Til að skoða þessa síðu á íslensku / to view this page in Icelandic
smelltu hér / click here

COSTCO WHOLESALE ICELAND EHF. PRIVACY POLICY

Last updated 25 May 2018

Costco Wholesale Iceland ehf. ("Costco", "we" or "us"), ID No. 700614-0690, Borgartún 26, 105 Reykjavík, is the data controller for purposes of processing personal data as explained in this Privacy Policy.

This Privacy Policy explains our privacy practices for our members and customers who shop in our Icelandic warehouse store, contact customer service, use our website (located at www.costco.is) or otherwise interact with us. We encourage you to review our Privacy Policy from time to time to make sure you understand how we process your personal data and the choices you have with respect to such processing.

Please note that we provide additional or different privacy notices in connection with certain products, services or programs. In addition, personal data that you provide when you visit Costco's warehouses or websites outside of Iceland are governed by the privacy policies of the Costco entities in those other countries.

Costco's Commitment to Personal Data and Privacy

We respect your right to privacy. We maintain and use your Personal Data in accordance with applicable laws on data protection.

We do not share or disclose Personal Data to third parties without your prior consent except as set forth below or by fulfilling other criteria of the Data Protection Act for such disclosure (see Section D). In addition, your ability to make informed choices about how your information is processed is important to us. This Privacy Policy explains our policy regarding the collection, use, disclosure and protection of Personal Data.


A. What is Personal Data?

"Personal Data" is any information relating to an identified or identifiable natural person ('data subject'). Personal Data can be a name, contact information, telephone number, e-mail address, debit/credit card number, the photograph included on your Costco membership card, Internet (IP) address and information about an individual's purchases. Personal Data also includes medical information collected through our pharmacies and optical centers (see Section I).

Personal Data does not include "aggregate" information. Aggregate information is data we collect about a group or category of products, services or customers, from which individual customers cannot be identified. In other words, information about how you use a service may be collected and combined with information about how others use the same service, but no Personal Data will be included in the resulting data. Likewise, information about the products you purchase may be collected and combined with information about the products purchased by others. Aggregate data helps us understand trends and customer needs so that we can better consider new products and services, and tailor existing products and services to customer desires.

As a convenience to our members, we allow the primary cardholder to add his/her spouse or others to a membership account, but each member, including add-on members, must agree to Costco's membership terms and conditions and his or her Personal Data will be handled in accordance with this privacy policy.

B. What Personal Data is collected by Costco?

We collect the following personal data of our members:

  • Name.
  • ID no. ("kennitala").
  • Membership number.
  • Photograph.
  • Email address.
  • Address.
  • Phone number.
  • Purchase history.

We collect this Personal Data, such as when you:

  • Sign up for or renew your Costco membership
  • Use our website (www.costco.is) or agree to receive news about specials or other promotions;
  • Place an order or purchase products or services, at our warehouse store, or return or exchange items;
  • Contact us for any reason including questions, inquiries, comments, complaints or requests; such as by replying to enquiries by mail, by telephone through customer service or in person at our warehouse;

In order to obtain a membership card so you can shop in our warehouse, we will need to take a photograph of you and retain it in the warehouse.

We may also take video footage through video surveillance systems at our warehouse to protect the rights, property or safety of Costco, our customers, our employees, or the public.

In addition, we may automatically collect some information when you visit our website, such as your computer's IP address or your device ID and operating system, the site from which you linked to us, your site activity, the time and date of your visit, and your purchases. This information may be collected through the use of cookies and web beacons (for more details, see our Cookie Policy.

We also receive information from third parties who help us correct our records, prevent fraud, and provide services or special promotions or products. We may combine any of this information with the other Personal Data we maintain about you, including for the purposes of better tailoring any promotional or marketing materials which we send you.

C. How does Costco use Personal Data?

The Personal Data we collect is generally used to process your requests or transactions, validate your membership, provide you with high-quality service, tell you about opportunities we think will be of interest and administer your account, including distribution of our own surveys and publications. The specific purposes for which we process your personal data are set out below:

  • Process and administer your membership request or renewal and manage and administer your membership (the legal basis for this processing is the performance of the membership agreement between you and Costco);
  • To provide products and services to you, which includes processing payments, sending notifications (via email or SMS/text message) related to your purchases, recording purchase history and processing exchanges and returns (the legal basis for this processing is the performance of the purchase agreement between you and Costco);
  • To respond to queries or complaints from you, including if you contact our customer service team (the legal basis for this processing is your consent);
  • Alert you about product recalls or safety issues and respond to your questions about products or deliveries (the legal basis for this processing is compliance with our legal obligations under Icelandic consumer protection law);
  • Manage our internal operations, including for planning, resource allocation, policy development, quality improvement, monitoring, audit, investigations, evaluations and reporting (the legal basis for this processing is our legitimate interest in understanding shopping behavior, improving our selection of products and services, and exploring ways to develop and enhance our business);
  • To detect, investigate and prevent fraudulent transactions and other illegal activities and protect against harm to the rights, property or safety of Costco and our members, customers, employees or the public, including by using video surveillance systems (the legal basis for this processing is our legitimate interest in preventing fraud and protecting and securing our premises, members, customers, employees and the public);
  • To comply with our legal obligations, including our tax obligations, those related to the prevention of fraud and money laundering, and those required for you to benefit from rights recognized by law (the legal basis for this processing is compliance with our legal obligations under Icelandic law related to, for instance, taxation, money-laundering and terrorism financing and consumer protection law);
  • To analyze your use of our website (the legal basis for this processing is our legitimate interest in improving our website and better understanding user needs and expectations);
  • • If you consent to receive mail, email or SMS/text message, to provide you with promotional information about Costco and third-party products and services, such as advertising, marketing, surveys, coupons, offers and product recommendations ("Promotional Information"). The marketing communication we send you may be tailored based on your membership account details and purchase history so we can provide you with information and offers we think will be of particular interests to you. You may contact us at any time to decline Promotional Information, see Section G (the legal basis for this processing is our legitmate interest in providing information about products and services that may be of interest to you, unless applicable law requires us to obtain your consent, in which case we will do so).

D. How does Costco share Personal Data with third parties?

We share information in the following circumstances:

  1. Our affiliates and entities that belong to the Costco group.
  2. Costco may share your Personal Data with any of our corporate affiliates for the purposes described in this privacy policy.

  3. Service Providers and Contractors
  4. We contract with others to perform services on our behalf. For example, we retain companies to process debit and credit card payments, manage our customer care centre, distribute emails, process rebates or analyse and correct or update our data.

    We have also engaged service providers to provide us with cloud computing services. Cloud computing is the provision of network-based services, located on remote computers, that allow individuals and businesses to use software and hardware operated by third parties. Examples of these services include online file storage, webmail and online business applications. Service providers have policies and processes in place to ensure that the confidentiality of information in their care is properly safeguarded at all times. As of the date of this policy, our cloud computing service providers process and store information in the European Economic Area ("EEA") and other jurisdictions (please see Section E (Cross-Border Transfers) for more information).

    If any of these service providers need access to your Personal Data, we require them to use it only to perform the services for us. We also require that they maintain the confidentiality of the information and/or return the information to us when they no longer need it.

  5. Third-Party Services
  6. If you purchase, apply for or request Third Party Services, information you provide will be shared with the third party offering the Third Party Service. For example, if you register for the Costco Auto Programme, we may share membership details with participating dealers to confirm your enrolment in the programme. In turn, information you provide to these third parties may in turn be shared with us along with information about your use of the particular Third Party Service. We are not responsible for any additional information you provide directly to these third parties, and we encourage you to become familiar with their privacy and security practices and policies before disclosing information to them.

  7. Primary Costco Account Holder
  8. Each membership account has an individual primary account holder who is authorised to designate and remove add-on members and make other account management decisions. Please be aware that information about all activities occurring under the account, including transactions completed by add-on members, will be available to the primary account holder.

  9. Consent. We also share personal data with third parties, other than those described above, when we have your consent to do so.

  10. In addition, we may disclose Personal Data in the good faith belief that we are lawfully authorised to do so, or that doing so is reasonably necessary to protect you, to comply with legal process or authorities, to respond to any claims, or to protect the rights, property or personal safety of the Costco companies, our shoppers, our members, our employees and the public. This includes disclosure of information to control or investigate fraud. Personal Data may be disclosed or transferred as part of, or during negotiations of, any merger or sale of company assets or acquisition.

E. Cross-Border Transfers

Your personal data will be transferred to countries outside of the EEA and, in some cases, the laws of these countries do not provide the same level of protection of your personal data as those in Iceland. For example, we transfer personal data to our corporate affiliates, located in the United States, Canada, Australia, Japan, South Korea, Taiwan and Mexico, for the purposes described in this Privacy Policy. We also transfer personal data to service providers that process personal data for us in the United States, Canada and other locations (as an example, Google and Microsoft process personal data for us in various data center locations, including those listed at http://www.google.ca/about/datacenters/inside/locations/ and https://azure.microsoft.com/en-us/global-infrastructure/regions/

Costco ensures, with the signature of Standard Contractual Clauses adopted by the European Commission, that personal data transferred outside the EEA is maintained with at least the same level of security and protection for personal data that is required under the applicable legislation. Copies of the Standard Contractual Clauses we use to facilitate the transfer of data outside the EEA are available here and here.

F. How does Costco protect Personal Data?

We have physical, administrative and technical security measures in place to help protect Personal Data from damage, loss, alteration, destruction or unauthorized access, processing or use, while it is under our control. With regard to credit card data, we are required to process and maintain payment card data in accordance with the data security rules adopted by credit card companies such as Visa, MasterCard and American Express.

G. How long does Costco retain Personal Data?

Costco will retain your personal data for as long as necessary to achieve the purposes for which such data was collected, unless a longer retention period is required under applicable law. For example, we need to keep records about our members' purchase histories in order to honor our returns policy. If you want to return an item you bought from us several years ago, we need to be able to confirm when and where you bought it. For this reason, we generally keep records about our members' accounts and purchase histories for a minimum of 10 years. In addition, when you consent to receive marketing communications from us, we retain your email address and information about your marketing preferences for the duration of your membership, unless you opt out of receiving such communications or terminate your membership.

H. What Personal Data Rights do you have?

Subject to certain limitations and exceptions, you have a number of legal rights in relation to the processing of your personal data, including:

  • A right to obtain information: You have the right to request information about how we process your personal data.
  • A right of access: You have the right to request access to, or a copy of, the personal data we process about you.
  • A right of rectification: You have the right to request that we correct or supplement inaccurate or incomplete personal data we process about you.
  • A right of erasure: You have the right to request that we delete personal data about you.
  • A right to restriction of processing: You have the right to request that we restrict processing of your personal data, so that we can store such data but not further process it.
  • A right to data portability: You have the right to request that we provide the personal data which you provided to us in a structured, commonly used and machine-readable format, and you have the right to transmit such data to another controller without hindrance from Costco.
  • A right to object to processing: You have the right to request that we stop processing personal data about you (for example, when your personal data is processed for direct marketing purposes, you have the right to object to the processing of such data at any time by writing to personuvernd@costco.is or clicking on the "unsubscribe" link available at the bottom of the messages received).
  • A right to revoke your consent: When our processing is based on your consent, you have the right to revoke such consent at any time.
  • The right to file a complaint: You have the right to file a complaint regarding our data protection practices with a supervisory authority. You can do so by contacting Persónuvernd (www.personuvernd.is).

To exercise these rights, please email us at personuvernd@costco.is or click here.

I. Pharmacy and Optical Centres

If you purchase prescription medications, eyeglasses, or contact lenses from us, we collect and retain in our files your prescription information. We have appropriate technical and operational measures in place to protect your health-related information. Health-related information is also not subject to any cross-border transfers.

If you request or receive government funding for optical devices or services, we may share your health information with the relevant government agency. Costco and our service providers may collect, use or disclose your personal health information in connection with:

  1. providing you with the health services you request;

  2. storing electronic health records within onsite servers;

  3. processing or obtaining payment for government-funded health services (for example, obtaining authorisation from your insurer or a government agency for payment);

  4. internal management purposes, including planning, resource allocation, policy development, quality improvement, monitoring, audit, evaluation and reporting.

We process your personal health information where necessary for the provision of healthcare or treatment to you.

We may also disclose personal health information without your knowledge or consent if a law, regulation, search warrant, subpoena or court order legally authorises us or requires us to do so or to protect the rights, property or personal safety of Costco, its customers, employees or other members of the public. We may also be required to disclose certain personal health information in order to maintain standing with professional health bodies, including those for pharmacists, and opticians.

J. Online Specifics

  1. Links to Other Sites
  2. We may allow you to link from our web site to web sites of third parties who we allow to offer goods, information and/or services. If it is not clear from the context that you are being directed to a third party site, we endeavour to notify you that you are visiting a site where a different privacy policy applies. In general, any Personal Data you provide on the linked pages is provided directly to that third party and is subject to that third party's privacy policy. We are not responsible for the content or privacy and security practices and policies of websites to which we link. We encourage you to learn about their privacy and security practices and policies before providing them with Personal Data.

  3. Accessing Costco on Your Mobile Device
  4. Before we collect or send the location of your mobile device, we will ask for your consent. Your general consent to your mobile service provider to allow (or disallow) location-based services does not automatically apply to us.

    In general, you do not need to provide any Personal Data to connect with us via your mobile device.

K. Use of costco.is Website by Minors

We encourage parents to take an active interest in their children's use of the Internet. We do not intend to collect information from minors. If you are under 18, you should not provide information on the costco.is website.

L. Questions or Concerns

If you have any questions or concerns about this Privacy Policy or would like to contact us for any reason, you can visit the membership desk at our warehouse store, call 532 5555, send us an email at personuvernd@costco.is or you can contact our Data Protection Officer by writing to privacy@costco.com..

M. Changes to this Privacy Policy

We may change this Privacy Policy at any time, but will alert you that changes have been made by indicating at the top of the Privacy Policy the date it was last updated. We encourage you to review our Privacy Policy to make sure you understand how your Personal Data will be used. If we make a material change to how we use Personal Data and the new uses are unrelated to uses we disclose in this Privacy Policy, we will communicate the changes in advance.