Privacy Policy – Version 1.4 31.08.2022

 

BankID services in the BankID app

With the BankID app, you can perform BankID services to identify yourself, sign something, log in or confirm a payment with BankID.

You can also use the "Identity check" service (ID-Check) to identify yourself using a passport or national ID card if you have been asked to do so.

A prerequisite for using the BankID services is that you have already been issued a BankID by your bank. You can see which bank has issued your BankID by logging in to "My BankID" via www.bankid.no/privat/.

 

Your bank is responsible for the processing

It is the bank that has issued your BankID that is the data controller when you use the BankID app for BankID services.

Purpose of processing

We process your personal data so that you can use the app for BankID services. We also use your personal data in connection with error correction, for fraud reporting, for the preparation of statistics and for the improvement of the application.

The following personal data is processed for BankID services:

Personal data in the form of

  • name
  • national identity number or D-number
  • nationality

 

Information about your BankID:

  • name of the bank that issued your BankID
  • unique identifier and serial number for identifying you and your BankID
  • time of issuance, revocation and other changes in your BankID
  • your BankID's validity period
  • user environment and usage behavior (BankID fraud monitoring)

 

Information from your BankID app

  • date and time when the BankID app was created and changed
  • user status: in use or blocked

 

Information about your (mobile) device

  • mobile number and mobile operator affiliation
  • mobile device manufacturer and model
  • device ID for notifications/push notifications
  • operating system version
  • network type
  • IP address
  • time zone
  • installed apps with known security weaknesses
  • preferred language
  • device health

 

BankID transactions you have used the app for in the form of

  • PID (unique identification of certificate holder)
  • merchant name
  • action (identifying, signing, log in, or confirming a payment) 
  • transaction date and time
  • document that could potentially contain personal data (when signing with BankID)

 

Aggregated statistics related to

  • date and time
  • interaction 

When using the "Identity check" service, the following data are processed in addition:

  • document type – passport or national ID card
  • expiry date/period of validity of passport/ID card
  • issuing country
  • document number

 

Biometric data (images) of user:

  • face image read from chip in passport/ID card using BankID app
  • facial photo taken when user takes photo of the "photo page" in passport/ID card
  • facial image taken with the user's smartphone (during visual identification)

 

Legal basis for processing

The processing of your personal data in the BankID app takes place based on the "BankID Agreement" between you and your bank.

In some cases, we use consent as a legal basis for processing. For example, if you use the "Identity check" service, you must consent before identifying yourself with a passport or national ID card.

 

Use of suppliers and disclosure to others

The bank may use data processors (such as IT service providers) to collect, store or otherwise process personal data on its behalf. In such cases, the bank will enter into an agreement with the data processor to ensure that the processing of the information complies with the privacy regulations and the bank's requirements for processing personal data. This applies regardless of whether the bank uses data processors in Norway or in other countries within the EEA. The use of data processors is not to be regarded as a disclosure of personal data.

In addition, personal data may be disclosed to law enforcement or other authorities if there is a legal basis for it.
 

Transfer to third countries

In some special cases, your data may be processed by a data processor outside the EEA. A valid basis for such transfer under the GDPR is required and one of the following conditions must be met:

  • The European Commission has decided that there is an adequate level of protection in the country in question
  • Other appropriate security measures have been taken, and/or a data processor has provided the necessary guarantees that the personal data will be processed in a secure manner, for example using EU Standard Contractual Clauses approved by the European Commission, or the data processor has valid Binding Corporate Rules (BCR).
  • Exceptions apply in special cases, for example to fulfil an agreement with you or cases where you give your consent to the specific transfer.

 

Storage

Personal data will not be stored longer than is necessary to fulfil the purpose of the processing. After this, the information will be deleted or anonymized, unless the information must or can be stored beyond this as required by law. Information about your BankID transactions will be stored by the bank for as long as required by law.

Personal data processed based on your consent will be deleted if you withdraw your consent, unless there is another legal basis for further processing.

Use of cookies

A cookie is a small text file that is downloaded and stored on your phone when you open the application.

For the BankID app, only necessary cookies are used, for basic functionality and security purposes, and these cannot be opted out of.

 

Your rights

You have the right to request restriction of processing and may, under certain conditions, object to further processing of personal data or have your personal data transferred to yourself or another data controller (data portability).

If the information the bank has about you is incorrect, you can request to have the information corrected, supplemented or deleted. For other questions related to the processing of personal data, contact the bank's customer service by phone or via the contact form on the bank's website.

You can correct some information yourself by logging in to "My BankID" via www.bankid.no/privat/.

Personal data that the bank processes based on your consent is deleted when you withdraw your consent, unless there is a legal basis for further storing.

If you wish to make use of your rights of access, you can contact the bank with which you have entered into a BankID agreement, or see the bank's website for ordering access to your own personal information.

You do not have the right to access the information that the bank has registered about you in order to fulfil its investigation and reporting obligations for suspicious transactions under the Anti-Money Laundering Act, and for security work in the solution.

Once the access request has been received, the bank will respond as soon as possible, and no later than 30 days after the bank has received your order. If special circumstances do not enable the bank to respond within 30 days, the bank will send a preliminary response in which the bank justifies the delay, including information about the probable time of response.

Data Protection Officer

The bank has a data protection officer. You can always contact the data protection officer if you have questions about the processing of your personal data.

Information about the bank's data protection officer can be found on the bank's website, in the data protection section.

 

Complaints 

If you believe that the bank processes personal data in violation of privacy legislation, you can contact the bank or complain to the Data Protection Agency. You can find contact information for the Agency on www.datatilsynet.no.

 

Other

This text may be updated. The latest version is always available via the BankID app.