Version 1.6 2023
BankID services in BankID app
With the BankID app, you can use BankID services to identify yourself, sign something, log in or verify a payment with BankID.
You can also use the "ID Check" service to identify yourself using your national passport or national ID card if you have been asked to do so.
A prerequisite for using BankID services is that you have already been issued a BankID by your bank.
Your bank is responsible for the processing
It is the bank that issued your BankID that is the data controller when you use the BankID app for BankID services.
Purpose of the processing
The bank will use your personal data to meet its obligations under the BankID service agreement with you. Your personal data is also used in connection with error correction, transaction monitoring, fraud prevention, detection and handling of security incidents, reporting, statistics and improving the application.
Types of personal data
Name, national identity number or D-number, nationality, telephone number and identification document.
Information about your BankID:
- name of the bank that issued your BankID
- unique identifier for identification of you and your BankID
- time of issuance, revocation and other changes in your BankID
- your BankID's validity period and status
- usage history
- merchant information
- transaction type
- transaction category
Digital behavioral information:
Information about your digital devices, user environment (incl. IP address) and usage behavior (for transaction monitoring, fraud prevention, detection and management of security incidents).
When using the ID Check service:
Biometric data (images)
- images read from the chip in the passport/ID card
- facial image taken when you photograph the "photo page" of the identification document
- facial image taken with your smartphone (visual identification)
Legal basis for processing
The legal basis for processing your personal data in the BankID app is the BankID agreement between you and your bank.
The bank is also permitted to process personal data when this is necessary to protect a legitimate interest that outweighs your right to protection of personal privacy. The legitimate interest must be legal, predefined, real and justified by business operations. An example of processing based on legitimate interest is transaction monitoring to detect criminal acts.
In some cases, consent is used as the legal basis for processing. For example, if you use the "ID Check" service, the legal basis for the processing of your personal data is your consent, given before you use the service.
Use of suppliers and disclosure to others
The bank may use data processors (e.g., IT service providers) to collect, store or otherwise process personal data on its behalf. In such cases, the bank will enter into agreements with the data processor to ensure that the processing of the information complies with the privacy regulations and the bank's requirements for the processing of personal data. This applies regardless of whether the bank uses data processors in Norway or in other countries within the EEA. The use of data processors is not to be regarded as a disclosure of personal data.
A valid legal basis is required for such transfer under the GDPR and any of the following conditions must be met:
- The European Commission has decided that an adequate level of protection exists in the country in question
- Other appropriate security measures have been taken and/or a data processor has provided appropriate guarantees that the personal data will be processed in a secure manner, for example using standard contractual clauses (EU Standard Clauses) approved by the European Commission or the data processor has valid Binding Corporate Rules (BCR).
- There are exceptions in special cases, for example to fulfil an agreement with you or cases where you consent to the particular transfer.
In addition, personal data may be disclosed to law enforcement authorities or other authorities if there is a legal basis for doing so.
Personal data will not be stored longer than is necessary to fulfill the purpose of the processing. After this, the information will be deleted or anonymized, unless the information should or can be stored beyond this as a result of law. Information about your BankID transactions will be stored by the bank as long as required by law.
Personal data processed on the legal basis of your consent will be deleted if you withdraw your consent, unless there is another legal basis for further processing.
A cookie is a small text file that is downloaded and stored on your phone when you open the application.
The BankID app uses only necessary cookies, for basic functionality and security purposes, and these cannot be opted out of.
You have the right to demand restriction of processing and may, under certain conditions, object to further processing of personal data or demand that your personal data be transferred to yourself or another controller (data portability).
If the information the bank has about you is incorrect, you can demand to have the information corrected, supplemented, or deleted. For other questions related to the processing of personal data, please contact the bank's customer service by telephone or via the contact form on the bank's website.
Personal data that the bank processes on the legal basis of your consent will be deleted when you withdraw your consent, unless there is a legal basis for further storage.
If you wish to exercise your rights of access, you can contact the bank with which you have entered into an agreement for BankID or see the bank's website for ordering access to your own personal data.
You are not entitled to access the information that the bank has registered about you in order to fulfil its investigation and reporting obligations for suspicious transactions pursuant to the Money Laundering Act, and for security work in the solution.
Once the request has been received, the bank will respond as soon as possible and no later than 30 days after the bank has received your request. If special circumstances prevent the bank from responding within 30 days, the bank will send a preliminary reply justifying the delay, including information about the likely time for a response.
Data Protection Officer
The bank has a data protection officer. You can always contact the data protection officer if you have questions about the processing of your personal data.
Information about the bank's data protection officer can be found on the bank's website on data protection.
If you believe that the bank is processing personal data in violation of privacy legislation, you can contact the bank or complain to the Norwegian Data Protection Authority. You will find contact information here: www.datatilsynet.no