The processing of personal data is governed by legislation on personal privacy and on personal data processing, as they are at any given time, as well as the relevant legislation of the European Economic Area. The legislation covers, amongst other things, the processing, storing and transfer of personal data.

Orkan is responsible for the registration of personal data and the processing of that data in its operations.

We collect and retain personal data on our customers for purposes including the following:

• To be able to provide our customers with the services they require, whether it's home delivery of a key or card or receiving payments so that customers can purchase fuel at Orkan stations or make purchases in partner stores and/or in connection with other products and services that we sell or provide. To otherwise enforce our terms and conditions
• To allow us to comply with our obligations under the Accounting Act, requests from public authorities and agencies, and other provisions of law.
• To allow us, as necessary, to give customers a quote for credit transactions (business card), in which case we request information about the business category and turnover of the customer.
• To decide on the business terms and whether to initiate credit transactions, we will request information from the default register about the individuals in question.
• CCTV footage is collected and stored for security and asset protection purposes.
• To allow us to send customers information about discounts, special offer days and offers from partners, provided customers have agreed to such communications.
• To allow us to send customers information tailored to them, i.e. on their birthday or about incremental discounts, provided customers have agreed to such communications.
• To respond to our customers' queries and requests.
• To send customers important information related to our services to them, such as information about changes to our terms and conditions and other information related to our services to them.
• To contact customers to provide them with information or to assist them in relation to the services they have requested.
• For in-house analyses and planning, for market research, to improve our services and to compile statistics for quality control and marketing activities, such as customer behaviour in loyalty programmes.

If customers agree, we may use their personal data to inform them of general discounts on products and/or services from us, our affiliates or partners and send them other marketing materials that we think may be of interest to them. In addition, we can send customers information tailored to them, i.e. an offer on their birthday or marketing material based on the location of their residence. We may also use information to process statistics for quality control and marketing activities. These communications may take place via e-mail, phone, letters or text messages. However, we will endeavour to keep such communications to a minimum.

Customers' consent is requested when they apply for a key or a card on Orkan’s website. Customers will also be able to provide their consent by e-mailing us at personuvernd@orkan.is or calling us at 464 6000.

Customers can withdraw their consent at any time to prevent receiving further information for marketing purposes. Customers can opt out by visiting our website and unsubscribing, clicking on a link in an e-mail they have received from us, sending an e-mail to personuvernd@orkan.is or by calling 464 6000.

The withdrawal of consent may not take effect immediately, but we will endeavour to comply with such requests as soon as possible. If customers do not wish to receive marketing content from us, we may still continue to contact them and send them necessary information in relation to our services and/or as required by law.

We will never share personal data with third parties without having obtained customers’ consent for such disclosure, except as required by law or in the instances listed in this Privacy Policy.

Orkan may share personal data with third parties (processors) that are service providers, agents or developers, in order to complete a task for a customer or provide customers with a service or product that they have requested or approved. We may also share data with processors when necessary to protect critical interests, for example when collecting an unpaid claim. Orkan also shares data, for statistical purposes, with processors who work with us in quality control and marketing. Orkan provides the processors with only the personal data necessary for them for the above purposes, and we make an agreement with them so they are under an obligation to keep the data of our customers safe and use it for the above purposes only.

We are committed to ensuring the security and privacy of our customers. Orkan has an internal control system to ensure that appropriate technical and organisational safety measures are always taken.

We will notify customers without undue delay in the event of a breach of security regarding their personal data that poses a high risk to them. Security violations in the above sense means security breaches that result in unintentional or unlawful destruction of personal data or with the consequence that it is lost, altered, displayed, or accessed without permission.

However, customers are reminded that they are responsible for the personal data, e.g. name, personal identity number and photograph, that they elect to share publicly, including via Orkan’s chat or Facebook page.

We strive to keep personal data about our customers accurate and reliable and update this data as necessary. We retain personal data from customers for the period deemed necessary unless a longer retention period is required or permitted by law. We will review and revise our retention procedures for customers’ personal data once a year, on average, including with reference to their retention period. If we determine that further processing is not authorised, we will discontinue all processing of personal data from that time onwards. If there is a possibility that personal data might be needed later to comply with legal requirements, e.g. to the tax authorities, or to appeal or defend against a legal claim, we will copy the relevant personal data and retain them securely for as long as necessary.

Customers are entitled to and may request the following information and actions by sending a written inquiry to personuvernd@orkan.is:

• to know what personal data are stored about them, how they were generated and processed, and to access such data.
• that their personal data are updated and corrected.
• to request that their personal data be deleted, if there are no longer any material grounds to retain such data.
• to object to and/or restrict the processing of personal data.
• to withdraw their consent for processing when processing is based on their consent, by the same means as the customer provided the consent and/or by sending us a written request to personuvernd@orkan.is.

Customer's requests will be considered and we will supply the information (as applicable) within a reasonable period of time, subject to the restrictions imposed by the rights and freedoms of others, including business secrets and intellectual property rights. We draw your attention to the collection of a special photocopy fee if more than one copy is requested. Customers will be notified and given a statement in case of delay or if the request cannot be completed in full, no later than one month after receipt of it.

If customers object to with the Company's processing of personal data, they can send a complaint to the Data Protection Authority (www.personuvernd.is).

The Orkan website is intended for persons who are at least 17 years old. We require that persons under 17 years of age do not provide personal data via the website. It is our policy not to collect or retain personal data about any person under 17 years of age.

The Privacy Policy is reviewed regularly and may be amended accordingly. Customes are therefore advised to familiarise themselves with the Privacy Policy on a regular basis. Any amendments to the policy will take effect on publication of the company's website: http://www.orkan.is. We welcome all feedback on the Privacy Policy and encourage customers to send us inquiries.

Orkan has appointed the lawyer Peter Dalmay as Data Protection Officer. The Data Protection Officer’s e-mail address is peter@law.is. For any issues relating to the handling of personal data, please contact us by writing to personuvernd@orkan.is and/or by calling 464-6000.

Approved on 26 February 2019