VENTURE LEGAL EHF.‘S PRIVACY POLICY

INTRODUCTION
Venture Legal ehf., reg. no. 440124-2160 (the “Company”) has resolved to ensure the reliability, confidentiality and security of all personal data that is processed within the Company.
This Privacy Policy applies to personal data relating to individuals who are the Company’s clients, individuals who contact the Company, contacts representing legal entities in business with the Company, as well as other contacts (“Data Subjects“).
This Privacy Policy is intended to inform Data Subjects about what personal data the Company collects, how the Company uses such personal data and who has access to the data.
If a Data Subject is unsure of how this Privacy Policy concerns the Data Subject, please contact Höskuldur Eiríksson (hoskuldur@venturelegal.is), the Company’s Privacy Supervisor, for more information.

1. PURPOSE AND LEGAL REQUIREMENTS
The Company seeks to comply with all applicable privacy legislation and this Privacy Policy is based on the Act on Data Protection and the Processing of Personal Data no. 90/2018 (the “Data Protection Act”).

2. WHAT CONSTITUTES PERSONAL DATA?
Personal data within the meaning of this Privacy Policy is any data about a personally identified or a personally identifiable person, i.e. data that can be directly or indirectly attributed to a particular indi-vidual. Data which is not personally identifiable does not constitute personal data.

3. DATA SUBJECT’S PERSONAL DATA WHICH THE COMPANY PROCESSES
The Company collects and store various personal data about Data Subjects. Different types of personal data may be collected about Data Subjects depending on whether they are clients of the Company or whether the Data Subject represents a legal entity which is a client of the Company.
Where the Data Subject is a client which is an individual, the Company collects the following data on the Data Subject:

(a) contact information, such as name, address or place of stay, phone number and email address;
(b) identification number;
(c) information from our communication with the Data Subject;
(d) bank account information, including information on VAT number and special instructions relating to invoicing.

When Data Subject is a legal entity, the Company collects specific information regarding the repre-sentatives of such parties, in particular:

(a) contact information, such as name, phone number and email address; and
(b) communication history.

The Company may also obtain information regarding politically exposed persons within the meaning of the Act on Measures against Money Laundering and Terrorist Financing No. 140/2018 (“Money Laun-dering Act”). Politically exposed persons are natural persons, domestic or foreign, who have been en-trusted with prominent public functions, together with their immediate family and close associates.

In addition to the above data, the Company may also collect and process other data with which Data Subjects or representatives/contacts of Data Subjects provide the Company themselves, as well as data that the Company processes for its activities, including its main activities, which is the provision of legal services. The data is processed primarily in order to be able to fulfil formal and informal service agreements with the Company’s clients and to perform any other duties resulting from the Company’s service to clients, but also on the basis of our legitimate interests of ensuring that clients receive good service. Also, data may be processed on the basis of a legal obligation, irrespective of the services the Company has undertaken to provide to its clients, e.g. obligations relating to rules on money launder-ing or accounting laws.
As a general rule, the Company receives personal data directly from a Data Subject or a Data Subjects’ representative. However, data may also come from third parties, such as Creditinfo, Keldan, public au-thorities, courts, service providers to Data Subjects, counterparties and other lawyers. Personal data may also be collected online, from various websites, social media and databases. If personal data is re-ceived from a third party in other instances, the Company will endeavour to notify its Data Subject thereof.
Data on Data Subjects and representatives/contacts of Data Subjects processed for the purpose of ini-tiating business are stored for 4 years from the end of business or, in case of a long-term business re-lationship, from the end of the business relationship. Data covered by the Accounting Act are stored for 7 years from the end of the relevant fiscal year. As a rule, data concerning the Company’s actual legal services will be stored for longer, as their processing may prove necessary for establishing, maintaining or defending legal claims. In that case, the retention period is subject to rules on the expiration of claims that may generally take a maximum of 14 years. However, the data may be deleted earlier for operational efficiency.

4. PROCESSING OF INFORMATION OF OTHERS WHO CONTACT THE COMPANY OR VISIT THE COM-PANY’S WEBSITE
When individuals contact the Company, the Company generally processes the individual’s contact data and communication history with the Company.
When individuals visit the Company’s website, the Company may process specified data which is col-lected via cookies. The Company only uses necessary cookies, based legitimate interests. Non person-ally identifiable data is also collected on the website‘s traffic.

5. DIRECT EMAIL
The Company may send newsletters and invitations to events and courses organized by the Company to its clients, client contacts and others who have registered to the Company’s mailing list. The pro-cessing of e-mail addresses for such purposes is based on the Company’s legitimate marketing inter-ests and helps us ensure that client’s experience great quality service.
If a Data Subject does not wish to be on the Company’s mailing list, the Data Subject can unsubscribe by sending an email to venturelegal@venturelegal.is or by pressing the unsubscribe button in the email.

6. SHARING DATA WITH THIRD PARTIES
The Company may share Data Subject’s personal data with third parties, such as in connection with their contractual relationship with the Company, or in relation to the legal services provided to Data Subjects or the client which Data Subjects represent. For example, data about a Data Subject may be shared with a debt collector for the collection of debts or to other third parties, such as an external adviser or con-tractor, in connection with counsel given to the Data Subject or the protection of a Data Subject’s inter-ests.
A Data Subject’s personal data may also be delivered to a third party to the extent permitted or re-quired on the basis of applicable laws or rules, such as to public authorities, the courts, counterparties in a dispute, witnesses, partners of a Data Subject or other invested parties, and in order to respond to legal measures such as a house search, subpoenas or a court order.
Also, personal data might be shared with third parties who supply the Company with information tech-nology services and other services related to processing and which form part of the Company’s activi-ties.
These entities may be located outside of Iceland. However, the Company will not transfer personal data outside of the European Economic Area unless permitted by applicable privacy legislation, such as based on standard contractual clauses, your consent or a notice issued by the Icelandic Data Protection Authority (Persónuvernd) listing countries which ensure an adequate level of data protection.

7. HOW IS DATA SECURED?
The Company seeks to take appropriate technical and organizational measures to protect personal da-ta with particular regard to their nature. These measures are intended to protect personal data against being lost or changed by accident and against unauthorized access, copying, use or dissemination.

8. CHANGES AND CORRECTIONS TO PERSONAL DATA
It is important that the personal data processed by the Company is both accurate and appropriate. Therefore, it is important that the Company is notified of any changes that may occur to a Data Sub-ject’s personal data.
A Data Subject has the right to have unreliable personal data about it corrected. Taking into account the purpose of the processing of a Data Subject’s personal data, the Data Subject also has the right to have incomplete personal data completed, including by submitting additional information.

9. A DATA SUBJECT’S RIGHTS CONCERNING THE PERSONAL DATA PROCESSED BY THE COMPANY
Data Subjects have the right to obtain confirmation on whether the Company processes personal data about them or not, and if so, the Data Subject may request access to the data and how it is processed. Data Subjects may also be entitled to a copy of the data. In certain circumstances, Data Subjects may request from the Company that the Company sends data which Data Subjects have provided the Com-pany with or that originates with a Data Subject, directly from a third party.
Under certain circumstances, Data Subjects may request that their personal data be deleted without de-lay, e.g. where retention of the data is no longer necessary in light of the purpose of the processing or because a Data Subject has withdrawn its consent for the processing of the personal data and the pro-cessing is not based on any other legal basis. If the processing is based on a Data Subject’s consent, it may at any time withdraw such consent.
If Data Subjects do not want to have their data deleted, e.g. because it needs it for its defence against a claim, but the Data Subject nevertheless does not want it to be processed further by the Company, it may request its processing to be limited.
If the processing of a Data Subject’s personal data is based on legitimate interests of the Company, the Data Subject also has the right to object to such processing.
The above rights of Data Subjects are not absolute. Thus, laws may obligate the Company to reject a request for deletion or access to data. In addition, the Company may reject a Data Subject’s request in due to the Company’s rights, such as on the basis of intellectual property rights or the rights of other parties, such as to privacy, if the Company considers these rights to prevail.
In case of a situation where the Company cannot meet a Data Subject’s request, the Company will seek to explain why the request was rejected, subject to any limitations on the basis of legal obligation.

10. INQUIRIES AND COMPLAINTS TO THE DATA PROTECTION AUTHORITY
If a Data Subject wishes to exercise the rights described in Article 8-9 of this Privacy Policy, or if a Data Subject has any questions regarding this Privacy Policy or how the Company processes its personal da-ta, please contact the Company.
If a Data Subject disagrees with the Company’s processing of personal data, it may submit a communi-cation to the Data Protection Authority (www.personuvernd.is).

11. AMENDMENTS
The Company may from time to time amend this Privacy Policy to align with amendments to the Data Protection Act, regulations or changes in how the Company processes personal data.
Any amendments to this Privacy Policy shall become effective after an updated version has been pub-lished on the Company’s website.
This Privacy Policy was approved on 31 January 2024.