Data Protection

In 2017 the Bank began implementing Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) which came into force in Europe on 25 May 2018. The Regulation was introduced into Icelandic law by the Data Protection Act No. 90/2018, which came into force on 15 July 2018. The Data Protection Officer is Erla Thurídur Pétursdóttir.

The Regulation was implemented in three stages. The first stage mapped the processing of personal data by reviewing procedures and execution. The second stage involved the processing of stage one and analyzing in which areas the Bank was not in compliance with the forthcoming legislation and what corrective action was required. The first and second stages were carried out in 2017.

The third stage, carried out in 2018, involved defining measures for corrective action and identifying and implementing necessary changes. The third stage was completed in a project accelerator, and a total of 20 employees from five divisions worked on it for 16 weeks. The project was completed on 7 June 2018. A legal firm, specializing in data protection law, was hired to advise on the implementation.

Implementing the regulation raised awareness and improved employees’ knowledge of data protection and the new legislation, created a record of processing data activities and introduced changes to data processing in order to comply with the new requirements. A new data protection policy, which meets the Bank’s obligation to provide information to people, was devised and introduced, and reports were made available in customers' online bank accounts, so that people could receive confirmation in digital format of what personal data was being processed at the Bank and obtain a copy of the reports.

Arion Online Banking included a new feature whereby customers could accept or reject direct mail and other marketing material, and the cookies policy was updated. A data protection management system was set up by incorporating data protection issues in policies and processes, such as the security policy, the new products process and the software development process. Data protection was also incorporated in management supervision. The Bank also designed a procedure for assessing the impact of data protection. A Data Protection Officer was appointed in mid-2018.

Arion Bank’s data protection policy can be viewed on the Bank’s website.