This privacy statement outlines how APA ehf., ID No. 610806-0230, Fálkavelli 7, 235 Keflavík Airport (hereinafter also referred to as ‘Airport Associates’, ‘the company’, or ‘we’) collects, records, stores, and shares personal information in connection with its operations as a data controller. Strong data protection is a priority for Airport Associates. We place great emphasis on respecting individuals’ rights and ensuring that personal information is always handled in accordance with applicable data protection laws and regulations, specifically Act No. 90/2018 on data protection and processing of personal information (hereinafter ‘data protection laws’).

At Airport Associates, personal information is processed in connection with the company’s operations and services. This statement applies to representatives and employees of clients if they are legal entities, contractors, suppliers, and partners. The statement also applies, where applicable, to other individuals, such as those who contact the company, visit its premises, or use the company’s website (hereinafter also referred to as ‘you’). The processing of personal information for job applicants and employees is addressed in a separate privacy statement.

The statement primarily addresses the processing of personal information when individuals:

• Engage in communication with us due to a service or business relationship.
• Contact the company, whether through email, phone, or social media.
• Visit our website, www.airportassociates.com, or our social media pages.
• Visit our premises.

What personal information do we process about you and for what purpose?

All processing of personal information by Airport Associates is conducted for clear, stated, and legitimate purposes. Airport Associates primarily processes your personal information to fulfil legal obligations imposed on the company; create, execute, and fulfil business contracts and other agreements related to the company’s daily operations; communicate with individuals, respond to inquiries, and address suggestions or complaints; ensure security and asset protection, inform or prevent legal violations or other criminal and/or reprehensible conduct; operate the website and improve user experience on the company’s website.

Airport Associates processes, as applicable, primarily the following personal information:

• Identification and access information: Name, social security number, address, job title, phone number, email address, and where applicable, driver’s license or passport number in connection with granting access to the restricted area of Keflavík Airport.
• Communication information: Information about communication with the company, including all suggestions and complaints, whether conducted in writing, electronically such as via email, by phone, verbally, or in another manner.
• Information collected through electronic monitoring: Audio and video recordings collected through electronic monitoring with surveillance cameras.
• Automatic registration of call data: All calls made through Airport Associates’ phone system are automatically recorded, including information about phone numbers dialled from the company’s phone numbers and phone numbers calling into the company’s phone numbers, along with information about call duration, date, and time.
• Technical and derived information: Information about equipment and devices used to connect to the company’s website, such as IP address, type of smart device, and actions you perform on the websites.
• Other information: The aforementioned list is not exhaustive, but the company may process other information about you that is necessary at any given time depending on the nature of the service, relationship, or communication you have with the company.

Use of our website or social media pages

When you use our website www.airportassociates.com, we may collect information about your usage, such as the referring website, the type of browser and operating system you use, the timing and duration of your visit, and which subpages you visit within the company’s website.

By using our social media pages, such as those operated by Meta, statistical information about visits to the page is collected, which the company processes along with the respective social media service. In connection with this processing, parties act as so-called joint controllers.

Where do we obtain personal information about you?

Airport Associates primarily collects personal information about you from yourself. In certain cases, you also indirectly provide personal information, such as when you visit our website where activity logging takes place.

In exceptional cases, your personal information may be provided to us by third parties, such as public entities, legal entities that do business with the company, or partners and processors, when the aforementioned parties have authorization to deliver such information.

What is the legal basis for the processing of personal information?

The collection and processing of your personal information in certain cases takes place where it is necessary to create or fulfil a contract between you and Airport Associates or to satisfy a legal obligation in accordance with Article 9 (1), points 2 and 3 of the Data Protection Act. In certain cases, the company requests your informed consent for the processing of personal information in accordance with the requirements of data protection laws. In such cases, you can withdraw your consent at any time, and the processing covered by the consent will cease after the withdrawal. However, the withdrawal of consent does not affect the processing of personal information prior to the withdrawal.

In certain cases, your personal information is processed because Airport Associates, yourself, or a third party has legitimate interests in the processing of the information. Such processing only takes place if the interests of the company and/or third parties in conducting the processing outweigh your privacy interests, following a specific assessment of interests. The following processing activities are carried out based on legitimate interests:

• Processing of personal information for the company’s marketing and promotional activities.
• Processing of personal information for network and information security purposes.
• Processing of personal information to ensure the basic functionality and security of the company’s website.
• Processing of personal information in connection with the preservation of material generated through electronic monitoring, for example, if it is necessary to preserve material to define, present, or defend legal claims in court or elsewhere.

Generally, Airport Associates does not process sensitive personal information about individuals covered by this privacy statement. However, exceptions may arise, for example, if information relating to accidents is collected through electronic monitoring with security cameras. In any instance where the company processes sensitive information, such processing is always carried out based on explicit authorization under the Data Protection Act.

With whom do we share your personal information and why?

It is possible that your personal information may be disclosed to third parties if required by law, such as to the Transport Authority, Isavia, the Police, the Tax Authorities, or other public institutions. Additionally, data about you may be disclosed to administrators or processors of information systems, including cloud services, or to external parties who process and/or store personal information for Airport Associates, such as professional advisors (e.g., lawyers or auditors). In cases where a third party is considered a processor, a data processing agreement is made with the relevant party to ensure the confidentiality and security of the personal information processed, in accordance with the requirements of data protection laws.

The aforementioned third parties may be located outside of Iceland. However, Airport Associates does not transfer personal information outside the European Economic Area unless it is in accordance with the provisions of data protection laws, such as based on standard contractual clauses or a notification from the Data Protection Authority regarding countries that provide adequate protection for personal information.

Airport Associates would like to point out that when you visit or contact us through our social media pages, such as those operated by Meta, the providers of the respective social media service may gain access to information, and we encourage you to familiarize yourself with their privacy policies.

Electronic monitoring with security cameras

Electronic monitoring is conducted with security cameras in and around Airport Associates’ facilities for security and asset protection purposes. Individuals visiting monitored facilities or areas may therefore be recorded on camera. The processing of information collected through electronic monitoring is based on the legitimate interests of the company, in accordance with Article 9 (1), point 6, of the Data Protection Act.

Personal information generated using security cameras will only be used if incidents arise concerning asset protection or the safety of individuals, such as theft, vandalism, or accidents. It must not be copied or provided to another party, except based on legal authorization, the consent of registered individuals, or according to the decision of the Data Protection Authority at any given time. Personally identifiable footage is therefore generally not disclosed to anyone other than the police, and then only in cases involving an accident or suspected criminal activity. However, footage may also be shared when necessary for Airport Associates to establish, exercise, or defend legal claims. In such cases, access to the footage may be granted, as required, to legal advisors, insurance companies, the opposing party, and the courts, in accordance with applicable laws and regulations. Footage captured by security cameras is automatically deleted after a maximum of 90 days unless it is necessary to retain it to establish, exercise, or where applicable defend legal claims, particularly in legal proceedings, provided that such retention is permitted by law, court order or directive from the relevant authority.

How long do we retain personal information about you?

Airport Associates retains personal information for as long as necessary according to the laws and regulations applicable to the company’s operations, or for as long as the company’s legitimate interests require and there is a reasonable cause.

Personal information generated through electronic monitoring is automatically deleted after a maximum of 90 days, unless the law permits or necessity requires further retention, such as to establish, exercise, or defend a claim due to legal proceedings or other such legal necessities. Personal information generated through action and incident logging in network and computer systems is retained for a maximum of 24 months for the purposes of network and information security.

Information subject to accounting laws is retained for 7 years from the end of the relevant fiscal year. Certain information may need to be retained longer, for example, if it is likely that Airport Associates will need to establish, exercise, or defend legal claims. In such cases, the retention period will be based on the rules regarding the statute of limitations for claims.

Security of your personal information

Airport Associates places great emphasis on ensuring the security of personal information at all stages of processing and strives to limit or reduce the processing of such personal information when not necessary through organizational and technical measures. Examples of such security measures include access controls to systems where information is stored. Additionally, staff receive regular training and education on data protection. These measures are intended to prevent human error, theft, fraud, and protect personal information against unauthorized access, loss, destruction, accidental alteration, and unlawful use.

Airport Associates emphasizes that access to personal information is restricted to staff who require it to fulfil the purposes of processing. The company’s staff are also informed of their duty to maintain confidentiality and ensure the security of personal information at the start of their employment.

The company has established procedures for handling potential security breaches in the processing of personal information, such as if there is suspicion that personal information has fallen into the hands of unauthorized individuals. In such cases, the Data Protection Authority, relevant supervisory institutions, and, where applicable, individuals are notified of the security breach in accordance with data protection laws.

Automated decision-making

Airport Associates does not engage in automated decision-making or automatically create personal profiles about the company’s employees, where personal information is used, for example, to assess certain aspects concerning individuals’ interests or to analyse or predict aspects related to matters such as reliability or behaviour. If this occurs, the company will provide information about it, such as by updating this privacy statement.

Your rights

Subject to the conditions further discussed in applicable data protection legislation, you have the right to:

• Receive information about what personal information the company has recorded about you and its origin, as well as information about how personal information about you is processed.
• Access and obtain a copy of all personal information processed about you, provided that the interests of others do not prevent this, such as due to the rights of others that should weigh heavier, or request that it be sent to a third party.
• Have incorrect, misleading, or incomplete personal information about you updated and corrected, as well as have its use blocked or deleted.
• Object if you wish to restrict or prevent the processing of your personal information, such as when the processing of your personal information is based on legitimate interests.
• Receive information about whether automated decision-making takes place, and if so, on what grounds such decision-making is based and a review of automated decision-making.
• Withdraw your consent for Airport Associates to collect, record, process, or store your personal information, when processing is based on that authorization. Withdrawal of consent shall not affect the legality of processing based on consent prior to its withdrawal.

If you wish to exercise your rights, you can send a written request to occurrence@airportassociates.com. We will confirm receipt of the request and respond within a month from receiving the request. If it is not possible to respond within a month, we will notify you of the delay in processing within a month.

You also have the right to contact the company’s data protection officer and/or file a complaint with the Data Protection Authority if you believe the company is not processing your personal information in accordance with data protection laws. Information about the Data Protection Authority can be found on the institution’s website, www.personuvernd.is.

Further information

You can contact the data protection officer at Airport Associates via the email address occurrence@airportassociates.com if any questions arise regarding the handling of personal information by the company or if you have suggestions or wish to exercise your rights provided by data protection laws.

Review and updates

Airport Associates reserves the right to regularly review this privacy statement and update it as necessary. If there is a substantive update, you will be notified of such before the updated statement takes effect. Minor changes, such as wording changes, take effect upon publication.

This statement was last updated on 07.05.2026.