Privacy policy, BankID
Version 1.7, 18-09-2025
General
BankID is an e-identification and signature service (“BankID”) issued by one of the banks involved in the BankID partnership and it is, as a general rule, the bank (the “Bank”) that issued your BankID that, alone or jointly with the other banks in the BankID partnership, is the data controller for your personal data. Finansiell ID-Teknik BID AB ("we" or "our") is a personal data processor to the Bank regarding the processing of your personal data within the framework of BankID. We also provide other services within the framework of the BankID partnership, such as digital ID card. We exclusively process your personal data on behalf of the Bank and in accordance with the Bank's instructions, with the exception of the processing we carry out as a data controller which is further described below in the section "Our processing as a data controller".
We protect your privacy and strive to always protect your personal data in the best possible way. This privacy policy (the "Privacy Policy") describes what kind of information about you is processed, how we receive it, how it is used, how it is shared and what measures have been taken to protect your personal data. We also describe your rights regarding your personal data.
When you use BankID, a number of parties may be involved, such as the Bank or the party providing the e-service you choose to use your BankID with. We therefore recommend that you also read other parties' privacy policies that you may be affected by when you use BankID, such as the Bank and the party providing the e-service, for example, companies, banks, authorities or other organisations with which you choose to use your BankID.
For information about how we process personal data as a data controller for our other operations, see our privacy policy for our organization.
Who we are
Finansiell ID-Teknik BID AB was founded in 2002 and is a technology company that owns, manages and further develops BankID. We are jointly owned by Danske Bank, Handelsbanken, Länsförsäkringar Bank, SEB, Skandiabanken and Swedbank. Our customers are most of the large Swedish banks, which in turn sell and transfer BankID to authorities, companies, organisations and private individuals. Find banks issuing BankID.
Finansiell ID-Teknik BID AB has the following Corporate Identification Number and contact details:
CIN 556630-4928
+46 (0) 8 411 81 50
Email: produktinfo@bankid.com
Kungsgatan 33, 111 56 Stockholm.
If you have questions about how your personal data is collected, used, protected and shared or if you wish to exercise your rights under Your rights, then you are welcome to contact the Bank or our Data Protection Officer. You can reach the Data Protection Officer at:
Phone: +46 8 411 81 50
Email: dpo@bankid.com
How your personal data is gathered
The Bank carries out a thorough physical identification of you and records your data when you become a customer of the Bank and checks this information against the population register. On behalf of the Bank, we process personal data that you have provided to the Bank or that we collect when you use BankID. For example, when issuing your BankID, it is the Bank that transfers your personal data to us so that your BankID can be created.
We also receive updates from the Swedish National Personal Address Register (SPAR) with information about changes in the population register in order to be able to carry out the register maintenance described in the section “Register maintenance”.
How your personal data is processed
We only process your personal data if the processing is authorised under applicable data protection legislation. This means, among other things, that we must have support for the purposes of the processing in the form of what is known as a legal basis. For more information about legal bases for personal data processing, visit IMY's list of legal bases under GDPR.
Below we describe in more detail the categories of personal data we process, the purposes and in relation to which service we process them and the legal grounds on which our processing of your personal data is based, including how long your data is saved with us and who we share it with.
These categories of personal data should be understood as follows:
Categories | Examples, personal data |
---|---|
Essential data | Name, age and personal identity number. |
Usage information | Identifications and signatures performed for e-service providers, which e-service provider you have identified yourself to or signed documents with. If applicable, depending on which e-service provider you use BankID with, we may disclose so-called sensitive personal data about you, for example, ethnic origin, political, religious or philosophical beliefs, trade union membership, or data concerning health or sexuality. |
Device information | Technical information generated upon issuance or use, such as time of use, IP address, logs, model of mobile phone or computer, operating system, version of BankID security software and type of BankID, which can be Mobile BankID, BankID on card or BankID on file for computer. |
Facial recognition data | Original photo (photo from the ID document), a comparison photo (newly taken photo of you) and the result of the match. |
ID card data | Information about the ID document (type of ID document; passport or national ID card) and MRZ code where applicable, that the ID document is currently valid and the original photo (photo from the ID document). |
Geographic location information | If you choose to share your location information within the BankID app, we also process data about geographic location at the time you get or use your BankID. |
Biometric data | Information that biometric processing has been carried out according to the sections “Extra control with facial recognition” or “Identification using facial recognition”. |
Data on reinforcement measures | Information that a reinforcement measure has been taken according to the sections "Verification of ID document" or "Extra control with facial recognition". |
P.I.N blocking data | Note on the blocking of the issuance of BankID based on your personal identification number and the date on which the blocking is automatically lifted. |
BankID blocking data | Information on which BankID has been blocked, the time of the block and the reason for the block. |
List of personal data processing
Use and issuance of BankID
Your personal data is processed so that the Bank can provide you with BankID and ensure that only you use your BankID for electronic identification or signature with e-service providers. Note that we do not receive any information about the purpose of the identification or the signature or what is being signed.
Specification | |
---|---|
Purpose of the data processing | Providing BankID |
Categories of personal data | Essential data, Usage data, Device information, Biometric data, and Geographic location information. |
Legal basis | Processing is necessary to fulfil the contract for the provision of BankID between the Bank and you. Furthermore, the Bank must be able to establish, assert or defend legal claims in relation to the party you choose to use your BankID with. |
Retention period | Essential data is saved for 11 years, |
Digital ID card
Your personal data is processed to activate the digital ID card in the BankID app and enable you to use the digital ID card to identify yourself as an alternative to showing your physical ID document. If you consent to the reinforcement measure set out in the section “Identification with facial recognition” below, your personal data relating to your physical ID document will also be processed for reinforcement with facial recognition.
See also more information under the section "Scanning a digital ID card" regarding personal data processing when scanning a digital ID card using a BankID app without an active BankID.
Specification | |
---|---|
Purpose of the data processing | Providing a digital ID card |
Categories of personal data | Essential data, Device information, and ID card data. |
Legal basis | Processing is necessary to fulfil the contract for the provision of BankID between the Bank and you. Furthermore, the Bank must be able to establish, assert or defend legal claims in relation to the party you choose to use your BankID with. |
Retention period | Essential data is saved for 11 years, |
Reinforcement measures
Verification of ID document
Your personal data is processed in order to carry out a reinforcement measure for certain new issuances of BankID or for a specific usage, identification or signature, in order to prevent misuse or other unauthorised use of BankID. In the event this reinforcement measure is carried out, you will be asked to photograph and tap your Swedish passport or national ID card issued by the police.
Specification | |
---|---|
Purpose of the data processing | Preventing unauthorised use of your BankID |
Categories of personal data | Essential data, Usage data, Device information, ID card data, and Geographic location information. |
Legal basis | The processing is necessary for the Bank's legitimate interest in preventing misuse and other unauthorised use of BankID. |
Retention period | Essential data is saved for 11 years, Information about reinforcement measures is saved for 11 years, ID card data is saved for 6 years, and |
Extra control with facial recognition
Your personal data is processed so that you can activate and use extra control with facial recognition, which is a reinforcement measure when you renew your BankID, get a new BankID or use your BankID. The purpose of extra control with facial recognition is to prevent unauthorised use of your BankID.
Extra control with facial recognition involves biometric processing of your personal data and consists of a real-time match of a recently taken comparison photo of you with an original photo from your ID document. The feature therefore involves personal data processing and this requires your consent. Consenting to and using extra control with facial recognition is voluntary and as an alternative, you always have the option to get and use BankID in the same way you did before. More information about how to do this is available on the Bank's website.
At the Bank’s request, we will also carry out manual sampling of the original photo, the comparison photo and the result of the facial recognition to verify and demonstrate that the technology works and gives a correct result.
If you already have a digital ID card in the BankID app, we will obtain the original photo from your digital ID card for processing during Extra control with facial recognition. Otherwise, we will use the original photo from the passport or national ID card you choose to scan.
Specification | |
---|---|
Purpose of the data processing | Preventing unauthorised use of your BankID; Providing the reinforcement feature |
Categories of personal data | Essential data, Facial recognition data, and ID card data. |
Legal basis | You have given your consent to the processing. Regarding the manual sampling that is carried out, the processing is necessary to fulfil a legal obligation under PSD2 (EU 2015/2366) and supplementary regulation (EU 2018/289). |
Retention period | Essential data is saved for 11 years, Information about reinforcement measures is saved for 11 years, Data that a biometric measure has been performed is saved for 6 years, The comparison photo is only stored for 72 hours (to enable manual sampling) |
Identification using facial recognition
Your personal data is processed so that the Bank can perform secure online identification of you remotely instead of physical identification on site and with the aim of preventing unauthorised issuance of BankID.
Identification using facial recognition involves biometric processing of your personal data and consists of a real-time match of a recently taken comparison photo of you with an original photo from your ID document. The feature therefore involves personal data processing and this requires your consent. The consent only applies to this online identification, which means that you will need to consent again the next time you want to identify yourself online.
Consenting to and using online identification is completely voluntary, and you always have the option of getting BankID the same way you did before. More information about how to do this is available on the Bank's website.
At the Bank’s request, we will also carry out manual sampling of the original photo, the comparison photo and the result of the online identification to verify and demonstrate that the technology works and gives a correct result.
Specification | |
---|---|
Purpose of the data processing | Preventing unauthorised issuance of BankID |
Categories of personal data | Essential data, Facial recognition data, Device information, ID card data, and Geographic location information. |
Legal basis | You have given your consent to the processing. Regarding the manual sampling that is carried out, the processing is necessary to fulfil a legal obligation under PSD2 (EU 2015/2366) and supplementary regulation (EU 2018/289). |
Retention period | Essential data is saved for 11 years, Device information is saved for 11 years, Data that a biometric measure has been performed is saved for 6 years, Facial recognition data and ID card data are only saved for the time required to perform the online identification process itself. The original photo and comparison photo are only stored for 72 hours. The purpose is to enable manual sampling. |
Support cases
Your personal data is processed when you seek support for your BankID. The purpose of the processing is to help you with technical problems and to support you if you have any questions about functionality or other matters relating to the use of BankID and related services. Please note that it is primarily the Bank that will provide you with support in relation to your BankID.
Specification | |
---|---|
Purpose of the data processing | Providing support |
Categories of personal data | Information that you yourself provide in your support case. |
Legal basis | Processing is necessary to fulfil the contract for the provision of the BankID between the Bank and you. In the absence of a support agreement, the processing is necessary for the Bank's legitimate interest in providing support to you. |
Retention period | Information that you provide in your support case is saved for 1 year after the case is closed, unless storage is no longer required by law or to establish, assert or defend legal claims. |
Improving and maintaining the services
Your personal data is processed to produce aggregated/anonymous information to improve BankID and related services, make these services more user-friendly and secure, for example, by fixing bugs, producing billing information for the Bank, statistics, changing interfaces and other improvement measures.
Specification | |
---|---|
Purpose of the data processing | Improvement, maintenance and development of the Services |
Categories of personal data | Usage information, and Device information. |
Legal basis | The processing is necessary for the Bank's and our legitimate interest in collecting data so that we can continuously maintain and improve the functionality, content and security of the Services. |
Retention period | Your personal data is saved for 6 months. In most cases, however, the personal data collected is transformed into aggregated data (anonymised) at an earlier stage in connection with our statistical analysis. |
Blocking BankID
Your personal data is processed when you choose to block your BankID or when the Bank blocks your BankID. The banks have jointly decided which situations may be the basis for a Bank to block a BankID. This can be done, for example, if a BankID has been used in violation of the Terms of Use, such as in case of suspected fraud, attempted unlawful use of another person's BankID, unlawful identity management or other criminal act. You can read more in the agreement between you and your Bank where the terms and conditions for using BankID are stated. When a BankID is blocked, all issued BankID are automatically blocked. See more about blocking in the section "Register for blocking BankID".
Specification | |
---|---|
Purpose of the data processing | Preventing unauthorised use of BankID |
Categories of personal data | Essential data, and BankID blocking data |
Legal basis | The processing is necessary for the legitimate interests of the Banks in preventing improper use of BankID and thus to maintain the security and reliability of BankID. |
Retention period | Your personal data is saved for 11 years. |
Register for blocking BankID
Your personal data is processed to enable the creation of a register controlled by the Banks to prevent the issuance of BankID in cases where the Bank itself or another Bank has decided that issuance can no longer take place for a particular user. This is done for the purpose of taking security measures to prevent misuse or other use of BankID in violation of the Terms of Use between you and the Bank. In connection with this, the BankID issued for the user can also be blocked from continued use. The Banks' registers may only be used by the Banks for verification in connection with issuance and contain only the Swedish Personal Identity Numbers that the Banks will refuse at any given time when issuing new BankID, together with the time when the personal identity number is automatically deleted from the register.
It is the Banks who have jointly decided which situations can form the basis for entering a personal identification number in the register. For example, this can happen if a BankID has been used in violation of the Terms of Use, such as in the event of suspicion of fraud, attempted unauthorised use of another person's BankID, unauthorised identity management or other criminal act. You can read more in the agreement between you and your Bank where the terms and conditions for using BankID are stated.
The Banks are the joint data controller for the management of the register and have coordinated procedures in place to ensure that this happens correctly according to current personal data legislation, regardless of which Bank you are a customer of. Please note that the register is managed by the Banks on the basis of a special permit from the Swedish Data Protection Authority. If you have any questions about a Bank's decision to prevent you from using BankID, you should contact the Bank that made the blocking decision. No Bank other than the one that has made the blocking decision can handle these issues.
Specification | |
---|---|
Purpose of the data processing | Preventing misuse or other unauthorised use of BankID |
Categories of personal data | P.I.N blocking data |
Legal basis | The processing is necessary for the Banks' legitimate interests in preventing use of BankID in violation of the Terms of Use and in order to thereby maintain the security and reliability of BankID. |
Retention period | P.I.N blocking data is saved for 1 year after the block expires. |
Transaction monitoring
Your personal data is processed to enable analysis of data about your user behaviour to prevent BankID from being misused or used in an unauthorised manner, for example to protect you against identity fraud or ID theft. Furthermore, data based on your historical use of the BankID is also processed for the purpose of prevention or investigation of criminal offences. The Bank may use the information we share to block or suspend your continued use of BankID.
Specification | |
---|---|
Purpose of the data processing | Preventing misuse or other unauthorised use of BankID |
Categories of personal data | Essential data, Usage data, Device information, Data on the reinforcement measure, and Geographic location information. |
Legal basis | The processing is necessary for the Bank's legitimate interest in preventing misuse and other unauthorised use of the BankID, maintaining the security and reliability of BankID in accordance with the agreement between you and the Bank and defending legal claims or fulfilling the Bank's legal obligations under the Swedish Act (2017:630) on measures against money laundering and terrorist financing. |
Retention period | Your personal data is saved for 6 years. |
Automated decision-making when issuing BankID
We use so-called automated decision-making to support the Bank when issuing BankID. This means that the issuance of BankID can be denied based on automated decision-making in the central system used for issuing BankID and which we provide on behalf of, and under the instructions of, the Bank.
Please contact the Bank for more information on, or to exercise your rights regarding, automated decision-making.
Our processing as data controller
Maintenance of the register
Your personal data is processed in order to maintain the register consisting of issued BankID. The processing is carried out for security purposes and means that we carry out regular checks of all changes to the State Personal Address Register (SPAR) in order to block issued BankID for deceased users or other users who have been removed from the population register, in order to prevent BankID from being used in the name of such a user. This processing takes place every time your data in the population register is changed.
Specification | |
---|---|
Purpose of the data processing | Carrying out maintenance of the register; Ensuring safety |
Categories of personal data | Essential personal data. |
Legal basis | The processing is necessary for our legitimate interest in preventing BankID from being used in another user’s name. |
Retention period | All personal data is deleted after the register maintenance has been carried out, which means that your personal data is processed for a very limited period. |
When scanning a digital ID card
Your personal data is processed to facilitate your use of a digital ID card in the section "Digital ID card" and to enable identification with third parties as an alternative to showing your physical ID document when third parties do not have an active BankID on the same phone.
Specification | |
---|---|
Purpose of the data processing | Providing digital ID card functionality |
Categories of personal data | Essential personal data, and ID card data. |
Legal basis | The processing is necessary to fulfil the agreement on the provision of the BankID app entered into between Finansiell ID-Teknik BID AB and you. |
Retention period | The personal data is processed and saved only as long as the scan view is active. |
Recipients of personal data
Below you will find information on which recipients we share your personal data with.
(a) Service providers. The Bank may use third parties to manage one or more aspects of its business, including the processing of personal data. For this purpose, the Bank has engaged us to provide BankID to you and the Bank's other customers. We also use third parties for the same purposes. We share all your data with our operations provider. Furthermore, we share the information that you provide in your support case with our support provider. When we or the Bank use service providers within the framework of BankID, we and/or the Bank establish data processing agreements and perform other appropriate measures to ensure that your personal data is processed in a manner consistent with this Privacy Policy.
(b) Another bank in the BankID partnership. The Bank shares P.I.N blocking data with other banks in the partnership within the framework of maintaining a blocking register. The data is shared because it is necessary for the fulfilment of the legitimate interest of the Banks in the partnership in avoiding misuse of your BankID and to enable banks to take security measures in relation to BankID, defend legal claims or exercise their rights.
(c) E-service providers. When you use your BankID in an e-service, your personal data is shared with the e-service provider with whom you use BankID, i.e. the party with whom you identify yourself or sign documents. The personal data shared is as follows: Essential data, Device information, Biometric data and Data on reinforcement measures. Your data is shared because it is necessary for the Bank to fulfil its agreement with you. E-service providers process personal data as data controllers according to their own terms and conditions and guidelines for processing personal data.
(d) Authorities and other parties. The Bank and we will share your personal data in cases where the Bank or we are obliged to do so, for example, by law or other statute or court or government decision.
How your data is protected
Your personal data is stored on systems that are only available to the Bank, our employees and the service providers who need the data for the performance of their services. In order to protect your personal data against unauthorised access, disclosure and misuse, appropriate safeguards are taken and security standards are maintained. Systems where personal data are processed are located on secure servers with limited access and all communication is protected through encryption. Furthermore, technical tools such as firewalls and monitoring tools are used and all personnel who may come into contact with your personal data are trained in the importance of maintaining security and confidentiality in relation to the personal data being processed.
Each time personal data is handed over to the e-service provider with whom you choose to use your BankID, the personal data is encrypted and only transferred to a securely identified e-service provider with a valid agreement to use BankID in its operations.
By logging in to your Bank online, you can access and view information about the BankID that have been issued to you. You can access your usage history yourself under “My history” in the BankID Security Application or the BankID app and this data is presented to you via an encrypted connection, so that no unauthorised person can access the data.
Your rights
You have a number of rights regarding the processing of your personal data that you can assert against the Bank or us. These rights are described in this section. To exercise these rights, you must contact the Bank, with the exception of the processing operations for which Finansiell ID-Teknik BID AB is the data controller. In essence, we are a data processor in relation to the Bank and you should almost always contact the Bank regarding the processing of your personal data.
You have the right to receive information about which of your personal data is processed, regardless of how it was collected. You can do this, for example, by contacting the Bank. You can also use the Bank's self-service function, either by logging in to your online bank to see which BankID have been issued with your personal identity number, or by selecting "My history" in your BankID app or BankID Security Application to see all your usage history, regardless of the phone or computer from which it was issued.
You can always have any inaccurate data rectified immediately by contacting the Bank or us. You also have the right to complete incomplete data. The easiest way to do this is by contacting the Bank or by blocking your BankID via your Bank online and then getting a new BankID with the right personal data. If the name data in a BankID is no longer current, a new BankID must always be issued and the old outdated BankID must be blocked.
In certain cases, you have the right to request the immediate erasure of your personal data:
The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
The personal data processing is based on your consent and you withdraw your consent to the processing in question;
You object to processing being carried out on the basis of a balance of interests and your objection outweighs the Bank's, our or another party's legitimate interest in the processing;
The personal data has been processed unlawfully;
The personal data must be erased to fulfil a legal obligation.
However, please note that your data may continue to be processed to the extent that we or the Bank have a legal basis to process your personal data, for example, if it is necessary for the fulfilment of a contract with you or a legal obligation.
You have the right to request that the processing of your personal data be restricted if:
You contest the accuracy of the personal data, for a period of time that allows the Bank or us to verify whether the data is accurate or not;
The processing is unlawful and you oppose the erasure of your personal data and instead request the restriction of its use;
We or the Bank no longer need to process the data for the purposes for which it was collected, while you need the data to establish, exercise or defend legal claims;
You have objected to the processing carried out on the basis of a balance of interests and are awaiting verification of whether your objection outweighs the legitimate interest of the Bank, us or another party in continuing the processing.
However, please note that your data may continue to be processed to the extent that we or the Bank have a legal basis to process your personal data, for example, if it is necessary for the fulfilment of a contract with you or a legal obligation.
You have the right at any time to object to the Bank's or our processing of your personal data if the processing is based on a balance of interests, i.e. we or the Bank have a legitimate interest in processing your personal data. If you object, your personal data cannot be processed unless we or the Bank can demonstrate compelling legitimate grounds that outweigh your interest.
If the processing of your personal data is carried out on the basis of an agreement between the Bank and you, or on the basis of your consent, you have the right to have the personal data that you have provided to the Bank and that concerns you disclosed to you in an electronic format. You have the right to have the data in question transferred from the Bank directly to another data controller, where this is technically feasible. Please note that this right to "data portability" does not apply to data processed manually.
If the processing of your personal data is based on your consent, you always have the right to withdraw your consent at any time. Withdrawal of your consent does not affect the lawfulness of the processing based on the consent prior to it being withdrawn.
You have the right to block your BankID with the Bank at any time or through the settings feature in your BankID client. You can block your BankID via your online bank so that it can no longer be used.
If you believe that we or the Bank are not processing your data in accordance with applicable personal data legislation, you have the option of complaining to the Swedish Data Protection Authority, whose contact details can be found at IMY's website.
Data transfer
Both the Bank and we store and process your data only within the EU/EEA and do not transfer it to any country outside the EU/EEA. However, the e-service provider with which you use your BankID may operate outside the EU/EEA. We therefore encourage you to always read the privacy policy of the provider of the e-service you intend to use.
Changes
We may change this Privacy Policy from time to time. If we change the Privacy Policy, the new version will apply from the time we publish it on this page. You can see when we last made updates at the top of the page.