General

The Ministry of Finance and Economic Affairs is the operator of a digital mailbox. By connecting to a digital mailbox, public entities and other entities authorized to do so, according to the regulation on a digital mailbox, become so-called publishers in it. The service of a digital mailbox enables publishers to publish and share data with the recipient. This is done by the digital mailbox by receiving so-called document notifications from the publisher and publishing them in the recipient's digital mailboxes. The recipients can then request through their digital mailbox to view the content of data that they have been published there. The digital mailbox then sends a request to the appropriate publisher to send the content of the data that the recipient wishes to view in the recipient's viewing interface in the digital mailbox. The operator of a digital mailbox stores document notifications in its systems but does not have access to the content of the information referred to in the notification. The publisher is responsible for the notifications sent to the digital mailbox and the information that is shared with the recipient during an inspection. The operator does not take any position on the data sent by the publisher and is not responsible for its content. These terms and, where applicable, agreements and annexes made form an agreement between the operator and the publisher on the use of the digital mailbox by the publisher. By using the service, the publisher agrees to these terms.

1. Definitions

In this context, the following terms shall be defined as follows: Data record: List of data and references to find data in the publisher's data system. Publication: The publication of the publication of the publication of the existence of data in a digital mailbox. Publication: Public entities, i.e. the state, local authorities, their institutions and other public bodies, which are obliged to publish data in a digital mailbox, or other entities which are permitted to publish data in a digital mailbox on the basis of regulations. Operator: Digital Iceland under the authority of the Ministry of Finance and Economic Affairs. Digital mailbox: Central web service of an operator where individuals, legal entities and public institutions have a digital mailbox where they can view data from the publishers. Inspection: The transfer of data from the publisher to the recipient. Recipient: Individuals, legal entities and institutions who have access to a digital mailbox. Web service: The service of a publisher that sends document notifications to a digital mailbox and requested data for inspection at the request of the recipient. Technical description of web services: The technical requirements that, at any given time, are made for web services. Security requirements for web services: The security requirements that, at any given time, are made for web services.

2. Members' obligations

The operator may not store data that the document notification refers to and the recipient requests for inspection. The publisher guarantees that all treatment and processing in its own web services and related systems, including encrypted storage in incident files, takes into account the protection of accuracy, secrecy and ensures traceability of the information provided by the web services. The publisher is responsible for the information not to reach the hands of unauthorised parties and for the publisher's staff, who have access to incident files, to ensure the security of the information contained in them.

2.1. General

The publisher may connect a web service to the operator's digital mailbox once the security requirements of the web service have been met as specified at each time. If the publisher shed its systems or oversees them to a third party, such work is always carried out under the responsibility of the publisher, but the publisher shall inform the operator of any changes that may affect the connection of a web service to a digital mailbox. The operator and the publisher shall each maintain a record of events concerning the communication between the digital mailbox and the publisher's web service. The records shall give a clear picture of the communication between the systems, the timing of the publication of notifications and the viewing of the recipient.

2.2. Using the Digital Mailbox

The publisher maintains a list of items and records the necessary references to the data so that the data is properly published in a digital mailbox and meets the requirements of the web service technical description. The publisher records the information it considers necessary for the recipient to understand the subject of the data. All inclusion in a list of items is the responsibility of the publisher. Document notices sent to a digital mailbox shall be recorded in the publisher's list of items. The publisher may not remove data from the mailbox, as data is considered to have been published by the recipient as soon as it reaches the mailbox, regardless of whether it has been viewed. However, if data has been published in the mailbox intended for other people, as per Article 88(4) of the Electronic Communications Act no. 70/2022, the data can be revoked and the publisher must inform the right recipient of that measure.

3. Security

The operator is responsible for taking appropriate technical and organisational measures to ensure the security of the digital mailbox. Security measures shall take into account the latest technology, the cost of implementation, the extent, context, the purpose of the processing and the risk of security breach. The transmission of data is carried out using a public data transmission network. The identification of a user in a digital mailbox is carried out using the operator's login and proxy services. All data communication between the publisher's web service and the operator of a digital mailbox is carried out via a encrypted channel. Security measures shall be aimed at the non-lockability of information in the transmission, even if an unauthorised party accesses the network communications or if a malfunction occurs in the equipment. The security measures of the publisher shall take into account the latest technology and satisfy the requirements set out at any given time by the operator. The operator may request that a third party perform regular automated security audits of the installation of the publisher. If the conclusion of the security audit shows that the measures taken by the operator do not meet the security requirements of the operator at any given time, or other serious vulnerabilities affecting security, the publisher shall be notified, in a verifiable manner, and shall be granted a period of 10 days beginning with the date of the notification, to make adequate corrective action. If the conclusion of the security audit is that the said vulnerability is minimal, the publisher shall be granted a period of 30 days. If the publisher is notified in writing, the operator may terminate the access to the service of the publisher, until the relevant vulnerability has been corrected. If the publisher is found to be in breach of these conditions or otherwise misusing the publication in a digital mailbox, or it is clear that it is not able to or intends to comply with these conditions, the operator may, at any time, and without notice, block the access of the relevant publisher until the publisher has made a demonstrable corrective action. In such a case, the operator shall send the relevant publisher a demonstrable notification.

4. Functional tests and/or the provision of services

The timing of functional tests and/or the issuance of service in the real-world environment on Ísland.is is organized in cooperation between the service provider and the relevant service recipient, but shall not take place on Fridays, on weekends or on public holidays.

5. Responsibility

The operator is not responsible for damages arising from the use of a web service caused by the unawareness, misunderstanding or misuse of the publisher or the recipient. Furthermore, the operator of the web service is not responsible for damages arising from the failure of the publisher or the recipient's equipment to function properly. The operator is not responsible for damages arising from unauthorized use, e.g. if the unauthorized party has obtained access to the web service from the publisher, or if the publisher has failed to notify the operator of the misuse of the web service, or is suspected of doing so. The operator is not directly or indirectly responsible for damages arising from the unannounced closure of a digital mailbox, e.g. due to faults arising from the loss of communication, communication interruption or other interruptions that may occur in the operation of the web service and are unforeseen or unavoidable due to force majeure. In the event of any error, interruption or delay in the digital mailbox, arising from the abovementioned circumstances, the operator's responsibility shall be limited to correcting such errors, interruptions or delays as soon as possible. The operator is solely responsible for the loss of the publisher if it is due to gross negligence or intentional failure of the operator's employees. The operator's responsibility in such a case shall only cover direct damage, but never any consequential damage that may result from this, such as the cessation of operation, lost transactions or the dissemination of opinions. The publisher shall keep the operator safe from any damage, claims, actions, damage, guarantees, fines, penalties and costs (including legal costs) that the operator may suffer as a result of or in connection with the actions or inaction of the publisher, whether it is due to the publisher's negligence, intentional or negligent use of the digital mailbox or resulting from breach of the agreement between the parties. This non-harm liability does not in any way limit other contractual or statutory rights that the operator may enjoy against the publisher and any compensation or non-harm payments do not justify a breach of the obligations and obligations of the publisher. Damage arising from breach of Act No. 90/2018 on the Protection of Privacy and the Processing of Personal Data is governed by Article 51 of the Act and Article 82 of Regulation (EU) 2016/679 of the European Parliament and of the Council.

6. Payments

The service is available to publishers free of charge.

7. Operational security

The parties undertake to promote the safe operation of the digital mailbox and work together to repair any operational disruptions. The publisher and the operator shall notify the counterparty without delay if there is suspicion of unintentional, unauthorised or illegal processing of information or if any security breach is suspected in the handling of information derived from the service. The notification shall be sent to the address island@island.is, in the case of the publisher. In such notification, the party concerned shall describe the nature of the breach, including the estimated number of registered individuals concerned and the use of the information. The party concerned shall then describe the likely consequences of the breach and the measures it has taken or planned to take in response to the security breach. The operator will notify the publisher if any failures or necessary updates relating to the digital mailbox occur. In the event that the digital mailbox is down for force majeure, the operator shall also notify the publisher of such a failure. The service of the operator generally takes place during office hours, but if connection to the digital mailbox is interrupted, the operator shall respond to the notification as soon as possible. The operator may temporarily interrupt the access of the publisher to the service without warning if there is a reasonable suspicion of unauthorized processing of information, a security breach or if the operator finds it clear that the equipment of the publisher does not meet the requirements of the operator for the use of the digital mailbox. If the interruption of operations causes documents to be published for inspection, the operator shall advise the recipient to consult the publisher about the content of the document notification. If the operator or the publisher encounters any obstacles in fulfilling the agreement with the counterparty for reasons that are beyond its control, the relevant obligations shall be suspended until such obstacles are removed and the parties to the agreement are able to fulfil their agreed obligations.

8. Termination

Neither an operator nor publishers who are legally obliged to publish data in a digital mailbox may terminate this service. Operators and publishers who are authorized to use a digital mailbox on the basis of a regulation may terminate the service. The termination shall be in writing and the service shall then cease two (2) months after receiving the notice of termination. All contractual obligations remain in the termination period. The operator does not need to state the reason for the decision to terminate and shall not bear any costs for the application of termination.

9. The duty of confidentiality

The operator shall maintain confidentiality to the publisher of information to be disclosed. The operator shall ensure that staff and contractors on their own behalf sign confidentiality statements or are bound by law to remain confidential.

10. Personal Protection

The publisher has familiarised himself with the relevant rules on the use of information, including the provisions of Act No. 90/2018, on the protection of personal data and the processing of personal data, including the handling, processing and sharing of information and data. The publisher is responsible for the processing of personal data in relation to its use of the digital mailbox, including the transmission, storage and publication of personal data in the mailbox. The operator is responsible for the processing of personal data for the operation of the mailbox itself, such as information on users of the mailbox and events records. The processing of personal data for the digital mailbox is further specified in the Act, which is available on the website of the institution. The processing of personal data shall be in accordance with the Act on the Protection of Privacy and the Processing of Personal Data. The controller is responsible for the processing of personal data being lawful and based on Article 9 and, as applicable, Article 11 of the Act and for the processing of personal data being in accordance with the principles of the Act, see Article 8 of the Act. The parties shall jointly ensure that the principle of inherent and default personal protection is maintained, if necessary, they shall jointly evaluate the impact on the protection of personal data for the processing and consult with the Data Protection Authority in advance in accordance with Article 30 of Act No. 90/2018. The parties shall conduct risk assessments of the processing, as necessary, and take appropriate measures to reduce the risks identified. The parties are each responsible for their ability to demonstrate compliance with Act No. 90/2018. The parties shall assist each other in demonstrating compliance with the law, such as by providing all necessary documents to enable them to demonstrate compliance and for the controller or auditing body to carry out audits, including inspections, and provide assistance in such audits. The parties are jointly responsible for providing individuals with information on the processing of their personal data for the use of the parties on the digital mailbox in accordance with Article 17 of Act No. 90/2018, see Articles 12 to 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council (EU) 2016/679. The information shall be published in the Icelandic Data Protection Policy and made available to recipients. Otherwise, the processing of personal data, such as notification of security breaches and the rights of individuals, is carried out according to the processing terms of Digital Iceland. The provisions of this service terms override the provisions of other terms or agreements. The provisions of this terms relating to the processing of personal data and the division of responsibility between the parties shall be made available to individuals affected by the processing on request.

11. Transfer of rights and obligations

The publisher may delegate the operation of web services and communication with a digital mailbox to a third party under its authority, according to a legal obligation or agreement thereto. The publisher shall inform the operator of changes in the structure of web services at least 30 days in advance. The responsibility of the publisher under these terms remains unchanged even if changes occur in the structure of web services. The operator may use the services of a representative or subcontractors to perform the obligations that are on him under these terms, however such work shall always be carried out under the responsibility of the operator to the publisher. The use of subprocessors is subject to the data protection conditions of the operator.

12. Changes to the terms

The operator reserves the right to make changes to these terms and conditions unilaterally and shall notify the publisher electronically with at least 30 days notice, which shall be sent to the publisher in a verifiable manner before new or amended provisions take effect. In addition, new or updated terms are published on the website of the operator. However, the operator of a web service may make changes to terms with shorter notice if such changes to terms are necessary by law or due to the risk of security breach. In such cases where the notice may be shorter, the operator of a web service shall endeavour to notify such changes as soon as possible.

Terms and conditions last updated: 01.11.2022

This text was translated from Icelandic using a machine translation. Be advised that content generated by machine translation can be inaccurate or flawed.