Policy on Protection of Personal Data

Iceland Symphony Orchestra

1. General


The role of the Iceland Symphony Orchestra (ISO) is to enrich the musical culture in Iceland, foster interest in and knowledge of music, and give Icelanders the opportunity to enjoy music, including through radio broadcasts and through concert performances in as many locations around Iceland as possible. Particular emphasis is placed on performing and promoting Icelandic music, both in Iceland and abroad, when the opportunity arises.

The ISO is owned by the State (82%) and the City of Reykjavík (18%) and is operated as a Part A State institution.

The Orchestra welcomes a large number of concert guests each year and is concerned about the treatment of guests’ and employees’ personal data, and in this context it has adopted the following personal data protection policy.

The policy can always be found on the organisation’s website. Every effort has been made to explain the processing of personal data in a simple and concise manner.

Upon request, the ISO provides information on the data that are gathered and on what is done with them.

The ISO will use data for the purposes listed in this personal data protection policy. This entails, among other things, providing customers with the services they have requested and improving their experience with the Orchestra.

The ISO will also use the data to make relevant offers to customers. The ISO will not send marketing materials to customers if they notify the Orchestra that they do not wish to receive such materials. On the other hand, the ISO will continue to send customers important updates and information on services or products that they have bought, in order to inform them of changes and remind them of concert times.

This policy is based on the Act on the Protection of Privacy and Processing of Personal Data, no. 90/2018 (the Data Protection Act).

2. On marketing materials

When customers provide information directly to the ISO, they may be asked whether they wish to receive marketing materials from the Orchestra. The ISO respects customers’ wishes concerning whether, and in what manner, they wish to receive marketing materials.

Customers may change their minds at any time concerning whether they wish to receive marketing materials. Those wishing to stop receiving marketing materials should contact the Orchestra by e-mail at sinfonia[at] It is also possible to unsubscribe from such materials online and by clicking on the relevant link in marketing e-mails.

When customers indicate that they do not wish to receive marketing materials, the ISO will nevertheless retain their personal data in order to fulfil their request not to receive such materials.

3. On storage of personal data


Customers’ personal data will be stored as long as is necessary to achieve the purpose for which data processing is needed. Care will be taken to delete personal data as is provided for by law.

4. On data controllers


When the ISO processes personal data on its customers, it is considered the controller of the data. Other service providers that provide a part of the service – such as the landlord of the building and concert ticket booking websites – are separate data controllers. These entities’ personal data protection policies can be obtained from them.

5. Scope


The ISO’s personal data protection policy applies when personal data pertaining to the Orchestra’s relationship with its customers or prospective customers are gathered, utilised, or processed in some other way. This includes instances when customers book concert tickets in person, by telephone, or on the Orchestra’s website, or when they use other services from the ISO, such as the website or other telephone-based services.

6. On personal data


All information that identifies customers – such as name, contact information, purchase history, or website usage information – is considered personal data.

7. Types of personal data and the purpose of processing


The ISO has access to the following personal data on individuals who have purchased tickets to Orchestra events, which takes place via the ticketing website:

  • Full name, address, national ID number, e-mail address, and telephone number.
  • Information on the services purchased, such as ticket purchases and subscriptions.

While the service is being provided, and via e-mail, information is gathered in connection with communications between customers and ISO personnel, such as the processing of complaints, in order to improve the quality of service.

Individuals may also subscribe to the ISO newsletter or join the group Friends of the Iceland Symphony Orchestra. When signing up for these, customers must provide an e-mail address, but in the case of the newsletter, providing a name, telephone number, and national ID number is voluntary. When joining Friends of the Iceland Symphony Orchestra, prospective members must provide their full name and national ID number and select an annual fee. This information is not stored on the website itself but on a secure website hosted by Zenter. An ISO employee who acts as a representative of Friends of the ISO has access to information on members for marketing purposes. Individuals can unsubscribe from the above-mentioned lists at any time; cf. Section 2 above.

Traffic on the ISO website is measured so as to determine which events and news releases attract the interest of individuals who use the website, after the individuals have given their consent on the site. Website traffic is measured with cookies using Google Analytics and Facebook Pixel. Very few cookies gather information that can identify individuals; instead, attempts are made to gather general information, such as what types of users visit the site, what types of devices they use when they visit, how the site is used, or general information on the user’s location. The data that the ISO processes are used solely to track the use of the website.

Individuals can delete cookies that are stored on their devices by changing their web browser settings; alternatively, they can install a browser extension such as Privacy Badger. Google also offers an extension that allows users to refuse Google Analytics measurements, as well as offering the possibility of changing user registrations in its advertising network, including refusing them entirely.

The aforementioned information is used to:


  • Ensure that tickets are delivered to the correct users.
  • Send information to individuals if changes are made to events for which tickets have been purchased.
  • Send tickets to individuals by mail upon request.
  • Send information to individuals about other ISO events upon request.
  • Customise information about events compatible with individuals’ areas of interest and send it to them upon request.
  • Conduct analysis and market research.
  • Resolve disputes and carry out operational tasks (such as bookkeeping) and management tasks (such as responding to requests to delete personal data).


8. Third parties


Material on the ISO website includes links to third-party websites, such as Harpa’s website (where tickets to ISO events are sold via the ticket sales system). The ISO does not control these websites, and other personal data protection policies may be in effect there. The ISO encourages you to familiarise yourself with the personal data protection policies of the parties concerned, as the ISO’s policy does not extend to these third parties or their processing of personal data.

The ISO does not provide personal data to third parties except on the basis of contractual agreements relating to the purposes described in Section 7 or as required by law.

9. Visits to Harpa – electronic monitoring


The ISO’s premises in Harpa are monitored with security cameras. The data controller is Harpa, and according to Harpa’s personal data protection policy, the data are processed on the basis of legitimate interests, for the purpose of ensuring safety and protecting Harpa’s assets.

The resulting data are not manipulated or provided to others unless this is done with the consent of the data subject or as required by law, such as in incidents involving accidents or alleged criminal conduct. Audio and video material gathered during the monitoring process is deleted automatically at the end of a specified period of time, except in those instances when objective circumstances and regulatory provisions result in its processing.

10. Recordings of concert performances


At certain concerts, the ISO engages an external party such as the Icelandic National Broadcasting Service to prepare an audio and/or video recording of the performance. No personal information about customers is shared during this process, although members of the audience could appear on the recordings or live broadcasts. If the event is recorded, this is specified in the concert programme or promotional materials advertising the performance.

11. Employees and job applicants


The ISO processes personal data on applicants for positions with the Orchestra or the Iceland Symphony Youth Orchestra (ISYO). The processing of personal data on employees, artists and instrumentalists engaged for specific events, and job applicants is described in the ISO’s internal personal data protection policy for employees and applicants, which can be obtained by all of the parties concerned from the Director of Human Resources or the Personal Data Protection Officer.

12. Disclosure


The ISO places emphasis on ensuring that personal data are always handled in accordance with the Act on the Protection of Privacy and Processing of Personal Data, and that the security of the data is satisfactorily ensured. Information provided by individuals is not disclosed to anyone other than those whose jobs necessitate handling the data. ISO employees pledge to observe full confidentiality concerning all personal data on individuals and ISO guests that they handle, and they pledge not to disclose any more information to data processors than is necessary.

13. Data storage


The ISO is required to operate in accordance with the Act on Public Archives, no. 77/2014, and is therefore prohibited from destroying documents and data that it handles without the permission of the National Archives. This obligation entails, among other things, that the ISO must deliver all data that it receives, together with all data created by the organisation, to the National Archives for permanent storage.

14. Individuals’ rights under the Data Protection Act


The ISO places emphasis on respecting the rights of individuals who entrust their personal data to the organisation, and on enabling individuals to exercise their rights vis-à-vis the organisation by directing the following queries to the ISO:

Right of access to personal data. Individuals may request confirmation of whether the ISO processes personal data on them, what the purpose of such processing is, what types of data are involved, who the recipients are (if any), and how long the data will be stored.

Right to transfer personal data. Individuals are entitled to receive personal data provided to the ISO in a commonly used electronically readable format or, if the individual concerned so requests, to have such data delivered to others whom the individual concerned specifies as recipients.

Right to rectification and erasure of personal data. The ISO places emphasis on ensuring that the data with which it works are correct and reliable; therefore, it requests that individuals inform the organisation of all changes in their circumstances that may affect personal data processing. This may include changes in an individual’s e-mail address, telephone number, and address. Individuals may also request that the organisation delete any personal data on them that it is not legally required to store.

Right of protest and right to restrict processing of personal data. Individuals are entitled to lodge a protest against the processing of personal data. Individuals may also request that processing of their personal data be restricted for a specified time if they consider the data to be incorrect.

15. Copying and erasure of personal data; complaints


According to the current Data Protection Act, you may request a copy of your personal data if they are processed by the ISO. You may file such a request at no charge unless the request is obviously groundless or is excessive. The ISO will do everything in its power to respond to such a request within one month of receiving it.

Your request must be made in writing and must contain the following information:

1. Name, e-mail address, telephone number, and postal address.

2. Information on the nature of your request.

In addition, we ask you to provide the following:

3. Your signature and the date of the request.

4. A copy of official identification such as a passport or driver’s licence, so that we can confirm the identity of the person making the request.

5. If the request is being made on behalf of another individual, a signed authorisation from that person is required.

Please send your request to:

Iceland Symphony Orchestra
att’n: Personal Data Protection Officer
Austurbakki 2
101 Reykjavík

16. Amendments to the Iceland Symphony Orchestra’s personal data protection policy

The ISO may amend its personal data protection policy, and it encourages individuals to re-acquaint themselves with it on a regular basis. The most recent version of the policy will be posted on this website at all times.

Approved at a Board meeting held on 2 June 2021