Privacy Policy

ESJA Legal ehf., reg. no. 470909-2180, operator of the website esl.is (hereafter the “Company,” “we,” or “our”), places strong emphasis on the security and lawful processing of personal data handled in its operations.

​

This Privacy Policy is based on the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018 and the EU General Data Protection Regulation (GDPR) (EU) 2016/679. For definitions of individual terms, reference is made to Article 3 of the Act.

​

Personal data refers to any information relating to an identified or identifiable individual, i.e. information that can be directly or indirectly traced to a person. All processing of personal data by the Company is carried out in accordance with the law and applicable regulations.

 

Processing of personal data classified as health data differs in many respects from other processing, particularly regarding the interests of the data subjects. Special provisions apply to such processing under the Data Protection Act. This Privacy Policy reflects that particularity and describes what personal data the Company collects, the purpose of processing, retention periods, and the security measures in place.

​

Core Principles

1. Personal data processed by the Company is used only on the basis of authorization granted to us by law, contract, or mandate.

2. Personal data is stored securely, with strict care to prevent unauthorized access, disclosure, or misuse.

3. Information entrusted to us is not disclosed to third parties unless required by law, explicit authorization, or a final court ruling.

4. Personal data is permanently deleted as soon as legally permitted or required.

 

Detailed Provisions

Purpose and Legal Basis

The purpose and legal basis for processing personal data derive from Articles 5 and 6 of the GDPR. If data is obtained from sources other than the data subject, it is done lawfully. Personal data is used only for the purposes notified to clients at the time of collection. If the Company needs to use the data for another purpose, clients will be informed and the legal basis explained.

​

Data Collected

The Company collects and stores personal data as necessary to provide quality legal services. This includes both general personal data and sensitive data such as health information. Data may include:

​

• Financial information relating to individuals or entities

• Entity type, name, gender (for individuals), phone number, and main contacts

• Business activities, occupation, and education

• Health and family information

 

Data may be collected directly from the client, from a connected third party (e.g. employer), or from judicial or administrative authorities.

 

Disclosure to Third Parties

Personal data is shared only on the basis of consent, mandate, contract, or legal obligation.

 

Security Measures

The Company applies appropriate technical and organizational measures to protect personal data. Examples include encrypted and access-controlled data storage, and audit logging.

 

Data Retention

• General client data: retained for one year after the end of the client relationship, unless otherwise required by law.

• Accounting records: retained for seven years after the end of the relevant fiscal year.

 

Rights of Individuals

Clients have the right to request access to their personal data, subject to the limitations of the Data Protection Act. Clients may also withdraw consent at any time, in which case data will be deleted unless retention is required by law.

Individuals may file a complaint with the Icelandic Data Protection Authority (Persónuvernd): www.personuvernd.is.

 

Requests must be submitted in person at the Company’s office, Hlíðarfót 15, ground floor, 102 Reykjavík, using the Company’s forms. Valid photo ID must be presented. Requests cannot be submitted by phone or email. Clients are advised never to send sensitive personal data by email.

​

Amendments

The Company may amend this Privacy Policy at any time without notice, for example to reflect changes in applicable laws and regulations.

 

Data Protection Officer:
Ómar R. Valdimarsson, Supreme Court Attorney
Email: omar@esl.is | Tel: +354 517-3100

 

This Privacy Policy was adopted on 15 July 2018 and last updated on 14 October 2022.

 

Cookie Policy

Personal data processed on the website
On esl.is, the Company processes personal data submitted by users, such as name, email, and message content. Non-personal data is also collected via Google Analytics.

 

Use of cookies
Cookies are used to track visits and store user preferences (e.g. language settings). If users prefer not to accept cookies, browser settings can be adjusted to reject them.

 

Analytics
Google Analytics is used to monitor website usage, collecting information such as visit date/time, entry source, browser, device, and use of search terms. This helps improve the site.

​

Cookies stored and their lifetime

• _ga_H4ZY2FM62Y – Google Analytics – 2 years

• _ga – Google Analytics – 2 years

• _gid – Google Analytics – 1 day

• _gat_gtag_UA_191218151_1 – Google Analytics – 1 minute

• _fbp – Facebook – 3 months

​

SSL Certificate
The website uses an SSL certificate to encrypt communication between users and the site, enhancing security and preventing third-party interception of sensitive data.

​

If there is any discrepancy between the Icelandic version of this privacy policy and this translation, the Icelandic version shall prevail.