Norðurál’s Personal Privacy Rules

Service suppliers, applicants and other external parties


Norðurál (also referred to as “the company” and “we“) is committed to ensuring the reliability, confidentiality and security of personal information processed within the company. These privacy rules cover the staff of service suppliers from whom the company purchases services and other persons who enter Norðurál’s business premises in Grundartangi, as well as those persons who apply for jobs with the company (hereafter collectively referred to as “you“).

These privacy rules are intended to inform you about what personal information the company collects, how the company uses such personal information and who gets access to the information.

Norðurál means both Norðurál Grundartangi ehf. and Norðurál ehf.

If you are unsure about how the Privacy Policy applies to you, please contact your Human Resources Manager for more information. Contact information for the head of personnel services can be found at the end of the rules.

Purpose and legal obligation

Norðurál strives to comply with all aspects of personal protection legislation, and these rules are based on Act no. 90/2018 on personal protection and processing of personal information.

What is personal information?

Personal information in the sense of these rules is any kind of information about an identified or identifiable person, i.e. information that can be traced directly or indirectly to a specific person. Data that is not personally identifiable is not personal data.

Personal information that Norðurál collects and processes about you

Different personal information may be collected, depending on the nature of your relationship with the Company.

A. Service provider staff

The following is information that Norðurál works with about service supplier personnel who work for the company:

  • contact information such as name, email address and phone number; and
  • Social Security number.

For the staff of service suppliers who work within Norðurál’s business area in Grundartangi, the following information is also processed:

  • passport photo;
  • signing on receipt of training, such as on electronic monitoring;
  • worksheets and/or time sheets;
  • footage from security cameras;
  • access information and information about presence in the activity area;
  • information about purchased meals at a canteen,
  • attendance registration for security courses, and
  • as the case may be, information about work accidents or other safety anomalies.

As a general rule, Norðurál collects personal information directly from the service supplier’s staff or another contact at the relevant service supplier. In cases where personal information is obtained from a third party, the company will endeavor to provide information about this.

B. Individuals who visit Norðurál’s activity area

The following is information that the company works with about external parties visiting Norðurál’s activity area in Grundartangi:

  • contact information such as name, company, phone number, arrival and departure times; and
  • footage from security cameras.
C. Job applicants

In principle, Norðurál works with the following information about applicants:

  • contact information, such as name, social security number, address, phone number and email address;
  • job applications, recommendations and information from job interviews; and
  • information about education, training and work experience.

For applicants who progress to an interview, Norðurál also collects the following information, as applicable:

  • information on driver’s license and machine license; and
  • information about clean criminal record or not.


In addition to the above-mentioned information, Norðurál may also collect and process other information that the applicants themselves provide to the company (e.g., marital status).

In principle, Norðurál collects personal information directly from applicants. In cases where personal information is obtained from a third party, the company will endeavor to inform applicants of this.

In addition to the above-mentioned information, Norðurál may also collect and process other information that you may provide to the company, such as e-mails to Norðurál and account information and information that is necessary for the company’s operations.

Norðurál will endeavor to preserve personal data as necessary based on the purpose of the processing, unless otherwise permitted or required by law.

Information about the work of the service provider’s people that is processed for security at work (security cameras and access controls) is retained for up to 90 days. Contact information is retained as long as the relevant employee works for the service supplier. The same goes for passport photos. In addition, information about work accidents is generally not kept longer than 20 years from the accident, unless necessary. Accounting data is kept for 10 years due to Norðurál’s analytical needs. Information about applicants is kept for 6 months from the end of the recruitment process. If it is a general application, the application is kept for 6 months from the last update of the application. In the event of employment, information is stored in accordance with the privacy policy of the company’s staff. Other information that the company may work with is kept as long as there is a legitimate reason.

Why do we collect personal information and on what basis?

Norðurál undertakes that all processing of personal data is legal, fair and transparent. Information will only be collected for specific, specific and legitimate purposes and that collection and processing do not go beyond what is necessary based on the purpose of the processing. Processing shall in all cases be sufficient, appropriate and limited to what is necessary for the purpose of the processing.

The contact information of the service supplier is necessary for the company based on the contract, since the company cannot fulfill its obligations based on the contract with the service supplier except to be able to communicate with his staff.

Information about purchased meals in the canteen is also processed on the basis of a contract, i.e. so that Norðurál can send the relevant service supplier an invoice.

Other information is processed on the basis of the company’s legitimate interests, for security and property protection purposes. This applies to access and attendance records, which have the purpose of allowing the company to have an overview of everyone who works within the company’s area of activity at any given time, as well as the processing involved in keeping track of who has attended security courses. Attendance records are also used to compare timestamps with invoices, whether work by quote or hourly work. Furthermore, passport photos are kept to be able to identify service supplier personnel. Camera surveillance is also used for security and asset protection purposes based on the company’s legitimate interests.

Information obtained on the basis of security considerations is necessary so that the company can fulfill its obligations towards service suppliers, employees as well as others who may be within the company’s activity area if the area has to be evacuated. As well as to ensure that everyone who works within the activity area knows the area and the safety and environmental rules that apply within the company’s activity area.

Information about applicants is processed for the purpose of assessing the applicant’s suitability for a specific job and to assess whether a contract should be concluded with that person. The processing is therefore carried out on the basis of the applicant’s request to conclude a contract with Norðurál. In terms of the processing of information about the content of criminal records, the processing is also based on Norðurál’s legitimate interests.

In cases where the collection and processing of personal information requires the consent of the applicant, the person concerned is always permitted to withdraw such consent. All communications in connection with such withdrawal or change in the content of the consent shall be directed to the Head of Human Services.

In addition, Norðurál may in some cases process personal data on the basis of legal obligations, such as labor legislation and tax legislation. Examples include information about work-related accidents and other safety anomalies.

Disclosure to third parties

Norðurál may pass on your personal information to consultants, other contractors and other third parties due to their work for the company in connection with a contract or employment process. The company may also give access to the personal information that Norðurál processes about you to third parties who are in charge of the company’s IT affairs. Does this apply to the time records of the service supplier’s staff? Also, certain computer systems of the company, where information about service supplier personnel is processed, are hosted and operated by Norðurál’s parent company, Century Aluminum, in the United States. These third parties appear as so-called processors and they are bound by contract with Norðurál to maintain confidentiality and protect the security of the personal information they handle on behalf of the company.

Third parties who provide us with services according to the above may be located outside of Iceland. Norðurál will not share personal information outside the European Economic Area unless this is permitted on the basis of relevant personal protection legislation. All transfers to Norðurál’s parent company are based on the standard contract terms of the European Commission.

Finally, personal information about you may be provided to the extent permitted or required on the basis of relevant laws or regulations, such as to the Norwegian Labor Inspectorate in the event of a work-related accident. Your personal information may also be disclosed to third parties in response to legal action such as search warrants, subpoenas or court orders. Delivery may also be necessary in an emergency or to ensure the safety of Norðurál’s staff or third parties.

How is the security of personal information guaranteed?

Norðurál strives to take appropriate technical and organizational measures to protect personal information, with particular regard to its nature. These measures are intended to protect personal information against accidental loss or alteration and against unauthorized access, copying, use or disclosure.

Changes and corrections of personal information

It is important that the personal information that the company works with is both correct and relevant. It is therefore important that you are notified of any changes that may occur to your personal information while working for the company.

The service supplier must inform Norðurál when its employees leave the company.

The staff of the service supplier have the right to have their unreliable personal information corrected. Taking into account the purpose of processing personal information, employees shall have the right to have incomplete personal information about them completed, including by submitting additional information.

Your rights regarding the personal data processed by the company

You have the right to be confirmed whether or not we process personal information about you, and if so, you can request access to the information and information about how the processing is done. You may also have the right to receive a copy of the information. Under certain circumstances, you can ask the company that we send information that you yourself have provided to us or that you have provided directly to a third party.

In certain circumstances, you can request that personal data about you be deleted without delay, for example when the retention of the information is no longer necessary based on the purpose of the processing or because you have withdrawn your consent to the processing of the personal data if there is no other basis to that processing.

In cases where the collection and processing of personal information requires the consent of the service supplier’s staff, the person concerned is always entitled to withdraw their consent. All communication in connection with such withdrawal or change in the content of the consent must be directed to the purchasing department or the Head of Human Resources Services.

If you do not want your information to be deleted, for example because you need it to defend against a claim, but still want it not to be further processed by the company, you can request that its processing be limited.

However, your right to delete personal data is not without priority. Thus, laws or regulations may authorize or oblige the company to refuse a request for the deletion of personal information.

Please direct all requests for erasure and/or restriction of processing to the Head of Human Resources Services who can also provide you with further information about your rights.

When individuals exercise their rights based on the Personal Protection Act, the company processes basic information for the purpose of identifying the person and responding to the request. If a person requests access to personal information that can be found in data that also contains information about a third party, the person’s request may be forwarded to the relevant third party for the purpose of requesting the person’s consent for access to the data to be granted.

Inquiries and complaints to Personal Protection

If you want to use the rights described above, or if you have any questions regarding the rules or the way the company processes your personal data, please contact the head of the department of personnel services cf. contact information below.

If you are dissatisfied with the company’s processing of personal information, you can send a message to Personal Protection ( ).

Contact information

We have designated the Head of Human Resources to oversee the enforcement of this Privacy Policy. Below you can find his contact information:

Email address:

As mentioned above, these rules refer to Norðurál ehf. and Norðurál Grundartangi ehf. as Norðurál. The companies also, depending on the circumstances, appear as joint responsible parties, for example with regard to IT services.

Contact information of the companies:

Norðurál ehf.
Skógarhlíð 12
105 Reykjavík

Norðurál Grundartangi ehf.
301 Akranes


Norðurál may from time to time change these privacy rules in accordance with changes in relevant laws or regulations or due to changes in the way the company processes personal information. If changes are made to these privacy rules, an updated version of the rules or such will be announced on the company’s website.

Any changes that may be made to the rules take effect after the updated version has been presented on Norðurál’s website.

These privacy rules were established on July 10, 2018. These revised and updated privacy rules were then published on November 29, 2022.