Fara í efni

Brimborg Privacy Policy

Brimborg's Privacy Policy

This Privacy Policy describes how Brimborg ehf., ID no. 701277-0239 Bíldshöfði 6, 110 Reykjavík manages the collection, registration, processing, storage, and sharing of personally identifiable information about their clients and individuals who communicate with the company in one manner or another, e.g. by visiting operating stations, by other communication means, or by visiting the company’s website and other as listed below, whether the personal information is stored electronically, on paper or by other means. References are made to the Privacy Policy on other of Brimborg’s websites.

The statement is accessible on Brimborg’s website, www.brimborg.is. Brimborg processes all personal information in accordance with current Personal Data Protection Act in effect in Iceland at any given time, as well as the relevant provisions contained in the EEA Agreement. The Act covers, e.g., the processing, storing and sharing of personal information.

Personal data protection is important to Brimborg
Strong personal data protection is extremely important to Brimborg, and we recognise the importance of respecting the rights of our clients, as well as ensuring that all handling of personal data remains in compliance with applicable regulations at any time and in accordance with the best practices of comparable bodies.

What personal information does Brimborg collect, and what is the purpose of the collection?
Brimborg collects the following personal information about their clients:

  • Name
  • ID No.
  • Address
  • Postcode
  • Place
  • Telephone
  • E-mail address
  • Driving licence number for car rental or test driving
  • Queries made about vehicles, services, car rental, spare parts, tires, and other products.
  • Communication history regarding queries
  • Compliments, comments and complaints sent to Brimborg
  • Test driving of Brimborg’s vehicles by registration number
  • Registration numbers of vehicles bought and sold
  • Client number (identification number) and model year of sold vehicles.
  • Vehicle service history
  • Transaction history of purchases of vehicles, spare parts and services, and car rental
  • What currency is used buying and renting vehicles
  • Actual owners if the client is a legal entity
  • Information about the holder of the powers of procurement or others that represent the client
  • Information about political connections, cf. regulations on action against money laundering and the financing of terrorism
  • Information found on accepted identification cf. regulations on action against money laundering and the financing of terrorism
  • Information found in tachographs

Purpose of gathering personal information
The purpose of gathering personal information is to fulfil the statutory requirement of managing financial information on sales of products and services, follow up on queries from clients and offers to clients as well as having an overview of test driving history and guaranteeing that clients are authorised to operate the relevant vehicles. The purpose is also to be able to send information on new models, launch invitations, special offers on cars and other products and services, as well as sending quality of service surveys. In addition, the purpose is to be able to send announcements on upcoming services and recalls due to liability. Brimborg is also obligated to collect certain data in accordance to laws and regulation on action against money laundering and the financing of terrorism.

When the website www.brimborg.is is used Brimborg collects date on its use, i.e. IP address, type or version of browser used, timing and duration of the visit and which sub-pages are visited on the www.brimborg.is.website. The same arrangement applies to Brimborg’s other websites such as www.nyirbilar.brimborg.is, www.notadir.brimborg.is, www.veltir.is, www.max1.is, www.velaland.is, www.dollar.is, www.thrifty.is, www.sagacarrental.is, www.langtimaleigaabil.is, www.sendibilartilleigu.is, www. peugeotisland.is, www.mazda.is, www.citroen.is, www.ford.is, www.volvo.is, www.polestar.com and www.opelisland.is.

Camera surveillance
Shops and the operating area of Brimborg are equipped with surveillance cameras (digital cameras) and individuals that come to the premises of the company may therefore be recorded. The processing of the information collected by camera surveillance is based on the legitimate interests of the company, as the processing is carried out for the purpose of security and property protection.


Brimborg’s vehicles may be equipped with tachographs that transmit location signals. In such cases, the customer will be informed, as well as provided with further information included in the rental agreement regarding the data processing involved, its purpose and handling.

Legal grounds for processing
Brimborg collect´s and processes personal information based on the following authorisations:

  • To fulfil contractual obligations
  • On the basis of consent
  • Fulfilling the legal requirements of the company
  • To protect the legitimate interests of the company

The legitimate interests of Brimborg involve actions that are necessary to fulfil the object of the company according to its Articles of Association, attending to business relations with our customers, managing employee issues and organising the execution of the work of the company, providing access to the appropriate information systems of the company, complying with internal and external rules, documentation requirements and handling of requests, complaints and claims from third parties.

These actions are necessary to manage the company’s operations and include the need to collect and process personal information.

Processing of personal data for children
The policy of Brimborg is to not register, collect, process or store personal information for children under 13 years of age.

How long is the information kept?
Brimborg stores personal information for the time necessary to fulfil the object of the processing as described above. Brimborg stores personal information while obligated under the law and in accordance with the lifetime of vehicles. Personal information stated on invoices is stored for seven years in accordance with accounting legislation. Personal information that is collected during due diligence check in compliance with laws on action against money laundering and the financing of terrorism is stored for a minimum of five years after the contractual agreement with the client is completed or from the time the business in question was conducted.

A review of the personal data stored is performed once a year. If it becomes apparent on review of the personal data stored that Brimborg no longer requires the data for processing or due to a legal obligation to store personal information, Brimborg will stop processing and storing personal information from that time.

From whom does Brimborg collect information?
We collect personal information from clients, both individuals and legal entities and public institutions.

When does Brimborg share personal information with third parties and why?
Under no circumstances does Brimborg sell personal information. Brimborg only discloses personal information to third parties as required by law or in the case of a vehicle manufacturer or service provider, agent or contractor who is appointed by Brimborg to work a predetermined task, i.e. to fulfil service agreements and increase the quality of the vehicle manufacturer’s services. In such cases, Brimborg makes a processing agreement with the person receiving the personal information. Such agreements stipulate, inter alia, the obligation of processors to keep personal information safe and to not use it for other purposes. Brimborg also shares personal information with third parties when this is necessary to protect the company’s critical interests, such as collecting on non-payments or to fulfil the vehicle manufacturer’s notification requirements of vehicle sales.

Brimborg’s Privacy Policy does not extend to information or processing by third parties, and Brimborg has no control or responsibility for their use or disclosure. Clients of Brimborg are encouraged to familiarise themselves with the personal privacy policy of third parties, e.g. by the web hosting providers of sites that may refer to Brimborg, software companies such as Facebook, Apple, Google and Microsoft, along with the payment service you choose to use.

Rights of registered entities
Registered entities have the right to receive:

  • information on what personal information Brimborg has collected on them, its origin, as well as information on how this personal information is processed
  • access to the personal information processed about them and to request that such information is sent to a third party

It is also the right of registered entities to:

  • have personal information updated and corrected if necessary
  • have Brimborg delete personal information if there are no objective reasons or legal obligations to store such information
  • submit objections if they wish to limit or prevent the processing of their information
  • withdraw their approval that Brimborg may collect, record, process or store their personal information when the processing is based on such approval
  • receive information on whether automatic decision making is carried out, what the reasoning is behind such decision making and a review made of such automatic decision making
  • submit a complaint to regulatory bodies should they see reason to do so

If registered entities want to utilise their rights they can send a written inquiry and Brimborg requests that it be done using the following form that can be sent electronically from the website by clicking the button “Form”. Brimborg will confirm receipt of the request and will normally respond to requests within a month from receipt. In the event that it is not possible to respond within one month, a notification of the delay will be sent out within that time period.


Security of personal data and notifications of security breaches
Security during the processing of personal information is important to Brimborg, and the company has taken the appropriate technical and organisational security measures to ensure the protection of personal information in tune with its policies on security.

All Brimborg employees that are authorised to process personal information have accepted special confidentiality obligations.

In the event of a security violation involving personal information and when such violation is considered to pose considerable risk to the freedom and rights of a registered entity, they will be notified without undue delay. In this sense, a security violation is considered an event that results in personal information being lost or deleted, changed, disclosed or accessed by an unauthorised person. Please note that personal information that the party in question shares on social media, is considered public information and not under the control of the company, as Brimborg cannot control such information and is not responsible for its use or disclosure.

Further information and Data Protection Officer (DPO)
Further information on issues regarding personal information can be accessed electronically by clicking the button “Form” or posting a letter to Brimborg. Brimborg’s Data Protection Officer (DPO) is Svana Rebekka Róbertsdóttir.


Bíldshöfði 6
110 Reykjavík
d/t privacy protection

Review and revision of Brimborg’s Privacy Policy

Brimborg’s Privacy Policy is reviewed regularly and updated if necessary. The most recent update of the policy was on 20.02.2024.