LSR collects various categories of personal data as necessary in accordance with its role and legal obligations, including Articles 9 and 11 of the Icelandic Data Protection Act, the Act on Pension Funds, and the Act on LSR. LSR does not engage in automated decision-making.

Examples of personal data collected by LSR include:

• Name
• Email address
• Telephone number
• National ID number
• Home address
• Marriage certificate
• Salary information
• Employer
• Bank account number
• Pension entitlement information
• Collection and payment information
• Withholding tax information
• Information on assets, liabilities, and pledges
• Transfer information
• IP addresses
• Signatures

LSR also collects the following specific categories of personal information data:

• Health information
• Nationality
• Union membership

The purposes of processing include:

• Fulfilling statutory duties and the role of the pension fund
• Communicating with other pension funds
• Responding to inquiries, requests, and complaints
• Managing loan activities
• Conducting analyses

When the website (www.lsr.is) is used, information is collected about the user's visit, including IP address, browser type or version, timing and duration of the visit, and which subpages are viewed. Here you can find information on cookies. 

LSR collects and processes personal information on the basis of the authorisations provided in the Data Protection Act:

• To fulfil contractual obligations
• To fulfil legal obligations
• Based on consent
• To protect the vital interests of fund members
• To protect the legitimate interests of the fund. 

LSR does not register, collect, process, or store personal data on children under 13 years of age unless necessary for the correct payment of spousal or child pensions.

LSR retains personal data for as long as necessary to fulfil the original purpose of processing or as required by law. Data relating to members is kept only as long as needed for LSR to perform its statutory duties.

LSR collects personal data from members, employers, public authorities, and other pension funds.

LSR does not, under any circumstances, sell personal data. LSR only discloses personal data to third parties with consent or where such disclosure is required by law.

LSR is permitted to disclose personal data to a third party (a processor) if the party in question is a service provider, agent, or contractor engaged by LSR to perform predefined tasks. In such cases, LSR enters into a data processing agreement with the party receiving the personal data. These agreements stipulate, among other things, the processor’s obligation to keep the personal data secure and to not use it for any other purpose. LSR also shares personal data with third parties when necessary to protect the fund’s vital interests, such as in the collection of overdue claims.

Personal data may also be shared with other pension funds when applicable, based on the member’s consent, to streamline case handling—e.g., when a member holds pension rights in more than one pension fund and applies for payment or division of rights. LSR does not transfer or store personal data outside the EEA or in countries that are not considered safe according to the Icelandic Data Protection Authority.

Members shall have access to the personal data that LSR processes about them and to the origin of that information. A request for access to personal data must be submitted by email or in another written form, and LSR will ensure adequate identification of the individual before processing the request or releasing any data.

The rights of members under the Data Protection Act are as follows:

• The right to have personal data updated and corrected if necessary
• The right to have LSR delete personal data if there is no substantive or legal obligation to retain it
• The right to object if a member wishes to limit or prevent the processing of their personal data
• The right to withdraw consent for LSR to collect, record, process, or store personal data when processing is based on that consent
• The right to request that the data be sent to other service providers under certain circumstances
• The right to obtain information on whether automated decision-making takes place, on what grounds such decision-making is based, and to request a review of any automated decision-making, should it occur
• The right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) if the member deems it necessary

A member wishing to exercise their rights may send a written request to personuvernd@lsr.is. LSR will confirm receipt of the request and will generally respond within one month of receiving it. If it is not possible to respond within that timeframe, the fund will notify the member of the delay.