Version 1.3 2020-12-01
BankID is an electronic identification and electronic signature service provider (“BankID” or “the Services”) which makes it possible for companies, banks, organizations and authorities to both identify and enter into agreement with private persons via the Internet. BankID is an electronic ID document comparable to a passport, driver’s license or other physical identification document.
BankID is issued by any of the banks participating in the BankID-network, primarily the bank that issued your BankID (“the Bank”) which is responsible for your personal data. Finansiell ID-Teknik BID AB (“we” or “our”) is a Data Information Processor for the Bank for processing of your personal data within the framework of our Services. We own, maintain and develop the Services and supply the Services to the Bank. We only process your personal data at the request of the Bank and in accordance with the Bank’s instructions, with the exception of the process outlined in paragraph 1.5.
We maintain the register of issued BankIDs. We act as Personal Data Controller only for this purpose. This processing is undertaken in the interests of security and means that we regularly check the Swedish Population Register (SPAR) for the purpose of blocking BankIDs issued to deceased persons or other users who have been removed from the register, to prevent the Services being used in such a person’s name. This activity is described further in paragraph 4.4.
Who we are
Finansiell ID-Teknik BID AB started in 2002 and is a technology company that owns, maintains and further develops BankID. We are owned by Danske Bank, Handelsbanken, Ikano Bank, Länsförsäkringar Bank, SEB, Skandiabanken and Swedbank. Our customers are the majority of Sweden’s main banks, which in turn sell and convey BankID to authorities, companies, organisations and private persons. All banks who offer BankID are listed at https://www.bankid.com/kontakt/utfaerdare.
Finansiell ID-Teknik BID AB has the following company number and contact details:
org. nr 556630-4928
+46 8 411 81 50 firstname.lastname@example.org
Kungsgatan 33, 111 56 Stockholm.
If you have questions about how your personal data can be gathered, used, protected and shared, or if you want to exercise your rights according to paragraph 8, you are welcome to contact the Bank or our data protection officer. You can reach the data protection officer at: +46 8 411 81 50 email@example.com
Gathering personal data
Types of personal data processed
At the request of the Bank we process the following personal data which you have given to the Bank or which we collect when you use the Services. The personal data processed consists of your
First name, Last name and personal identification number;
The bank which issued your BankID;
The supplier of the e-service you have identified yourself with or signed a document with;
Technical data on publication or use, such as time, IP address, type of BankID and make and version of mobile phone or computer;
Information that allows us to send notification messages to you via your mobile phone’s notification function;
Geographic location at the time you get your BankID and at the time you use your BankID.
Where applicable, details outlining obstacles to the issue of a new BankID based on your personal identification number.
How your data is gathered
The Bank undertakes detailed physical identification of you and registers your data when you become a customer of the Bank, and checks this data with the people’s register. When your bank issues your BankID the Bank transfers your personal data to us so that your BankID can be created.
We also receive updates from the Swedish Population Register (SPAR) with data about changes in the population in order to carry out the register maintenance described in paragraph 4.4.
Purpose for data handling
We process your data at the request of the Bank for the purpose described as follows in this paragraph 4. Your data will not be used in a manner that is not in keeping with the purpose for which the data was gathered.
Supply of Services
You can choose to use BankID for electronic identification or signature with most suppliers of e-services such as companies, banks, organizations and authorities. Your personal data can be used to guarantee that the right person used the e-identification BankID for such a supplier of e-services and the supplier can learn your personal data in the form of name, identification number and the name of your bank. This handling is done to complete the agreement about the supply of the Services between the Bank and yourself.
When you use BankID, the name of the supplier of the e-service you are identifying yourself with, or electronically signing with, is also processed. The name of the supplier of the e-service saved is the name shown to you in the BankID app. No data about why you have identified yourself or signed is saved. Depending on where you choose to use your BankID, your name can therefore reveal so-called sensitive data about you, such as for example ethnic origin, political, religious or philosophical activity or membership in a union or data about your health or sexuality. It is entirely up to you where you choose to identify yourself or to sign documents. This processing is carried out for the bank in the BankID cooperation that has entered into an agreement to connect to the BankID service with the party you choose to identify yourself to or sign documents with, to be able to determine, claim or defend legal claims relating to the agreement.
Improve the Services
At the request of the Bank we will use your data to produce, for example, aggregated/anonymous data to improve the Services, make the Services more user-friendly by for example fixing bugs, to produce invoicing material for the Bank, for changing the interface and so on, as well as other improvement measures. This use is necessary for the Bank’s and our own ongoing interest in improving the Services. Statistics on BankID usage are published regularly on our website www.bankid.com/om-oss/statistik.
Prevent misuse and take safety precautions
Furthermore, information about your user behavior is processed and analyzed for the purposes described above, to prevent the Services being misused or otherwise used illegally - e.g. to protect you from unlawful identity use or ID theft. If there is evidence of unauthorized use or other illegal use of the Services, the continued use of the Services may be prevented and the issue of a BankID denied, based on the automated decision-making in the central system used for issuance of the BankID, which we offer at the request and instruction of the Bank. This action is a necessary step in maintaining the security and reliability of the Services based on the agreement between you and the Bank.
We may also process data based on your use of the Services to prevent, deter or investigate crime. This is done on behalf of the respective Bank when such action is necessary for the Bank’s or other’s lawful interest in avoiding and preventing you from being exposed to ID theft, or that the Services may be otherwise misused, as well as to safeguard legal claims or fulfill the Bank’s legal obligations.
Your data will also be used for maintenance of the register as described in paragraph 1.5. The purpose of this is to block and prevent BankID being used in any case where a BankID has been issued to persons who have been removed from the population register primarily because the person is deceased. The personal data we handle for this purpose is the personal data provided by the Swedish Population Register (SPAR) which consists primarily of your name, personal identification number and address. This action occurs every time your data in the population register is changed. As soon as we have carried out the registration, all personal data is deleted, which means that in practice your personal data is handled for this purpose for a very limited period of time.
How your personal data is shared
Your data is not shared with any third party except in the manner described below.
To another bank in the BankID network. The Bank can provide data to other banks in the BankID network. This data is provided because it is necessary to fulfill the legal right of the banks in the BankID network to prevent your BankID being misused and for the Banks to be able to defend their legal rights or to protect their rights. When the Bank shares your data for this purpose, the other banks in the BankID-network act as Personal Data Controllers for the data with the Bank. Even if you have the right to exercise your rights according to applicable law against each one of the Personal Data Controllers, the Bank still holds primary responsibility to fulfill its obligations to you and your exercising your rights according to applicable personal data legislation.
Supply of e-service. When you use your BankID in an e-service, your personal data is shared with the provider of the e-service you are using the Services with, i.e. the party you identify yourself to or sign a document with. Your data is shared because it is necessary for the Bank to carry out its agreement with you.
The Bank and we can also share your personal data in any case where the Bank or we are obliged to do so according to, for example, the law or a decision by an authority, court or government.
How your data is protected
Your personal data is stored on a system that is only accessible to the Bank, our employees and the service providers who need the data to carry out the service. Appropriate protection measures and safety standards are in place to protect your personal data from unauthorized access, unauthorized supply and misuse. The systems where personal data is handled are secure servers with limited access and where all communication occurs with secure encryption. Technical tools are also used, such as firewalls and monitoring tools, and all staff who come in contact with your personal data are trained in the importance of maintaining security and secrecy in relation to the personal data being handled.
Every time personal data is transferred to the supplier of an e-service where you choose to use your BankID, the transfer of personal data is always encrypted with a technique called SSL and only transferred to an identified supplier of the e-service holding a valid agreement to use the Services in its operation.
You can access and see data about the transaction or the BankID issued to you by logging in to your internet bank. This data is presented to you via an encrypted link to your browser, so-called https-technology, so that no unauthorized person can access the data.
In general terms your data is stored for the time necessary for the purpose for which the data was originally gathered, or as otherwise required according to the relevant law.
The Bank stores data relating to issuing or blocking of a BankID for 10 years from when the valid date for the BankID expires, for the purpose of fulfilling its legal duties according to the best practice for Swedish e-identification. Data stored includes your name, personal identification number, the bank you have your BankID with and some technical data relating to its issue, for example the IP address.
The Bank will store the data relating to use of BankID for 5 years following the transaction for the purpose of fulfilling its legal duties according to the law. Information stored includes data relating to whose BankID was used, whether identification or signature was accomplished and the name of the supplier of the e-service, as well as some technical data relating to the usage such as for example the IP address.
You have a number of rights relating to the handling of your personal data that you can claim from the Bank. These rights are described in this clause. To claim these rights you must approach the Bank. Note that Finansiell ID-Teknik BID AB acts as Data Information Processor in relation to the Bank and that you should always turn to the Bank regarding the handling of your personal data.
You are entitled to receive notice and information about which of your personal data are processed, no matter how they were collected. You can do this by turning to your Bank. You can also use the Bank’s self-service, either by logging in to your internet bank to see which BankID has been issued for your personal number, or else you can open your BankID app, select your BankID in the “Settings” tab and then select “View History” to see your usage history.
You always have the opportunity to correct your personal data if it is incorrect by turning to the Bank. The easiest way to do this is to contact the Bank or to go via your internet bank, blocking your BankID and then getting a new BankID with the correct personal data.
In some cases you have the right to ask that your personal data be deleted or that the processing of your personal data be limited. If you want to use these rights you should go to the Bank. Note, however, that your data will continue to be used by the Bank where the Bank has legal ground for handling your personal data, e.g. if it is necessary to complete an agreement with you.
You have the right at any time to protest against the Bank’s use of your personal data if the Bank’s handling is based on balance of interests, i.e. that the Bank has had a legal interest in processing your personal data. If you protest, your personal data cannot be processed unless the Bank can produce compelling evidence carrying more weight than your interest.
You have the right to have your data transferred to another service supplier (so-called data portability) according to the conditions outlined in the current personal data law.
You have the right to block your BankID at the Bank or through the blocking function in your BankID client. You can also block your BankID yourself via your internet banking so that it can no longer be used.
If you consider that the Bank or we are not processing your data in accordance with current personal data law you have the opportunity to complain to Datainspektionen, with contact details available at www.datainspektionen.se.
Transfer of data