Privacy Policy, Finansiell ID-Teknik

Introduction

Finansiell ID-Teknik BID AB ("we", "our" or "us") processes personal data as a data controller for our own operations.

We protect your privacy and strive to always protect your personal data in the best possible way. This privacy policy ("Privacy Policy") describes how we collect and process personal data about you when contacting us and our business. The Privacy Policy also describes how we may communicate with you and what rights you have regarding your personal data and how you can exercise these rights.

Read about how we process personal data in our capacity of data processor within the framework of the BankID service on page Privacy policy, BankID

Data controller

Finansiell ID-Teknik BID AB is the data controller for all personal data processing within the framework of our business. 

Org. no: 556630-4928
Kungsgatan 33, 111 56 Stockholm
Email: info@bankid.com
Phone: +46 (0) 8 411 81 50

If you have any questions about how your personal data is collected, used, protected and shared, or if you wish to exercise your rights as set out in this Privacy Policy, please do not hesitate to contact our Data Protection Officer:

Email:dpo@bankid.com
Phone: +46 (0) 8 411 81 50

Collection

The personal data we process about you is collected when you visit our office, apply for work with us or otherwise in connection with your contact with us, for example via email or if you participate in a physical or digital meeting with us. We may also collect personal data from social media, authorities, consultancy agencies and recruitment companies or the company and/or organisation that you represent.

Processing

We only process your personal data if this is permitted under applicable data protection legislation. This means, among other things, that we must process your personal data for specified purposes and have a legal justification for the processing in the form of a so-called legal basis.

Below you can read about which categories of personal data we process, for which purposes and the legal bases for our personal data processing. You also see how long the personal data about you is stored with us and with whom we share it.

New business relationships

Purpose of the data processing
Contact and communication with you as a contact person for the purpose of creating a business relationship with you or the company or organisation you represent. This includes, among other things, communication via email about our business, our services and our ongoing activities.

Categories of personal data

The personal data we process include:

• first and last name,

• contact information such as email address, telephone number, place of residence and address,

• professional title and information about the company or organisation you represent, and

• information that you otherwise provide us with in connection with our communication with you.
  

Legal basis
Legitimate interest, where our legitimate interest is to create a business relationship with you or the company or organisation you represent.

Retention period
We process and save your personal data for a period of one year after the information was collected. If a business relationship is established between us and you or the company or organisation you represent during the time period, your personal data will continue to be processed in accordance with the section below, “Existing business relationships”.

Sharing of personal data
We will share your personal data with our CRM system provider.

Existing business relationships

Purpose of the data processing
Contact and communication with you in your capacity as, or as contact person for, one of our existing customers, partners, providers, integrators or other business contacts, with the aim of maintaining and developing our business relationship with you or the company or organisation you represent.

The purpose of this processing includes, among other things, standard administration of, and communication about, our customer, collaboration and provider agreements, as well as communication via email about our business, our services and ongoing activities.

Categories of personal data

The personal data we process include:

• first and last name,

• contact information such as email address, telephone number, place of residence and address,

• professional title and information about the company or organisation you represent, and

• information that you otherwise provide us with in connection with our communication with you.

Legal basis
The processing is required by us in order to enter into and/or fulfil agreements with you or the company or organisation you represent. If there is no agreement, the processing is based on legitimate interest, where our legitimate interest is to have contact and communicate with you or the company or organisation you represent.

Retention period
We process and save your personal data for as long as we have a business relationship with you or the company or organisation you represent, but no longer than two years from the time we were last in contact with each other due to the termination of our business relationship.

We may need to save personal data for a longer period of time for other purposes, for example if we need to take steps to establish, enforce or defend legal claims. We will also need to save personal data for a longer period of time to fulfil legal obligations, for example for accounting in accordance with the Swedish Accounting Act (for further information see section "Legal obligations and legal claims" below).

Sharing of personal data
We will share your personal data with our providers, partners, authorities and shareholders.

Marketing newsletter

Purpose of the data processing
Administration and communication of marketing communications in order to provide you with information about our business, our services and ongoing activities.

Categories of personal data

The personal data we process include:

• first and last name,

• contact information, such as email address, telephone number, place of residence and address, and

• professional title and information about the company or organisation you represent.

Legal basis
We only send marketing newsletters to you if you have registered for mailings. Our personal data processing is based on legitimate interest, where our legitimate interest is to be able to market ourselves and our services.

Retention period
We process and save your personal data in order to send marketing mailings to you as long as you have not unsubscribed from receiving further newsletters. You can unsubscribe at any time via the unsubscribe link included in our newsletter. We also delete your personal data if our newsletter does not reach you due to the email address being closed or deactivated.

Sharing of personal data
We will share your personal data with our email provider.

Technical newsletter and disruption information

Purpose of the data processing
Provision of information about technical information about and changes to BankID, aimed at companies and authorities that use the BankID service, developers and other interested parties, as well as email updates about operational disruption.

Categories of personal data

The personal data we process include:

• email address.

Legal basis
We will only send technical newsletters and disruption information to you if you have registered your email address for such newsletters. We then base our personal data processing on a balancing of interests where our legitimate interest is to be able to provide information about technical changes and operational disruptions.

Retention period
We process and save your personal data in order to send newsletters to you as long as you have not unsubscribed from receiving further newsletters. You can unsubscribe at any time via the unsubscribe link included in our newsletters. We also delete your personal data if our newsletters does not reach you due to the email address being closed or deactivated.

Sharing of personal data
We will share your personal data with our email provider.

Meetings, events and webinars

Purpose of the data processing
Invitations to and participation in meetings, events and webinars about BankID, aimed at companies and authorities that use the BankID service, developers and other interested parties.

Categories of personal data

The personal data we process include:

• first and last name,

• contact information, such as email address,

• professional title and information about the company or organisation you represent,

• information about dietary restrictions and preferences when it is necessary to serve food and beverages, and

• photo and video recording when necessary for the event and we have notified participants that this will take place.

Legal basis
Invitations to meetings, events and webinars will be sent to you if you have registered your email address for such invitations. Our personal data processing is based on legitimate interest, where our legitimate interest is to be able to arrange meetings, events and webinars.

Retention period
We process and save your personal data in order to send out invitations and to follow up with an information mailing after the meeting, event or webinar, after which the personal data are deleted. In the case of photos and video recording, we will provide you with additional information about how photos and the video recording are used and deleted.

Sharing of personal data
We will share your personal data with our webinar platform provider.

Recruitment of employees

Purpose of the data processing 
Selection and recruitment of candidates based on submitted application documents, interviews, references and, where applicable, personality and intelligence tests.

Categories of personal data

The personal data we process include:

• first and last name,

• contact information such as email address, telephone number, place of residence and address,

• application documents,

• images (if applicable),

• information provided about you in relation to interviews and references, such as reviews from previous employers, and

• test results from personality and intelligence tests.

Legal basis
Legitimate interest, where our legitimate interest is to be able to evaluate your merits and personal characteristics in connection with selection for and decisions on recruitment. If you are offered employment, certain processing is necessary for us to enter into and fulfil the employment agreement between you and us.

Retention period
As a basic principle, personal data that is collected about you in connection with your application for a job with us is deleted after the recruitment process has ended.

Sharing of personal data
We will share your name, personal identity number and application documents with our background check provider.

Recruitment of consultants

Purpose of the data processing
Selection and recruitment of candidates based on information provided by the consultancy agencies and interviews.

Categories of personal data

The personal data we process include:

• ·first and last name,

• contact information, such as email address and telephone number,

• application documents,

• images (if applicable),

• information that you provide in connection with an interview with us, and

• other information and reviews provided about you by the consultancy enterprise that has introduced you.

Legal basis
Legitimate interest, where our legitimate interest is to be able to evaluate your merits and personal characteristics in connection with selection for and decisions on recruitment. Certain processing may also be necessary for us to be able to enter into and/or fulfil an agreement with you.

Retention period
As a basic principle, personal data that is collected about you in connection with the recruitment process is deleted after the recruitment process has ended.

Sharing of personal data
We will share your name, personal identity number and application documents with our background check provider.

Camera surveillance

Purpose of the data processing
Camera surveillance of our physical premises and identification of external visitors via entrance camera before access to visitor premises is allowed, in order to protect the business against external attacks and to be able to subsequently investigate damage, unauthorised access or sabotage, as well as to be able to verify in real time events when fire alarms, tamper alarms or burglar alarms are activated.

Categories of personal data

The personal data we process include:

• video surveillance in real time,

• video recording of incidents.

Legal basis
Legitimate interest, where our legitimate interest is to be able to prevent and investigate crime and prevent unauthorised intrusions into our office premises.

Retention period
The personal data collected is saved for ten days and automatically deleted thereafter. The personal data can be saved longer if necessary to achieve the purpose of the recording, for example to investigate a crime. The personal data is thereafter deleted immediately.

Sharing of personal data
We will share your personal data with our surveillance system provider and authorities.

Legal obligations and legal claims

We may process your personal data in order for us to be able to fulfil our legal obligations according to law or other statute to which we are subject, or if court or government decisions require us to process data about you.

We may also process your personal data in order for you or the company or organisation you represent, us or a relevant third party to be able to establish, enforce or defend legal claims, for example in the event of an impending or ongoing dispute.

How your data is shared

Access to your personal data is limited to the categories of recipients that have been identified in section "Processing" above. Below you will find more information about these receivers. 

Providers
We use third-party providers to manage parts of our business. We will share your personal data with these providers in order for them to perform services on our behalf, such as providing us with support and business systems. When we use providers, we establish data processor agreements and take other appropriate measures to ensure that your personal data is processed in a manner consistent with this Privacy Policy.

Partners
We occasionally collaborate with external parties to improve our services and operations, such as advisors and educational companies. These actors process personal data as data processors for us in accordance with our instructions for processing. In the latter case, we establish data processor agreements and take other appropriate measures to ensure that your personal data is processed in a manner consistent with this Privacy Policy.

Shareholders
We will transfer your personal data to our shareholders and their representatives when we need to fulfil our information provision requirements according to law. Upon such transfer, we will take steps to ensure that the receiving party processes your personal data in a manner consistent with this Privacy Policy.

Authorities
We will also share your personal data with, for example, the Swedish Police Authority, the Swedish Tax Agency or other authorities when we are obliged to do so according to, for example, law or other statute or according to court or government decisions. In the event of such a transfer, we will take measures to minimise the personal data to that which is strictly necessary for the receiving authority to exercise its authority.

How your data is protected and where the processing takes place

We take security measures to ensure that our handling of your personal data takes place in a secure manner. For example, the systems in which the personal data are stored are only accessible to persons who need the personal data to fulfil their tasks. These persons are also informed about the importance of security and confidentiality in relation to the personal data we process. We take appropriate security measures and maintain appropriate security standards to protect your personal data against unauthorised access, disclosure and misuse. We also monitor our systems to detect vulnerabilities.

We store and process your personal data only within the EU/EEA and do not independently transfer any personal data outside the EU/EEA. However, we will transfer your personal data to our service providers who, either themselves or through their subcontractors, are located or have business operations in a country outside the EU/EEA. When transferring personal data outside the EU/EEA, we ensure that the transfer takes place in accordance with applicable data protection legislation before the personal data are transferred, for example by making sure that the country to which the personal data is transferred meets requirements for an adequate level of protection according to the decision of the European Commission, or by ensuring that the transfer is covered by appropriate protective measures in the form of, for example, standard contract clauses that the European Commission has established and additional appropriate measures to safeguard your rights and freedoms.

You will find information about the countries outside the EU/EEA that the European Commission has decided meet an adequate level of protection for permitted transfer of personal data on the European Commission's website.

The country outside the EU/EEA to which our providers currently transfer personal data is the USA.

Your rights

You have rights in relation to us and our processing of your personal data. Information about your rights can be found in this section. To exercise your rights, please contact the Data Protection Officer, see Section 2 for contact information.

Please note that we may need more information from you in order to, among other things, confirm your identity before proceeding with your request to exercise your rights.

Right to information and access
You have the right to receive confirmation of whether we are processing personal data concerning you. If this is the case, you also have the right to access this personal data through a so-called register extract, as well as additional information about the current processing, such as for what purpose or purposes the processing is taking place, the categories of personal data concerned and the recipients to whom the personal data has been disclosed.

Right of rectification
You have the right to have incorrect information about you corrected without delay. You also have the right to complete incomplete personal data.

Right of erasure
In certain cases, you have the right to request the erasure of your personal data without delay if:

• the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

• the personal data processing is based on your consent and you withdraw your consent to the processing in question;

• you object to processing being carried out on the basis of legitimate interest and your objection outweighs our or another party's legitimate interest in the processing;

• the personal data has been processed unlawfully; or

• the personal data must be erased to fulfil a legal obligation.

Right to restriction
You have the right to request that the processing of your personal data be restricted if:

• you contest the accuracy of the personal data, for a period of time that allows us to verify whether the personal data is accurate or not;

• the processing is unlawful and you oppose the erasure of your personal data and instead request the restriction of its use; 

• we no longer need to process the personal data for the purposes for which it was collected, while you need the personal data to establish, exercise or defend legal claims; or

• you have objected to the processing carried out on the basis of legitimate interest and are awaiting verification of whether your objection outweighs the legitimate interest of us or another party in continuing the processing.

Please note that your personal data may continue to be processed to the extent that we have a legal basis for this, for example if it is necessary to fulfil a legal obligation.

Right to object
You have the right to object to the processing of your personal data based on our or another party's legitimate interest. In such a case, in order to continue the processing, we must be able to show compelling legitimate reasons that outweigh your interests, rights and freedoms.

Right to data portability

If we process your personal data on the basis of your consent, you have the right to obtain the personal data that you have provided to us and that concern you in an electronic format. You have the right to have the personal data in question transferred from us directly to another data controller, where this is technically feasible. Please note that the right to data portability does not apply to personal data processed manually.

If our processing of your personal data is based on your consent, you always have the right to withdraw your consent at any time. Withdrawal of your consent does not affect the lawfulness of the processing based on the consent prior to it being withdrawn.

If you believe that we are not processing your personal data in accordance with applicable personal data legislation, you have the option of complaining to the Swedish Authority for Privacy Protection, whose contact information can be found at Imy's website.

Changes

We may change this Privacy Policy from time to time. If we change the Privacy Policy, the new version applies from the time it is published on our website. You can see when we last made updates at the top of this page.