Lucinity Privacy Notice

On the processing of Customer and Employee Data – Data Controller

Version 1.2 – September 2020


Lucinity ehf., 591218-0770, is a cloud-based software solution provider for anti-money laundering (AML) and related services (“Servies”).  Delivering state-of-the-art AML services requires the use of sensitive personal data from banks and financial institutions. Under Act No. 90/2018 on data protection and the processing of data (“Act on Data Protection”) and the General Data Protection Regulation No. 2016/679 on the protection of natural persons concerning the processing of personal data and the free movement of such data, (“GDPR”) Lucinity acts as a both a data controller and data processor. During most of Lucinity’s processing activities, it acts as a Data Processor for its Customers; a separate Privacy Notice is provided on this processing. However, when processing customer and employee data, it acts as a Data Controller.

  • Scope and Context

The scope of this notice covers the use of personal data from the following:

  • Users of Lucinity’s websites, products, and services, including employees of Lucinity’s customers
  • Employees of Lucinity
  • Prospective employees of Lucinity who apply for work through the website or portals or who’s information is sent to Lucinity from recruitment sources
  • Lucinity board members and shareholders
  • Lucinity suppliers and contractors
  • Other stakeholders

This privacy notice aims to provide information on how Lucinity collects and processes personal data through our operations and services.

Collection of Personal Data, Purpose, and Use

Lucinity may use your personal information for operational, legal, administrative, and other legitimate purposes permitted by applicable law. Some of the ways we may use personal information include:

  • Performing user verification
  • Providing you with requested products or services
  • Providing customized product and service information
  • Performing selection of candidates through the hiring process
  • Assessing your performance, if you are a contractor or supplier
  • Providing product service updates, information, and alerts
  • Sending communications, including for marketing or other customer satisfaction purposes
  • Order processing and to provide transaction documents
  • Analyzing and monitoring the extent of use and enhancing our products and services

Personal data is obtained from the following sources:

  • Directly from you
  • Through the usage of Lucinity products and services
  • Employment agencies
  • Your employer, if you are a supplier or contractor
  • Referees, either external or internal
  • Security clearance providers
  • Health providers
  • Pension funds
  • Government agencies, for example, tax offices
  • Trade unions
  • Providers of staff benefits
  • Credit rating offices

If you are an employee of our customer, Lucinity collects the following data to understand usage, improve system operation and verify adherence to external legal requirements

  • User log-in and log-out times
  • User role within the platform
  • User review time per case behavior
  • User feedback on cases
  • Case routing
  • Number of cases filed to authorities and the respective behaviors
  • Other data as deemed important from time to time by both parties

If you are an employee of Lucinity, we collect and process the following categories of personal data:

Information related to your employment

We use the following information to carry out the contract we have with you, provide you access to business services required for your role, and manage our human resources processes:

  • Personal contact details such as your name, address, contact telephone numbers (landline and mobile), and personal email addresses.
  • Your date of birth, gender, and national identifier number
  • A copy of your passport or similar photographic identification
  • Marital status, emergency contacts, and contact information
  • Employment and education history, including your qualifications, job application, employment references, right to work information
  • Results of criminal and credit delinquency record lookup
  • Location of employment
  • Details of any secondary employment and conflict of interest declarations
  • Security clearance details including basic checks and greater security clearance details according to your job
  • Your responses to staff surveys if this data is not anonymized
  • Your confidentiality declaration and other commitments within the employment contract

Information related to your salary, pension, and loans

We process this information for the payment of your salary, pension, and other employment-related benefits. We also process it to administer statutory and contractual leave entitlements such as a holiday or maternity leave.

  • Information about your job role and your employment contract, including; your start and leave dates, salary, any changes to your employment contract, working pattern (including any requests for flexible working)
  • Details of your time spent working, and any overtime, expenses, or other payments claimed
  • Details of any leave including sick leave, holidays, special leave, etc
  • Pension details
  • Your bank account details, payroll records, and tax status information
  • Trade Union membership for the deduction of subscriptions directly from salary
  • Details relating to Maternity, Paternity, Shared Parental and Adoption leave and pay

Information relating to your performance and training

We use this information to assess your performance, to conduct pay and grading reviews, and to deal with any employer/employee-related disputes. We also use it to meet the training and development needs required for your role.

  • Information relating to your performance at work, e.g., performance reviews, promotions
  • Grievance and dignity at work matters and investigations to which you may be a party or witness
  • Disciplinary records and documentation related to any investigations, hearings, and warnings/penalties issued
  • Whistleblowing concerns raised by you, or to which you may be a party or witness
  • Information related to your training history and development needs

Information relating to monitoring

We use this information to assess your compliance with corporate policies and procedures and to ensure the security of our premises, IT systems, and employees.

  • Information about your access to data held by us for criminal enforcement if you are involved with this work
  • Information on physical access to company premises, derived from security systems
  • Information derived from monitoring IT acceptable use standards, e.g., concerning software development or other use of IT systems
  • Photos and CCTV images

Information relating to your health and wellbeing and other special category data

We use the following information to comply with our legal obligations and for equal opportunities monitoring. We also use it to ensure the health, safety, and wellbeing of our employees.

  • Health and wellbeing information either declared by you or obtained from health checks, eye examinations, occupational health referrals, and reports, sick leave forms, health management questionnaires, or fit notes, i.e., Statement of Fitness for Work from your GP or hospital
  • Accident records if you have an accident at work
  • Details of any desk audits, access needs, or reasonable adjustments
  • Information you have provided regarding Protected Characteristics for equal opportunities monitoring. This includes racial or ethnic origin, religious beliefs, disability status, and gender identification and may be extended to include other protected characteristics

Due to the nature of our company, Lucinity requires employees to supply their criminal record and their credit delinquency record. This a precondition of employment, but we do not store or process this data.

We do not collect any other special categories of personal data about you (this includes details about your religious or philosophical beliefs, sex life, sexual orientation, political opinions, information about your health, and genetic and biometric data).

We may also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.

Lawful basis for processing Personal Data

We rely on the following lawful basis for processing your personal data under the GDPR:

  • Article 6(1)(b) which relates to processing necessary for the performance of a contract
  • Article 6(1)(c) so we can comply with our legal obligations as your employer
  • Article 6(1)(d) to protect your vital interests or those of another person
  • Article 6(1)(f) for the purposes of our legitimate interest

Where the information we process is special category data, for example, your health data, the additional bases for processing that we rely on are articles 9(2).

Disclosure/transfers of personal data

The employees of Lucinity have access to personal data to the extent necessary to fulfill its contractual obligation towards its customer and other sub-processors and other third parties that work on behalf of Lucinity.

It shall be noted that Lucinity may be legally obligated to disclose personal information to regulatory authorities or other governmental bodies.

Lucinity will not share your personal data with any other company for marketing purposes.

Data transfers outside of the European Economic Area

Lucinity engages processors to carry out specific processing activities. Therefore, Lucinity transfers personal data outside the European Economic Area (“EEA”) regularly; however, as a Data Controller, Lucinity ensures that it only transfers personal data processors that provide adequate protection to the personal data, for example, by way of appropriate safeguards.

Retention of personal data

Lucinity will seek to either erase or return data obtained once it no longer requires the data to fulfill its contractual obligations or for other legitimate purposes of the company. Lucinity is obligated by legal and regulatory requirements, such as accounting requirements, to retain personal data, such as accounting requirements.

Data Subjects Rights

Lucinity is responsible for taking appropriate measures in providing the data subjects with information concerning the processing of their data and their rights on the basis of GDPR.

Lucinity will provide the data subject with the following rights per GDPR, particularly, the right to:

  • access to data obtained and retained
  • rectification of inaccurate data obtained
  • erasure of the data obtained and retained
  • restriction on processing the data obtained
  • objection to the processing of the data obtained
  • the right to data portability

Lucinity will assist the customer, without undue delay, if the data subject wishes to exercise its rights, particularly regarding the right of access and/or rectification of inaccurate personal data.

It shall be noted that the customer always has the right to lodge a complaint with the supervisory authority.

Notification of a Data Breach

In case of a personal data breach by Lucinity or a Sub-Processor, Lucinity will take appropriate measures in accordance with the GDPR.

Measures are taken to ensure Data Protection

Lucinity is obliged to ensure the adequate protection of data according to article 27 of GDPR, cf. 32, with the following measures:

  • Lucinity safeguards its workplace with a control system
  • Lucinity has implemented a security policy to ensure the safety of information technology
  • Lucinity has trained its employees and informed them of the processes and internal rules of the processing of personal data
  • Lucinity applies active internal control and has implemented internal standards and processes to ensure the safety of personal data
  • Lucinity has implemented procedures to respond to data breaches
  • Lucinity conducts a data protection risk assessment/impact assessment regularly
  • Lucinity ensures to restrict the access of employees to the Data Controller’s systems
  • Lucinity has established procedures to easily obtain personal data and to restore accounts if a material breach or technical incident occurs
  • Lucinity ensures that the rules of the Data Protection Agency No. 299/2001 regarding the safety of personal data are met and that the company plans to have its activities certified based on the ISO 27001 standard on information safety before year-end 2020
  • Lucinity has appointed a Data Protection Officer (DPO) to manage any data requests and handle any data issues or data breaches

Data Protection Officer (DPO)

Lucinity has appointed a Data Protection Officer (DPO) to manage any data requests and handle any data issues or data breaches

Should customers require further information concerning this Privacy Notice or any other information, it should refer to the DPO by phone or email. The DPO will respond to the query as soon as possible.

Lucinity ehf – Data Protection Officer

Borgartún 25

105 Reykjavík



phone: +354 844 4065

Privacy Notice Amendments

This Notice will be updated regularly in accordance with the changes made by Lucinity in relation to the processing of personal data.

List of Personal Data Processors

Data processors are third parties who provide certain parts of our staff services for us. They abide by their privacy policies and cannot do anything with your personal information unless we have instructed them to do so. Our current data processors are listed below.  This excludes unions and pension funds and other entities with whom you have a direct relationship.

Data Processor Purpose Privacy Notice
BambooHR Cloud-based HR system
Google Cloud Platform Cloud computing service for managing applications and services
Microsoft Dynamics NAV Cloud-based salary system
Microsoft Azure Cloud computing service for managing applications and services
Microsoft SharePoint Cloud-based document management and collaboration platform
Officevibe Cloud-based employee survey system