Gildi is a pension fund, and the fund’s activities relate to the receipt, preservation and return of premiums as well as the payment of pensions. In order to carry out these tasks, the fund needs to process personal information, i.a. about fund members. The processing of such information is based on the applicable laws and regulations at any given time on the handling and protection of personal information. Gildi is generally considered the responsible party for the data that is processed in the fund’s activities.

The fund’s Privacy Policy prescribes the basis for the processing of personal information by the fund concerning fund members or parties related to them.

General considerations regarding the processing of personal information in the fund’s activities
In the day-to-day operations of the fund, the processing of personal information may be needed. Such processes can, among other things, relate to accounting entries and reconciliations, risk analyses of the fund’s assets and liabilities, auditing and actuarial evaluation. Processing may also take place in order to fulfil statutory requirements or statutory requests from supervisory bodies.

The fund’s computer systems are partly operated on the basis of outsourcing agreements with service providers. In such cases, privacy considerations are taken into account in accordance with what is detailed later. A written agreement must be made with the processor stating that it is only permitted to work with personal information in accordance with the instructions of Gildi Pension Fund and that extensive obligations rest on the processor based on the law on the handling of personal data.

The secure storage and handling of information about fund members and others is very important in terms of trust, confidentiality and the image of Gildi. Appropriate measures are taken to protect personal data against unlawful destruction, accidental loss or alteration and unauthorised access. The fund emphasises proportionality when processing personal information. In the fund’s activities, various technical and organisational measures are taken in order to achieve those goals.

• The fund strives not to save personally identifiable data unless it is needed in the fund’s operations.
• It is emphasised that information is only accessible to those who need it, i.a. with access controls.
• It is emphasised that personally identifiable information on paper is stored in closable and, as the case may be, locked storage if they are not in use.
• If there is a suspicion that processing entails a high risk for an individual in the sense of the law, an analysis of the effects of the processing is carried out in advance.
• If it is practical and technically possible, efforts should be made to make information non-personally identifiable, e.g. in connection with analyses and assessment of risk.
• The fund considers it an advantage that outsourcers who work with and service the fund’s data are certified and demands that they adequately ensure that the security of the data is a priority for them.
  

Personal information obtained and its use
Information that Gildi’s fund members provide to the fund or that Gildi obtains with their permission from third parties is only collected for the purpose of being able to provide them with the services provided by the fund, and it is ensured that the fund has consent from a fund member or is authorised by law to process the information.

Information obtained by the fund will only be used in accordance with the purpose for which it was intended. In addition to the following information, the fund may also collect and process other information that fund members provide to the fund, as well as information that is necessary for the fund for its activities.

Information about premiums in mutual insurance and/or private pension:
Employers of fund members send the fund declaration reports that provide information about premiums paid to the fund for mutual insurance and/or private pension and from which individuals they originate, along with information about trade union membership in those cases where the fund handles the collection of trade union fees according to contracts (Efling – trade union, Hlíf trade union and the Hairdressers’ Association). This information is used i.a. in order to grant fund members rights in accordance with the fund’s Articles of Association and to collect contributions from employers.

Personal information related to pension rights in mutual insurance and/or private pension:
Gildi stores, i.a. the following personal information in connection with the administration of pension rights:

• Information about gender, name, age, nationality, union, date of birth, ID number, e-mail address, address and telephone number.
• Information about the fund member’s family and themselves when applicable to confirm the right to a spouse’s or child’s pension or due to the division of pension rights based on information provided to the fund or obtained from public records, incl. birth certificate, death certificate, marriage certificate or summary of the progress of the allocation.
• Information on fund member’s employer.
• Information on pension rights and payment history.
• Information on tax bracket and using personal tax allowance.
• Information on paid premiums and payment history.
• Information on bank accounts.

Personal information related to disability pension rights:
In addition to the above, Gildi stores the following personal information in connection with the administration of disability pension rights as applicable at each time:

• Information about a person’s health, working conditions, career and income to confirm their right to disability pension rights. This information is obtained from the relevant person or relevant experts based on the approval of the fund members.

Personal information related to fund member loans:
Gildi provides loans to fund members on the basis of the fund’s credit rules at any given time. In connection with the granting of such loans, the fund obtains relevant information about the borrower’s finances in order to assess their ability to pay, as required by Act, no. 118/2016 on Property Loans to Consumers. These are i.a. information about family circumstances, income, assets and obligations. Information is also gathered about the property in which it is planned to grant a mortgage along with the necessary information for loan disbursement, e.g. about bank accounts. Such information is obtained on the basis of the borrower’s consent in each case. Gildi also preserves communication information, i.e. information about name, ID number, e-mail address, address and phone number. When collecting fund members’ loans, data is stored, e.g. about payment history and arrears.

Dissemination of personal information:
Gildi does not sell or give third parties access to personal information for a fee.

Personal information may be shared with other pension funds when it is applicable on the basis of the fund member’s consent in order to streamline procedure for the fund member, e.g. when a fund member has pension rights in more than one pension fund and applies for payment or division of rights.

External parties involved in the operation of the fund, e.g. actuaries, IT companies, accountants, specialist consultants, contractors or companies that carry out service projects for the fund, may have access to personal information as appropriate for their work at any given time.

Location of data:
Electronic information collected is processed and stored within the European Economic Area. Information in paper format is stored in Iceland. Care is taken to ensure that the handling and storage of information is secure and in accordance with the fund’s Privacy Policy.

E-mail handling:
Please note that sending personally identifiable information to the fund via e-mail is not considered a secure method of transmission, and fund members do so at their own risk. You can send data to the fund securely by contacting the fund’s staff.

Retention period of data:
On the basis of the fund’s Articles of Association, lifetime pension rights are granted and fund member loans can be granted for up to 40 years. The fund stores personal information for as long as is needed to process pension rights or loans and for as long after the payment of pension rights ends or loans are paid off and is needed in the fund’s opinion to be able to answer questions, complaints or legal claims regarding the fund’s activities. Furthermore, data is stored if this is required based on the laws or rules of the government according to which the fund operates. Information is not deleted if this is technically impossible, if this is permitted by law. Information may be deleted earlier based on an objective assessment that there is no longer a need to preserve the relevant data.

Rights of fund members regarding personal data
Rights to information, access and transfer:
Fund members have the right to know whether their personal information is being processed and, if so, receive information about which information and how it is used. Furthermore, under certain circumstances, fund members have the right to request that the information be sent to other service providers.

Gildi grants fund members access to information regarding themselves upon request. The right to restrict access is reserved if such disclosure violates another person’s rights or when other exceptions apply, e.g. on the basis of law. If access is restricted, an effort will be made to explain why.

Rights to correction:
It is important that the fund’s information regarding fund members is correct at all times. A fund member has the right to request that if the fund has incorrect information regarding them, it be corrected. If a correction is requested, the fund should be contacted with further information and justification so that an assessment can be made as to how the information should be corrected.

Rights to deletion:
In certain cases, a fund member may request that data be deleted, e.g. when (i) it is no longer necessary for the fund to store the relevant data, (ii) information is processed on the basis of informed consent and withdrawal is requested, and (iii) information is processed on a legitimate basis and the fund member believes it is not present. If data deletion is requested, a request must be sent to the fund along with justification so that a position can be taken on the request. However, the right of fund members to delete personal information is not without precedence. Thus, the fund may be authorised or obliged to reject a request for deletion, e.g. on the basis of applicable laws or government orders.

Rights to prohibit processing:
In certain cases, fund members are authorised to prohibit processing if this is permitted on the basis of current law.

Communications and complaints:
Requests for the right to access, transfer, correction, deletion, prohibition of processing, information or complaints can be communicated to the fund in the following ways:

By mail: Gildi Pension Fund, Guðrúnartún 1, 105 Reykjavík
By e-mail: personuvernd@gildi.is
Tel: 515 4700

Inquiries and complaints can also be submitted to Persónuvernd, Rauðarárstígur 10, 105 Reykjavík, www.personuvernd.is.

Amendments to the Privacy Policy
Amendments to the Privacy Policy take effect upon their approval by the fund’s Board of Directors, and the current policy is published on the fund’s website.


Approved at the Board meeting on 25 June 2018.