Last Updated: October 2023
1. Introduction
Varist ehf. (referred to as “Varist”, “we”, and “us” throughout this Privacy Policy) is dedicated to safeguarding your personal data (referred to as “data”) and respecting your privacy. Varist collects and further processes personal data pursuant to Regulation (EU) 2018/1725 and the Icelandic regulation on Personal Privacy.
To contact us, refer to the contact details provided at the end of this Privacy Policy in section 17.
This Privacy Information is intended to help you better understand how we collect and process your data when you use our websites (hereinafter “Websites”), our products and services (hereinafter together “Services”), and what rights you have regarding our collection and processing of your data.
This Privacy Information also incorporates by reference the most current version of our Websites Terms of Use (available at Varist’s Website).
If you or your organization subscribe to Varist’s Services or have another agreement with Varist, the terms of that agreement may contain additional privacy-related notices or rules.
2. Responsible controllers
When you or your organization engage with us, establish, seek to establish a contract, or express interest in a job, Varist ehf. registered at Skútuvogur 2, 104 Reykjavík, Iceland with the registration number 601207-0870 is responsible for the collection and processing of data on our Websites and Services. All processing operations are carried out pursuant to the applicable law (listed in section 1).
In instances where we receive data from end users in connection with the provision of our Services, the onus for data collection and processing lies with the respective client on whose behalf we are acting, rather than Varist. Further details on this subject are available in section 4. c.
3. Changes to this Privacy Information
We will update this Privacy Information in order to address changes in our privacy practices and/or recent legal updates. We encourage you to periodically visit this page. The date of the latest update of this information is noted at the top of this Privacy Information.
4. How and why we Collect Data
a) Data provided by you
When engaging with our Websites, utilizing our Services, or reaching out to us, we may request specific information to facilitate communication, such as your name, company affiliation, job role, company address, work phone number, and email address, to name a few.
While it’s possible to navigate our websites without submitting personal data, certain applications and features necessitate data sharing. Such instances may encompass, but are not restricted to:
- Subscribing to receive marketing materials, white papers and newsletters.
- Registering and participating in online web seminars or other sponsored events.
- Using the customer area, interactive features or online tools.
- Registering and participating in trials for the use of our Services; and/or
- Submitting enquiries to us.
Your data is employed for establishing and managing your account, delivering requested marketing communications (refer to point 6), furnishing the Services you’ve requested, and responding to your inquiries. The data submitted to Varist through the Services is stored in databases that facilitate effortless return visits without re-registration. This stored data might also be used for sales and marketing initiatives. Varist retains the data you submit to enable your utilization of these features.
b) Data we collect through automatic tracking technology
When interacting with our websites, we may automatically collect certain data from your devices. This data might encompass your IP address, device specifications, operating system particulars, unique device IDs, browser type, browser language, and technical data. Additionally, we may gather information on how your device interacts with our site, including page visits and link clicks.
Varist employs automated data collection tools, like cookies, embedded web links, and web beacons, for improved content management. Cookies are small text files stored on your hard drive when visiting a website, and they don’t access files on your hard drive.
Data obtained from cookies enhances user experience by delivering tailored features or advertisements. Furthermore, this data is instrumental for marketing research, website enhancement, and improved content structure. We may also employ this data to assess our website’s technical capabilities for improvement.
Most web browsers accept cookies automatically, but browser settings can be adjusted to disable cookies. Notifications for proposed cookie installations can be enabled, allowing users to disable them. However, disabling cookies may limit access to certain features (such as Service-related offers).
Presently, collected data from cookies is processed in an aggregated manner, rendering it non-personally identifiable. Correlation with personally identifiable information may occur, but only for identification purposes, and will abide by this Privacy Information. For more information on our cookies, .
We and our service providers may use clear gifs (web beacons) to manage content on our websites, tracking effectiveness. These small, embedded graphics with unique identifiers track online user movements and offer comparable functionality to cookies. Unlike cookies, clear gifs are discreetly placed on web pages and are about the size of a period. We may link information from clear gifs to customer data.
When corresponding via HTML-capable email (e.g., marketing emails), we employ “format sensing” tech using pixel tags. These tags indicate whether an email has been received and opened, assisting in assessing communication effectiveness. Unsubscribing from these emails is possible (see point 6, “Subscribe and Unsubscribe to Newsletters”).
c) Data collection in connection with the provision of our Services
We utilize your data to grant access to Services, facilitate operational maintenance, and ensure Service efficiency. This data also aids in monitoring Service performance, enforcing our and ensuring compatibility with third-party systems/products/Services. Improving and expanding Services, assessing product/Service/feature lifecycles, conducting research, and addressing technical issues are additional uses. Statistical analysis and trend identification are part of this process.
Data Processing on Behalf of a Controller
When Varist’s enterprise clients collect or receive end user data that is subsequently made accessible through our Services, Varist processes this data on their behalf. Varist processes this data solely in line with the data processing agreement and client instructions. In such cases, Varist acts as a processor, and this processing adheres to the Privacy Policy of the responsible client, rather than this Privacy Information.
d) Further processing of your data
In general, we process data to provide, operate, maintain, enhance, and promote our Websites and Services, ensuring your use of them.
Furthermore, we reserve the right to process your data for the following purposes:
- Marketing: Occasionally contact you either by ourselves or through a third party acting on our behalf.
- Contract fulfilment: To complete or process transactions with you or your organization and to send you related information, including purchase information and invoices.
- Contact: Responding to product inquiries, requests for product information, product demonstrations or to address technical, customer service, administrative, or security-related matters.
- Analysis: To analyse statistical information and provide it to third parties without personal reference.
- Security: To investigate and prevent fraudulent transactions, unauthorized access to our Services and Websites, and other illegal activities.
- For any other purpose specified in this Privacy Information and/or our Terms of Use.
5. Additional information for the processing of applicant data
If you have applied for a job with us, the purpose of processing your data submitted to us is to properly select our new employees.
Data we receive from job applicants (such as CVs and references) are processed to evaluate the respective application and to ensure the proper selection of our new employees. We handle this data in accordance with our internal company policies, which are consistent with this Privacy Information and the applicable law.
The provision of all data is voluntary, but if you choose not to provide us with certain data, we may not be able to assess your application and as a result, you may be excluded from the application process.
The scope of the data we process depends on the data you provide in your application. Our processing may also include information we collect via third parties, such as a recruitment agency, or where we are required by law to carry out background checks to verify your personal suitability for a particular position.
If we employ you, we will process your data for the duration of the employment relationship (and beyond, if applicable, in accordance with applicable law). These periods may be reasonably extended in the event of any claims made or legal proceedings for the duration of such proceedings and their resolution. The same applies if, in certain cases, we are legally obliged to process certain data for a longer period.
6. Retention of data
We retain your data as long as needed to fulfil the purpose of collection or further processing of the information. Data might also be retained to meet legal, tax, or accounting requirements, resolve disputes, or enforce agreements.
7. How to access and control your personal data
You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular, the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. You can also make choices about the collection and use of your data by Varist. You can control your personal data that Varist has obtained, and exercise your data protection rights, by contacting Varist, via [email protected]. In some cases, your ability to access or control your personal data will be limited, as required or permitted by applicable law. How you can access or control your personal data will also depend on which Services you use and where you are resident. See sections 14, 15 and 16.
8. Disclosure of data to third parties
We collaborate with trusted service providers across various domains, including IT, marketing, human resources, sales, and CRM management, who process your data on our behalf. When required by law, we establish data processing agreements with these service providers. We are committed to ensuring your data’s security through meticulous selection and ongoing monitoring of our service providers. They adhere to comprehensive technical and organizational safeguards to protect your data and comply with relevant data protection laws. We provide clear instructions to these service providers on how to handle your data in alignment with applicable privacy regulations.
While Varist holds a steadfast commitment to safeguarding your data and does, there are specific circumstances in which data sharing may occur. These situations are managed with the utmost responsibility and security.
- Suspected Violations and Legal Compliance: If Varist reasonably suspects that you have violated our, misused your rights in relation to our Websites or Services, or engaged in actions or omissions that could infringe upon applicable laws, rules, or regulations, we may share your data with law enforcement agencies, competent authorities, and third parties. This sharing is essential to address the consequences of any wrongful actions.
- Legal Obligations and Protection: In instances where it is necessary to conform to applicable laws, court orders, legal processes, or regulatory requirements, we may disclose your data. This disclosure could be crucial for asserting our legal rights, defending against legal claims, or responding to lawful requests from law enforcement agencies or regulatory bodies. Moreover, when it’s necessary to safeguard our agents, employees, customers, or the public, we may disclose data to protect property, interests, or personal safety. In some situations, legal restrictions may prevent us from providing prior notice of such disclosures, and we reserve the right to exercise our discretion accordingly.
- Operational Changes and Partnerships: If Varist undergoes operational changes, restructures its services through alternative frameworks or legal structures, or becomes part of a merger or acquisition, your data may be shared with the new entity, provided that this entity commits to adhere to the terms outlined in this Privacy Policy.
We may share data and relevant information about your interactions with the Websites or Services with entities connected to or affiliated with Varist, such as subsidiaries, sister companies, parent companies, and service providers (including email service providers). This sharing is primarily carried out to facilitate communication on our behalf, ensuring that these entities adhere to applicable privacy regulations when utilizing the shared data.
Furthermore, Varist may transfer anonymous information to affiliated entities, suppliers, business partners, advertisers, and third parties. Such transfers are conducted while upholding the principles of data protection and privacy.
This comprehensive disclosure framework underscores our dedication to responsible and secure data-sharing practices, consistently aligning with your privacy needs and regulatory expectations. If you have any concerns or inquiries regarding our data-sharing practices, we encourage you to reach out to us using the contact information provided in section 17.
9. International transfer of personal data
As a globally operating company with a presence in numerous countries, Varist spans offices and operations across the world. This expansive reach may lead to the storage of your data not only within the European Economic Area (EEA) but also in diverse countries and territories worldwide. This strategic global approach enables us to fulfil our commitment to serving you efficiently and effectively. Consequently, data accessibility and transfers occur from various geographic locations, including those where Varist conducts its operations. It’s important to recognize that the methods of data transfer may vary based on factors such as customer location and the specific Services engaged.
To safeguard your data as it journeys across international borders, we have diligently Our foremost priority is ensuring that your data remains shielded in accordance with your expectations and the stipulations of this policy.
One of the pivotal measures we have embraced involves the deployment of the European Commission’s standard contractual clauses for the transference of personal data. These clauses have been meticulously incorporated to uphold data protection standards established by the European Union. Should you desire, we are more than willing to provide you with a copy of these standard contractual clauses upon request. This embodies our unwavering dedication to preserving the integrity and privacy of your data.
Furthermore, our commitment extends to our collaborations with third-party service providers and partners. In alignment with our steadfast approach to data protection, we have similarly introduced comprehensive safeguards in our partnerships with these entities. By implementing appropriate measures, we reinforce the security and confidentiality of your data even when it is accessed and managed by third-party entities.
10. Data processing on third-party websites
When you navigate our Websites, you may encounter hyperlinks that lead you to third-party websites. These connections can sometimes be discernible at a glance, while at other times, they might not immediately catch your attention. It’s important to note that while these hyperlinks facilitate your exploration of external websites, the responsibility for the collection, utilization, upkeep, sharing, and revelation of data and information on these third-party platforms falls outside our purview.
As advocates of your privacy, we urge you to exercise mindfulness and diligence when interacting with these external websites. Every website operates under its own set of privacy policies and practices. Therefore, we encourage you to familiarize yourself with the distinct privacy guidelines governing each website you visit.
While we’re committed to safeguarding your data within our own domains, we lack jurisdiction over the privacy protocols adopted by external entities. Your discernment and attentiveness in navigating these third-party websites are pivotal in ensuring your data remains under your control and adheres to your expectations of privacy.
11. Social networks
As part of our commitment to engaging with our customers and sharing valuable information, we maintain publicly accessible profiles on various social networks. These platforms offer us the opportunity to communicate with users, provide insights about our company, and bolster our online presence across the digital landscape.
Our active involvement on platforms like LinkedIn, Twitter, and YouTube is aimed at presenting our company in a comprehensive manner and fostering meaningful connections. It’s important to note that when you visit our profiles on these platforms, especially if you’re logged into your respective account, your interaction might be linked to your user profile.
These social networks often utilize your data for market research and advertising purposes, and it’s possible that this processing occurs beyond the confines of the European Union. This can potentially introduce certain complexities, impacting your ability to fully exercise your data rights. It’s worth highlighting that even if you’re not logged in or don’t possess an account on a specific social network, your data might still undergo processing.
Typically, this processing is facilitated by mechanisms such as cookies stored on your device and the storage of your IP address. For a comprehensive understanding of these specific processing activities and to explore options to manage your preferences, we recommend referring to the privacy statements and resources provided by the operators of the respective networks (please see below):
a) LinkedIn
Operator of the network: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Privacy Policy: https://www.linkedin.com/legal/privacy-policy
Options to object: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
b) Twitter
Operator of the network: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland
Privacy Policy: https://twitter.com/en/privacy
Options to object: https://twitter.com/personalization (without login) or https://twitter.com/settings/account (with login).
c) YouTube
Operator of the network: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy Policy: https://policies.google.com/privacy
Options to object (via opt-out plug-in): https://tools.google.com/dlpage/gaoptout?hl=en
Settings regarding advertising: https://adssettings.google.com/authenticated (with Log In)
12. Children’s data
At Varist, we are committed to maintaining a safe and secure online environment, especially for minors. With this in mind, we do not knowingly collect any data from individuals under the age of 16 through our Websites and/or Services. If you become aware that your child has provided their data to us without your consent, we kindly request that you reach out to Varist using the contact information provided below in point 17. Should we become aware that a child under the age of 18 has inadvertently shared their data with us, we will promptly take steps to delete this information from our records.
Furthermore, our practices align with the Children’s Online Privacy Protection Act (COPPA), a regulatory framework that mandates parental consent for online services to be utilized by individuals under the age of 13. For additional guidance on safeguarding children’s online privacy, we recommend visiting the U.S. Federal Trade Commission’s (FTC) website, accessible at http://www.ftc.gov/privacy/privacyinitiatives/childrens.html.
Your child’s safety online is paramount, and we strive to ensure that our practices comply with relevant regulations and guidelines to provide a secure digital experience for all users. If you have any concerns or questions about your child’s data or online privacy, please don’t hesitate to contact us via email at [email protected].
13. Security of data processing
The security of your data is of paramount importance to us. We have implemented robust measures to ensure the protection and integrity of the information you entrust to us.
When you input sensitive information on our Websites, rest assured that we utilize SSL (Secure Socket Layer) technology to encrypt the transmission of this data. This encryption safeguards your information during its journey across the internet, making certain that it remains confidential and secure.
To counter unauthorized access, maintain data precision, and guarantee the accurate use of data, we have taken diligent steps to establish appropriate physical, electronic, and managerial protocols. These measures are designed to fortify and secure the data we collect online and process. Moreover, we enforce strict access controls to ensure that only those employees with specific authorization can access confidential information within our systems.
While we have implemented robust safeguards, it is important to acknowledge that technical limitations and the potential for unlawful interception exist, raising the possibility that electronic communications and data transmissions might not be entirely immune to breaches. Given this reality, we urge you to recognize your role in maintaining security.
Your partnership in maintaining data security is crucial, and together, we can uphold the confidentiality and integrity of your information.
14. CCPA Disclosure
This section is only applicable to California residents for purposes of compliance with the California Consumer Privacy Act of 2018 (“CCPA”). Defined terms used in this section, including but not limited to “Business Purpose”, “Consumers,” “Personal Information” and “Sale” (or “Sell”) are used as such terms are defined by and interpreted pursuant to the CCPA.
The categories of Personal Information we have collected about Consumers, for which we have disclosed for a business purpose, in the preceding 12 months are (please refer to the table at the top of this Privacy Information for more detail):
(1) Identifiers, such as name and Social Security number;
(2) Personal information, as defined in the California safeguards law, such as contact information and financial information;
(3) Characteristics of protected classifications under California or federal law, such as sex and marital status;
(4) Commercial information, such as transaction and account information;
(5) Internet or network activity information, such as browsing history and interactions with the Websites;
(6) Geolocation data, such as device location;
(7) Audio, electronic, visual, thermal, olfactory, and similar information, such as video, photography and call and video recordings;
(8) Professional or employment-related information, such as work history and prior employer;
(9) Education information, such as school and date of graduation;
(10) Inferences drawn from any of the Personal Information listed above to create a profile about, for example, an individual’s preferences and characteristics; and
(11) The sources we have collected this Personal Information from are: directly from California residents or their representatives.
In the past 12 months, however, we have not “sold” Personal Information relating to California residents within the meaning of the CCPA. For purposes of this Privacy Information, “sold” means the disclosure of Personal Information for monetary or other valuable consideration.
If you are a California resident, you may request that we disclose to you the following information covering the 12 months preceding your request:
(a) the categories of Personal Information that we collected about you and the categories of sources from which we collected such Information;
(b) Business or commercial purpose for collecting Personal Information about you;
(c) Third-Party Disclosure, the categories of Personal Information about you that we disclosed to third parties for a business purpose and the categories of third parties to whom we disclosed such Personal Information (if applicable); and
(d) Specific Pieces of Personal Information: Identification of the specific pieces of Personal Information collected about you.
Furthermore, if you are a California resident, you possess the right to request the deletion of Personal Information collected from you.
To facilitate responsive handling of your requests, we might necessitate identity verification through certain information or identification. Instances may arise where we are unable to fulfil your requests, such as instances where we can’t verify your identity or confirm the relevancy of maintained Personal Information. Exceptions might also apply where another consumer’s rights or freedoms would be negatively impacted, or where certain Personal Information isn’t subject to CCPA access or deletion rights (e.g., information concerning employees or contractors used for employment or vendor management). Despite any potential exceptions, rest assured that you are entitled to be free from discriminatory treatment for exercising your CCPA rights.
15. For persons in California
California residents have the right, under California Civil Code Section 1798.83, to inquire about the information we have disclosed to third parties for their direct marketing purposes. If you are a California resident and wish to request information about such disclosures, please contact us using the information provided in Section 17 (Contact Us) below. We will provide you with the requested information within the time frame required by law.
Please note that this section is relevant if your company engages in direct marketing activities targeting California residents. If your company does not engage in such activities, you may consider omitting this section. Always tailor your privacy policy to reflect the specific practices and obligations of your business.
16. For persons in the EU or EEA and the United Kingdom
This section outlines important information for individuals who reside within the European Union (EU), the European Economic Area (EEA), or the United Kingdom. Your data protection rights and our practices vary depending on your location. Please read this section carefully.
a) Legal basis for processing
The legal basis for the collecting and processing of your data depends on the data and the specific context in which it is collected by us.
Where it is necessary to obtain your prior consent to the processing of your data by us (e.g. for sending newsletters to you), we will obtain your consent and use it as a base for our processing of your data in accordance with Art. 6 para. 1 (a) of the General Data Protection Regulation (GDPR).
In other instances, we process your data when necessary for:
- The performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such contract (Art. 6 para. 1 (b) GDPR) including the conclusion or performance of an employment contract.
- Complying with a legal obligation to which we are subject (Art. 6 para. 1 (c) GDPR).
- Safeguarding legitimate interests (Art. 6 para. 1 (f) GDPR) pursued by us or another person, provided that this is only done in circumstances where these legitimate interests are not overridden by your interests or fundamental rights and freedoms requiring the protection of personal data.
b) Purposes of data processing
To the extent that Varist acts as a processor for their clients (i.e., the respective controller), Varist processes end-user data in accordance with the data processing agreement entered into with the client and in accordance with the instructions given by their clients. The data processing in these cases is not governed by our Privacy Information (please see above under point 4. c).
We process data about the use of our Websites for the purpose of properly managing our Websites, improving their performance, ensuring their security, and adapting their content to your preferences. In addition, we collect this data for internal purposes, including conducting data analysis, testing, research and statistics for marketing and survey purposes. The legal basis of our activities is your consent, except in cases where the use of this data is essential for the functioning of our Websites (electronic provision of a service to you in this context), in which case the legal basis is our legitimate interest.
If you wish to conclude or have concluded a contract with us, the purpose of processing your data is the provision of pre-contractual steps or the performance of the contract.
c) Duration of processing
As a rule, your data is processed as follows:
- On the basis of your consent: until the consent is revoked or until the purpose for which it was given is fulfilled.
- With regard to the conclusion or performance of a contract: for the duration of the contract and its performance.
- On the basis of our legitimate interest: until you object to the processing or until the purpose for which the data was processed is fulfilled.
These durations may be extended if required by law or for potential claims within the statutory limitation period or longer.
d) Your rights in relation to the processing of your data
You have the following rights:
(i) Information about your data
You can ask us for information about your data at any time:
- Whether we process your data.
- If so, for what purposes do we process your data.
- What categories of data do we process.
- If applicable, who the recipients of your data are.
- The expected duration of the processing or the criteria for determining that duration.
- If the data is not collected from you, any available information about the source of the data.
You are also entitled to a copy of the data.
(ii) Rectification
If information about you is or has become inaccurate or incomplete, you have the right to request that it be corrected or completed.
(iii) Withdrawal of consent
You may withdraw your consent to the processing of your data at any time without affecting the lawfulness of the processing that was made on the basis of the consent prior to its withdrawal.
(iv) Right to erasure
In certain situations, GDPR gives you the “right to be forgotten”. You can invoke this right if:
- Your data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You have withdrawn your consent to the processing of your data and there is no other legal ground for further processing.
- You object to the processing of your data and there are no overriding legitimate grounds for further processing.
- You object to the processing of your data for marketing purposes.
- Your data is processed unlawfully.
- Your data has to be erased in order to comply with a legal obligation.
(v) Restriction of processing
You may request that we restrict our processing to solely storing your data if:
- You contest the accuracy of the data we process (for a period of time that allows us to verify the accuracy of the data).
- The processing of your data infringes applicable law, but you would prefer the processing to be restricted instead of the data being erased.
- Varist no longer needs your data for the purposes of processing, but you need it for the establishment, exercise or defence of legal claims.
- You have objected to the processing of your data (please see below point 7.), but only until such time as it is determined that our legitimate grounds override yours.
(vi) Data portability
You have the right to receive your data in a structured, commonly used and machine-readable format and also to transmit your data to another controller or to have us transmit your data if the processing is based on your consent or on a contract and is carried out by automated means.
(vii) Objection
You have the right to object to some processing that we carry out with your data for reasons related to your particular situation.
This applies in particular in the following cases:
- If our processing is based on our legitimate interest.
- If we process your data for scientific or historical research purposes or for statistical purposes.
- If, despite your objection, we determine that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or the basis for the establishment, exercise or defence of legal claims, we will continue to process the data affected by the objection to the extent necessary. If you do not agree with our assessment of the situation, you may exercise your right to lodge a complaint with a supervisory authority (please see next section).
If your data is processed for direct marketing purposes, you have the right to object to this processing at any time. After your objection, your data will no longer be processed for such purposes.
(viii) Complaint with a supervisory authority
In connection with our actions as data controllers, you have the right to lodge a complaint with a supervisory authority. A list of competent data protection authorities in the EU and their contact details can be found at https://edpb.europa.eu/about-edpb/board/members_en. The competent authority in the UK is the Information Commissioner’s Office https://ico.org.uk/global/contact-us/. Of course, we encourage you to contact us first. You can find our contact details in the section below.
17. Contact us
You may contact Varist using the ‘Contact Us’ feature that can be found at https://varist.com/contact. We will make every effort to provide you with a prompt response to your question. In addition, Varist’s General Counsel is responsible for overseeing compliance with this Privacy Information. You can reach our General Counsel by email via [email protected].
You can reach the Data Protection Officer of Varist and the Privacy Team by email at [email protected].