ICR Privacy and Cybersecurity Policy
Purpose
The purpose of this policy is to outline ICR’s commitment to:
Protecting personal and sensitive information, including data entrusted to us by our stakeholders
Securing our digital infrastructure, systems, and services against cybersecurity threats
Complying with applicable privacy and cybersecurity laws and standards, both in Iceland and globally
This policy ensures the responsible management of data and promotes a culture of trust, integrity, and accountability.
Scope
This policy applies to:
All ICR employees, contractors, board members, and interns
Third parties who access or process ICR data or systems
All personal data, registry data, and digital systems owned or managed by ICR
It covers activities across our digital operations, including www.carbonregistry.com, cloud platforms, communications, and employee devices.
Privacy Principles
ICR handles personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable laws. We follow these key principles:
Lawfulness, Fairness, and Transparency
We collect personal data only for legitimate purposes and inform individuals about how their data is used.
Data Minimization
Only the minimum necessary data is collected for a defined purpose.
Accuracy and Retention
We strive to keep data accurate and up to date. Personal data is retained only as long as necessary and then securely deleted or anonymized.
Security and Confidentiality
Personal data is protected against unauthorized access, alteration, or loss using appropriate technical and organizational measures.
Risk Assessment
ICR conducts regular cybersecurity risk assessments to identify vulnerabilities and threats that could affect information systems and personal data.
Risk assessments are used to inform security controls and ensure that appropriate mitigating actions are in place.
All identified risks are documented, tracked, and managed through established procedures.
Rights of Individuals
We respect the rights of individuals, including:
Access to their personal data
Correction or deletion of incorrect data
Objection to or restriction of processing
Data portability
Cybersecurity Standards
ICR is committed to maintaining a secure digital environment for our employees, stakeholders, and users.
Access Control
Access to systems is granted based on job role and the principle of least privilege.
Strong, unique passwords and multi-factor authentication (MFA) are required.
Data Protection
All sensitive and personal data is encrypted in transit and at rest.
Personal data may not be stored on unauthorized devices or platforms.
Secure backup systems are maintained.
Device and Endpoint Security
Company devices must run approved antivirus or endpoint protection software and be kept current with security updates.
Remote access to ICR systems must go through an approved, secure VPN.
Employees must report lost or stolen devices immediately.
Email and Communication Security
Staff must stay alert to phishing, scams, and malicious attachments.
Sensitive data must only be transmitted through secure, approved channels.
Cloud Services and Third-Party Vendors
All third-party vendors must meet ICR’s privacy and security standards.
Data processing agreements are signed with any provider that handles personal or registry data.
Data Sharing and Agreements
ICR ensures that all data shared with third parties is protected through Data Sharing Agreements (DSAs). These agreements set out each party's responsibilities for handling sensitive data, require compliance with applicable privacy regulations, and address the risks associated with sharing the data.
Breach Response and Notification
If a data breach or cybersecurity incident occurs:
Report immediately to the IT administrator or privacy officer
The incident response team will assess and mitigate the breach
If personal data is affected, data subjects and authorities will be notified as required by law
A post-incident review will be conducted to improve controls
Responsibilities
Role: Responsibilities
Employees & Contractors: Follow privacy and security policies, protect access credentials and sensitive data, report incidents or suspicious activity promptly, and complete required training.
IT & Security Leads: Maintain cybersecurity infrastructure, enforce technical controls (e.g., access management, encryption), monitor systems, manage security incidents, and support secure architecture decisions.
CTO: Oversee GDPR compliance, act as the contact point for supervisory authorities and data subjects, advise on data protection impact assessments (DPIAs), and monitor internal privacy controls.
Leadership: Ensure adequate resources and support for data protection and cybersecurity programs; promote a culture of compliance, ethics, and transparency.
Third-Party Vendors: Adhere to agreed privacy and security standards.
Enforcement
Violation of this policy may result in disciplinary action, including termination of access, employment, or contracts. In some cases, legal consequences may follow.
Policy Review
This policy is reviewed annually or whenever significant legal, technological, or organizational changes occur. Employees and stakeholders are encouraged to provide feedback.
Questions or Concerns? Contact: privacy@carbonregistry.com or your local IT/security representative.
Last updated