Privacy Policy

About the Privacy Policy

This Privacy Policy provides information about the processing activities of personal data within Icepharma (hereinafter also referred to as "us" or "we", as applicable) and explains how individuals can exercise their rights under the Data Protection Law. For further information or questions with respect to data privacy please contact our company data privacy officer, Helga Björnsdóttir,

We may update our Privacy Policy from time to time, to ensure that it reflects the processing of personal data that takes place at any given time and to ensure the correct sharing of information on the processing and handling of personal data in the operations. The content of the policy may be changed in accordance with changes in laws and regulations on the processing and handling of personal data. Any amendments become effective upon publication on our Website.

Last updated: May, 2023

1. Processing of personal data

All processing of personal data takes place in accordance with Act No. 90/2018 on Data Protection and Processing of Personal Data ("the Data Protection Act") and the European Parliament and Council (EU) Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free dissemination of such data ("General Data Protection Regulation" or "GDPR").

We are responsible for the processing of personal data within the company either as the Data Controller, i.e., the party that determines the purposes and means of the processing of personal data or as Data Processor, i.e. the party who processes personal data on behalf of the Data Controller. Personal data means any information relating to an identified or identifiable natural person ("data subject"), i.e., information that can be used to personally identify an individual, directly, or indirectly, from the information alone or with additional data, which is in our possession or which we can easily access. Data that is not personally identifiable is not deemed to be personal data.

We may collect, record, use, store or transfer personal data about individuals. This personal data can be divided into the following categories:

  • Identification information: such as name, username and similar identification, ID number and gender.
  • Contact information: such as address, e-mail, phone number.
  • Job-related information: such as information about the workplace, specialty, job number.
  • Financial information: such as bank account information or other payment information.
  • Business history information: an overview of the products purchased, and invoices issued.
  • Technical information: such as IP address, login information, browser type and information on browser type and version.
  • User behaviour information: such as information about how websites, products or services are used.
  • Marketing information: such as information related to an individual's choice of whether Icepharma may send them marketing materials.
  • Travel information: such as information from passport, etc.
  • Information about hobbies and habits: such as information related to health and lifestyle, information related to the field of interest/specialisation of healthcare professionals, etc.
  • Other information that could be considered personal information within the meaning of the law: such as information in connection with individuals' use of a certain product, information about a certain party's communication with Icepharma, information about Icepharma's requested communication routes with healthcare professionals or other parties, etc.

In addition, it may be necessary to process special categories of personal data (sensitive personal data), such as data concerning health, and only when such data processing meets the legal requirements for the processing of special categories of personal data.

2. Methods for collecting personal data

Different methods are used to collect personal data. The following are examples of how we collect personal data in its operations:

Collection of information directly from an individual

We most commonly receive and collect identification and contact information directly from the individual, including from customers, customer contacts, healthcare professionals, patients, patient's relatives, staff, job applicants, etc. In other cases, individuals may also be asked to provide job-related information and financial information as well as other categories of personal data. In certain cases, Icepharma employees receive special categories of personal data from the individuals, such as data concerning health.

Individuals can always refuse to provide Icepharma with personal data when requested. However, if an individual chooses not to provide the information necessary for Icepharma to provide the requested service or perform contractual obligations, it may make it impossible for us, in whole or in part, to provide the requested service to the individual or otherwise fulfill its contractual obligations.

Automatic technology or communications

We may also collect technical information about individuals automatically when individuals visit and use Icepharma's websites. Personal data is collected through the use of cookies, incident registration, and similar technology. For further information on cookies, see Icepharma's Website Privacy Statement.

Collection of data from third parties

In certain cases, we may receive personal data from third parties or obtain personal data from companies, institutions, or contacts of legal entities that hold personal data about an individual, when the aforementioned parties are authorized to provide such data to the company and when the data is necessary for Icepharma for certain purposes. The same applies to personal data that is made public, such as the personal data of healthcare professionals in public records or from websites, as their processing is generally permitted and the data is only processed to the extent and for the purpose for which the data in question was originally made available.

3. Lawfulness of processing

We only process the personal data of individuals if the processing is lawful in accordance with the Data Protection Act. The processing of general personal data thus occurs only when at least one of the following applies:

  1. An individual has given consent to the processing of his or her personal data for one or more specific purposes;
  2. The processing is considered necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. The processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. The processing is considered necessary to protect the vital interests of the data subject or another individual;
  5. The processing is considered necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. The processing is considered necessary for the purposes of the legitimate interests pursued by Icepharma, a customer or another third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Individuals are always welcome to contact us if they wish to receive further information about the purpose of processing activities and its lawfulness. The processing of special categories of personal data only occurs when an individual has given their consent for such processing or if it is deemed necessary to fulfill a legal obligation or to protect the urgent interests of an individual or another individual and only when at least one of the legal requirements for processing special categories of personal data is met, cf. Article 11 of the Data Protection Act No. 90/2018.

4. Purposes of processing personal data

We strive to conduct all processing of personal data in a fair and transparent manner. Personal data is always processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes unless the company has the authority to do so, and an individual has been informed of the new purpose. The processing of personal data is always limited to the data that is considered necessary and relevant in relation to the purpose for which they are processed.

A more detailed description of the specific processing activities can be found here as well as in the "Record of processing activities" which is kept by a Data Protection Officer ("DPO").

5. Disclosure of personal data

The disclosure of personal data between employees within Icepharma may be necessary but is only permitted when the recipient of the personal data has reason to obtain the data due to their work and the disclosure is in accordance with the appropriate restrictions on the disclosure of personal data.

Personal data is not sold to third parties, but Icepharma may, however, be obliged to disclose personal data to third parties, for example to a supervisory authority, the government, or other legal entities with which Icepharma has a business relationship. Such disclosure will only take place if lawful and in such a way that the data is treated as confidential.

Some of Icepharma's service providers may receive personal data due to the implementation of a service agreement between the parties. We only use processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of applicable data protection legislation. All processing activities processed by Icepharma's processors are governed by a Data Processing Agreement.

6. Transfer of personal data between countries

We may disclose and/or transfer personal data to other countries, i.e., to a recipient country that provides personal data with adequate protection, cf. all countries within the EEA area as well as the countries that the Data Protection Authority has advertised as safe third countries. In exceptional cases, personal data is disclosed to countries outside the EEA and only when authorized in accordance with the Data Protection Act.

7. Retention Period

Data is not stored in a form that permits the identification of data subjects for longer than is necessary for the purposes for which the personal data are processed. Personal data is stored for the duration of business relationships, as long as required by law or legitimate interests and for an apposite reason. An apposite reason is considered to exist if the data is still being processed in accordance with the original purpose of its collection. As a result of the above, different retention periods may apply depending on the processing purpose, type, and nature of personal data.

We follow policies and procedures for the retention and deletion of personal data. Once a year, an internal audit of the storage of personal data is carried out, and the personal data that is no longer needed for the business is no longer kept unless the law requires such data to be stored and retained for a longer period of time.

8. About security, supervision, and responsibility


Security measures in the interest of data protection and compliance with principles

We have implemented technical and organizational security measures to ensure general data security and compliance with the principles of the processing of personal data. High-quality and lawful processing of personal data is an integral part of the operation, and appropriate procedures, methods, training, security aspects and other aspects have been implemented with the aim of ensuring compliance with the principles of the Data Protection Act.

The personal data that we collect, process, and store is protected by strict rules and processes both when it comes to the human touch and the electronic environment. These measures are intended, first and foremost, to protect personal data against accidental loss or alteration and against unauthorized access, copying, use, or disclosure. Other measures are aimed at ensuring, by default, that personal data collected and used as necessary for specific purposes is not stored longer than necessary and is not made available to unauthorized parties.

Data Protection Officer (DPO) and Information Security Team

A dedicated information security team bears the main responsibility for information security issues. The designated Data Protection Officer is one of the members of the team and bears the main responsibility for data protection issues and is the liaison with the Data Protection Authority. The team monitors compliance with applicable laws and regulations on data protection in the company´s operation as well as compliance with internal policies and procedures regarding information security and the handling of personal data. The team also has an important role towards employees, such as raising awareness, providing information and training. High-quality and lawful processing of personal data is an integral part of the operation, and it is the team's responsibility to ensure that all employees are aware of and trained in all internal procedures concerning the protection and handling of personal data.

Active safety awareness of employees

We promote an active safety awareness of employees and provide employees with adequate and appropriate education and training. All employees are participants in the company's privacy policies and undertake to comply with the Privacy Statement and the procedures to ensure its implementation. All employees, and others involved in the processing of personal data on behalf of Icepharma, have a contractual and/or statutory duty of confidentiality regarding everything they become aware of in the course of their work. Violations of confidentiality are taken seriously and will be handled with a pre-defined procedure.


We accurately record the processing of personal data, to the extent that such registration is required by the Data Protection Act. Thus, we define and record the basis for the processing of each processing element of personal data in the company's operations and maintain a record of the processing activities, including a record of the consent of the data subjects and how consent is obtained.

Built-in data protection and impact assessment

Regular assessments are made of the ways in which built-in privacy can be ensured in all applications, systems, and processes used and supported in the operations. Such an assessment is made in light of various factors, such as the latest technology, the cost of implementation, the nature, scope, context, and purpose of processing, as well as the risks that processing may have on the rights and freedoms of individuals. In the case of risky processing within the meaning of the Data Protection Act, a regular assessment of the impact of data protection is carried out in addition.

Strict requirements for information systems

All information systems used in Icepharma's operations are required to support the company's objectives of compliance with data protection laws and regulations, and care is always taken to ensure that personal data is only accessible to those employees whose access is necessary for their work. Access to information is controlled by access controls.

9. Personal Data Breach

Every effort is made to ensure that there is no personal data breach in the processing of personal data in the operations. A personal data breach is when there is a breach of security that results in the unintentional or unlawful destruction of personal data; in personal data being sent to unauthorized parties, stored or otherwise processed; or that it is lost, altered, published or unauthorized access is given to it. A personal data breach may entail a breach of confidentiality, lead to data becoming inaccessible, or the alteration of personal data.

The information security team monitors possible personal data breaches, i.a. to ensure compliance with laws and regulations regarding the handling of deviations and registration of deviations. In the event of a personal data breach, defined internal procedures are activated which, i.a. ensure that personal data breaches are reported in an appropriate manner within the time limits required by law and regulations.

In the event of a personal data breach, our DPO will without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Data Protection Authority and, as the case may be, individuals, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

If parties become aware of a personal data breach regarding personal data, they are kindly asked to contact us by sending an e-mail to: without undue delay to reduce the risk of damage. An example of a personal data breach that we want to be informed about is, e.g. if an individual receives an e-mail that contains personal data that is irrelevant to the recipient and/or contains personal data about another person.

10. Information regarding individual privacy rights

The Data Protection Act provides for and guarantees individuals certain rights regarding the processing of their personal data. The following rights are in general available to individuals:

  • The right to information about and access to your own personal data stored by us:
  • The right to request the correction, deletion, or restricted processing of your personal data;
  • The right to object to a processing for reasons of our own legitimate interest, public interest, or profiling, unless we are able to prove that compelling, warranted reasons superseding your interests, rights, and freedom exist, or that such processing is done for purposes of the assertion, exercise or defense of legal claims;
  • The right to data portability;
  • The right to file a complaint with a data protection authority;
  • You may at any time with future effect withdraw your consent to the collection, processing, and use of your personal data.

We respect the rights of the data subject and respond to them when Icepharma is considered the Data Controller, but the rights may, however, be subject to restrictions arising, i.a. from the law, the interests of others to whom the information relates or important financial or business interests of Icepharma.

If an individual wishes to exercise their rights based on the Data Protection Act, this shall be done by sending the request to Icepharma's Data Protection Officer by email: In order for such requests to be processed, we need to collect personal data about the applicant to ensure identification.

If Icepharma receives a formal individual rights request from an individual to exercise the above rights, Icepharma will inform the applicant of the actions that will be taken as soon as possible, but at the latest within two weeks of receiving it.

11. Communication with the Data Protection Authority

Individuals have the right to send a complaint to the Data Protection Authority at any time if they believe that Icepharma will not respond satisfactorily to a submitted individual rights request or if they oppose or disagree with the way their personal data is handled or believe that such information is not processed in the manner required by applicable law.

Complaints to the Icelandic Data Protection Authority can be sent by e-mail to or by letter to: Persónuvernd, Rauðarárstígur 10, 105 Reykjavík, Iceland. However, Icepharma would kindly like to request that an individual first contacts Icepharma's DPO so that the company has the opportunity to resolve a dispute before a complaint is sent to the Data Protection Authority.