Privacy Policy

Farbaetur places strong emphasis on the security and confidentiality of its customers’ personal data. This Privacy Policy explains what data we collect, how it is used, the legal basis for the processing, and what rights you have as a data subject.

1. Data controller

The data controller for the processing of personal data is: Justitia ehf.
ID No. (Kennitala): 6909220450
Email: farbaetur@farbaetur.is

2. Collection of personal data

We process, among other things, the following information: name and contact details (email address, phone number, home address), flight information (flight number, booking status, delays and cancellations), payment information when we pay out compensation, and copies of documents necessary to pursue a claim (e.g. boarding passes/flight tickets, booking reference, flight number

3. Purpose of the processing

Personal data is used to assess and pursue compensation under Regulation (EC) No. 261/2004, to contact you regarding the matter, to comply with legal obligations under laws and EEA rules, and to safeguard your rights and ours in connection with claims.

4. Legal basis

The processing is based on: contractual necessity, cf. Article 6(1)(b) of the General Data Protection Regulation (EU) 2016/679 (hereinafter the “GDPR”) (processing necessary for the performance of a contract), legal obligation, cf. Article 6(1)(c) GDPR (obligations relating to consumer law, compensation law, etc.), and legitimate interests, cf. Article 6(1)(f) GDPR (e.g. interests in defending our rights in legal proceedings).

5. Recipients of data

Data may be disclosed to airlines and their agents, the Icelandic Transport Authority (Samgöngustofa) and courts when we pursue claims, our partners who provide IT services or payment processing, and parties outside the EEA where necessary to fulfil a claim (e.g. airlines outside Europe). In such cases, we ensure that appropriate safeguards are in place.

6. Storage duration

We store personal data until claims have been concluded and in accordance with statutory data retention requirements (generally up to 4 years after the case is closed, unless a longer retention period is required by law).

7. Your rights

You have the right to access your personal data, request correction of inaccuracies, request deletion of data to the extent permitted by law, object to processing or request restriction of processing, and to data portability (transfer of data between service providers). You also have the right to lodge a complaint with the Data Protection Authority (Persónuvernd) if you believe processing is contrary to law.

8. Data security

We apply appropriate technical and organisational measures to ensure the security of personal data, including encryption, access controls, and regular monitoring.

9. Contact details

If you have questions or wish to exercise your rights under this policy, please contact us.