Highland Base

Privacy Policy

Highland Base

Privacy Policy

1. Introduction

At Kerlingarfjöll ehf., we are committed to protecting your privacy and ensuring that your personal data is processed in a transparent, secure, and lawful manner.

Kerlingarfjöll ehf., company registration no. 690508-0950, Norðurljósavegur 9, 241 Grindavík, Iceland (“we”, “us”, or “our”), operates Highland Base Iceland, including its accommodation, dining, wellness, and related hospitality facilities, located in Kerlingarfjöll, Iceland.

This Privacy Policy explains how we collect, use, disclose and otherwise process your personal data, the purposes for which your personal data is processed, the legal bases on which we rely, and your rights in relation to the processing of your personal data.

For the purposes of Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”), Kerlingarfjöll ehf. is the data controller responsible for the processing of your personal data as described in this Privacy Policy.

2. Personal Data We Collect

The categories of personal data we collect and process depend on the products and services you use and your interactions with us.

We process personal data primarily to provide and improve our services, communicate effectively with our customers, protect the safety and security of our premises, guests, employees, and property, and to market our products and services where permitted by law.

We will only process your personal data where we have a lawful basis for doing so under Article 6 of the GDPR and, in the case of special categories of personal data, where the additional requirements under Article 9 of the GDPR are met.

2.1 Accommodation, Wellness Facilities, Restaurants and Related Services

When you book accommodation at Highland Base Iceland, access to our wellness facilities, a table at our restaurant, participation in one of our activities or guided tours, or any related services, we collect the personal data necessary to provide the service you have requested.

The personal data we may collect includes:

  • Name - Required to process your booking and welcome you at the scheduled time.

  • Email address - Used to send booking confirmations, payment receipts and updates regarding your booking, or to contact you for other reasons relating to your reservation where necessary.

  • Telephone number - In exceptional circumstances, we may contact you by telephone where we consider it necessary to provide important information regarding your booking and believe that email communication would not be sufficient.

  • Address and copy of identification documents - We only request this information when you book hotel accommodation, as we are required to do so under applicable law.

  • Payment information - Payment information is processed securely through our payment service provider, Planet.

  • Photographs of you at Highland Base Iceland - Where you have specifically requested this service from us.

  • Other information you voluntarily provide to us - This may include, for example, health information or requests for additional assistance.

2.2 Inquiries

When you submit a request, inquiry, complaint or feedback to us, we process your contact details and any other information you provide in order to respond to your inquiry and, where necessary, process and resolve your request.

2.3 Analytics and Market Research

We may use information derived from personal data that has been anonymized for analytics, market research, and statistical purposes to help us improve our products and services.

2.4 Our Website

When you visit our website, we may collect information about the use of the website through cookies and similar technologies. This information is used to provide website functionality, analyze website usage, and, where you have provided your consent, support marketing activities.

Detailed information about the cookies and similar technologies we use, including their purposes, providers, and retention periods, is available in our Cookie Declaration, which can be accessed through our cookie banner.

2.5 CCTV

We use CCTV cameras at our premises for security purposes and to protect the safety of our guests, employees, and property. Access to CCTV recordings and other information collected through CCTV is strictly controlled, and only specifically authorized employees have access to such information.

CCTV recordings are not retained for longer than 30 days unless they are required to be retained in connection with potential legal matters, such as accidents, theft, or other incidents requiring further review.

3. Legal Bases for Processing Personal Data

We process personal data based on one or more lawful bases under the GDPR, depending on the nature of the processing activity.

We process personal data based on the following lawful bases:

  • Performance of a contract (Article 6(1)(b) GDPR) Processing of your name, email address, phone number, and payment information is necessary for us to manage and fulfill your booking and provide the services you have requested.

  • Legitimate interests (Article 6(1)(f) GDPR) In certain circumstances, we process personal data based on our legitimate interests where this processing is necessary for our business operations and does not override your rights and freedoms. This applies to processing activities such as communicating with our customers, for example when responding to inquiries about our services or requests regarding customer rights under applicable data protection laws. We have a legitimate interest in responding to such inquiries and providing appropriate assistance. Processing of personal data through CCTV is based on our legitimate interests in maintaining security and protecting our premises, guests, employees, and property. We may also create and use anonymized information for analytics and market research purposes based on our legitimate interests in improving our products and services.

  • Consent (Articles 6(1)(a) and 9(2)(a) GDPR) Where applicable, we process personal data based on your consent. This may include situations where you voluntarily provide us with special categories of personal data, such as health information. We may also process information collected through non-essential cookies and similar technologies, such as analytics and marketing cookies, where you have provided your consent. Where you have chosen to receive newsletters, marketing communications, or other information from us, such processing is based on your consent. Where we process personal data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.

  • Legal obligation (Article 6(1)(c) GDPR) We process personal data where necessary to comply with legal obligations that apply to us. This legal basis applies, for example, to obligations relating to maintaining records of hotel guests’ addresses and copies of identification documents, and to retaining accounting records in accordance with applicable accounting and record-keeping requirements.

  • Vital interests (Article 6(1)(d) GDPR) We may process personal data where necessary to protect your vital interests or the vital interests of another individual. This legal basis may apply, for example, in the event of an accident or medical emergency at one of our premises.

4. Sharing Personal Data with Processors and Third Parties

We do not sell personal data.

We may share personal data with processors who provide services to us or provide services to our customers on our behalf where this involves processing personal data on our instructions. This may include, for example, providers of IT services, cloud solutions, payment services, and other services necessary to support our operations.

An example of a processor is our parent company, Blue Lagoon Ltd., which provides us with various support services, including IT, human resources, management, and finance services.

Where third parties act as data processors on our behalf, we ensure that appropriate data processing agreements are in place, requiring personal data to be handled securely, confidentially, and only for the purposes we specify. Processors only have access to the personal data necessary to perform their specific tasks and are prohibited from using it for any other purpose.

Some of these third parties may be located outside Iceland. We will not transfer personal data outside the European Economic Area (EEA) unless permitted under applicable data protection laws, for example where the European Commission has adopted an adequacy decision for the destination country or where appropriate safeguards are in place, such as Standard Contractual Clauses.

We may also disclose personal data:

  • When required by law, for example under a court order or at the request of law enforcement or other public authorities.

  • To our legal advisors to protect the company’s legal rights or the rights of our staff.

In addition, we may use third-party providers to assist us with website analytics, marketing, and improving our services. Depending on the service provided, these providers may act as our processors or as independent controllers. We only use non-essential cookies and similar technologies where you have provided consent. Further information about the cookies and technologies used on our website, including their purposes and providers, is available in our Cookie Declaration, which can be accessed through our cookie banner.

5. Retention of Personal Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required to comply with applicable legal obligations.

The length of the time we retain personal data may be determined by legal obligations that apply to us. For example, accounting records may be required to be retained for seven years from the end of the relevant financial year under applicable accounting legislation, and certain information relating to hotel guests may be required to be retained for a period of one year under applicable accommodation legislation.

When the retention period ends, we securely delete personal data or anonymize it so that it can no longer be used to identify you.

6. Personal Data Received from Third Parties

Where you have authorized a third party, such as a travel agency or booking service, to share your personal data with us (for example, to make a booking on your behalf), this Privacy Policy applies to our processing of that personal data once we receive it.

Where other service providers provide part of your service, stay, or travel arrangements, those providers are responsible for their own processing of personal data carried out by them. Their privacy policy and information about their processing activities should be available from those providers.

7. Payments and Security

Payments are processed through our payment service provider, Planet. Payment transactions are protected using appropriate security measures and are processed in accordance with the PCI DSS (Payment Card Industry Data Security Standard) to help ensure the secure handling of payment card information.

Our websites are secured using SSL certificates and encryption technologies designed to protect communications between our websites and your browser.

8. Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

  • Access - request access to the personal data we hold about you and information about how we process it.

  • Correction - request that inaccurate or incomplete personal data be corrected.

  • Restriction of Processing - request that we restrict the processing of your personal data in certain circumstances, such as where you challenge the accuracy of the data or where you believe the processing is unlawful.

  • Erasure - request deletion of your personal data where applicable, for example where the data is no longer necessary for the purpose for which it was collected or where you withdraw your consent where processing is based on consent. This right does not apply where we are required to retain personal data by law.

  • Data Portability - receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and request that it be transferred to another controller where the processing is based on your consent and carried out by automated means. This right must not adversely affect the rights and freedoms of others.

  • Withdrawal of Consent - withdraw your consent at any time where processing is based on your consent. Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.

  • Object to Processing - object to processing based on our legitimate interests. You also have the right to object at any time to processing carried out for direct marketing purposes, including marketing communications such as newsletters.

  • Lodge a Complaint - lodge a complaint directly with the Icelandic Data Protection Authority (Persónuvernd) if you believe your rights have been violated.

To exercise any of the rights listed above, please contact us at info@highlandbase.is.

Please note that these rights are not absolute and may be subject to limitations under the GDPR, including where we are required to retain information to comply with legal obligations or where exercising a right would adversely affect the rights and freedoms of others.

9. Children under 13 years of age

We may provide services to families and may process personal data relating to children in connection with bookings or visits to our premises. We do not knowingly collect personal data from children under the age of 13 without appropriate involvement or authorization from a parent or legal guardian.

If a parent or legal guardian becomes aware that personal data has been provided by a child under the age of 13 without appropriate authorization, they should contact us immediately. If we become aware of such collection or use, we will take appropriate steps to address the situation, including deleting such data where required.

10. Job Applicants

If you apply for a position with us, we will process the personal data you provide as part of your application, such as your name, contact details, CV, cover letter, qualifications, interview notes, references, and any other information relevant to the recruitment process.

We process this information for the purpose of managing the recruitment process, assessing your suitability for employment, and taking steps at your request prior to entering into an employment contract.

We retain applicant data only for as long as necessary for the recruitment process and, where you have provided your consent, for a limited period thereafter to consider you for future employment opportunities.

Applicants also receive separate information describing how we process personal data during the recruitment process.

11. Personal Data Breaches

In the event of a personal data breach, we will notify the Icelandic Data Protection Authority (Persónuvernd) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

If the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly without undue delay, unless otherwise required by applicable law.

12. Questions and Complaints

If you have any questions about this Privacy Policy or how we process your personal data, please contact us at:

Email: info@highlandbase.is Mail: Urriðaholtsstræti 2-4, 210 Garðabær, Iceland

If you believe that our processing of your personal data does not comply with applicable data protection laws, you have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd). Further information is available on its website: www.island.is/en/o/the-data-protection-authority

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or our services.

Any changes will become effective when the updated Privacy Policy is published on our website.

Last updated: July 2, 2026