WHAT PERSONAL INFORMATION WE MAY COLLECT AND FOR WHAT PURPOSES
Our online shop
When you purchase a product from our online shop we first and foremost collect and use the personal information you provide to service and process your purchase order and to improve our services.
Please be aware that if you do not wish to provide us with personal information, e.g. which is necessary for the performance of a contract or which we are legally required to process, we may not be able to provide you with the product requested.
The information we may collect and process includes:
- Identification and contact information, such as name, email address, phone number, shipping and billing address.
- Payment details, such as credit card number, expiration date, and CVC code.
- Choice of shipping method.
- Tracking information.
- Information on your purchase that you have especially submitted to us, e.g. a gift message.
- Purchase history.
- Record of our communication and correspondence with you.
- Customer feedback and complaints.
Your personal information may be used to:
- Process your order.
- Send you status and updates on a product you have purchased.
- Carry out accounting, billing and other administrative tasks.
- Provide third party services, e.g. warehouse and courier services.
- Respond to inquiries, requests and feedback you have submitted, e.g. through our website or by email.
- Send you tracking information for your purchases.
- Improve our products and services.
- Meet legal and regulatory requirements.
The processing of contact information, payment details, choice of shipping method and tracking information is based on contractual requirements.
The processing of communication and correspondence with you, customer feedback and such can be based on contractual requirements, your consent, our legitimate interests of ensuring good services or our legitimate interests of processing requests concerning the rights of individuals. Whenever we process personal information based on your consent, you may withdraw your consent at any time.
The processing of your personal information is in some cases also based on legal requirements, e.g. the applicable Accounting Act.
Blue Lagoon Skin Care Club and inquiries sent to us
If you become a member of our Blue Lagoon Skin Care Club we process your contact information for the purpose of communicating with you. We may use your personal information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. The personal information is processed based on your consent.
When you send us requests, inquiries, complaints or feedback we process your contact information as well as the information you send us in order for us to respond. Personal information is processed based on your consent or our legitimate interests.
You will not receive any communication from us that is unsolicited or not related to a product that you have purchased or inquired about.
When processing is based on your consent you have the right to withdraw your consent at any time without affecting the lawfulness of the processing based on your consent before its withdrawal. You can write to us at firstname.lastname@example.org with “Privacy” in the subject line and withdraw your consent. Each marketing communication sent to you via e-mail will also provide you with the option to unsubscribe from receiving any further marketing material from us.
Additional use for analysis and market research
We may use pseudonymized or anonymized information generated from your personal information to carry out analysis and market research so that we can understand how to improve the products and services we offer and make sure that our products meet the needs of our customers. The personal information is processed based on our legitimate interests to improve our products and services.
PRESERVATION OF YOUR PERSONAL INFORMATION
Your personal information will be kept for the duration needed to be used in conformity with the original purpose of its collection unless otherwise necessary to comply with legal requirements. In some cases, for example, your personal information may be stored for seven years from the closure of the accounting year in question in accordance with Article 20 of the Icelandic Accounting Act No. 145/1994.
SHARING OF PERSONAL INFORMATION WITH THIRD PARTIES AND WITHIN THE BLUE LAGOON GROUP
We may share personal information with third parties (e.g. data processors) to facilitate our services, provide requested services on our behalf and/or to assist us in analyzing our services and products. For example, we share personal information with our partner who provides us with marketing and customer care support. Our warehouse partner and its courier services also have selected access to your personal information for delivery purposes only. Personal information might also be shared with third parties who supply us with information technology services, cloud services and payment services.
These third parties have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purposes. These third parties may be located outside of Iceland. However, we will not transfer personal information outside the European Economic Area unless permitted by applicable privacy legislation, such as based on standardized contractual terms, your consent or a notice issued by the Data Protection Authority listing states granting personal information adequate protection.
Your personal information may be shared within the Blue Lagoon group, with Blue Lagoon Ltd., as Blue Lagoon Ltd. might provide us with certain services, such as IT support, accounting services, sales and marketing support.
We do reserve the right to disclose your personal information when required to do so by law, subpoena or a court order, or by the reasonable requests of law enforcement or a government entity. We also reserve the right to disclose your personal information to our legal representatives to uphold our legal rights as a business or the rights of our employees.
Any disclosure of personal information by us to a third party will only be made on a confidential basis.
Payment transactions are operated through our partner Adyen. Payment transactions are safeguarded at all times. They are PCI DSS (Payment Card Industry Data Security Standard) certified to ensure safe transactions of payment card information. Our websites are secured with SSL certificates with the highest level of encryption and security. SSL stands for Secure Sockets Layer and provides secure, encrypted communications between a website and an internet browser.
Personal information is stored and managed in-house or by third parties who must comply with privacy laws and regulations and carry out appropriate security safeguards in order to protect against leakage, loss and damage of information.
In case of a personal data breach, we will without undue delay and not later than 72 hours after becoming aware of it, notify the personal data breach to the Icelandic Data Protection Authority, unless the personal data breach is unlikely to result in a risk to your rights and freedoms. When the personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the personal data breach to you without undue delay unless otherwise stated by law.
YOUR RIGHTS REGARDING PROCESSING OF YOUR PERSONAL INFORMATION – WITHDRAWAL OF CONSENT
You have the right to access your personal information at all times and to have the information corrected if inaccurate or incorrect. You have the right to restrict processing concerning your personal information if you contest the accuracy of the information. The processing may be restricted for a period enabling us to verify the accuracy of the information. You also have the right to restrict the processing of your personal information if the processing is considered unlawful or if we no longer need the information for the purposes of processing but you don’t want the information erased.
If the processing of your personal information is based on our legitimate interests, you also have the right to object to such processing. You have the right to object at any time to the processing of your personal information to the extent that it is related to direct marketing purposes.
You have the right to have personal information erased if the information is no longer necessary in relation to the purposes for which it was collected, you have withdrawn your consent on which the processing is based or your information has been unlawfully processed. An exception to this shall be made if personal information is required to be kept in accordance with law, e.g. the applicable Accounting Act.
You have the right to transfer personal information concerning you, which you have provided to us, to another party when the processing has been based on your consent and the processing is carried out by automated means. This right shall however not adversely affect the rights and freedoms of others.
We may require you to provide an appropriate proof of identity if you make a request in accordance with the aforementioned, e.g. a copy of a government issued ID, such as your passport or driving licence and your signature.
We do not intentionally collect personal information from minors (children under 13). If a minor has provided us with information, a parent or guardian of the minor should contact us and we will remove the information from our database immediately.
You have the right to lodge a complaint to the Icelandic Data Protection Authority (Persónuvernd), Rauðarárstígur 10, 105 Reykjavík, Iceland (www.personuvernd.is) if you disagree with our processing of personal information. You are also entitled to submit a complaint to a data protection authority in the member state of the European Economic Area where your habitual residence is or your place of work.
15th July 2020