Our privacy policy

Version 1.4 2021-07-01

1. General

1.1 BankID is an electronic identification and electronic signature service provider (“BankID” or “the Services”) which makes it possible for companies, banks, organizations and authorities to both identify and enter into agreement with private persons via the Internet. BankID is an electronic ID document comparable to a passport, driver’s license or other physical identification document. BankID fulfills the requirements for assurance level 3 within the Swedish Identification (eID) framework and is reviewed by the Agency for Digital Government (DIGG).

1.2 BankID is issued by any of the banks participating in the BankID-network, primarily the bank that issued your BankID (“the Bank”) which is responsible for your personal data. Finansiell ID-Teknik BID AB (“we” or “our”) is a Data Information Processor for the Bank for processing of your personal data within the framework of our Services. We own, maintain and develop the Services and supply the Services to the Bank. We only process your personal data at the request of the Bank and in accordance with the Bank’s instructions, with the exception of the process outlined in paragraph 1.5.

1.3 We safeguard your privacy and strive always to protect your personal data to the best of our ability. This privacy policy (the “privacy policy”) describes the type of data about you processed within the framework of the Services; how we receive it, how it is used, how it is shared, and the measures taken to protect your personal data. We also describe the rights you hold regarding your personal data.

1.4 When you use the Service a number of parties may be involved including the Bank or the party offering the e-service for which you choose to use your BankID. This privacy policy relates only to the process we carry out in our role as Data Information Processor (or Personal Data Controller according to paragraph 1.5) and describes the actual use of the BankID service. We therefore recommend that you also read the privacy policies of the other parties that may be involved in your use of BankID, for example the Bank and the party that offers the e-service for which you choose to use your BankID.

1.5 We maintain the register of issued BankIDs. We act as Personal Data Controller only for this purpose. This processing is undertaken in the interests of security and means that we regularly check the Swedish Population Register (SPAR) for the purpose of blocking BankIDs issued to deceased persons or other users who have been removed from the register, to prevent the Services being used in such a person’s name. This activity is described further in paragraph 4.4.

2. Who we are

2.1 Finansiell ID-Teknik BID AB started in 2002 and is a technology company that owns, maintains and further develops BankID. We are owned by Danske Bank, Handelsbanken, Ikano Bank, Länsförsäkringar Bank, SEB, Skandiabanken and Swedbank. Our customers are the majority of Sweden’s main banks, which in turn sell and convey BankID to authorities, companies, organisations and private persons. All banks who offer BankID are listed at https://www.bankid.com/kontakt/utfaerdare.

2.2 Contact information:
Organization number: 556630-4928
Phone: +46 8 411 81 50
Email: produktinfo@bankid.com
Address: Kungsgatan 33, 111 56 Stockholm.

2.3 If you have questions about how your personal data can be gathered, used, protected and shared, or if you want to exercise your rights according to paragraph 8, you are welcome to contact the Bank or our data protection officer. You can reach the data protection officer at:
Phone: +46 8 411 81 50
Email: dpo@bankid.com

3. Gathering personal data

3.1 Types of personal data processed

At the request of the Bank we process the following personal data which you have given to the Bank or which we collect when you use the Services. The personal data processed consists of your

a. First name, Last name and personal identification number;
b. The bank which issued your BankID;
c. The supplier of the e-service you have identified yourself with or signed a document with;
d. Technical data relating to publication or use, such as time, IP address, type of BankID and make and version of mobile phone or computer;
e. Type of ID and MRZ-code where applicable.
f. Information that we can send notification messages to you via your mobile phone’s notification function.
g. Geographic location at the time you receive or use your BankID.
h. Where applicable, details outlining obstacles to the issue of a new BankID based on your personal identification number.

3.2 How your data is gathered

3.2.1 The Bank undertakes detailed physical identification of you and registers your data when you become a customer of the Bank, and checks this data with the people’s register. When your bank issues your BankID the Bank transfers your personal data to us so that your BankID can be created.

3.2.2 We also receive updates from the Swedish Population Register (SPAR) with data about changes in the population in order to carry out the register maintenance described in paragraph 4.4.

4. Purpose for data handling

We process your data at the request of the Bank for the purpose described as follows in this paragraph 4. Your data will not be used in a manner that is not in keeping with the purpose for which the data was gathered.

4.1 Supply of services

4.1.1 You can choose to use BankID for electronic identification or signature with most suppliers of e-services such as companies, banks, organizations and authorities. Your personal data can be used to guarantee that the right person used the e-identification BankID for such a supplier of e-services and the supplier can learn your personal data in the form of name, identification number and the name of your bank. This handling is done to complete the agreement about the supply of the Services between the Bank and yourself.

4.1.2 When you use BankID the name of the supplier of the e-service you are identifying yourself with, or electronically signing with, is also processed. The name of the supplier of the e-service saved is the name shown to you in the BankID app. No data about why you have identified yourself or signed is saved. Depending on where you choose to use your BankID, your name can therefore reveal so-called sensitive data about you, such as for example ethnic origin, political, religious or philosophical activity or membership in a union or data about your health or sexuality. It is entirely up to you where you choose to identify yourself or to sign documents. This handling is made for the bank in the BankID cooperation that has entered into an agreement to connect to the BankID service with the party you choose to identify against or sign documents at, to be able to determine, claim or defend legal claims relating to the agreement.

4.2 Improve the services

4.2.1 At the request of the Bank we will use your data to produce, for example, aggregated/anonymous data to improve the Services, make the Services more user-friendly by, for example, fixing bugs, to produce invoicing material for the Bank, for changing the interface and so on, as well as other improvement measures. This use is necessary for the Bank’s and our own ongoing interest in improving the Services. Statistics of BankID usage are published regularly on our website www.bankid.com/om-oss/statistik.

4.2.2 To improve the Service and better understand how the BankID app is used, we also gather anonymous information relating to the use of the BankID app, for example choice of language and the functions used in the app. This information does not constitute personal information and cannot be connected to you. You have the option to refuse the gathering of this information by choosing this option under Settings in the BankID app.

4.3 Prevent misuse and take safety precautions

4.3.1 Your data can also be used in safety precautions to prevent misuse or other illegal use of the Services. On behalf of the Banks, we store and make available the register controlled by the Banks to prevent a BankID being issued whenever the Bank itself or another Bank has decided it should no longer be available to certain users. In this instance, the BankID issued to that user may be blocked from continued use. The Bank register can only be used by the Banks for controls related to issuing BankIDs and consists of only the personal identification numbers the Banks should refuse to issue a new BankID to, including the time that the personal identification number was automatically removed from the register. The Banks jointly decide the conditions that determine when a social security number is added to the register (you can read more in the agreement between you and your Bank outlining the terms of use of the Services). This can happen, for example, if a BankID is used which violates the terms of use of the Services, such as suspicion of fraud, an attempt at unlawful use of another’s BankID, unlawful use of identity or other criminal act. The register is managed by the Banks, supported by special permission from IMY (Swedish Authority for Privacy Protection). The use of the Banks' register is necessary for the legitimate interests of the Banks in preventing fraudulent use of the Services, and to maintain the security and reliability of the Services. The Banks are jointly Personal Data Controllers in managing the register and have coordinated procedures to manage this correctly in accordance with current personal data legislation, regardless of the Bank you are a customer of. If you have questions about a Bank’s decision to prevent you from using the Services, you should contact your Bank.

4.3.2 For some new releases of BankID, we undertake an additional safety measure to prevent misuse or other illegal use of the Services. When a new issue of BankID is requested, you will therefore be asked to scan your passport or national ID card. We process and read the MRZ code on the ID document to (i) ensure we issue BankID to the right person, (ii) ensure that you are not blocked from obtaining BankID and (iii) check that you have a valid ID purpose.

4.3.3 We may also process data based on your use of the Services to prevent, deter or investigate crime. This is done on behalf of the respective Bank when such action is necessary for the Bank’s or other’s lawful interest in avoiding and preventing you from being exposed to ID theft, or that the Services may be otherwise misused, as well as to safeguard legal claims or fulfill the Bank's legal obligations.

4.4 Register maintenance

4.4.1 Your data will also be used for maintenance of the register as described in paragraph 1.5. The purpose of this is to block and prevent BankID being used in any case where a BankID has been issued to persons who have been removed from the population register primarily because the person is deceased. The personal data we handle for this purpose is the personal data provided by the Swedish Population Register (SPAR) which consists primarily of your name, personal identification number and address. This action occurs every time your data in the population register is changed. As soon as we have carried out the registration, all personal data is deleted, which means that in practice your personal data is handled for this purpose for a very limited period of time.

5. How your personal data is shared

Your data is not shared with any third party except in the manner described below.

a. Service provider.

The Bank can use a third party to handle one or several aspects of its operation, including handling or managing personal data. The Bank has employed us for this purpose to provide the Service to you and the Bank’s other customers. We may also use a third party for the same purpose. Your personal data can therefore be shared with these third parties when they are handling technical operations or application operations of the Services. When the Bank or we use one of these providers within the framework of the Services, the Bank and/or we will create a Data Information Processor agreement and carry out other appropriate measures to ensure that your personal data is treated in a way that is in keeping with this privacy policy.

b. To another bank in the BankID network.

The Bank can provide data to other banks in the BankID network. This data is provided because it is necessary to fulfill the legal right of the banks in the BankID network to prevent your BankID being misused and for the Banks to be able to defend their legal rights or to protect their rights. When the Bank shares your data for this purpose, the other banks in the BankID-network act as Personal Data Controllers for the data with the Bank. Even if you have the right to exercise your rights according to applicable law against each one of the Personal Data Controllers, the Bank still holds primary responsibility to fulfill its obligations to you and your exercising your rights according to applicable personal data legislation.

c. Supply of e-service.

When you use your BankID in an e-service your personal data is shared with the provider of the e-service you are using the Services with, i.e. the party you identify yourself to or sign a document with. Your data is shared because it is necessary for the Bank to carry out its agreement with you.

d. The Bank and we can also share your personal data in any case where the Bank or we are obliged to do so according to, for example, the law or other authority, court or government decision.

6. How your data is protected

6.1. Your personal data is stored on a system that is only accessible to the Bank, our employees and the service providers who need the data to carry out the service. Appropriate protection measures and safety standards are in place to protect your personal data from unauthorized access, unauthorized supply and misuse. The systems where personal data is handled are secure servers with limited access and where all communication occurs with secure encryption. Technical tools are also used, such as firewalls and monitoring tools, and all staff who come in contact with your personal data are trained in the importance of maintaining security and secrecy in relation to the personal data being handled.

6.2 Every time personal data is transferred to the supplier of an e-service where you choose to use your BankID, the transfer of personal data is always encrypted with a technique called SSL and only transferred to an identified supplier of the e-service holding a valid agreement to use the Services in its operation.

6.3 You can access and see data about the transaction or the BankID issued to you by logging in to your internet bank. This data is presented to you via an encrypted link to your browser, so-called https-technology, so that no unauthorized person can access the data.

7. Storage period

7.1 In general terms your data is stored for the time necessary for the purpose for which the data was originally gathered, or as otherwise required according to the relevant law.

7.2 The Bank stores data relating to issuing or blocking of a BankID for 10 years from when the valid date for the BankID expires, for the purpose of fulfilling its legal duties according to the best practice for Swedish e-identification. Data stored includes your name, personal identification number, the bank you have your BankID with and some technical data relating to its issue, for example the IP address.

7.3 The Bank will store the data relating to use of BankID for 5 years following the transaction for the purpose of fulfilling its legal duties according to the law. Information stored includes data relating to whose BankID was used, whether identification or signature was accomplished and the name of the supplier of the e-service, as well as some technical data relating to the usage such as for example the IP address.

8. Your rights

8.1 You have a number of rights relating to the handling of your personal data that you can claim from the Bank. These rights are described in this clause. To claim these rights you must approach the Bank. Note that Finansiell ID-Teknik BID AB acts as Data Information Processor in relation to the Bank and that you should always turn to the Bank regarding the handling of your personal data.

8.2 You are entitled to receive notice and information about which of your personal data are processed, no matter how they were collected. You can do this by turning to your Bank. You can also use the Bank's self-service, either by logging in to your internet bank to see which BankID has been issued for your personal number, or else you can open your BankID app, select your BankID in the "Settings" tab and then select "View History" to see your usage history.

8.3 You always have the opportunity to correct your personal data if it is incorrect by turning to the Bank. The easiest way to do this is to contact the Bank or to go via your internet bank, blocking your BankID and then getting a new BankID with the correct personal data.

8.4 You have in some cases the right to ask that your personal data is deleted or that the processing of your personal data is limited. If you want to use these rights you should go to the Bank. Note however that your data will continue to be used by the Bank where the Bank has legal ground for handling your personal data, e.g. if it is necessary to complete an agreement with you.

8.5 You have the right at any time to protest against the Bank’s use of your personal data if the Bank’s handling is based on balance of interests, i.e. that the Bank has had a legal interest in processing your personal data. If you protest, your personal data cannot be processed unless the Bank can produce compelling evidence carrying more weight than your interest.

8.6 You have the right to have your data transferred to another service supplier (so-called data portability) according to the conditions outlined in the current personal data law.

8.7 You have the right to block your BankID at the Bank or through the blocking function in your BankID client. You can also block your BankID yourself via your internet banking so that it can no longer be used.

8.8 If you consider that the Bank or we are not processing your data in accordance with current personal data law you have the opportunity to complain to IMY (Swedish Authority for Privacy Protection), with contact details available at www.imy.se.

9. Transfer of data

The Bank stores and processes your data only within EU/EES and does not transfer it to any country outside the EU/EES. However this can occur if the supplier of the e-service you are using your BankID for operates outside the EU/EES. We therefore encourage you to always read the privacy policy for the service provider of the e-service you intend to use.

10. Changes

10.1 We reserve the right to change this privacy policy from time to time. If we change the privacy policy the new version is valid from the moment we publish it on our website www.bankid.com. You can see when we last updated it at the top of this privacy policy.