Privacy Notice

Ylma ehf. is committed to safeguarding the privacy of our customers, guests and website visitors; this policy sets out how we will treat your personal information. This notice was last revised on October 10th, 2019. 


1. Legal framework 


Personal Data, defined in Article 4 (1) of The General Data Protection Regulation (GDPR),  cf. Article 3 (1)(2) of the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018 (the Icelandic Data Protection Act), refers to any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 


It should be noted that GDPR does not apply to information already in the public domain. 

2. Legal basis for collecting and processing personal data 


The legal basis for data collection and processing carried out by Ylma ehf. is GDPR Article 6(1)(a-f), cf. Article 9(1)(1-6) of the Icelandic Data Protection Act. The mentioned articles allow processing when one of the following applies:


(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

3. Why do we collect and process data?


The primary service of Ylma ehf. is to provide guests with short term hotel rooms or apartments. Providing such services in an efficient manner may include the following steps and actions:


  • Bookings and requests: Receiving and handling bookings and booking requests through our websites, via telephone, email, social media or through third parties.


  • Payments and stay: Requesting and receiving personal data with regards to aspects such as payment, name, ID no., age, nationality, travel agent information, length of stay in Iceland and arrival times, in order to finalize agreements and provide accommodation.


  • Special needs and requests: Receiving and processing data with the aim of personalizing guest experiences, with regards to aspects such as preferences, special needs, allergies and other physical or mental conditions which may require special measures to be taken.  


  • In-house security and monitoring: Processing data recorded by security cameras on premises.


  • Direct marketing: Processing data provided by customers, such as email addresses, telephone numbers and IP numbers, in order to provide current, future or previous guests with up to date marketing material and information.


  • Analytics: Processing personal data for the purposes of customer analysis, assessment, profiling and direct marketing, on a personalised or aggregated basis, to help us with our activities and to provide you with the most relevant information.


  • Research: Processing personal data in order to determine the effectiveness of promotional campaigns and advertising and to develop our products, services, systems and relationships with you. 


  • Accounting information: Storing personal data in order to abide by Icelandic law, including Article 20 (1) of the Accounting Act No. 145/1994.


  • Other instances: We may process personal data in other instances, provided the processing rests on a sound legal basis as laid out under point 2 above. This may include, but is not limited to, instances when the processing is requested by the Data Subject or required by law. 


4. What data do we collect and process?


In order to offer the services described in point 3 in the most efficient manner, Ylma ehf. may collect and process data including, but not limited to, customer’s first and last names, ID No., credit card number, travel agent information, telephone number, nationality, country of residence, email address, IP address, video and audio recordings, special needs and preferences as well as any other data customers may provide in order for our service to be successfully carried out.


Furthermore, Ylma ehf. websites use cookies, which is a string of information that a website stores on a visitor's computer, and that the visitor's browser provides to the website each time the visitor returns. We may use both "session" cookies and "persistent" cookies on the website. We will use the session cookies to: keep track of you whilst you navigate the website. We will use the persistent cookies to: enable our website to recognise you when you visit. Session cookies will be deleted from your computer when you close your browser. Persistent cookies will remain stored on your computer until deleted, or until they reach a specified expiry date.  


5. How long do we keep personal data?


Ylma ehf. stores and processes personal data for the time necessary to fulfil the object of the processing as described under point 3 above, as well as in order to safeguard Ylma’s legitimate interests. Our policy is clear on not storing data for a longer period than contractual obligations or other customer, commercial or security interests demand. Please note that in some cases law may require the storing of certain data for a prescribed time period. An example is information belonging to accounting records, which is kept for seven years in accordance with Article 20 of the Icelandic Accounting Act No. 145/1994.


6. Disclosure and data storage


We may on occasions pass your Personal Information to third parties exclusively to process work on our behalf. We require these parties to agree to process this information based on our instructions and requirements consistent with this Privacy Notice, GDPR and the Icelandic Data Protection Act. 


We do not broker or pass on information gained from your engagement with us without your consent. However, we may disclose your Personal Information to meet legal obligations, regulations or valid governmental request, as also described under point 5. We may also enforce our Terms and Conditions, including investigating potential violations of our Terms and Conditions to detect, prevent or mitigate fraud or security or technical issues; or to protect against imminent harm to the rights, property or safety of Ylma ehf., our clients and/or the wider community. 


​Data is held in Iceland using different (multiple) servers. Data may also be stored on servers in countries within the EEA as well as in the United States. In the case of the United States, data is only stored with companies which have been recognised and registered within the Privacy Shield framework.


7. Your rights as a data subject 


Ylma ehf. is committed to providing and safeguarding all rights awarded to data subjects in GDPR and the Icelandic Data Protection Act. These rights may include, but are not limited to, right of access, right to object, right of rectification and the right to be forgotten under certain circumstances.


Furthermore, you have the right to request information including, but not limited to, the purpose of the processing as well as the legal basis for processing, categories of personal data collected, stored and processed, how long the data will be stored and processed and the source of personal data if it wasn't collected directly from you. 


The granting of all requests regarding information on personal data is subject to you providing sufficient identification.


8. Personal data of children 


We do not knowingly collect or solicit Personal Data from anyone under the age of 18 or knowingly allow such persons to book a room in one of our hotels. In the event we learn that we have collected Personal Data from a child under the age of 18 without verification of parental consent, steps will be taken promptly to remove that information. 


9. Changes to this notice 


We reserve the right to modify this Policy at any time. Any changes we make will be posted on this page.  


10. Contact us 


In the event that you wish to request any of the information on your personal data (see under point 7 above), have any questions regarding this privacy notice or wish to make a complaint about how your personal data is being processed by Ylma ehf. or its partners, please contact us and we will respond at quickest possible time. You can also contact the Icelandic Data Protection Authority (Persónuvernd).


Our contact details are:

Ylma ehf. 

Suðurlandsbraut 30

108 Reykjavík 


Tel: 003546250000 


The contact details for the Data Protection Authority are:


Rauðarárstígur 10

105 Reykjavík


Tel: 003545109600