Service terms for login services and proxy system
General
The Ministry of Finance and Economic Affairs (“the service provider”) is the operator of the Digital Iceland login service and proxy system (“the service”). Government agencies, ministries and other public bodies (“the service recipient”) have access to the Digital Iceland login service and proxy system for the identification of ordinary users in accordance with the terms of the service.
The service provider login service and proxy system is twofold:
On the one hand, a login service that includes a central login interface where electronic IDs can be used on a phone, electronic IDs on a card or Auðkenni ehf.'s authentication app for authentication.
On the other hand, a proxy system that provides service users with information on the user's authorization through the system. This is based, first, on the person's official registration, such as a proxy holder in a particular company that has been notified to the Directorate of Internal Revenue or legal counsel at Registers Iceland, in which case the service provider requests the information from the relevant institutions; and, second, on authorizations that have been granted to users and are kept by the service provider.
On the basis of the above, the service recipient may grant users the right to certain actions in their IT systems. The service recipient is solely responsible for the rights it grants to a registered user based on information retrieved or confirmed through the service, including the powers that the user has based on a mandate. The service provider's authorisation system confirms only the existence of a mandate, but not that such a mandate is correct, adequate or appropriate for carrying out different actions in the service recipient's IT systems.
These terms and, where applicable, agreements and annexes made form an agreement between the service provider and the service recipient on the service. By using the service, the service recipient agrees to these terms.
1. Definitions
In these terms, where the context allows, the following terms are defined as follows:
Auðkenni: Auðkenni ehf., a company specializing in the issuing and development of electronic identification documents. The service provider pays Auðkenni a fee for the processing of electronic identification documents.
The ID app: A way to log in by identifying the person with electronic ID in a smartphone through a smartphone app, published by Auðkenni ehf.
Service provider login service: Central login interface on Ísland.is operated by the Ministry of Finance and Economic Affairs.
User: A natural or legal person using a service website.
Electronic IDs: Electronic IDs in the phone meet the requirements of Act No. 55/2019, on electronic identification and trust services for electronic transactions, see provisions of Regulation (EU) No. 910/2014.
Electronic ID card: Electronic ID cards that are obtained through a smart card.
Special mandates: Mandates created by users independently on my pages on Ísland.is. The mandates are stored by the service provider.
Mandate of a personal spokesperson for a disabled person: The mandate of a personal spokesperson for a disabled person is defined in Chapter IV of Act No. 88/2011 and Regulation No. 972/2012. The rights officer for disabled people establishes an agreement between the disabled person and the spokesperson. Information on personal spokespersons for disabled persons is stored with the service provider.
Service provider authorisation system: A service that disseminates to the service recipients the user authorizations that are registered in a public register such as a company register or a national register, at any given time, as well as authorizations that are centrally stored at the service provider.
The service recipient's supervisor: The service recipient's employee who oversees its use of the service.
Service: Service provider login service and service provider proxy system.
Service recipient: A legal entity that uses the service to identify users and the authorisation of users on its own service website.
Service provider: Digital Iceland under the auspices of the Ministry of Finance and Economic Affairs.
Service website: The website of the recipient of the service that uses the service to identify users.
2. Members' obligations
On the basis of agreement between the parties, the service recipient is granted access to the service. By using the service, the service recipient commits himself to strictly comply with the rules and conditions that apply to the service.
2.1. General
The service user may not store information from the service for future use or for purposes other than those to which the service is tailored. The service user guarantees that all handling and processing in its own web systems, including encrypted storage in incident logs, will take into account the protection of correctness, secrecy and ensure the traceability of the information provided by the service.
The service provider is responsible for ensuring that the information does not reach unauthorized parties and that the service provider's staff who have access to the incident files ensure the security of the information contained in them.
If a service user hands over its systems or their oversight to a third party, such work is always carried out under the responsibility of the service user.
2.2 Use of the service provider login service
The user uses the service provider's login service to authenticate the user to a service website.
User identification shall be made on the service provider's website. The service recipient may not request that information related to the user identification through the service be entered on his website. The service recipient may not encapsulate or disguise the login window of the service in any way. After identification, the user is returned to a URL specified by the service recipient, i.e. a service website.
2.3. Use of the service provider's authorization system
The service recipient uses information from the service provider's authorization system to grant users certain rights within a service website. The service provider disseminates information on the user's authorization to the service recipient at the request of the user.
Identification according to a mandate shall be made on the website of the service provider. The name of the user for whom a mandate is applied for shall be published on the website, as well as the relevant mandates. The service recipient may not encapsulate or disguise the website of the service in any way. After the identification of a mandate, the user is returned to a URL specified by the service recipient, i.e. a service website. The service recipient may not request information on other user mandates for the service than the user's identified mandate. The service recipient may not save information on a user's mandate once he has signed off from a service website, and information on a user's mandate shall be requested through the service provider's authorization system every time a user authenticates himself to a service website on the basis of a mandate.
Special mandates are established and registered with a service provider at the request of a user (then the client) in Ísland.is and at the establishment it is registered, among other things, to which service recipients it is requested that the mandate be taken and how long it lasts. Special mandates are disseminated to service recipients at the request of a user (the client).
The service provider is solely responsible for the rights it grants the user based on the information on authorizations applied for in the service provider's authorisation system, including the powers that the user has based on authorisation.
The service provider is not responsible for the validity of information that it seeks on the basis of official registration to another government authority, such as information that is downloaded to the national register or company register, and is not stored with the service provider. The service provider confirms the registration of mandates stored in the service provider's systems: on the one hand, information on the mandates of personal advocates for disabled persons on the basis of the registration of rights-holders, and on the other hand, special mandates. The service provider only shares valid mandates with the service recipient at any given time.
3. Security
The service provider is responsible for taking appropriate technical and organizational measures to ensure the safety of the service. The security measures shall take into account the latest technology, the cost of implementation, the scope, context, the purpose of the processing and the risk of security breach.
The data transfer is carried out using a public data transfer network. The identification of a user in the service provider's login service requires an electronic ID on the phone, an electronic ID on a card or identification through the identification app by the user in question. User information is transferred via an encrypted channel directly to the service recipient. Security measures are aimed at keeping information unreadable in transfer, even if an unauthorized party accesses the network communication or if equipment malfunctions.
The service recipient's security measures shall take account of the latest technology and satisfy the requirements set out at any given time by the service provider and presented on the website www.island.is. The service provider may request that a third party perform regular automated security audits of the service recipient's installation. If the conclusion of the security audit demonstrates that the service recipient's measures do not meet the service provider's security requirements as they stand at any given time, or reveals other serious weaknesses affecting security, the service recipient shall be informed, in a truthful manner, and a 10-day period shall be granted, starting when the notification is sent, to make adequate improvements. If the conclusion of the security audit is that the aforementioned weakness is minor, the service recipient shall be granted a 30-day period. If the service recipient is notified in writing, the service shall be suspended. If the weaknesses have not been corrected after the period of notice, the service recipient's use of the login service is suspended without further notice.
The recipient of the service and the service provider shall notify the counterparty as soon as possible if there is suspicion of unintentional, unauthorized or illegal processing of information or if there is suspicion of any security breach in the processing of information derived from the service. The notification shall be sent to the general email address of the party concerned (in case of the recipient of the service, island@island.is). In such notification, the party concerned shall describe the nature of the breach, including the estimated number of registered individuals that it concerns and the use of the information. The party concerned shall then describe the likely consequences of the breach and the measures it has taken or intends to take because of the security breach.
4. Functional tests and/or the provision of services
The timing of functional tests and/or the issuance of service in the real-world environment on Ísland.is is organized in cooperation between the service provider and the relevant service recipient, but shall not take place on Fridays, on weekends or on public holidays.
5. Responsibility
The recipient shall keep the service provider free from any damage, claims, actions, guarantees, fines, penalties and costs (including legal costs) that the service provider may suffer as a result of or in connection with the actions or inaction of the recipient, whether it is caused by negligence, intentional or negligent action by the recipient or users in connection with the use of the service provider's login service or resulting from breach of the parties' agreement. This liability shall not in any way limit other contractual or statutory rights that the service provider may enjoy in relation to the recipient, and any compensation or payment for injured parties shall not justify a breach of the obligations of the recipient.
The recipient of a service is responsible for any damage caused by his or its users using the information that is transferred between the service provider and the recipient.
The service provider is not responsible for damages due to the use of the service that result from ignorance, misunderstanding or misuse of the service by the service recipients or users. The service provider is not responsible for damages that result from the failure of the service recipient's equipment to function properly.
The service provider shall not be directly or indirectly liable for damage caused by the unannounced closure of the service, for example, due to faults in the service provider's software or hardware or related software or hardware belonging to a third party or other causes. Should there be any errors, interruptions or delays in the service provided by the service provider, its responsibility shall be limited to correcting such errors, interruptions or delays as soon as possible.
The service provider is solely responsible for the damage to the service recipient if it is due to gross negligence or intent of the service provider's employees. The service provider's liability in such a case only covers direct damage but never any consequential damage that may result from this, such as the cessation of operations, lost transactions or a vote of no confidence.
Damage in violation of Act No. 90/2018 on Data Protection and the Processing of Personal Data is governed by Article 51 of the Act and Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
6. Payments
The service is available to the service recipients free of charge.
In the event of changes in the charge, they will be presented to service users 90 days before they take effect.
7. Operational security
The parties undertake to contribute to the safe operation of the service and work together to repair in the event of operational disruptions.
If the service recipient becomes aware that the service is in some way inadequate, he shall inform the service provider without delay. In such cases, the service recipient is normally not allowed to use the service until the service provider has completed the examination of his service.
If it is necessary to temporarily close the service due to maintenance of systems, updating of records, and/or other technical actions, for the operation of the service, the service provider shall inform the service recipient as soon as possible, but at least 24 hours before the end of the day.
The service provider may interrupt access to the service without warning if this is necessary due to a suspicion of a security breach in the service provider or if the service provider considers it clear that the service provider's equipment does not meet the requirements for the use of the service.
If the service recipient or the service provider is subject to any obstacles to the agreement with the counterparty on grounds of force majeure, then the obligations concerned shall be suspended until such obstacles have been removed and the parties to the agreement are able to fulfil their agreed obligations.
8. Termination
The service provider and the service recipient may terminate the service. The termination shall be in writing and the service shall then cease two (2) months after receiving the notice of termination. All contractual obligations of the parties shall remain in the termination period.
However, the service provider may terminate service to the service recipient without notice if:
The service provider is obliged by law or regulatory orders to cease to trade with the service recipient and/or it would be illegal for the service provider to continue to provide services to the service recipient.
The service provider neglects its obligations to a significant extent against the agreement of the parties, including these terms.
Any information or statements made by the service recipient before or during the period of validity of the agreement are incorrect, misleading or otherwise insufficient in the opinion of the service provider, or the ongoing obligation to disclose has not been fulfilled in accordance with these conditions.
Any occurrence of operations or behavior of the service recipient that, according to the service provider's unilateral assessment, is such that the service provider's business relationship with the service recipient may jeopardize the reputation of Ísland.is or such occurrences lead to the suspicion of fraud or criminal offences in the service recipient's activities.
Access to the service has not been active for 6 months.
The service provider does not have to state the reason for his decision to stop the service and shall not bear any costs for the exercise of such right.
A notice of termination is sent to the service recipient's registered e-mail address at the service provider and is deemed to have been received on the same day.
9. The duty of confidentiality
The service provider shall maintain confidentiality to the recipient of the service on information that is to be kept confidential. The service provider shall ensure that staff and contractors on their own behalf sign confidentiality statements or are bound by law to remain confidential.
The recipient of a service shall strictly observe confidentiality with users. The recipient of a service may not request or use information that he has requested through the service for purposes other than to identify a user on his website, direct identification or under a mandate.
10. Personal Protection
The service provider and the recipient of the service shall treat all processing of personal data in accordance with the fundamental concerns of privacy protection and the processing of personal data. This refers specifically to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals in connection with the processing of personal data and on the free movement of such data, see Act No. 90/2018, on the Protection of Privacy and the Processing of Personal Data.
The purpose of the processing of personal data is the identification of the user through the service and the provision of a mandate. The processing of personal data under these terms includes and is limited to personal data necessary for identification and the provision of a mandate.
The recipient and the provider shall take appropriate technical and organizational safeguards to ensure the security of the personal data they process and shall provide information to users who log in with the service, such as by publishing a privacy policy.
The Data Protection Terms apply to the processing of personal data by the service provider on behalf of the service recipient in connection with the service and are considered equivalent to a processing agreement according to Article 25(3) of Act No. 90/2018 on the Protection of Privacy and the Processing of Personal Data.
11. Transfer of rights and obligations
The service recipient may not transfer, in part or in full, its rights or obligations under these terms, except with the written consent of the service provider.
The service provider may use the services of a proxy or subcontractor to perform the obligations incumbent on it under these terms; however, such work must always be carried out under the service provider's responsibility to the service recipient. The use of subprocessors is subject to the service provider's data protection terms.
12. Changes to the terms
The service provider reserves the right to make changes to these terms and conditions. Changes shall be notified to the service recipient in an electronic notification sent to the service recipient's registered e-mail address or by other verifiable means at least six months before new or amended provisions take effect. On Ísland.is, new and/or updated terms are also notified before they take effect.
The service provider may make changes to the terms with a shorter notice if such changes to the terms are necessary by law. In such cases where the notice may be shorter, the service provider shall endeavor to notify such changes as soon as possible.
These terms were last updated: 30.9.2022
This text was translated from Icelandic using a machine translation. Be advised that content generated by machine translation can be inaccurate or flawed.