KEF Privacy Notice

What data do we collect and process? We collect, and process IP addresses assigned internally, device, Mac addresses and names of connected devices.

Why do we process your data? We process your data to provide you with a free internet connection and manage access to relevant networks, such as guest networks, office networks, operator networks, or other more specific networks. The processing is necessary to fulfil contractual obligations, i.e. provide you with the service.

We also process the data for the purpose of, and on the basis of our legitimate interest in, improving the service, as it is our assessment that your interests, privacy and freedom do not outweigh our interests.

How long do we retain your data? We'll retain your data for 30 days.

Do we share your data? No.

Where do we store your data? Data is stored on web servers located within the European Economic Area (EEA).

What data do we collect and use? In two market surveys (ASQ and Consumer Audit), passengers are asked to fill out a survey at the departure gate.

In the ASQ survey, passengers are provided with a tablet from the survey company Epinion and asked to answer questions about their satisfaction with various services. They also answer questions about their background such as their age, gender, nationality and place of residence, as well as providing information about their flight number, destination, date, time of day, whether they are departing or transit passengers, and more. Personally identifiable information is not solicited and all questions are optional. Epinion receives this information, imports it into Excel, and sends updated ACI results monthly and quarterly through Power BI. Aggregate results are published, and percentages and averages can be viewed.

Consumer Audit is only carried out once a year, from July to September, and is executed in the same way as the ASQ survey. Passengers are provided with a tablet which they return after completing the survey. They are asked about their satisfaction with various aspects of the shopping and dining area, and their attitudes and behaviour in the area. They are asked about demographic variables such as their age, gender, nationality, residence, reason for travel, whether they are departing or transit passengers, and more. Data from these surveys is always aggregated – the data can be sorted by specific groups, such as age groups or type of passenger (transit or departing passenger). When we receive the data, information cannot be traced to individual respondents.

In Retail X, passengers are asked if they want to fill out a short questionnaire when connecting to the internet at Keflavík Airport. They can choose whether to participate or opt out, in which case they are immediately connected to the network. Passengers can also scan QR codes in shops and restaurants to answer the questionnaire. The questionnaire contains questions about satisfaction with the main service elements in shopping and restaurant services. Responding passengers are also asked if they want to share their e-mail address with us and receive one survey about their experience and services at Keflavík Airport. Providing an e-mail address is optional. The company Retail X sends the e-mail addresses to Gallup, which is responsible for sending out the customer surveys on behalf of Isavia to the collected e-mail addresses.

Why do we process your data and on the basis of what authorisation? We use the results to assess the service level at Keflavik Airport and identify where improvements are needed. We also use the results to further identify the needs of passengers and how we can better meet them.

We process the information that is considered personally identifiable based on the consent that you provide to us when you choose to respond to surveys, both RetailX and the follow-up survey from Gallup.

How long do we retain your data? ASQ and Consumer Audit results are retained indefinitely as responses cannot be traced back to individuals.

As for the Retail X survey, the company deletes the e-mail addresses as soon as they have been sent to Gallup. Gallup deletes the e-mail addresses 30 days after collecting the data and processing the survey.

Do we share your data? We only share personally identifiable information with our data processors, RetailX and Gallup.

Where do we store your data? Data is stored on web servers located within the European Economic Area (EEA).

What data do we collect and process? Full name of the PRM passenger, flight number, estimated flight time and occasionally the booking number. We also record the PRM code that specifies the type of assistance a passenger needs (WCHR, WCHC, BLND, DEAF, DEAF/BLND, DPNA), as well as additional codes in some cases (SVAN, WCMP, WCBD, WCBW, WCLB). We receive this data from SITA, a company that serves as a global communications platform for the aviation industry.

We also record the time when a service begins, i.e. when a staff member meets with the passenger, and the timing of various stages of the journey through the terminal until the service has been completed.

Why do we use your data and on the basis of what authorisation? To provide the service using appropriate staff and equipment, which we are legally obliged to do, cf. Regulation No. 475/2008 concerning the rights of disabled persons and persons with reduced mobility when travelling by air, which transposes Regulation (EC) No. 1107/2006 on the same matter. The processing of sensitive information contained in the PRM codes is permitted on the basis of significant public interest, cf. Article 11(7) of Act No. 90/2018.

We also use the data to identify how we can improve our services, which we do on the basis of our legitimate interests.

How long do we retain your data? Data is retained for 60 days.

Do we share your data? We share your data with the airline which you travelled with to KEF when necessary due to comments on the service from the airline, e.g. if there was a delay in a flight related to the service.

Where do we store your data? Data is stored on web servers located within the European Economic Area (EEA).

What data do we collect and process? Keflavik Airport (KEF) collects data in cooperation with shops and restaurants in the KEF restricted area for the purpose of improving services to passengers. The data collected is transaction data for each transaction, summarising the amount and time of the transaction, the number of purchased items, and a traceable unique identifier in the boarding pass. We then link the data to other data that is generated when your boarding pass is scanned in the restricted area, showing your movement through KEF, as well as to your flight data.

Why do we collect this data, and on the basis of what authorisation? We use the data to produce statistical data to analyse and understand the shopping behaviour of passengers and the factors impacting it to ensure that the services provided meet the needs of passengers. For example, we use the statistical data to make the best possible decisions about service offerings in tenders for retail and restaurant facilities.

We may use the data when necessary to protect our legitimate interests and the interests of retailers at the site, provided that we determine that your privacy, interests and freedom do not outweigh these interests. The legitimate interests of us and our retailers are increasing profit margins by reducing waste, increasing services by taking into account the service needs of different passenger groups, and improving the marketing of KEF to passengers and airlines.

How long do we retain your data? The data will be sent daily from retailers to a web service database, where it will be assigned a random unique identifier and retained for 72 hours. After 72 hours, only the random identifiers, which cannot be traced to individuals, remain. From the receipt of the data to the deletion of personally identifiable information, the risk of traceability is minimised, e.g. by limiting the access to the database and maintaining an activity log on access.

Do we share your data? No.

Where do we store your data? Data is stored on web servers located within the European Economic Area (EEA).

Who is responsible for the use of the data? Isavia is not solely responsible for this data use. We and the entities operating shops and restaurants at the airport are jointly responsible for the use of your shopping data for this purpose.

What data do we collect and process?

• Baggage sorting: All baggage passing through Keflavík Airport is registered. The BSM (baggage source message) is scanned from the barcode (unique baggage number) on the baggage tag. It includes the passenger's name and surname, flight date and time, point of departure, destination, baggage class, and passenger status.
• Screening and search: X-ray screening is used for baggage. If an x-ray screening results in a staff member having to search the baggage, information on the bar code, date and time of the search, the flight number, the airline and its service providers, information on any removed items and, where applicable, specific comments in accordance with aviation security standards are recorded.

Why do we collect this data, and on the basis of what authorisation?

• Baggage sorting: This information is collected to ensure that no unaccompanied baggage goes on board and so that the baggage can be traced through the baggage system, thus preventing that baggage will be lost and never reunited with its owner. The automatic baggage sorting system also depends on this information to ensure that baggage ends up in the correct aircraft. The processing is necessary for your airline's services to you and our services to the airlines, so our processing is therefore authorised on the basis of being necessary to fulfil contractual obligations.
• Screening and search: Screening and search of hold baggage is carried out on the basis of our legal obligation, i.e. in accordance with aviation security standards, cf. Regulation (EU) 2015/1998, cf. Regulation No. 750/2016 on aviation security. The registration of baggage search is for the purpose of informing the airline and ground handling company servicing the passenger about the search.

How long do we retain your data?

• Baggage sorting: Data is retained for a maximum of 72 hours from the flight departure.
• Screening and search: X-ray search data is retained for less than 24 hours. Data on baggage search is retained for three months.

Do we share your data?

• Baggage sorting: The baggage system’s service provider, Beumer, has access to data.
• Screening and search: We share information about baggage search with your airline and its ground handling company.

Where do we store your data?

• Data is stored on web servers located within the European Economic Area (EEA).

Who is responsible for the use of the data?

• Baggage sorting: The airlines
• Screening and search: Isavia.

What data do we collect and use? When passengers book parking lots at KEF, the following information is recorded: Name, surname, telephone number, e-mail address and licence plate number. You can also choose to share your flight number or enter the estimated time of your entry and exit.

When passengers book Premium Parking, the following information is also recorded: Flight information (date and time of arrival, date and time of departure, and flight number). Furthermore, if you book Premium Parking, we will take photos of your vehicle. If someone other than you picks up the vehicle, we will also record their contact details.

Why do we collect this data, and on the basis of what authorisation? We process personal data in order to provide you with the services you are requesting, i.e. to fulfil our contract with you for the services.

We process your licence plate in several ways; for the vehicle to enter or exit a parking lot, a photo of the licence plate is taken to see whether a parking space for the vehicle has already been booked. In general, this doesn't matter, but when parking lots are full, this is used to prevent vehicles from entering a parking lot without finding a free parking space. We also use the data to count vehicles in a parking lot at any given time to gain a better overview of our operations.

Keflavik Airport may process the personal data of guests for marketing purposes. Once you have booked a parking space at Keflavik Airport, we can use your personal data to send you newsletters, inform you if you have not completed the booking process or keep you informed about relevant products and services offered by Keflavik Airport. By analysing your personal data, we can send you personalised content that are appropriate for you. For example, if you have booked parking several times a year, we may send you an offer for new service components. We base this processing of your personal data on your consent. If you do not want Keflavik Airport to use this personal data for these purposes, you can always opt out of this processing of your personal data by using the relevant link in the newsletter to unsubscribe.

How long do we retain your data? The information you share when booking is deleted four years after you use Keflavik Airport’s parking services.

If you receive a newsletter from us, we will process your e-mail address until you unsubscribe. We will provide an option to unsubscribe in each newsletter.

Do we share your data? We share data with our data processor, AeroParker. We share data about your booking with our data processor Autopay Technologies to know if there is a reservation for your licence plate number. We share data about rental vehicles with Stefna ehf. for intermediation purposes.

Where do we store your data? Data is stored on web servers located within the European Economic Area (EEA).

We are the data controllers for electronic surveillance via CCTV cameras in the terminal.

The main purpose of electronic surveillance is security, asset protection, and aviation security. However, the resulting footage may also be used to monitor the utilisation of structures and for their potential development and modification. Video footage may also be used for personnel training. When footage is used for purposes other than security, asset protection, and aviation security, efforts are made to make individuals non-identifiable. Our authorisation for the processing of personal data resulting from electronic surveillance is based on our legal obligations, including for the purpose of aviation security, and our legitimate interests in providing security and protecting assets, furthering the development of the airport, improving services and training personnel.

The footage is accessible to a small group of staff members. Our data processor Dallmeier may be granted restricted access for error detection and updates. Footage containing information on accidents or criminal offences may be handed over to the police. Footage may also be provided to an insurance company if necessary due to an insurance claim.

When processing video footage from the surveillance, individuals who have passed through the surveillance area and their actions are usually visible.

You have the right to view footage where you can be identified. You also have the right to obtain a copy of such footage, provided that it does not impair the rights and freedom of others.

Footage is retained for 30 days, except in limited cases where a longer retention period is permitted by law.

Note that other operators in the airport may also use electronic surveillance in their operations. Their electronic surveillance is not our responsibility.

Data provided by you

You may directly or indirectly provide us with your personal data when you use any of our services through our website or contact us via our web portals. This information may include:

• Contact information: Name, address, email address, telephone number, etc.
• Payment information: Credit and debit card information

Data we collect about you

When you use our services (e.g., booking a parking space or receiving flight notifications via social media), we may collect the following information:

• Contact information: Name, email address, phone number, etc.
• nformation on goods and services: Information about the goods and services you purchase from us
• Financial information: Negative payment remarks, if applicable
• Historical information: Purchase, payment, and credit acceptance history
• Information about interaction between you and Isavia: Interaction via Isavia's website
• Device information: IP address, language settings, browser settings, time zone settings, etc.
• Geographical information: Your geographical location

Cookies

Name

Purpose

Google Analytics

_ga

_gat

_gid

nmstat

These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information anonymously, including the number of visitors to the website and blog, where visitors have come to the website from, and the pages they visited.

Accessibility settings

userstyles

Cookies used to configure the best accessibility settings for the web for users with reading difficulties, e.g. dyslexia and visual impairment.

Siteimprove

siteimproveses

nmstat

sz_notrack

Cookies used to help the website perform as best it can, for example by improving accessibility, SEO, content quality, and security issues. 

Facebook Advertising

fr

_fbp

These cookies will help deliver our advertising to users who have already visited our website when they are on Facebook or on a digital platform powered by Facebook Advertising. 

Allowing cookies is not strictly necessary for the website to work, but doing so will provide you with a better browsing experience. These cookies are allowed as the default, but you can delete or block them. If you do so, some features may not work as intended. If you indicate your approval by clicking ‘I understand’ on the cookies banner, we will receive all cookies from the website.

All data collected by Isavia is used to perform and improve the company's customer service. In this way, we collect necessary data to enter fulfill contractual relationship or to respond to your inquiries.

Isavia does not share personal data with unauthorized parties. In some cases, data is shared if necessary for a specific data processing and then only for the purpose specified.

Isavia stores your data securely in accordance with its procedures for each processing activity.

The duration for which we keep your information varies:

• Isavia is subjected to law No 77/2014 on Public Archives and must preserve all documents which shall be archived for 30 years, after which they are submitted to the National Archives. This includes for example Freedom of Information enquiries and all queries received through our web portals.
• Other personal data is stored only as long as necessary and then deleted in accordance with Isavia's internal procedures.

According to data protection law you have the right to know about and access any personal data that we may retain about you, as well as to receive information about the processing of such data. You may also, in some cases, have the right to:

• Withdraw your consent
• Rectify personal data
• Have your personal data deleted
• Object to the processing of personal data
• Restrict the processing of personal data
• Transfer your personal data to a third party

If you request access to personal data that is being processed by Isavia or its subsidiaries, you'll need to sign in with your electronic certificate here in the authentication portal and fill out a request for your personal data. Click here to log in.

We are subject to the Public Archives Act and are prohibited from altering or destroying data retained under the Act without the permission of the National Archives of Iceland. However, individuals may have the right to have their data rectified and to have their comments stored with them.

You also have the right to file a complaint with the Icelandic Data Protection Authority about the processing of your personal data. In the event of a dispute over the handling of your personal data, you can submit a complaint to the Icelandic Data Protection Authority. Further information may be found at personuvernd.is.

Isavia ohf. is the data controller for the processing of personal data carried out on its behalf.

Isavia ohf. is located at Leifur Eiríksson Air Terminal, 235 Keflavik Airport.

Isavia's main telephone number is 424-4000 and the e-mail address is [email protected].

Inquiries, comments and suggestions regarding personal data and privacy can be sent to [email protected].

Isavia has adopted an information security policy, carried out risk assessments and taken appropriate security measures to ensure the security of the company's information systems. The company’s information security policy can be found here.

In the event of an incident concerning the handling of personal data, an incident report must be submitted. The report form can be found by clicking here.

You can contact Isavia’s Data Protection Officer by sending an e-mail to [email protected].

You also send a letter to Isavia by post, in which case the envelope must be addressed to the Data Protection Officer.