Privacy Policy
1 Objective and Responsibility
This Data Privacy Statement is to inform you about the nature, scope and purpose of Heinemann Travel Retail Iceland ehf. (“HEINEMANN”, “we”, “us”) processing of personal data in the Island Dutyfree webshop.
The data controller for the processing is Heinemann Travel Retail Iceland ehf. (Blikavöllur 5, 235 Keflavikurflugvöllur)
If you have any questions regarding data privacy, you can contact us at info@Islandutyfree.is.
2. Data Processing When Visiting Our Stores at the Airport
2.1 Video Surveillance
Our stores are under video surveillance. Video recordings are processed for the following purposes:
- protection of the domiciliary right
- prevention and investigation of criminal offences (in particular theft, attacks, fraud, damage and vandalism)
Legal Basis
The legal basis for the processing is Art. 6 (1) (f) GDPR (legitimate interests). Our legitimate interests are the protection of property and assets as well as the protection of customers, visitors and employees.
Recipients
A use or transfer of the video recordings that goes beyond this shall only take place to the extent that this is necessary within the framework of a possible criminal prosecution. In this case, the recipients shall be the competent law enforcement authorities. We use external service providers to operate the video surveillance.
Retention Period
The video recordings shall be deleted 14 days after they are made. They shall only be stored for a longer period if this is necessary in the specific individual case for the enforcement of legal claims or for the prosecution of criminal offences.
2.2 Processing boarding passes at the checkout
The sales of goods to travelers are exempt from excise tax under certain conditions. The tax exemption allows goods to be offered to travelers at low prices. In order to obtain tax exemption appropriate evidence must be provided to the tax and customs authorities. The transaction data of the underlying sale must therefore be supplemented by boarding pass information. For this reason, we will ask you to provide your boarding pass when you make a purchase with us.
Legal Basis
The legal basis for the processing of your personal data is the fulfillment of legal obligations pursuant to Art. 6 (1) (c) GDPR.
Recipients
If required, the records are submitted to the tax and customs authorities for verification, together with the proof of purchase.
Retention Period
Of the data read from the boarding pass, only the non-personal data "flight date", "departure and destination airport" and "flight number" are stored together with sales transaction data as proof of export within the tax-related retention periods.
2.3 Payment Service
For the best possible customer experience, we offer a range of electronic payment options.
Legal Basis
The legal basis for the processing of your personal data is the fulfilment of the purchase contract in accordance with Art. 6 (1) (b) GDPR.
Recipients
We use WORLDLINE for the processing of payments with Mastercard, Visa, Alipay, WeChat and American Express Europe S.A. for the processing of payments with the Amex Card. Depending on the payment method, transaction data such as IBAN, account number, card expiry date, card suffix, date/time of the transaction and payment amount are processed.
Retention Period
WORLDLINE stores and processes personal data for as long as it is necessary to fulfill its contractual and legal obligations.
3. Processing of your personal data through our online services
3.1 Processing of Logfiles
When visiting our website, personal data is automatically transmitted by the user's terminal device; this includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL, IP address and the requesting provider.
Legal Basis
The processing of this information is based on our legitimate interest according to Art. 6 (1) (f) GDPR in ensuring the smooth set-up of the connection and in ensuring the security of the processing.
Recipients
To provide this service, we use IT service providers.
Retention Period
The log files are automatically anonymized at the end of the session.
3.2 Cookie Consent Management
We use cookies, pixels and similar technologies, including those from third parties. For the purpose of recording and documenting your consent to the use of cookies, we use the Usercentrics Consent Management Platform (CMP).
Usercentrics stores opt-in/opt-out and timestamp, device and browser information and anonymized IP address in the local storage of your browser.
Legal Basis
The legal basis is Art. 6 (1) (c) GDPR and our legitimate interest pursuant to Art. 6 (1) (f) GDPR.
Recipients
We use IT service providers.
Retention Period
The consent data will be stored for one year.
3.3 “One for all” Customer Account
Our pre-order service can be used without creating a customer account. However, registration is required to use additional Heinemann services, such as participation in our loyalty program or use of our mobile app.
Creating a customer account also allows you to use the pre-order service in a more convenient way. If you have registered for an account, we store your pre-order history (previous orders) in order to enable you to reorder products more easily and to provide you with product recommendations within the webshop based on your previous purchases. Your pre-order history is available for review within your customer account in the webshop and in the app.
To create a customer account, participation in the loyalty program is required. For the purposes described above, we process the following personal data: first and last name, salutation, country, date of birth, email address and the password you choose. Providing a telephone number is optional. You can view, update or delete the information stored in your customer account at any time.
Legal Basis
The legal basis for our processing of your personal data is: Contractual obligations (Article 6(1)(b) GDPR): The legal basis for processing your personal data in connection with the creation and management of your customer account is the performance of the loyalty terms & conditions. Legitimate interest (Article 6(1)(f) GDPR): Our legitimate interest lies in providing a user‑friendly webshop experience by displaying product recommendations based on previous purchases. You have the right to object to this processing at any time.
Recipients
We provide this service with the assistance of IT service providers who act as processors under data processing agreements pursuant to Article 28 GDPR.
Retention Period
Your identification and contact data will be stored as long as your account is active.
3.4 Processing of pre-orders
Pre-orders can be placed either as a guest or through an All-for-one customer account (see section 3.2.4). In both cases, however, you must have a valid flight ticket. To verify your eligibility to place a pre-order and to hand over your pre-order as conveniently as possible near your departure gate, you will be asked to provide your flight route (departure date and time, departure airport and destination airport) or your flight number (flight number and departure date). Your flight data will be deleted immediately after the verification is successful. The order process cannot be completed without successful verification
After submitting your cart, you will receive a pickup ticket with your order ID and your name. For this purpose we process your account data or the information you provided when proceeding as a guest. The provision of the data is a requirement to initiate a sales contract. There are no negative consequences if you don’t provide the data. However, if you don’t provide or fail to provide the data, we can’t offer our services and goods.
Legal Basis
The legal basis for our processing of your personal data is the initiation of a sales contract (Article 6 (1) (b)).
Recipients
We provide this service with the assistance of IT service providers who act as processors under data processing agreements pursuant to Article 28 GDPR.
Retention Period
Your pre-order history will be kept as long as your account is active. If you have ordered as a guest, we will delete your personal data when the purpose for which it was collected no longer applies.
3.5 Abandoned Cart
If you have created an account and have not completed your pre-order, you may receive a reminder email, provided you have given marketing consent.
Legal Basis
Marketing consent (Art. 6 (1) (a) GDPR).
Recipients
We use IT service providers.
Retention Period
Your abandoned cart is retained as long as your account is active.
3.6 Preference List (only APP)
If you have an account, you can select preferred product categories during the APP installation process.
Legal Basis
Legitimate interest (Art. 6 (1) (f) GDPR).
Recipients
We use IT service providers.
Retention Period
Your preference list is kept as long as your account is active.
4. Customer Service
If you contact customer service, we process your contact data and message content to clarify your request.
Legal Basis
Art. 6 (1) (b) GDPR for purchase-related inquiries; otherwise legitimate interest (Art. 6 (1) (f) GDPR).
Recipients
We use the shared services of Gebr. Heinemann SE & Co. KG.
Retention Period
Data is deleted once no longer required and no statutory retention periods apply.
5. Sharing personal data with third parties
Disclosure only occurs within legal requirements. We may disclose data to accountants, lawyers and other advisors based on legitimate interests.
Transfers to third countries are based on adequacy decisions or standard contractual clauses.
6. Data Subject Rights
You have the following rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right not to be subject to automated decisions
- Right to lodge a complaint
- Right to withdraw consent
7. Right to Object
You may object at any time to processing based on Art. 6 (1) (e) or (f) GDPR.
8. Automated Decision-Making including profiling
No automated decision-making or profiling takes place.
Status: May 2026