Data Protection Statement
1. Objective and Responsibility
This Data Privacy Statement is to inform you about the nature, scope and purpose of Heinemann Travel Retail Iceland ehf. (“HEINEMANN”, “we”, “us”) processing of personal data in the Island Dutyfree webshop.
The data controller for the processing is Heinemann Travel Retail Iceland ehf. (Blikavöllur 5, 235 Keflavikurflugvöllur).
If you have any questions regarding data privacy, you can contact us at info@Islandutyfree.is.
2. Data Processing When Visiting Our Stores at the Airport
2.1 Video Surveillance
Our stores are under video surveillance. Video recordings are processed for the following purposes:
- protection of the domiciliary right
- prevention and investigation of criminal offences (in particular theft, attacks, fraud, damage and vandalism)
Legal Basis
The legal basis for the processing is Art. 6 (1) (f) GDPR (legitimate interests). Our legitimate interests are the protection of property and assets as well as the protection of customers, visitors and employees.
Recipients
A use or transfer of the video recordings that goes beyond this shall only take place to the extent that this is necessary within the framework of a possible criminal prosecution. In this case, the recipients shall be the competent law enforcement authorities. We use external service providers to operate the video surveillance.
Retention Period
The video recordings shall be deleted 14 days after they are made. They shall only be stored for a longer period if this is necessary in the specific individual case for the enforcement of legal claims or for the prosecution of criminal offences.
2.2 Processing boarding passes at the checkout
The sale of goods to travelers is exempt from excise tax under certain conditions. The tax exemption allows goods to be offered to travelers at low prices. In order to obtain the tax exemption, appropriate evidence must be provided to the tax and customs authorities. The transaction data of the underlying sale (name and number of the airport store, date of the transaction, quantity and price of the goods sold, number of the cash register and the cash register receipt) must therefore be supplemented by boarding pass information, as this serves as our documentation for rightful tax refunds. For this reason, we will ask you to provide your boarding pass when you make a purchase with us.
Legal Basis
The legal basis for the processing of your personal data is the fulfillment of legal obligations pursuant to Art. 6 (1) (c) GDPR.
Recipients
If required, the records are submitted to the tax and customs authorities for verification, together with the proof of purchase.
Retention Period
Of the data read from the boarding pass, only the non-personal data "flight date", "departure and destination airport" and "flight number" are stored together with sales transaction data as proof of export within the tax-related retention periods.
2.3 Payment Service
For the best possible customer experience, we offer a range of electronic payment options.
Legal Basis
The legal basis for the processing of your personal data is the fulfilment of the purchase contract in accordance with Art. 6 (1) (b) GDPR. There is no statutory or contractual obligation for you to provide your data. Nevertheless, if you don’t provide your data, we cannot offer you the respective service.
Recipients
We use WORLDLINE (Worldline Financial Services (Europe) S.A., Atrium Business Park, 33, rue du Puits Romain, 8070 Bertrange, Luxembourg) for the processing of payments with Mastercard, Visa, Alipay and WeChat, and American Express Europe S.A. (address) for the processing of payments with the Amex Card. Depending on the payment method, the data processed include in particular IBAN or account number and bank sort code, card expiry date and card suffix, and other transaction data (e.g. date/time of the transaction, payment amount).
Retention Period
WORLDLINE stores and processes personal data for as long as is necessary to fulfill its contractual and legal obligations. More information on the data protection provisions of WORLDLINE can be found at https://worldline.com/en-lu/compliancy/data-privacy. The privacy notice of American Express can be found here: https://www.americanexpress.com/nl-nl/bedrijf/legaal/privacy-centrum/?inav=nl_legalfooter_privacy_centrum
3. Processing of your personal data through our online services
3.1 Processing of Logfiles
When visiting our website, personal data is automatically transmitted by the user's terminal device; this includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Legal Basis
The processing of this information is based on our legitimate interest according to Art. 6 (1) (f) GDPR in ensuring the smooth set-up of the connection and in ensuring the security of the processing (e.g. for the prevention and investigation of cyber attacks) pursuant to Art. 5 (1) (f) GDPR.
Recipients
To provide this service, we use IT service providers.
Retention Period
The log files are automatically anonymized at the end of the session.
3.2 Cookie Consent Management
We use cookies, pixels and similar other technologies (collectively referred to as “cookies”), including those from third parties, which we need to operate the website and to monitor performance (“essential cookies”) and to display personalized advertising (“marketing cookies”). For the purpose of recording and documenting your consent to the use of cookies, we use the Usercentrics Consent Management Platform (CMP).
Usercentrics stores opt-in/opt-out and timestamp, device and browser information and anonymized IP address in the local storage of your browser so that your individual settings are saved for further visits to our website and the consent field is not displayed again each time.
Legal Basis
The legal basis for our processing of your personal data is, according to Art. 6 (1) (c) GDPR, our obligation to comply with the Telecommunications Digital Services Data Protection Act (TDDDG) and our legitimate interest pursuant to Art. 6 (1) (f) GDPR. Our legitimate interest lies in the efficient management of consent data and in optimizing the user experience.
Recipients
To provide this service, we use IT service providers.
Retention Period
The consent data (consent given and withdrawal of consent) will be stored for one year, provided that there are no legal obligations to retain data.
4. Customer Service
If you have any questions or problems regarding our products and services, you can contact our customer service team by phone, email or by using the contact form. In this case, a customer ticket will be created and, depending on the communication channel you have chosen, we will process your contact data such as your email address, name and telephone number together with any other personal data contained in your message in order to clarify your request.
Legal Basis
If the processing of personal data is related to a purchase (e.g. complaint or return), the legal basis is Art. 6 (1) (b) GDPR (contract initiation and execution). Otherwise, the processing is based on our legitimate interest in accordance with Article 6 (1) (f) GDPR. Our legitimate interest lies in ensuring customer satisfaction through good service.
Recipients
We use the shared services of Gebr. Heinemann SE & Co. KG for customer service. Beyond that, your data will not be passed on to third parties, unless this is necessary to process your request or required by law.
Retention Period
The personal data relating to your service ticket will be deleted as soon as it is no longer required to process your request and no statutory retention requirements or warranty and guarantee rights exist.
5. Sharing personal data with third parties
Besides what is described above, disclosure of personal data to third parties only occurs within the framework of legal requirements. We only disclose personal data of users to third parties if this is required, e.g. for billing purposes or other purposes, if the disclosure is necessary to ensure the fulfilment of contractual obligations towards the users (in accordance with Article 6 (1) (b) of the GDPR). We may also disclose personal data to accountants, lawyers and other external advisors based on our legitimate interests in professional consulting services (in accordance with Article 6 (1) (f) of the GDPR and Article 5 (2) (f)).
If we engage subcontractors for our online service, we have made appropriate contractual arrangements as well as adequate technical and organizational measures with these companies.
6. Data Subject Rights
You have the following rights with regard to the processing of your personal data:
- Right of access to your personal data
- Right to rectification of your personal data
- Right to erasure (‘right to be forgotten’)
- Right to restriction of processing of your personal data
- Right to not be subject to an automated decision, including profiling
- The right to lodge a complaint with a competent data protection supervisory authority
- Right to withdraw consent at any time where processing is based on Article 6 (1) GDPR, Article 9 (1) GDPR or Article 5 (1) of the KVKK without affecting the lawfulness of processing based on consent before its withdrawal
7. Right to Object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. In case of objection, we will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
8. Automated Decision-Making including profiling
Automated decision-making, including profiling, as referred to in Article 22 (1) and (4) GDPR does not exist within our processing activities of your personal data.
9. Notification Service
We offer you the option of subscribing to an email list to receive a notification as soon as a previously announced service is available.
Legal Basis
The legal basis for our processing of your email address is our legitimate interest in providing good customer service and promoting our new services, according to Article 6 (1) (f) GDPR. You can object to this processing by not using the service.
Recipients
To provide this service, we use IT service providers.
Retention Period
Your email address will be deleted after the notification has been sent.
Status: April 2025