that affect you, in accordance with law.

The ISX’s websites store cookies on your computer or smart device. Cookies are small text files that store information to analyse use of the ISX’s websites and improve user experience. Cookies are also used to tailor websites to your needs, e.g. by boosting the function of a website, saving your settings, processing statistical information, analysing traffic through websites and for marketing purposes. First party cookies are not a requirement for use of the ISX’s websites. They nevertheless play an important role in the use and functionality of websites as they facilitate use by, for example, auto- completing forms and saving settings. First party cookies only send information about you to ISX.

• Number of visitors, number of visits per visitor, date and time of visit.
• Which pages on the websites are viewed and how frequently.
• Type of files downloaded from the websites.
• Which devices, operating systems and browsers are used during visits.
• Which search words from search engines lead to the websites.

Third party cookies send information about you to another website owned by a third party, such as Google or Facebook. These third parties may also save cookies to your browser and through them gather information about your visits to the ISX’s website and the content you are interested in.

Generally, ISX retains your personal data for the duration of the business relationship, as long as required by law or to satisfy the ISX’s legitimate interests. The strict rules and regulations that apply to the ISX’s operation may require different retention times depending on the type or nature of your data. ISX strives not to retain information in personally identifiable form for longer than is necessary and safeguards such information in every respect.

Bálkar Miðlun ehf., Dalsbyggð 23, 210 Garðabær, is responsible for ensuring that all processing of your personal data complies with the Data Protection Act and rules and is the controller determining the processing of your personal data. ISX reserves the right to update this Policy on a regular basis. ISX will inform you about major changes to the Policy before they become effective upon publication to the ISX’s website, www.ISX.is.