Fara í efni

Brimborg Privacy Policy

Brimborg Privacy Policy

This Privacy Policy sets out how Brimborg ehf., reg. no. 701277-0239, Bíldshöfði 6, 110 Reykjavik, Iceland, handles the collection, recording, processing, storage and disclosure of personally identifiable information regarding its customers and individuals who interact with the Company in one way or another, e.g. by visiting its locations, through other means of communication, or by visiting the Company' websites as listed below, whether such personal information is stored electronically, on paper or by other means. This Privacy Policy is linked to from other Brimborg websites.

The statement is accessible on the Brimborg website, www.brimborg.is. Brimborg processes personal data in accordance with the applicable data protection law in Iceland as current at any time, as well as the relevant acts of the Agreement on the European Economic Area. The data protection law governs the processing, storage and disclosure of personal data, among other things.

We value your privacy
Brimborg places great importance on privacy, respects the rights of its customers and is committed to ensuring that the handling of personal data complies in all respects with the applicable laws and regulations at any given time, as well as the best practices of comparable entities.

What personal data do we collect and for what purposes?
Brimborg collects the following personal data about its customers:

  • Name
  • Identification number
  • Address
  • Postal code
  • Place
  • Telephone number
  • E-mail address
  • Driving license number when renting or test driving a vehicle
  • Enquires about vehicles, services, car rental, spare parts, tyres and other products
  • Communications history relating to enquiries
  • Compliments, tips and complaints submitted to Brimborg
  • Test drives of vehicles sold by Brimborg based on registration number
  • Information on vehicles purchased from Brimborg based on registration number
  • Information on vehicles rented from Brimborg based on registration number
  • Information on vehicle service history
  • Information on past purchases of vehicles, spare parts, services and rentals
  • Information about beneficial owners if the customer is a legal person
  • Information about the authority to represent and sign for legal persons
  • Information about political connections according to the requirements set out in the Act on Measures against money laundering and terrorist financing no. 140/2018.
  • Information from personal identity papers according to the requirements set out in the Act on Measures against money laundering and terrorist financing no. 140/2018.

Why do we collect personal data?
We collect personal data in order to keep a record of legally required financial information related to sales, products and services, to follow up on customer enquiries and customer test drives, and to ensure that customers are legally qualified to drive a requested vehicle. We also collect personal data in order to send out information on new vehicle models, to send out invitations to events held to introduce new vehicle models, to send out information on special offers on vehicles and other products and services, and to send out service surveys. We also collect personal data so that we can notify customers of scheduled services and vehicle recalls. Brimborg is also obliged to collect certain data according to the requirements set out in the Act on Measures against money laundering and terrorist financing no. 140/2018.

When you use the www.brimborg.is website, Brimborg collects information about the usage, including IP address, type or version of browser used, time and duration of visit, and what pages within www.brimborg.is you visit. The same applies to other Brimborg websites, including www.nyirbilar.brimborg.is, www.notadir.brimborg.is, www.veltir.is, www.max1.is, www.velaland.is, www.dollar.is, www.thrifty.is, www.sagacarrental.is, www.langtimaleigaabil.is, www.sendibilartilleigu.is, www. peugeotisland.is, www.mazda.is, www.citroen.is, www.ford.is, www.volvo.is, www.polestar.com og www.opelisland.is.

Camera surveillance
Surveillance cameras (digital cameras) have been installed in stores and premises of Brimborg and customers who visit Brimborg may therefore be recorded on camera. The processing of information collected through camera surveillance is based on the Company's legitimate interests, as the processing is carried out for security purposes and for the sake of protecting property.

Legal basis for processing
Brimborg collects and processes personal data on the following legal basis:

  • To perform a contract
  • On the basis of consent
  • To fulfil legal obligations
  • To protect the Company's legitimate interests

The legitimate interests of Brimborg include meeting the Company's objects as set out in its Articles of Association, maintaining customer relationships, managing personnel matters and organising the Company's operations, providing access to the Company's relevant information systems, compliance with internal and external rules, meeting documentation requirements and handling requests, complaints and claims from third parties.

These actions are necessary in order to carry out the Company's operations and require the collection and processing of personal data.

Collection of personal data about children
It is Brimborg's policy not to record, collect, process or store personal data about children under the age of 13.   

How long do we store your personal data?
Brimborg stores personal data for as long as necessary for the purposes set out above.  Brimborg stores personal data for as long as it is legally required and in accordance with the life of vehicles.  Personal data that appears on invoices is stored for seven years as required by the Icelandic Accounting Act. The storage of personal data is reviewed once a year. If the review of the storage of personal data reveals that Brimborg does not need to store the personal data for processing purposes or to meet a legal requirement, Brimborg will cease to process and store the data from that time forward. All personal data, which are collected in the due diligence process according to the requirements set out in the Act on Measures against money laundering and terrorist financing no. 140/2018, will be stored for at least 5 years from the time the business connection with the customer is terminated or from the time the business transaction took place.

From where do we collect personal data?
We collect personal data from customers, including both natural and legal persons, and government institutions.

When do we share personal data with third parties and why?
Brimborg does not sell personal data under any circumstances. Brimborg only discloses personal data to third parties where this is required by law or in the case of a car manufacturer or service provider, agent or contractor being hired by Brimborg to perform pre-determined work, e.g. to meet terms of service. In such cases Brimborg will enter into a data processing agreement with the party in question who receives the personal data. Such agreements include provisions that require the processor to keep the personal data secure and not to use it for any unauthorised purpose. Brimborg also shares personal data with third parties when necessary to protect vital interests of the Company, such as when collecting overdue payments or to meet the requirements of car manufacturers for notifications of vehicle sales.

Brimborg's Privacy Policy does not cover data or processing by third parties over which Brimborg has no control or responsibility. Customers of Brimborg are therefore encouraged to familiarise themselves with the privacy policies of third parties, including companies that host websites that may link to Brimborg, e.g. software companies such as Facebook, Apple, Google and Microsoft, as well as any payment service they may use.

Rights of data subjects
Data subjects have the right to:

  • receive information on what personal data Brimborg has recorded about the data subject in question and how it was collected, as well as information on how the personal data in question is processed
  • access the personal data being processed about the data subject in question or request that it be delivered to a third party

Data subjects also have the right to:

  • have their personal data updated and corrected if needed
  • have Brimborg erase their personal data if there is no objective or legal obligation to retain it
  • present objections if data subjects wish to restrict or prevent the processing of their personal data
  • revoke their consent for the collection, recording, processing or storage of their personal data by Brimborg, where processing is based on such consent
  • receive information on whether any automatic decision-making takes place and on what grounds such decision-making is based, and to review automatic decision-making
  • file a complaint with a regulatory authority

If data subjects wish to exercise their right they can request so in writing; Brimborg asks that they do so by using the following form, which can be submitted electronically through this site by clicking the "Form" button. Brimborg will confirm receipt of the request and will normally respond to requests within one month of receipt. If it is not possible to respond within a month, any delay in the response will be notified within that time.  


Security of personal data and notification of security breach
Brimborg places great importance on the security of personal data and has taken appropriate security measures to ensure the protection of personal data in line with this Privacy Policy.   

All Brimborg employees, who are authorised to process personal data, have entered into special confidentiality obligations.

In the event of a security breach concerning personal data which is considered to entail a significant risk to the liberty and rights of a data subject, the respective data subject will be notified without undue delay. For this purpose, a security breach means an event that leads to personal data being lost or destroyed, altered, displayed or accessed by an unauthorised person. Keep in mind that personal data shared by data subjects on social media is considered public information and not under Brimborg's control, as Brimborg has no control over such information and is not responsible for its use or publication.

Further information and Data Protection Officer
Further information on matters related to personal data can be obtained electronically by clicking the "Form" button or sending an e-mail to Brimborg.


Bíldshöfði 6
110 Reykjavík
re data protection

Review of our Privacy Policy
Brimborg's Privacy Policy is reviewed regularly and updated if needed. The Policy was last updated on 25.5.2022.