Privacy policy BankID

Version 1.1 2018-05-17

  1. General
    1. BankID is an electronic identification and electronic signature service provider (“BankID” or “the Services”) which makes it possible for companies, banks, organizations and authorities to both identify and enter into agreement with private persons via the Internet. BankID is an electronic ID document comparable to a passport, driver’s license or other physical identification document.
    2. BankID is issued by any of the banks participating in the BankID-network, primarily the bank that issued your BankID (“the Bank”) which is responsible for your personal data. Finansiell ID-Teknik BID AB (“we” or “our”) is a Data Information Processor for the Bank for processing of your personal data within the framework of our Services. We own, maintain and develop the Services and supply the Services to the Bank. We only process your personal data at the request of the Bank and in accordance with the Bank’s instructions, with the exception of the process outlined in paragraph 1.5.
    3. We safeguard your privacy and strive always to protect your personal data to the best of our ability. This privacy policy (the “privacy policy”) describes the type of data about you processed within the framework of the Services; how we receive it, how it is used, how it is shared, and the measures taken to protect your personal data. We also describe the rights you hold regarding your personal data.
    4. When you use the Service a number of parties may be involved including the Bank or the party offering the e-service for which you choose to use your BankID. This privacy policy relates only to the process we carry out in our role as Data Information Processor (or Personal Data Controller according to paragraph 1.5) and describes the actual use of the BankID service. We therefore recommend that you also read the privacy policies of the other parties that may be involved in your use of BankID, for example the Bank and the party that offers the e-service for which you choose to use your BankID.
    5. We maintain the register of issued BankIDs, at the request of the Bank. We act as Personal Data Controller for this purpose only. This processing is undertaken in the interests of security and means we can block or blacklist deceased users who can no longer use the Services, and also to avoid anyone using the Services in such a person’s name. This activity is described further in paragraph 4.4.
  2. Who we are
    1. Finansiell ID-Teknik BID AB started in 2002 and is a technology company that owns, maintains and further develops BankID. We are owned by Danske Bank, Handelsbanken, Ikano Bank, Länsförsäkringar Bank, SEB, Skandiabanken and Swedbank. Our customers are the majority of Sweden’s main banks, which in turn sell and convey BankID to authorities, companies, organisations and private persons. All banks who offer BankID are listed at https://www.bankid.com/kontakt/utfaerdare.
    2. Finansiell ID-Teknik BID AB has the following company number and contact details:
      org. nr 556630-4928
      +46 8 441 81 50
      produktinfo@bankid.com
      Kungsgatan 33, 111 56 Stockholm.
    3. If you have questions about how your personal data can be gathered, used, protected and shared or if you want to exercise your rights according to paragraph 8, you are welcome to contact the Bank or our data protection officer. You can reach the data protection officer at:
      +46 8 441 81 50
      dpo@bankid.com
  3. Gathering personal data
    1. Types of personal data processed
      At the request of the Bank we process the following personal data which you have given to the Bank or which we collect when you use the Services. The personal data processed consists of your
      1. First name, Last name and personal identification number;
      2. The bank which issued your BankID;
      3. The supplier of the e-service you have identified yourself with or signed a document with;
      4. Technical data relating to publication or use, such as time, IP address, type of BankID and make and version of mobile phone or computer;
      5. Information that enables us to send notification messages to you via your mobile phone’s notification function;
      6. Geographic location at the time you get your BankID and at the time you use your BankID.
    2. How your data is gathered
      1. The Bank undertakes detailed physical identification of you and registers your data when you become a customer of the bank, and checks this data with the people’s register. When your bank issues your BankID the bank transfers your personal data to us so that your BankID can be created.
      2. We also receive updates from the Swedish Population Register (SPAR) with data about changes in the population in order to carry out the register maintenance described in paragraph 4.4.
  4. Purpose for data handling
    We process your data at the request of the Bank for the purpose described as follows in this paragraph 4. Your data will not be used in a manner that is not in keeping with the purpose for which the data was gathered. Note that specific data can be used even if you have not given your consent, if the data is needed to carry out the Services or if the Bank’s legal interest in using your data carries greater weight than your own.
    1. Supply of Services
      1. You can choose to use BankID for electronic identification or signature with most suppliers of e-services such as companies, banks, organizations and authorities. Your personal data can be used to guarantee that the right person used the e-identification BankID for such a supplier of e-services and the supplier can learn your personal data in the form of name, identification number and the name of your bank. This handling is done to complete the agreement about the supply of the Services between the Bank and yourself.
      2. When you use BankID the name of the supplier of the e-service you are identifying yourself with, or electronically signing with, is also processed. The name of the supplier of the e-service saved is the name shown to you in the BankID app. No data about why you have identified yourself or signed is saved. Depending on where you choose to use your BankID, your name can therefore reveal so-called sensitive data about you, such as for example ethnic origin, political, religious or philosophical activity or membership in a union or data about your health or sexuality. It is entirely up to you where you choose to identify yourself or to sign documents. This handling is based on your consent.
    2. Improve the Services
      At the request of the Bank we will use your data to produce for example aggregated/anonymous data to improve the Services, make the Services more user-friendly by for example fixing bugs, to produce invoicing material for the Bank, for changing the interface and so on, as well as other improvement measures. This use is necessary for the Bank’s and our own ongoing interest in improving the Services. Statistics on BankID usage are published regularly on our website www.bankid.com/om-oss/statistik.
    3. Prevent misuse
      1. Your data can also be used to prevent misuse of the Service or to solve crime. Misuse means fraud or any attempt at unlawful use of another’s BankID, unlawful use of identity or other measures that are forbidden according to the law. This use is necessary for the Bank’s lawful interest in preventing you from being subject to ID theft and the Services from being misused, and to enable the Bank’s civil duties.
      2. Data regarding your user behavior is further processed and analyzed for the purposes above, that is, to prevent the Service being misused and to protect you against unlawful identity use or ID theft. This usage can lead to an automatic decision that the Services can no longer be used. This handling depends on the agreement between you and the Bank.
    4. Register maintenance
      1. Your data will also be handled as described in paragraph 1.5. The aim of this is to block BankID for persons who have been removed from the population register primarily because the person is deceased, as well as prevent BankID being issued for such a user. The personal data we handle for this purpose is the personal data provided by the Swedish Population Register (SPAR) which consists primarily of your name, personal identification number and address. This action occurs every time your data in the population register is changed. As soon as we have carried out the registration all personal data is deleted, which means that in practice your personal data is handled for this purpose for a very limited period of time.
  5. How your personal data is shared
    Your data is not shared with any third party except in the manner described below.
    1. Service provider. The Bank can use a third party to handle one or several aspects of its operation, including handling or managing personal data. The Bank has employed us for this purpose to provide the Service to you and the Bank’s other customers. We may also use a third party for the same purpose. Your personal data can therefore be shared with these third parties when they are handling technical operations or application operations of the Services. When the Bank or we use one of these providers within the framework of the Services, the Bank and/or we will create a Data Information Processor agreement and carry out other appropriate measures to ensure that your personal data is treated in a way that is in keeping with this privacy policy.
    2. To another bank in the BankID network. The Bank can provide data to other banks in the BankID network. This data is provided because it is necessary to fulfill the legal right of the banks in the BankID network to prevent your BankID being misused and for the banks to be able to defend their legal rights or to protect their rights.
    3. Supply of e-service. When you use your BankID in an e-service your personal data is shared with the provider of the e-service you are using the Services with, i.e. the party you identify yourself to or sign a document with. Your data is shared because it is necessary for the Bank to carry out its agreement with you.
    4. The Bank and we can also share your personal data in any case where the Bank or we are obliged to do so according to the law.
  6. How your data is protected
    1. Your personal data is stored on a system that is only accessible to the Bank, our employees and the service providers who need the data to carry out the service. Appropriate protection measures and safety standards are in place to protect your personal data from unauthorized access, unauthorized supply and misuse. The systems where personal data is handled are secure servers with limited access and where all communication occurs with secure encryption. Technical tools are also used, such as firewalls and monitoring tools, and all staff who come in contact with your personal data are trained in the importance of maintaining security and secrecy in relation to the personal data being handled.
    2. Every time personal data is transferred to the supplier of an e-service where you choose to use your BankID, the transfer of personal data is always encrypted with a technique called SSL and only transferred to an identified supplier of the e-service holding a valid agreement to use the Services in its operation.
    3. You can access and see data about the transaction or the BankID issued to you by logging in to your internet bank. This data is presented to you via an encrypted link to your browser, so-called https-technology, so that no unauthorized person can access the data.
  7. Storage period
    1. In general terms your data is stored for the time necessary for the purpose for which the data was originally gathered, or as otherwise required according to the relevant law.
    2. The Bank stores data relating to issuing or blocking of a BankID for 10 years from when the valid date for the BankID expires, for the purpose of fulfilling its legal duties according to the best practice for Swedish e-identification. Data stored includes your name, personal identification number, the bank you have your BankID with and some technical data relating to its issue, for example the IP address.
    3. The Bank will store the data relating to use of BankID for 5 years following the transaction for the purpose of fulfilling its legal duties according to the law. Information stored includes data relating to whose BankID was used, whether identification or signature was accomplished and the name of the supplier of the e-service, as well as some technical data relating to the usage such as for example the IP address.
  8. Your rights
    1. You have a number of rights relating to the handling of your personal data that you can claim from the Bank. These rights are described in this clause. To claim these rights you must approach the Bank. Note that Finansiell ID-Teknik BID AB acts as Data Information Processor in relation to the Bank and that you should always turn to the Bank regarding the handling of your personal data.
    2. You have the right to receive notice and information about which of your personal data is processed, regardless of how it has been gathered. You can do this through the Bank, for example by logging in to your internet bank where there is data about which BankIDs have been issued with your personal identification number.
    3. You always have the opportunity to correct your personal data if it is incorrect by turning to the Bank. The easiest way to do this is to contact the Bank or to go via your internet bank, blocking your BankID and then getting a new BankID with the correct personal data.
    4. You have the right to ask that your personal data is deleted or that the processing of your personal data is limited. If you want to use these rights you should go to the Bank. Note however that your data will continue to be used by the Bank where the Bank has legal ground for handling your personal data, e.g. if it is necessary to complete an agreement with you.
    5. You have the right at any time to protest against the Bank’s use of your personal data if the Bank’s handling is based on balance of interests, i.e. that the Bank has had a legal interest in processing your personal data. If you protest, your personal data cannot be processed unless the Bank can produce compelling evidence carrying more weight than your interest.
    6. You have the right to have your data transferred to another service supplier (so-called data portability) according to the conditions outlined in the current personal data law.
    7. You have the right to withdraw a given consent to the processing of personal data at any time, by blocking your BankID at the Bank or through the blocking function in your BankID client. You can also block your BankID yourself via your internet banking so that it can no longer be used. If you block your BankID you are in effect revoking your consent.
    8. If you consider that the Bank or we are not processing your data in accordance with current personal data law you have the opportunity to complain to Datainspektionen, with contact details available at www.datainspektionen.se.
  9. Transfer of data
    The Bank stores and processes your data only within the EU/EEA and does not transfer it to any country outside the EU/EEA. However, this can occur if the supplier of the e-service you are using your BankID for operates outside the EU/EEA. We therefore encourage you to always read the privacy policy for the service provider of the e-service you intend to use.
  10. Changes
    1. We reserve the right to change this privacy policy from time to time. If we change the privacy policy the new version is valid from the moment we publish it on our website www.bankid.com. You can see when we last updated it at the top of this privacy policy.
    2. If any change results in the reduced protection of your personal data, this change will not apply to the data we received from you before the change was made. This does not apply if you give your consent to the new version of the privacy policy, or if you use or obtain a new BankID after the change comes into effect.