ICR Privacy and Cybersecurity Policy

Purpose

The purpose of this policy is to outline ICR’s commitment to:

  • Protecting personal and sensitive information, including data entrusted to us by our stakeholders

  • Securing our digital infrastructure, systems, and services against cybersecurity threats

  • Complying with applicable privacy and cybersecurity laws and standards, both in Iceland and globally

This policy ensures the responsible management of data and promotes a culture of trust, integrity, and accountability.

Scope

This policy applies to:

  • All ICR employees, contractors, board members, and interns

  • Third parties who access or process ICR data or systems

  • All personal data, registry data, and digital systems owned or managed by ICR

It covers activities across our digital operations, including www.carbonregistry.com, cloud platforms, communications, and employee devices.

Privacy Principles

ICR handles personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable laws. We follow these key principles:

Lawfulness, Fairness, and Transparency

We collect personal data only for legitimate purposes and inform individuals about how their data is used.

Data Minimization

Only the minimum necessary data is collected for a defined purpose.

Accuracy and Retention

We strive to keep data accurate and up to date. Personal data is retained only as long as necessary and then securely deleted or anonymized.

Security and Confidentiality

Personal data is protected against unauthorized access, alteration, or loss using appropriate technical and organizational measures.

Risk Assessment

  • ICR conducts regular cybersecurity risk assessments to identify vulnerabilities and threats that could affect information systems and personal data.

  • Risk assessments are used to inform security controls and ensure that appropriate mitigating actions are in place.

  • All identified risks are documented, tracked, and managed through established procedures.

Rights of Individuals

We respect the rights of individuals, including:

  • Access to their personal data

  • Correction or deletion of incorrect data

  • Objection to or restriction of processing

  • Data portability

Cybersecurity Standards

ICR is committed to maintaining a secure digital environment for our employees, stakeholders, and users.

Access Control

  • Access to systems is granted based on job role and the principle of least privilege.

  • Strong, unique passwords and multi-factor authentication (MFA) are required.

Data Protection

  • All sensitive and personal data is encrypted in transit and at rest.

  • Personal data may not be stored on unauthorized devices or platforms.

  • Secure backup systems are maintained.

Device and Endpoint Security

  • Company devices must be protected with antivirus software and regular updates.

  • Remote access must be via secure VPNs.

  • Employees must report lost or stolen devices immediately.

Email and Communication Security

  • Staff must stay alert to phishing, scams, and malicious attachments.

  • Sensitive data must only be transmitted through secure, approved channels.

Cloud Services and Third-Party Vendors

  • All third-party vendors must meet ICR’s privacy and security standards.

  • Data processing agreements are signed with any provider that handles personal or registry data.

Data Sharing and Agreements

ICR ensures that all data shared with third parties is protected through robust Data Sharing Agreements (DSAs). These agreements are designed to outline the expectations and responsibilities for handling sensitive data, ensuring compliance with privacy regulations, and mitigating potential risks associated with data sharing.

Breach Response and Notification

If a data breach or cybersecurity incident occurs:

  1. Report immediately to the IT administrator or privacy officer

  2. The incident response team will assess and mitigate the breach

  3. If personal data is affected, data subjects and authorities will be notified as required by law

  4. A post-incident review will be conducted to improve controls

Responsibilities

Roles and their responsibilities:

  • Employees & Contractors: Follow privacy and security policies, protect access credentials and sensitive data, report incidents or suspicious activity promptly, and complete required training.

  • IT & Security Leads: Maintain cybersecurity infrastructure, enforce technical controls (e.g., access management, encryption), monitor systems, manage security incidents, and support secure architecture decisions.

  • CTO: Oversee GDPR compliance, act as the contact point for supervisory authorities and data subjects, advise on data protection impact assessments (DPIAs), and monitor internal privacy controls.

  • Leadership: Ensure adequate resources and support for data protection and cybersecurity programs; promote a culture of compliance, ethics, and transparency.

  • Third-Party Vendors: Adhere to agreed privacy and security standards.

Enforcement

Violation of this policy may result in disciplinary action, including termination of access, employment, or contracts. In some cases, legal consequences may follow.

Policy Review

This policy is reviewed annually or whenever significant legal, technological, or organizational changes occur. Employees and stakeholders are encouraged to provide feedback.


Questions or Concerns? Contact: privacy@carbonregistry.com or your local IT/security representative.


Last updated