Privacy policy for BankID app
Version 2.0 – 19.12.2024 - English
The BankID app is downloaded to your iOS phone from the App Store or Android phone from Google Play, and you can use services available in the app more quickly and easily.
See also www.bankid.no for help using the BankID app.
Services in BankID app
With the BankID app you can:
- perform BankID services to identify you, sign something, log in or confirm a payment with BankID. The BankID app can replace your BankID code device, but you can also still use the code device.
- use the ID Check service to digitally verify your identity using your passport or national ID Card if you have been asked to do so.
- use the service ID Card in the BankID app that confirms your name and age in physical situations at merchants.
A prerequisite for activating BankID services and ID Card in the BankID app is that you have already been issued a BankID by your bank. You can also see which bank issued your BankID when you log in, or view certificate details in your online bank.
Data controller
It is the bank that issued your BankID that is the data controller when you use the BankID app for BankID services and ID Check. BankID BankAxept AS, org.nr. 927 611 929, acts as a data processor.
BankID BankAxept AS is the data controller when you use the ID Card service in the BankID app.
What personal data do we process?
When using BankID services:
- name, national identity number or D-number, nationality, telephone number and ID document presented when issuing your BankID
- name of the bank that issued your BankID
- unique identifier for identification of you and your BankID
- time of issuance, revocation and other changes in your BankID certificate
- your BankID's validity period and status
- transaction history (merchant name, time, transaction type, and transaction category)
When using the service ID Check:
- personal data read from the machine-readable zone (MRZ) of the passport/ID card and from the chip (name, date of birth, nationality, document number, document type and expiry date)
- face photo taken when you take a photo of the "photo page" of the passport/ID card
- facial image (selfie) taken with your smartphone (during visual identification)
- login session information
When using the service ID Card in the BankID app:
- personal data read from the machine-readable zone (MRZ) of the passport/ID card and from the chip (name, date of birth, nationality, document number, document type and expiry date)
- face photo taken when you take a photo of the "photo page" of the passport/ID card
- transaction history (name of merchant, time, what information was provided)
Digital behavioral information (for all services in the BankID app):
- Information about your digital devices, user environment (incl. IP address) and usage behavior (for transaction monitoring, fraud prevention, detection and management of security incidents).
Purposes
The bank and BankID BankAxept AS process personal data in order for you to use the app for BankID services, ID Check and ID Card in the BankID app. In addition, your personal data are used for billing, error correction, transaction monitoring, fraud prevention, detection and handling of security incidents, for reporting, for statistics, marketing and for improvement of the services.
The facial images processed in the ID Check service are used to verify you as a legitimate user. Implicitly, the facial images are also used for fraud detection, minimizing biases, and other improvements to the solution.
Where is your information obtained from?
From you – the personal data processed about you will mainly be obtained from you as the user of the services, in connection with the issuance of the services and from your devices when you use the services.
From third parties – in order to offer you services and comply with legal requirements, information will also be obtained from third parties. For example, in connection with identifying you when issuing BankID, information will be obtained from the Population Register, and when using the services, information will be collected from merchants (such as websites, online stores, or similar).
Legal basis for processing
The processing of your personal data in the BankID app takes place on the legal basis of:
- Terms of use from your bank about BankID
- Terms of use from BankID BankAxept AS for ID Card in BankID app
- Consent for ID Check
- Consent for personal marketing on social media
- Legitimate interest when the bank and BankID BankAxept AS process personal data in transaction monitoring to handle security incidents and to prevent fraud. We also use legitimate interest when we provide you with general information about our products and services.
Use of sub-contractors and disclosure to others
Sub-contractors (such as IT service providers) may be used to collect, store or otherwise process personal data on our behalf. In such cases, an agreement will be entered into with the sub-contractor to ensure that the processing of the information is in accordance with the privacy regulations and other requirements for the processing of personal data. This applies regardless of whether the sub-contractors used are in Norway, in other countries within the EEA/EU area, or outside the EEA/EU. The use of sub-contractors is not to be regarded as a disclosure of personal data.
For transfers to countries outside the EU/EEA, a valid transfer basis is required, and the following conditions must be met:
- The EU Commission has decided that an adequate level of protection exists in the country concerned, or
- Other adequate safeguards have been put in place and/or the sub-contractor has provided the necessary guarantees that the personal data will be processed in a secure manner, for example through the use of standard contractual clauses (EU standard clauses) approved by the EU Commission or the sub-contractor has valid Binding Corporate Rules (BCRs).
- An exception applies in special cases, for example to fulfill an agreement with you or where you give your consent to the specific transfer.
In addition, personal data may be disclosed to law enforcement authorities or other authorities if there is a legal basis for doing so.
Retention
Personal data will not be stored longer than is necessary to fulfill the purpose of the processing. After this, the information will be deleted or anonymized, unless the information should or can be stored beyond this as a result of law or another legal basis.
Information about your BankID transactions will be stored in accordance with retention routines for BankID services, for a maximum of 14 years.
Personal data processed in ID Check is automatically deleted after 30 days.
Personal data processed in ID Card in the BankID app is automatically deleted if the service has not been used for one year or when the ID document expires.
Use of cookies
A cookie is a small text file that is downloaded and stored on your phone when you open the application.
For the BankID app, only necessary cookies are used, for basic functionality and security purposes, and these cannot be opted out of.
For other uses of cookies, such as for personalized marketing purposes, we will obtain your consent.
Your rights
You have the right to demand restriction of processing and may, under certain conditions, object to further processing of personal data or demand that your personal data be transferred to yourself or another controller (data portability).
If the information we have about you is incorrect, you can send a request to have the information corrected, supplemented or deleted. For questions related to the processing of personal data, please contact the bank by telephone to customer service or via the contact form on the bank's website.
Personal data processed on the basis of your consent will be deleted when you withdraw your consent, unless there is a legal basis for further storage.
If you wish to exercise your rights of access, you can contact the bank with which you have entered into an agreement for BankID or see the bank's website for ordering access to your own personal data.
You are not entitled to access the information registered about you in order to fulfil investigation and reporting obligations for suspicious transactions pursuant to the Money Laundering Act, and for security work in the solution.
Once your request has been received, the bank will respond as soon as possible and no later than 30 days after the bank has received your request. If special circumstances do not enable the bank to respond within 30 days, the bank will send a preliminary reply justifying the delay, including information about the likely time for a response.
Data Protection Officer
The bank has a data protection officer. You can always contact the data protection officer if you have questions about the processing of your personal data in BankID and ID Check.
Information about the bank's data protection officer can be found on the bank's website.
Instructions for activating and using ID Card in the BankID app can be found on https://stoe.no. If you have further questions about the product, please call customer service at Kredinor AS on tel. 23118255.
Complaints
If you believe that your personal data has been processed in violation of data protection laws, you can contact the bank or complain to the Norwegian Data Protection Authority (“Datatilsynet”). You will find contact information here: www.datatilsynet.no.
Other
This privacy statement may be updated. The latest version is always available via the BankID app.