1. General

1.1 BankID is an e-identification and signature service ("BankID") that enables companies, banks, organisations and authorities to both identify and enter into agreements with private individuals on the Internet. BankID is an electronic ID document comparable to passports, driving licences and other physical IDs. BankID meets trust level 3 requirements in accordance with the Swedish eID quality mark and is audited by the Swedish Digital Administration Authority (DIGG).

1.2 BankID is issued by one of the banks involved in the BankID partnership and it is, as a general rule, the bank (the “Bank”) that issued your BankID that alone, or together with the other banks in the BankID partnership, is the joint data controller for your personal data. Finansiell ID-Teknik BID AB ("we" or "our") is a personal data processor to the Bank regarding the processing of your personal data within the framework of BankID. We also provide other services within the framework of the BankID partnership, such as digital ID cards and Get BankID digital with a Swedish passport or a national ID card issued by the Police. BankID and other services provided by us are in this document referred to as a "Service" and collectively the "Services". We own, manage and further develop the Services and are a supplier of the Services to the Bank. We process your personal data exclusively on behalf of the Bank and in accordance with the Bank's instructions, with the exception of the processing set out in paragraph 1.5 and certain processing in paragraph 4.2 regarding the Digital ID Card Service.

1.3 We protect your privacy and strive to always protect your personal data in the best possible way. This Privacy Policy (the "Privacy Policy") describes what kind of information about you is processed within the framework of the Services, how we receive it, how it is used, how it is shared and what measures have been taken to protect your personal data. We also describe your rights regarding your personal data.

1.4 When you use the Services, a number of stakeholders may be involved such as the Bank or the operator providing the e-service you choose to use your BankID with. The Privacy Policy applies only to the processing that we carry out in our capacity as a data processor (or data controller in accordance with paragraph 1.5 or 4.2) and describes the actual use of the Services. We therefore recommend that you also read other parties' privacy policies that you may be affected by when you use BankID, such as the Bank and the operator providing the e-service, such as pharmacies or supermarkets, with which you choose to use your BankID.

1.5 We carry out maintenance of the register consisting of issued BankIDs: We are the data controller only for this processing. The processing is done for security purposes and means that we carry out regular checks against the State Personal Address Register (SPAR) in order to block issued BankIDs for deceased users or other users who have been removed from the population register on other grounds, in order to prevent the Services from being used in the name of such users. This processing is further described in Section 4.5.

2. Who we are

Finansiell ID-Teknik BID AB was founded in 2002 and is a technology company that owns, manages and further develops BankID. Finansiell ID-Teknik AB is jointly owned by Danske Bank, Handelsbanken, Ikano Bank, Länsförsäkringar Bank, SEB, Skandiabanken and Swedbank. Our customers are most of the large Swedish banks, which in turn sell and transfer BankID to authorities, companies, organisations and private individuals. All banks issuing BankID are listed here.

Finansiell ID-Teknik BID AB has the following Corporate Identification Number and contact details:

CIN 556630-4928
Phone: +46 (0) 8 411 81 50
Email: produktinfo@bankid.com
Kungsgatan 33, 111 56 Stockholm.

If you have questions about how your personal data is collected, used, protected and shared or if you wish to exercise your rights as set out in Section 7, you are welcome to contact the Bank or our Data Protection Officer. You can reach the Data Protection Officer at:
Phone: +46 8 411 81 50
Email: dpo@bankid.com

3. How your personal data is gathered

3.1 The Bank carries out a thorough physical identification of you and records your data when you become a customer of the Bank and checks this information against the population register. On behalf of the Bank, we process personal data that you have provided to the Bank or that we collect when you use the Services. For example, when issuing your BankID, it is the Bank that transfers your personal data to us so that your BankID can be created.

3.2 We also receive updates from the Swedish National Personal Address Register (SPAR) with information about changes in the population register in order to be able to carry out the register maintenance described in Section 4.5.

4. How your personal data is processed

4.1 Introduction

We only process your personal data if the processing is authorised under applicable data protection legislation. This means, among other things, that we must have support for the purposes of the processing in the form of a so-called legal basis, which for our part mainly means one of the following grounds:

  • Fulfilment of contract – the processing is necessary for us to provide you with our services or otherwise fulfil contracts that you have entered into with the Bank or us, or to take steps at your request before entering into a contract.

    If you are acting on behalf of someone else, such as a representative of a company, our processing is based on a balancing of interests and our legitimate interests in being able to enter into or fulfil the agreement with the person you represent.

  • Fulfilment of legal obligations – the processing is necessary to fulfil legal obligations under, for example, a law or other statute to which we are subject or a court or authority decision that requires us to process data about you.

  • Balancing of interests – the processing is necessary for purposes relating to our, the Bank's or a third party's legitimate interests, provided, however, that your interests or fundamental rights or freedoms do not take precedence (in which case the processing is prohibited).

  • Consent – the processing takes place on the basis of your prior consent, where we have a responsibility to clearly inform you of the processing you consent to and the possibility of easily withdrawing your consent to our further processing.

Below we describe in more detail the categories of personal data we process, the purposes and in relation to which Service we process them and the legal grounds on which our processing of your personal data is based, including how long your data is stored with us.

4.2 The provision of the Services
Below we list the Services we provide and the relevant personal data processing operations.

BankID

The purpose of the data processing is to maintain the Service and to be able to ensure that the right person has used the e-identification BankID for electronic identification or signature with providers of e-services such as companies, banks, organisations and authorities.

Categories of personal data:
The personal data we process relates to:

  • First name, last name and personal ID number,

  • The Bank that issued your BankID,

  • The e-service provider with which you have identified yourself or signed documents,

  • If applicable, depending on where you use your BankID, the name of the e-service provider may reveal so-called sensitive personal data about you, such as ethnic origin, political, religious or philosophical beliefs, trade union membership, or data concerning health or sexuality,

  • Technical information at issuance or use, such as time, IP address, type of BankID and type and version of mobile phone or computer,

  • Information on the ID document (type of ID document; Swedish passport or national ID card) and MRZ code where applicable,

  • Information on consenting to us sending notification messages to you via your mobile phone's notification function;

  • Geographic location information at the time you acquire or use your BankID, and

  • Where applicable, a note on obstacles to the issuance of new BankIDs based on your Swedish personal identity number.

Legal basis:
Processing is necessary to fulfil the contract for the provision of the Service between the Bank and you. For the bank in the BankID partnership that has entered into an agreement to connect to the BankID service with the party you choose to identify yourself or sign documents with, processing is necessary to establish, enforce or defend legal claims relating to the agreement.

Retention period:
The Bank retains data relating to the issue or blocking of a BankID for ten years after the expiry date of the BankID in order to establish, exercise or defend claims. What is saved is your name, Swedish Personal Identity Number, which bank you have acquired BankID from and some technical information about the issue such as IP address.

The Bank retains information about the use of BankID for five years after the transaction in order to fulfil its legal obligations under the law and the regulations for Swedish e-identification. What is retained is an indication of whose BankID was used, whether it was through identification or a signature, as well as the name of the e-service provider and certain technical information about the time of use, such as IP address.

Sharing of personal data:
We will share your personal data with our service providers, the bank that issued your BankID, the e-service provider and public authorities.

Get BankID online with a Swedish passport or national ID card
The purpose of the data processing is to give existing customers of the Bank the option of using the Online Identification Service under certain conditions instead of having to visit a bank branch. The service involves comparing the picture of you on the ID document with the recently taken comparison image of you and analysing this with the aid of the facial recognition feature. Note that the images will be compared using facial recognition technology, which means that the processing includes so-called biometric data. A further analysis (live-test) is carried out to confirm that the comparison image is of an actual living person. At the Bank’s request, we will also carry out manual sampling of the original image, the comparison image and the result of the online identification to verify and demonstrate that the technology works and gives a correct result.

Categories of personal data:
The personal data we process relates to:

  • First name, last name and personal ID number,

  • The Bank performing the online identification,

  • Technical information for the online identification, such as time, IP address, and version of mobile phone or computer,

  • Information on the ID document (type of ID document; Swedish passport or national ID card) and MRZ code, where applicable;

  • The validity of the ID document at the time,

  • Original photo (i.e. photo from the ID document),

  • Comparison photo (i.e. new photo of you),

  • The result of the online identification, and

  • Geographical location information at the time you perform the online identification.

Legal basis:
You have given your consent to the processing.
With regard to the manual sampling carried out, the processing is necessary to fulfil a legal obligation under PSD2 (EU 2015/2366) and supplementary regulation (EU 2018/289) that requires the Bank's method for strong customer authentication to be documented, regularly tested, evaluated and audited by independent auditors. In addition, the Compliance Framework for the Swedish eID quality mark also requires technical checks.

Retention period:
The Bank stores your personal identity number, information from the ID document including the original photo and the comparison photo in order to fulfil the Bank's legal obligations in terms of customer knowledge and to safeguard against legal claims. If the processing leads to the issue of a BankID, the personal data will be stored in accordance with what is stated above for the issue of a BankID.
In terms of the samples, the original photo, the comparison photo and the result of the online identification will only be stored for 72 hours.

Sharing of personal data:
It is only the Bank that issued your BankID that can access your personal data.

Digital ID card
The purpose of the data processing is to add a digital ID card to the BankID app and enable you to use a digital ID card to identify yourself to third parties instead of showing your physical ID document.

Categories of personal data:
The personal data we process relates to:

  • First name, last name, age, original photo and personal identity number,

  • Which e-service provider you have identified yourself with,

  • Technical information when using the digital ID card, such as time, IP address, and mobile phone version,

  • Information on the ID document when you activated the digital ID card (type of ID document; Swedish passport or national ID card) the validity period of the ID document and MRZ code if applicable, and

  • That the ID document is valid at the time.

Legal basis:
Processing is necessary to fulfil the contract for the provision of the Service between the Bank and you. For the bank in the BankID partnership that has entered into an agreement to connect to the BankID service with the party with which you choose to identify yourself, processing is necessary to establish, enforce or defend legal claims relating to the agreement.

Retention period:
We store the personal data for as long as you keep on using the Service, or as long as the original ID document is valid or as long as the current BankID is valid (whichever is shorter). You as a user can at any time choose to terminate the Digital ID Card Service or block your BankID through the settings in the BankID app.

Sharing of personal data:
It is only the Bank that issued your BankID that can access your personal data. If you use a digital ID card to identify another user via the BankID app, your personal data will be shared with that user.

4.3 Improving and maintaining the Services

Common to the Services and our websites
The purpose of the data processing is, on behalf of the Bank, to produce, for example, aggregated/anonymous information to improve the Services and our various websites that support or describe the Services, to make the Services and our websites more user-friendly by, for example, fixing bugs, producing invoicing data for the Bank, changing interfaces, etc. and other improvement measures. In order to improve the Services and understand how the BankID app is used, we also collect anonymised information relating to the use of the BankID app, for example, the language selection and which app features are being used. The information does not include personal details and cannot be linked to you. You have the option to refuse consent for this collection of data under Settings in the BankID app.

Categories of personal data:
The personal data we process relates to:

  • IP address, and

  • Other technical information generated when visiting our web pages, such as the type of technical device you used, browser, navigation on our pages and times of visits (browser information, the time zone from where you visited our website, other web traffic information).

Legal basis:
The processing is necessary for the Bank's and our legitimate interest in collecting data so that we can continuously maintain and improve the functionality, content and security of the Services and our websites. Statistics on the use of BankID are regularly published here.

The collection of information using cookies is based on your consent, with the exception of those uses that are strictly necessary to enable you to use our website appropriately. For more information on how we use cookies, refer to our cookie policy.

Retention period:
We store information about how users interact with the Services and our website for a maximum of six (6) months. In most cases, however, the personal data collected is transformed into aggregated data (anonymised) at an earlier stage in our statistical production.

Sharing of personal data:
We will only share anonymised and aggregated statistics with our service providers.

4.4 Preventing abuse and taking security measures

BankID blocking and unblocking registers
The purpose of the data processing is to, on behalf of the Banks, store and make available a register that the Banks control to prevent the issuance of the BankID in cases where the Bank itself or another Bank has decided that issuance can no longer take place for a particular user. This is in order to take security measures to prevent abuse or other unauthorised use of the Services. In connection with this, the BankIDs issued for the user can also be blocked from continued use. The banks' registers may only be used by the Banks for verification in connection with issuance and contain only the Swedish Personal Identity Numbers that the Banks shall refuse at any given time when issuing new BankIDs, together with the time when the personal identity number is automatically deleted from the register.

It is the Banks that have together decided which situations can form the basis for registering a personal identity number in the register (you can read more in the agreement between you and your Bank where the terms and conditions for use of the Services are stated). This can be done, for example, if a BankID has been used in violation of the Terms of Use of the Services, such as in case of suspicion of fraud, attempted unlawful use of another's BankID, unlawful identity management or other criminal act.

Categories of personal data:
The personal data we process relates to:

  • If applicable, a note on the blocking of the issuance of BankID based on your personal identification number and the date on which the blocking is automatically lifted; or

  • If applicable, information on which BankID has been blocked and the date of the blocking.

Legal basis:
The processing is necessary for the legitimate interests of the Banks to prevent improper use of the Services and thus to maintain the security and reliability of the Services. The Banks are jointly responsible for the management of the register and have coordinated procedures to ensure that this is done correctly in accordance with current personal data legislation, regardless of which Bank you are a customer of. Please note that the register is managed by the Banks with the support of special authorisation from the Swedish Authority for Privacy Protection. If you have questions about a bank's decision to prevent you from using the Services, you should contact your bank.

Retention period:
We retain the personal data related to the blocking until the blocking ends. Information that a BankID has been blocked is retained for ten years from the point that the BankID was issued.

Sharing of personal data:
We will share your personal data with banks and authorities.

Reinforcement measure for certain new releases of the BankID or for certain uses of the BankID
The purpose of the data processing is to carry out an additional reinforcement measure for certain new issues of the BankID or for certain uses, identifications or signatures, in order to prevent abuse or other unauthorised use of the Services. In the event of a reinforcement measure, you will therefore be asked to photograph and swipe your Swedish passport or national ID card issued by the police. We will process and read the MRZ code on the ID document in order to ensure that we issue the BankID to the right person or that the BankID is used by the right person.

Categories of personal data:
The personal data we process relates to:

  • Personal identity number,

  • Information on ID document (type of ID document; Swedish passport or national ID card) and MRZ code if applicable, and

  • That the ID document is valid at the time.

Legal basis:
The processing is necessary for the Bank's and our legitimate interest in preventing abuse or other unauthorised use of the Services.

Retention period:
The Bank retains personal data in relation to the issuance of a BankID for ten years from the expiry date of the BankID in order to establish, exercise or defend claims. The Bank retains personal data in relation to transactions for five years from the transaction in order to fulfil its legal obligations under law and the regulations for Swedish e-identification.

Sharing of personal data:
We will share your personal data with the e-service providers that requested the reinforcement, the bank that issued your BankID and public authorities.

Transaction monitoring
The purpose of the data processing is to analyse your user behaviour to prevent the Services from being misused or otherwise used in an unlawful manner, such as to protect you from unlawful identity management or ID theft. Furthermore, data based on your historical use of the Services is also processed for the purpose of prevention or investigation of criminal offences. In the event of an indication of unauthorised use or other unauthorised use of the Services, the continued use of the Services may be prevented by denying the issuance of a BankID based on automated decision-making in the central system used for the issuance of BankIDs and which we provide on behalf of and at the instruction of the Bank.

Categories of personal data:
The personal data we process relates to:

  • The personal data processed under section 4.2,

  • Information on how you use our Services.

Legal basis:
The processing is necessary for the Bank's and our legitimate interest to prevent misuse and other unauthorised use of the Services, to maintain the security and reliability of the Services in accordance with the agreement between you and the Bank and to defend legal claims or fulfil the Bank's legal obligations under the Act (2017:630) on measures against money laundering and terrorist financing.

Retention period:
We store the personal data in accordance with section 4.2.

Sharing of personal data:
We will only share your personal data with the bank that issued your BankID and public authorities.

4.5 Maintenance of the register
The purpose of the data processing is to perform such register management as described in paragraph 1.5. The purpose of register management is to block and prevent the use of the BankID in the event that the BankID has been issued to persons who have been removed from the population register, most frequently because the person has died. This processing takes place every time your information in the population register changes.

Categories of personal data:
The personal data we process relates to information provided by the Swedish state personal address register (SPAR), which consists of:

  • Name;

  • Personal identity number; and

  • Address.

Legal basis:
The processing is necessary for our legitimate interest in preventing the Services from being used in the name of such users.

Retention period:
As soon as we have performed the described register maintenance, all personal data is deleted, which in practice means that your personal data is processed for this purpose for a very limited period.

Sharing of personal data:
We will not share your personal data with any third parties.

5. How your data is shared

Access to your personal data is limited to the categories of recipients that have been identified in section 4. Below you will find more information on the recipients with whom we share the data.

(a) Service providers. The Bank may use third parties to manage one or more aspects of its business, including the processing of personal data. For this purpose, the Bank has engaged us to provide the Service to you and the Bank's other customers. We also use third parties for the same purposes. Your personal data will therefore be shared with these third parties when they manage the technical or application use of the Services. When the Bank or we use service providers within the framework of the Services, the Bank and/or we establish personal data processing agreements and perform other appropriate measures to ensure that your personal data is processed in a manner consistent with this Privacy Policy.

(b) To another bank in the BankID partnership. The Bank may share information with other Banks in the BankID partnership. The data is shared because it is necessary for the fulfilment of the legitimate interest of the Banks in the BankID partnership to avoid misuse of your BankID and for banks to be able to take security measures in relation to the Services, defend legal claims or exercise their rights. In addition, when the Bank shares your data for this purpose, the other banks in the BankID partnership are jointly responsible for the data with the Bank. However, even if you have the right to exercise your rights under applicable law against each of the controllers, the Bank remains primarily responsible for fulfilling the obligations relating to you and your exercise of your rights under applicable personal data legislation.

(c) Partners. We cooperate with external parties to improve our services and operations, such as advisers. These parties process personal data either as data controllers according to their own terms and conditions and guidelines for processing personal data, or as our data processors according to our instructions for the processing. In the latter case, we establish data processing agreements and take other appropriate measures to ensure that your personal data is processed in a manner consistent with this Privacy Policy.

(d) E-service providers. When you use your BankID in an e-service, your personal data is shared with the e-service provider with whom you use the Services, i.e. the party with whom you identify yourself or sign documents. Your data is shared because it is necessary for the Bank to fulfil its agreement with you. E-service providers process personal data as data controllers according to their own terms and conditions and guidelines for processing personal data.

(e) The Bank and we will share your personal data in cases where the Bank or we are obliged to do so, for example by law or other statute or by a court or government decision.

6. How your data is protected

6.1 Your personal data is stored on systems that are only available to the Bank, our employees and the service providers who need the data for the performance of their duties. In order to protect your personal data against unauthorised access, disclosure and misuse, appropriate safeguards are taken and security standards are maintained. Systems where personal data is processed are located on secure servers with limited access and all communication is done with secure encryption. Furthermore, technical tools such as firewalls and monitoring tools are used and all personnel who may come into contact with your personal data are trained in the importance of maintaining security and confidentiality in relation to the personal data being processed.

6.2 Each time personal data is handed over to the e-service provider with whom you choose to use your BankID, the transfer of the personal data is encrypted using a technology called SSL and is made only to a securely identified e-service provider with a valid agreement to use the Services in its operations.

6.3 By logging in to your internet bank, you can access and view information about the BankID(s) issued to you and this information is presented via an encrypted connection with your browser, so-called https technology, so that no unauthorised persons can access the data.

7. Your rights

7.1.1 You have a number of rights regarding the processing of your personal data that you can assert against the Bank or us. These rights are described in this section. To exercise these rights, you must contact the Bank, with the exception of the processing operations for which Finansiell ID-Teknik BID AB is the data controller. In essence, we are a data processor in relation to the Bank and you should almost always contact the Bank regarding the processing of your personal data.

7.1.2 You have the right to receive information about which of your personal data is processed, regardless of how it was collected. You can do this, for example, by contacting the Bank. You can also use the Bank's self-service, either by logging in to your online bank to see which BankIDs have been issued with your personal identity number, or by selecting "My history" in your BankID security programme to see all your usage history, regardless of the phone or computer from which it was issued.

7.1.3 You can always have any inaccurate data rectified immediately by contacting the Bank or us. You also have the right to complete incomplete data. The easiest way to do this is by contacting the Bank or by blocking your BankID via your online bank and then obtaining a new BankID with the right personal data. If the name data in a BankID is no longer relevant, a new BankID must always be issued and the old outdated BankID must be blocked.

7.1.4 In certain cases, you have the right to request the immediate erasure of your personal data:

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

  • The personal data processing is based on your consent and you withdraw your consent to the processing in question;

  • You object to processing being carried out on the basis of a balance of interests and your objection outweighs the Bank's, our or another party's legitimate interest in the processing;

  • The personal data has been processed unlawfully;

  • The personal data must be erased to fulfil a legal obligation.

However, please note that your data may continue to be processed to the extent that the Bank or we have a legal basis to process your personal data, if for example it is necessary for the fulfilment of a contract with you or a legal obligation.

7.1.5 You have the right to request that the processing of your personal data be restricted if:

  • You contest the accuracy of the personal data, for a period of time that allows the Bank or us to verify whether the data is accurate or not;

  • The processing is unlawful and you oppose the erasure of your personal data and instead request the restriction of its use;

  • The Bank or we no longer need to process the data for the purposes for which it was collected, while you need the data to establish, exercise or defend legal claims;

  • You have objected to the processing carried out on the basis of a balance of interests and are awaiting verification of whether your objection outweighs the legitimate interest of the Bank, us or another party in continuing the processing.

However, please note that your data may continue to be processed to the extent that the Bank or we have a legal basis to process your personal data, if for example it is necessary for the fulfilment of a contract with you or a legal obligation.

7.1.6 You have the right at any time to object to the Bank's or our processing of your personal data if the processing is based on a balance of interests, that is, the Bank or we have a legitimate interest in processing your personal data. If you object, your personal data cannot be processed unless the Bank or we can demonstrate compelling legitimate grounds that outweigh your interest.

7.1.7 If the processing of your personal data is carried out on the basis of an agreement with you or on the basis of your consent, you have the right to have the personal data that you have provided to us and that concerns you disclosed to you in an electronic format. You have the right to have the data in question transferred from us directly to another controller, where this is technically feasible. Please note that this right to "data portability" does not apply to data processed manually.

7.1.8 If the processing of your personal data is based on your consent, you always have the right to withdraw your consent at any time. Withdrawal of your consent does not affect the lawfulness of the processing based on the consent prior to it being withdrawn.

7.1.9 You have the right to block your BankID with the Bank at any time or through the settings feature in your BankID client. You can block your BankID via your online bank so that it can no longer be used.

7.1.10 If you believe that the Bank or we are not processing your data in accordance with applicable personal data legislation, you have the option of complaining to the Swedish Data Protection Authority, whose contact details can be found at www.imy.se.

8. Data transfer

8.1 Both the Bank and we store and process your data only within the EU/EEA and do not transfer it to any country outside the EU/EEA. However, the e-service provider against which you use your BankID can operate outside the EU/EEA. We therefore encourage you to always read the privacy policy of the provider of the e-service you intend to use.

9. Changes

9.1 We may change this Privacy Policy from time to time. If we change the Privacy Policy, the new version will apply from the time we publish it on our website, www.bankid.com. You can see when we last made updates at the top of this Privacy Policy.