Privacy Policy
Privacy GTS Pass
Updated: Feb 24th, 2026
GTS ehf. operates public buses in Reykjanesbær on the basis of a service agreement with the municipality.
GTS also maintains GTS Pass (the “GTS app”) which is an app where individuals can buy and manage tickets and season passes and use them to pay for trips on Reykjanesbær’s public buses.
The objective of the policy is to ensure that GTS’s customers and other individuals, as appropriate at any given time, are informed of how the company collects and processes personal data.
GTS is concerned about the privacy of the individuals it provides services to. Accordingly, the Company always ensures compliance with the provisions of Act No. 90/2018 on Data Protection and the Processing of Personal Data, and other more specific laws concerning the personal data of individuals.
GTS is the controller of the personal data that the company collects and processes about individuals in connection with the company’s operations and the services provided.
You can send a written inquiry about the processing of personal information to the email address gts@gts.is.
1. Processing of personal data by GTS
What is personal information?
Personal data is defined in Article 3(1)(2) of the Data Protection Act, which is any information that can be directly or indirectly linked to a specific individual, such as by reference to an identifier, an online identifier or other characteristic elements. Information that is non-personally identifiable is not considered personal information.
Sensitive personal data is defined in Article 3(1)(3) of the Data Protection Act, e.g. health information, information on race, ethnic origin, trade union membership, political views or religion.
The processing of personal data refers to all handling and use of personal data, such as collection, registration, storage, alteration or deletion. Article 3(1)(4) of the Data Protection Act contains a more detailed definition of the processing of personal data.
What personal data is processed at GTS?
GTS primarily receives personal data from the data subject himself. GTS may also process information from third parties, e.g. from municipalities or other public bodies.
In particular, GTS collects the following personal data:
• Registration and contact information, such as name, ID number, e-mail address and telephone number. When creating an account in the GTS app, you choose whether to register with an email address and/or phone number.
• Payment information, such as invoices, account information and payment information.
• Information on the purchase of tickets and season passes and the timing of the purchase.
• Information on the conditions for special discount terms.
• Information about how you use the Service.
• Contact information, e.g. about email communications you choose to have with GTS.
• Footage from security cameras in GTS wagons.
• Other information that is necessary for the contractual relationship with the purchase of services.
For what purposes does GTS process personal data?
GTS only processes personal data about data subjects to the extent necessary and permitted by law.
GTS processes personal data in particular for the following purposes:
• To do this, fulfill agreements with individuals and provide access to GTS’s services.
• In order to ensure that individuals can enjoy the discount terms to which they are entitled.
• In order to fulfill a service agreement for the operation of public buses in Reykjanesbær and to fulfill legal obligations that rest on the municipality.
• For property and security purposes, in particular to ensure the safety of passengers and bus drivers and to ensure safety and traceability of services.
• In order to safeguard the legitimate interests of GTS ehf.
GTS uses information about individuals only for the purpose specified as the reason for their collection, unless there is a need to use it for other purposes, in which case the consent of the data subject will be sought.
On what basis does GTS process personal data?
GTS processes personal data primarily on the basis of the following sources:
• On the basis of the data subject’s consent.
• In order to fulfil an agreement that GTS has entered into or is preparing with a customer.
• In order to comply with a legal obligation.
• In order to protect the legitimate interests of the company.
How is the processing of personal data at GTS?
GTS processes personal data on a lawful basis and in accordance with the Data Protection Act No. 90/2018 and other applicable laws and administrative orders. Care is taken to ensure that the processing complies with the following data protection principles:
• Personal data is processed in a lawful, fair and transparent manner.
• Personal data is obtained for clearly specified, legitimate and objective purposes and is not further processed for other and incompatible purposes.
• No further personal data is processed than is necessary in relation to the purpose of the processing.
• Care is taken to ensure that personal information is reliable.
• Personal information is not stored longer than necessary.
• The security of the personal information and appropriate precautions are taken into account.
How long is personal data stored at GTS?
Personal data is only retained for as permitted by law and for as long as necessary to fulfil the purpose for which it was collected. Different retention periods generally apply depending on the type and nature of the personal data.
Surveillance camera footage is not retained for more than 30 days, unless permitted by law. However, the retention period may be longer if it is necessary in order for a claim to be delimited, presented or defended due to court proceedings or other such legal necessities.
Certain information that GTS processes for the benefit of Reykjanesbær may be subject to disclosure according to the Act on Public Archives No. 77/2014.
Other information is securely deleted or de-identified following the necessary retention period, to the extent permitted by law.
2. Electronic monitoring
Electronic monitoring takes place in GTS buses for the purpose of security and property protection. We work with footage that is created during the monitoring, where individuals who have passed through the monitored area and their activities can be seen. The location of surveillance cameras is determined with regard to the purpose of monitoring. The places where monitoring takes place are clearly marked
The monitoring is based on the company’s legitimate interests in security and asset protection.
Footage is only viewed if it is necessary for incidents concerning property preservation or security, e.g. due to an accident, theft or vandalism.
3. Disclosure of personal data to third parties
GTS never rents or sells personal information. GTS does not disclose personal data outside the European Economic Area (EEA) except in accordance with applicable law.
No personal data is disclosed to third parties other than may be necessary for contractual obligations, legitimate interests and in accordance with data protection legislation or on the basis of the data subject’s consent.
Information may be shared with GTS processors, e.g. hosting providers. In such cases, the rights of data subjects are guaranteed by a processing contract.
Footage with information about accidents or criminal conduct may be provided to the police on the basis of a legal obligation. Video material may also be provided to insurance companies if it is necessary for insurance matters. In other respects, footage is not disclosed to others except on the basis of authorisation in accordance with the Data Protection Authority’s rules on electronic monitoring, No. 50/2023 or the Act on Data Protection and the Processing of Personal Data, No. 90/2018.
Furthermore, laws, regulations, court rulings or instructions from the authorities may stipulate GTS’s obligation to hand over personal data, such as to the police or other public bodies.
4. Security of personal information
The security of personal information is ensured as far as possible, but GTS has implemented information security arrangements, among other things to ensure the security of personal information in the company’s custody. Access to personal information is controlled so that access is limited to those who need it at any given time.
5. Your rights
You have the right to know whether your personal data is being processed, the purpose and permissions for it and the retention period. You also have the right to access your personal data.
You have the right to have incorrect personal data about you corrected. You may have the right to have personal data about you deleted, e.g. if the information is no longer necessary for the purpose for which it was obtained. If processing is based on your consent, you have the right to withdraw that consent.
However, these rights are not without limitations. Laws can set restrictions on what data can be deleted or in which cases an individual has the right to data about him/herself.
For further information on the content of the above-mentioned rights, reference is made to Act No. 90/2018 on Data Protection and the Processing of Personal Data. If you believe that the processing of personal data is not in accordance with the laws that apply to it, you can send a request to the Data Protection Authority, www.personuvernd.is.
6. Policy review
GTS reserves the right to revise and update this Privacy Policy without notice. The updated Privacy Policy will take effect once it is posted.
This policy was set on 24.02.2026 and was last amended on 16.03.2026.