PRIVACY POLICY

1. GENERAL

1.1 This privacy policy (“Privacy Policy”) applies when Freja eID Group AB, Corp. ID. No. 556587-4376, Box 456, 194 04 UPPLANDS VÄSBY, Sweden (“Freja eID Group”) provides an electronic identification service via the Freja eID mobile application (“Service”).

1.2 You have registered as a user of the Service according to the Terms of Use for the Service. This Privacy Policy constitutes an integral part of the Terms of Use.

1.3 You should always feel secure when providing personal data to us. This Privacy Policy is designed to show you how your personal data is processed securely in accordance with applicable legislation.

1.4 When the Service is used, several parties can be involved. This Privacy Policy only applies in relation to the processing performed by Freja eID Group in its capacity as data controller. Therefore, Freja eID Group recommends that you also read the privacy policies of the other parties who may be involved in the use of the Service, for example, the parties who provide the services on which you can use your Freja eID.

1.5 In addition to the requirements set forth in the Terms of Use, you must also accept this Privacy Policy in order to use the Service. When we process your data based on your consent, you always have the right to withdraw your consent without this affecting your options to use the Service in other ways.

2. PERSONAL DATA CONTROLLER AND DATA PROTECTION OFFICER

2.1 Freja eID Group is the data controller for Freja eID Group’s processing of your personal data, and is responsible for ensuring that the processing is performed in accordance with applicable legislation.

2.2 To the extent that the Service relates to an employment ID or Organisation eID, the organisation is the personal data controller for the data they are responsible for about you in your role. For example, this can be in your role as an employee, customer or as a member of an organisation. In these cases, Freja eID is the personal data processor.

2.3 Freja eID Group has appointed Mr. Tony Buss as the Data Privacy Officer (“Data Privacy Officer”). The Data Privacy Officer’s duty is also to monitor that Freja eID Group processes personal data in accordance with applicable legislation. Contact information for the Data Protection Officer is gdpr@frejaeid.se, +46 8 5272 7984.

3. HOW WE PROCESS YOUR PERSONAL DATA

3.1 Freja eID Group will process your personal data for the following purposes and for the following legal reasons.

3.2 You can withdraw your consent regarding Freja eID at any time, in accordance with point 1.5, by notifying Freja eID Group in written form.

3.3 Freja eID Group shall not process your personal information for automated decision-making or profiling.

3.4 In addition to accepting the Terms of Use and this Privacy Policy, you can choose to give consent for certain personal data processing as described below. The legal basis for us to process this data will be your explicit consent.

In other cases, where for example you are expected by an employer to use your Freja eID as a work tool, we will instead process your personal data as a personal data processor on behalf of your employer, and the legal basis for processing will then be your employment contract with the employer. The legal basis for certain processing in the service is shown in the table below.

If you start by using Freja eID only as an Organisation eID or employee ID and later start using Freja eID for other purposes, then Freja eID will be both a personal data processor and a personal data controller, depending on whether you are using a service connected to your employer or a private service. For the private services, the legal basis applies as shown in the table below.

3.5 Freja eID is available at different trust levels (Basic, Added ID document and Plus). You can see your current trust level in the mobile application. If you try to access a service at a higher level than you have, you will need to upgrade to the corresponding level in order to access that service.

Freja eID Basic

For access to services that do not require your identity to be verified and only require an email address.

Freja eID with an added ID document and Freja eID+

Some services require that your identity be verified when you use Freja eID to access their services or when you make electronic signatures with them.

In addition to the information processed for Freja eID Basic, the sections “Freja eID with an added ID document” and “Freja eID+” apply. Freja eID+ is issued after you have completed an extra validation of your identity through a physical ID check at a Freja eID agent.

3.6 The table shows which personal data we process at different trust levels, from lowest (Basic) to highest (Plus). Information collected at a lower trust level is also processed at a higher trust level.

Purpose | Legal Basis | Categories of Personal Data (Basic) | Categories of Personal Data (Added Document and Plus)
For the Service in general
Providing, administering, developing and adapting the Service and allowing for support and customer service for you as a user
The processing is necessary to fulfil the agreement with you as a user
  • Email address(es) (one mandatory, two optional)
  • Information about your device, manufacturer, model and OS version
  • Name and gender
  • Country
  • Civil registration number (only countries that have one)
  • Address (for Sweden and Norway)
  • Image of your ID document
  • ID document number
  • ID document expiry date
  • High resolution image of your passport (if you registered with one)
  • Where, when, and by whom you were vetted physically (only for Freja eID Plus)
To be able to identify yourself physically and to other individuals with your eID
The processing is necessary to fulfil the agreement with you as a user
  • Image of your face
We provide a transaction history for you, so you can monitor where and when your eID was used
The processing is necessary to fulfil the agreement with you as a user
Transaction history from when you identified yourself or signed with your eID, which service it was, at what time and which data you agreed to share
For secure verification of your identity
  • To ensure that the person who registered in the Freja eID mobile application is a living person and is the same person as the ID document holder
  • To enable you to restore your eID in the event of a loss of the device where Freja eID is installed
  • To enable an extra step of verification when identifying yourself
The processing is necessary to fulfil the agreement with you as a user
  • Image of your face
  • Video capture of face during taking of the ID photo
  • Where, when, and by whom you were vetted physically (only for Freja eID Plus)
For sharing personal data to a third party
Identifying yourself means you need to share some personal data with a third party. You will always approve this in the app before sharing. If you decline, no data is shared.
Explicit consent from you as a user. You are informed about what data will be shared with the third party and you need to consent to sharing.
  • Email address
  • Civil registration number (only countries that have one)
  • Country
  • Date of birth
  • Name and surname
  • ID photo taken with Freja eID
  • Address
  • Gender
About the Covid Certificate
This is only applicable if you choose to add your Covid Certificate in order to manage it in Freja eID.

The Covid Certificate is a digital service that you can use to store information about your Covid-19 status (on vaccines, tests, recovery) from the vaccinationsregistret (NVR) at Folkhälsomyndigheten (The Swedish Public Health Agency).

You can manage your Covid Certificate in Freja eID and share your Covid-19 status with an online service (e.g. airline booking) or by physically showing the certificate that can be read manually or as a QR code.

To use the Covid Certificate some personal data needs to be shared with a third party that is the recipient of the information.

  • Explicit consent from you as a user when you add the Covid Certificate to Freja eID.
  • Explicit consent from you as a user when you share the data online with a third party.
  • Consent from you as a user when you share the data in a physical context via your mobile screen.
Not applicable on this level
Personal data necessary to identify you as the holder of your Covid Certificate:

  • Name and surname
  • Date of birth
  • Covid certificate expiry date

Vaccine information:

  • Issuer of the vaccine certificate
  • Type of vaccine
  • Manufacturer
  • Vaccination date
  • No. of doses (you have received)
  • Country of vaccination
  • Unique vaccine certificate serial no.

Test information:

  • Test type
  • NAA-test name
  • RAT-test name and manufacturer
  • Date and time of test
  • Date and time of test results
  • Test results
  • Test center (where you got tested)
  • Country of testing
  • Issuer of the test certificate
  • Unique serial no. of the test certificate

Recovery information:

  • Date of the first positive test result
  • Country of testing
  • Date – valid until
  • Expiry date
  • Unique test certificate serial no.
For Organisation eID
This section only applies if an employer requires that you as an employee should identify yourself with Freja eID related to your work
  • Employment contract between you and your employer
  • Freja eID Group agreement with your employer on providing Organisation eID for processing employee data
  • Data related to your employment and the data your employer is the personal data controller for, such as your employment number or work email address
For geographic location*
Providing information about the nearest Freja eID agent for physical vetting of your ID document
Consent from you as a user
Geographic location so you can find your way to a Freja eID agent
For information and marketing
Enable targeted marketing to you as a user of the Service and Freja eID Group’s similar services via regular mail, email, SMS or the application (including market and customer analyses and market research)
Consent from you as a user
  • Email address(es) (one mandatory, two optional)
  • Telephone number (three optional)
  • Name and surname
  • Civil registration number (not applicable to the UK)
  • Date of birth
  • Address
  • Gender

* In addition to personal data stated in the table, we collect completely anonymised information about where Freja eID is used for physical identification in order to improve the service. No personal information is saved and you cannot be tracked based on this. You can turn off geographical location for Freja without any changes to the app, except that you would not be able to find Freja agents via the map anymore.

3.7 Processing your ID photo

The ID photo you take when registering with Freja is used for strong verification of your identity and is compared with the portrait image on your ID document. The ID photo can also be used to validate your identity in situations where this can be considered to increase the security of the identification. This is done on your initiative and with your explicit consent each time. Your ID photo image can also be used if you want to reset Freja eID on a new device. The ID photo you took when registering may be shared with your express consent.

3.8 Processing health data within the scope of the Covid Certificate

The user can revoke their consent for storing the Covid Certificate at any time. In that case, all data about the Covid Certificate will be deleted.

When the Covid Certificate is stored in Freja eID that data is protected with hardware encryption.

Freja eID Group shall share this data for identification or signing only once the user has given their explicit consent via the Freja eID mobile application. Such data sharing can only be done with third parties that have a relying party agreement with Freja eID. Freja eID Group also enables the user to share information with others via Freja eID should they so choose.

Third parties who want to request users to share their Covid Certificate data via Freja eID through identification or signing need to have a relying party agreement along with an addendum that regulates the processing of Covid Certificate data. Freja eID Group is the data processor of the personal data related to the Covid Certificate. Once a third party receives the user’s Covid Certificate data, they shall become the data processor of that data.

For third parties who receive information from the Covid Certificate after the user has actively chosen to open the screen in the Freja eID mobile application and allowed the third party to read said information or scan the QR code, there is no requirement for a relying party agreement.

The data in the Covid Certificate shall automatically be deleted upon the expiry date of the information.

Should the legal basis for processing this data be revoked by a legislative institution in the EU or in Sweden, the handling of Covid Certificate data can be cancelled and all related data can be deleted from within the Freja eID mobile application.

3.9 Country-specific data

ID concept: The Service uses general concepts, processes and systems for managing user information, ID documents and trust levels for identity verification. Different identity-defining concepts are used in different countries.

National Data Protection Authority refers to the data protection authority of each country.

Civil registration number refers to an officially issued, nationally accepted number to identify an individual and is kept in a national population registry.

National registry refers to an official database of the population or the equivalent of this. If we do a lookup in such a national registry, it is stated in the table below.

Freja eID vetting agent refers to an approved agent that carries out a physical ID check on behalf of Freja eID. If we offer physical ID checks in a country, the partner is listed in the table.

Age refers to age limits, minimum age and age for own consent, and to how these rules apply in different countries.

Other refers to other country-specific information that is stored, some of which is also stated in the table above. We list it here for greater clarity.

Country | ID Concept | Age | National Registry | National Data Protection Authority | Freja eID Agent | Other
Sweden | Personnummer (civil registration no.) | Minimum 8 years and 13 years for own consent | Statens personuppgiftsregister (SPAR) | Integritetsskyddsmyndigheten | ATG | Address
Norway | Date of birth/personnummer (civil registration no.) | Minimum 8 years and 13 years for own consent | Norsk Folkeregister/skatteetaten | Datatilsynet | - | Address
United Kingdom | Passport no., date of birth | Minimum 8 years and 13 years for own consent | - | ICO – Information Commissioner’s Office | - | -
Denmark | CPR-number (civil registration no.) | Minimum 8 years and 13 years for own consent | - | Datatilsynet | - | -
Finland | Personbeteckning (civil registration no.) | Minimum 8 years and 13 years for own consent | - | Office of the Data Protection Ombudsman | - | -
Estonia | Isikukood (IK) | Minimum 8 years and 13 years for own consent | - | Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) | - | -
Latvia | Personas kods (PK) | Minimum 8 years and 13 years for own consent | - | Data State Inspectorate | - | -
Lithuania | Asmens kodas | Minimum 8 years and 13 years for own consent | - | State Data Protection Inspectorate | - | -
Poland | Polish Powszechny Elektroniczny System Ewidencji Ludności (PESEL) | Minimum 8 years and 13 years for own consent | - | Urząd Ochrony Danych Osobowych (Personal Data Protection Office) | - | -
Germany | Passport number, date of birth | Minimum 8 years and 13 years for own consent | - | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit | - | -
Romania | Cod Numeric Personal (CNP) | Minimum 8 years and 13 years for own consent | - | The National Supervisory Authority for Personal Data Processing | - | -
Slovakia | Birth Number (RC) | Minimum 8 years and 13 years for own consent | - | Office for Personal Data Protection of the Slovak Republic | - | -
Ukraine | Individual Identification Number | Minimum 8 years and 13 years for own consent | - | Ukrainian Parliament’s Commissioner for Human Rights (Ombudsman) | - | -
France | INSEE code | Minimum 8 years and 13 years for own consent | - | Commission Nationale de l’Informatique et des Libertés – CNIL | - | -
Austria | ssPIN | Minimum 8 years and 13 years for own consent | - | Österreichische Datenschutzbehörde | - | -
Italy | Codice fiscale | Minimum 8 years and 13 years for own consent | - | Garante per la protezione dei dati personali | - | -
Spain | Documento Nacional de Identidad | Minimum 8 years and 13 years for own consent | - | Agencia Española de Protección de Datos (AEPD) | - | -
Greece | Προσωπικός Αριθμός | Minimum 8 years and 13 years for own consent | - | Hellenic Data Protection Authority | - | -
Hungary | - | Minimum 8 years and 13 years for own consent | - | Hungarian National Authority for Data Protection and Freedom of Information | - | -
Belgium | Belgian National Number (BIS) | Minimum 8 years and 13 years for own consent | - | Autorité de la protection des données – Gegevensbeschermingsautoriteit (APD-GBA) | - | -
Bulgaria | Edinen grazhdanski nomer (EGN) | Minimum 8 years and 13 years for own consent | - | Commission for Personal Data Protection | - | -
Cyprus | - | Minimum 8 years and 13 years for own consent | - | Commissioner for Personal Data Protection | - | -
Czechia | Rodné číslo (RČ) | Minimum 8 years and 13 years for own consent | - | Office for Personal Data Protection | - | -
Ireland | Personal Public Service Number | Minimum 8 years and 13 years for own consent | - | Data Protection Commission | - | -
Luxembourg | 13-digit identification code | Minimum 8 years and 13 years for own consent | - | Commission Nationale pour la Protection des Données | - | -
Malta | - | Minimum 8 years and 13 years for own consent | - | Office of the Information and Data Protection Commissioner | - | -
The Netherlands | Burgerservicenummer (BSN) | Minimum 8 years and 13 years for own consent | - | Autoriteit Persoonsgegevens | - | -
Portugal | Número de identificação civil or NIC | Minimum 8 years and 13 years for own consent | - | Comissão Nacional de Proteção de Dados – CNPD | - | -
Slovenia | Enotna matična številka občana (EMŠO) | Minimum 8 years and 13 years for own consent | - | Information Commissioner of the Republic of Slovenia | - | -
Iceland | Kennitala | Minimum 8 years and 13 years for own consent | - | Persónuvernd | - | -
Liechtenstein | - | Minimum 8 years and 13 years for own consent | - | Data Protection Authority, Principality of Liechtenstein | - | -
Croatia | Osobni identifikacijski broj (OIB) | Minimum 8 years and 13 years for own consent | - | Croatian Personal Data Protection Agency | - | -
Albania | Numri i Identitetit (NID) | Minimum 8 years and 13 years for own consent | - | The Right to Information and Data Protection Commissioner | - | -
Argentina | Documento Nacional de Identidad | Minimum 8 years and 13 years for own consent | - | Agencia de Acceso a la Información Pública | - | -
Australia | Tax File Number | Minimum 8 years and 13 years for own consent | - | Office of the Australian Information Commissioner | - | -
Bosnia and Herzegovina | Jedinstveni matični broj građana | Minimum 8 years and 13 years for own consent | - | The Personal Data Protection Agency (DPA) | - | -
Brazil | Registro Geral (RG), Cadastro de Pessoas Físicas (CPF) | Minimum 8 years and 13 years for own consent | - | National Data Protection Authority | - | -
Canada | Social Insurance Number (SIN) | Minimum 8 years and 13 years for own consent | - | PIPEDA, PIPA Alberta, PIPA BC, and CAI | - | -
Chile | RUN (Rol Único Nacional), RUT (Rol Único Tributario) | Minimum 8 years and 13 years for own consent | - | SERNAC | - | -
Colombia | Tarjeta de Identidad | Minimum 8 years and 13 years for own consent | - | SIC and SOF | - | -
Georgia | Personal number | Minimum 8 years and 13 years for own consent | - | State Inspector Service | - | -
Hong Kong | HKID number | Minimum 8 years and 13 years for own consent | - | The Office of the Privacy Commissioner for Personal Data (PCPD) | - | -
Japan | マイナンバー (Individual Number) | Minimum 8 years and 13 years for own consent | - | Personal Information Protection Commission | - | -
Malaysia | National Registration Identification Card Number (NRIC No.) | Minimum 8 years and 13 years for own consent | - | Personal Data Protection Commissioner | - | -
Mexico | Clave Única de Registro de Población | Minimum 8 years and 13 years for own consent | - | Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales | - | -
New Zealand | Passport no. | Minimum 8 years and 13 years for own consent | - | The Privacy Commissioner’s Office | - | -
North Macedonia | Единствен матичен број на граѓанинот | Minimum 8 years and 13 years for own consent | - | The Personal Data Protection Agency | - | -
Peru | CUI number | Minimum 8 years and 13 years for own consent | - | The Directorate for the Protection of Personal Data | - | -
Singapore | NRIC number | Minimum 8 years and 13 years for own consent | - | Personal Data Protection Commission | - | -
Serbia | Jedinstveni matični broj građana | Minimum 8 years and 13 years for own consent | - | Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti | - | -
South Korea | 주민등록번호 (Resident’s Registration Number) | Minimum 8 years and 13 years for own consent | - | PIPC | - | -
Taiwan | ID number | Minimum 8 years and 13 years for own consent | - | National Development Council | - | -
United States | Social Security number (SSN) | Minimum 8 years and 13 years for own consent | - | - | - | -

4. FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?

4.1 Your personal data is stored as long as is needed to fulfil the objectives that require the data to be collected in accordance with this Privacy Policy and to comply with laws and regulatory requirements. Normally your personal data is stored for ten years in order for us to comply with the regulations. For information about how we store your health data related to the Covid Certificate, please see section 3.8.

4.2 At any time, you may cancel use of the Service by selecting “Deregister account” or a similar function in the Service and block the Service according to the instructions provided by Freja eID Group. Freja eID Group does not retain your personal data after you have cancelled use of the Service according to this section 4.2, unless it is required by law or to protect Freja eID Group’s legitimate interests, for example, in case of a legal proceeding.

5. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

5.1 Freja eID Group will share your personal data with the parties you consent to sharing with, when identifying yourself with Freja eID. These are defined as third parties or specifically for Freja eID, Relying Parties as stated in the Terms of Use. If you do not consent to sharing your data, nothing will be shared. For information on how you can share your health data related to the Covid Certificate, please see the table in section 3.6.

Personal data, such as the image of your ID document, will never be shared with a third party. The ID photo you took during registration may be shared with your express consent.

5.2 In certain situations, we share your information with sub-processors. They provide services and support related to the Service and group companies, for use by the recipient in order to fulfill the purposes of the processing of your personal data specified in item 3 above.

To 46elks AB, we provide the civil registration number, driving licence number and expiry date for lookups in the Swedish Transport Agency’s register. We provide the Swedish Police with the civil registration number, passport or national ID serial number and expiry date to enter in the Police Authority’s register for Swedish passports and ID documents. To AB Trav och Galopp, we provide the civil registration number, name, surname, ID document type, picture and serial number when registering for Freja eID Plus. These checks only apply to users in Sweden.

6. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

Freja eID Group will not transfer your personal data to any country outside the EU/EEA.

7. YOUR RIGHTS

7.1 Freja eID Group, in its capacity as the data controller, is responsible for ensuring that your personal data is processed in accordance with applicable law.

7.2 Freja eID Group shall, at your request or on its own initiative, correct, de-identify, delete or complete information that is determined to be incorrect, incomplete or misleading.

7.3 You have the right to require from Freja eID Group access, correction or deletion of your personal data (for example, if deletion is required according to applicable legislation), request restrictions on the continued processing of your personal data as well as the right to object to data processing (for example, if you question whether the personal data is correct or if the processing is legal). Freja eID Group shall notify each recipient regarding which personal data has been removed according to item 5 above if any corrections or deletions of the information as well as restrictions on further processing of the information occur according to item 7.

7.4 You are entitled to data portability, in other words, the right under certain circumstances to receive and transfer your personal data to another data controller in a structured, generally usable and machine-readable format.

7.5 Freja eID Group may process your personal data for direct marketing to you if you have consented to this. If you do not want Freja eID Group to use your personal data for direct marketing, you have the right to provide written notification of this to Freja eID Group at any time. Once Freja eID Group has received your notification, Freja eID Group shall cease processing your personal data for marketing purposes.

7.6 Once per calendar year, you are entitled to obtain an extract from the registry of Freja eID Group, free of charge with a signed, written request, indicating which personal data about you has been recorded, the purposes of processing the data and the recipients who have received the data or will receive the data. You are also entitled to receive information in the extract from the registry regarding where the data was collected, if the personal data was not collected from you directly, the occurrence of automated decision-making (including profiling) as well as the anticipated period during which the data will be stored or the criteria that are used to determine this period. Furthermore, you are also entitled, with the extract from the registry, to receive information about your other rights as specified in section 7.

7.7 You are entitled to submit complaints regarding Freja eID Group’s processing of your personal data to your national data protection authority.

8. CHILDREN’S PERSONAL DATA

Children have the right to protection when using e-services, and a verified age check may restrict unwanted access to services directed at children. Children’s personal data is extra sensitive and Freja eID provides children with clear information about what the service entails. Freja eID continuously improves information, controls and protective measures adapted for children as well as guardians’ opportunities to give consent and manage the Service for their children.

Freja eID is available for children from the age of eight, with the guardian’s consent to the processing of the children’s personal data. Children from the age of 13 may, according to current data protection legislation, give their own consent.

If you as a guardian become aware that your child has submitted information to Freja eID and have objections or comments, you can contact us at the specified contact information.

9. PROTECTION OF YOUR PERSONAL DATA

You should always feel secure when providing personal data to us. Therefore, Freja eID Group has taken the necessary safety precautions to protect your personal data from unauthorised access, modification and deletion.

For security purposes, we perform register maintenance, which means that we block and establish a blocking list of deceased users who can no longer use the services, and to prevent others from using the Services in the name of such users.

10. COOKIES

Freja eID Group uses techniques similar to cookies to provide certain functions in the app. The information is stored in the form of a file containing the user’s encrypted session status (during an ongoing session) as well as the user settings that improve the user experience before a user is authenticated for the app (which are saved between sessions). For example, the information is used to remember the selected language for the app. This information is not provided to third parties. If you no longer want Freja eID Group to store or collect the information, you must cancel your use of the Service according to section 4.2 above.

11. CHANGES TO THIS PRIVACY POLICY

Freja eID Group has the right to change this Privacy Policy at any time. The latest and current version is published on the Freja eID Group website, www.frejaeid.com. In the event of significant changes in this policy, Freja eID Group will inform you in an appropriate manner, for example through information in the Freja eID mobile application, My pages, via email or via a notification in Freja eID.

If you do not accept the changed terms, you have the right to terminate the agreement with Freja eID Group before the changes take effect. You terminate the agreement by following the instructions in section 4.2 above.

12. CONTACT INFORMATION

Please do not hesitate to contact Freja eID Group if you have any questions about this Privacy Policy, the processing of your personal information or if you would like an extract from the registry. Freja eID Group’s contact information can be found under section 1 above.

13. CHATBOT USE

The org.frejaeid.com website uses Tidio, a chat platform that connects users with the sales representatives of Freja eID Group. Any data collected is done so only with the explicit consent of users, and only after they have initiated the chat and agreed to the Consent Note. The messages and data exchanged are stored within the Tidio application. For more information, please refer to their Privacy Policy.

Freja eID Group is not making use of these messages or data other than to follow up on users’ registered issues or inquiries. Your personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR).