PRIVACY POLICY
1. GENERAL
1.1 This privacy policy (“Privacy Policy”) applies when Freja eID Group AB, Corp. ID. No. 556587-4376, Box 456, 194 04 UPPLANDS VÄSBY, Sweden (“Freja eID Group”) provides an electronic identification service via the Freja eID mobile application (“Service”).
1.2 You have registered as a user of the Service according to the Terms of Use for the Service. This Privacy Policy constitutes an integral part of the Terms of Use.
1.3 You should always feel secure when providing personal data to us. This Privacy Policy is designed to show you how your personal data is processed securely in accordance with applicable legislation.
1.4 When the Service is used, several parties can be involved. This Privacy Policy only applies in relation to the processing performed by Freja eID Group in its capacity as data controller. Therefore, Freja eID Group recommends that you also read the privacy policies of the other parties who may be involved in the use of the Service, for example, the parties who provide the services on which you can use your Freja eID.
1.5 In addition to the requirements set forth in the Terms of Use, you must also accept this Privacy Policy in order to use the Service. When we process your data based on your consent, you always have the right to withdraw your consent without this affecting your options to use the Service in other ways.
2. PERSONAL DATA CONTROLLER AND DATA PROTECTION OFFICER
2.1 Freja eID Group is the data controller for Freja eID Group’s processing of your personal data, and is responsible for ensuring that the processing is performed in accordance with applicable legislation.
2.2 To the extent that the Service relates to an employment ID or Organisation eID, the organisation is the personal data controller for the data they are responsible for about you in your role. For example, this can be in your role as an employee, customer or as member in an organisation. In these cases, Freja eID is the personal data processor.
2.3 Freja eID Group has appointed Mr. Tony Buss as the Data Privacy Officer (“Data Privacy Officer”). The Data Privacy Officer’s duty is also to monitor that Freja eID Group processes personal data in accordance with applicable legislation. Contact information for the Data Protection Officer is [email protected]. +46 8 5272 7984.
3. HOW WE PROCESS YOUR PERSONAL DATA
3.1 Freja eID Group will process your personal data for the following purposes and for the following legal reasons.
3.2 You can withdraw your consent regarding Freja at any time, in accordance with point 1.5, by notifying Freja eID Group in written form.
3.3 Freja eID Group shall not process your personal information for automated decision-making or profiling.
3.4 In addition to accepting the Terms of Use and this Privacy Policy, you can choose to give consent for certain personal data processing as described below. The legal basis for us to process this data will be your explicit consent.
In other cases, where for example you are expected by an employer to use your Freja eID as a work tool, we will instead process your personal data as a personal data processor on behalf your employer, and the legal basis for processing will then be your employment contract with the employer. The legal basis for certain processing in the service is shown in the table below.
If you start with only using Freja as an Organisation ID or employee ID and later start using Freja for other purposes, then Freja will be both a personal data processor and a personal data controller, depending on if you are using a service connected to your employer or a private service. For the private services, the legal basis applies as shown in the table below.
3.5 Freja is available at different trust levels (Basic, Added ID document and Plus). You will be able to see what trust level you are in the mobile application. If you try to access a service at a higher level than you have, you will need to upgrade to the corresponding level in order to access that service.
Freja eID Basic
For access to services that do not require your identity to be verified and only requires an email address.
Freja eID with an added ID document and Freja eID+
Some services require that your identity be verified when you use Freja to access their services or when you make electronic signatures with them.
In addition to the information processed for Freja Basic, the sections “Freja with an added ID document” and “Freja eID+” apply. Freja eID+ is issued get after you have done an extra validation of your identity through a physical ID check at an Freja eID agent, or have had your identity verified by using a biometric ID document during registration.
3.6 The table shows which personal data we process at different trust levels, from lowest (Basic) to highest (Plus). Information collected at a lower trust level is also processed at a higher trust level.
| Purpose | Legal Basis | Categories of Personal Data (Basic) | Categories of Personal Data (Added Document and Plus) |
|---|---|---|---|
| For the Service in general | |||
| Providing, administering, developing and adapting the Service and allowing for support and customer service for you as a user | The processing is necessary to fulfil the agreement with you as a user |
|
|
| To be able to identify yourself physically and to other individuals with your eID | The processing is necessary to fulfil the agreement with you as a user |
| |
| We provide a transaction history for you, so you can monitor where and when your eID was used | The processing is necessary to fulfil the agreement with you as a user | Transaction history from when you identified yourself or signed with your eID, which service it was, at what time and which data you agreed to share | |
| For secure verification of your identity | |||
| The processing is necessary to fulfil the agreement with you as a user |
| |
| For sharing personal data to a third party | |||
| Identifying yourself means you need to share some personal data to a third party. You will always approve this in the app before sharing. If you decline, no data is shared | Explicit consent from you as a user. You are informed about what data will be shared with the third party and you need to consent to sharing | Email address |
|
| About the Covid Certificate | |||
| This is only applicable if you choose to add your Covid Certificate in order to manage it in Freja eID. The Covid Certificate is a digital service that you can use to store information about your Covid-19 status (on vaccines, tests, recovery) from the vaccinationsregistret (NVR) at Folkhälsomyndigheten (The Swedish Public Health Agency). You can manage your Covid Certificate in Freja eID and share your Covid-19 status with an online service (e.g. airline booking) or by physically showing the certificate that can be read manually or as a QR code. To use the Covid Certificate some personal |
| Not applicable on this level | Personal data necessary to identify you as the holder of your Covid Certificate:
Vaccine information:
Test information:
Recovery information:
|
| For Organisation ID | |||
| This section only applies if an employer requires that you as an employee should identify yourself with Freja eID related to your work |
|
| |
| For geographic location* | |||
| Providing information about the nearest Freja eID agent for physical vetting of your ID document | Consent from you as a user | Geographic location so you can find your way to a Freja eID agent | |
| For information and marketing | |||
| Enable targeted marketing to you as a user of the Service and Freja eID Group’s similar services via regular mail, email, SMS or the application (including market and customer analyses and market research) | Consent from you as a user |
|
|
* In addition to personal data stated in the table, we collect completely anonymised information about where Freja eID is used for physical identification in order to improve the service. No personal information is saved and you cannot be tracked based on this. You can turn off geographical location for Freja without any changes to the app, except that you would not be able to find Freja agents via the map anymore.
3.7 Processing your ID photo
The ID photo you take in when registering with Freja is used for strong verification of your identity and is compared with the portrait image on your ID document. The ID photo can also be used to validate your identity in situations where this can be considered to increase the security of the identification such as when you wish to reset your PIN in Freja. This is done on your initiative and with your explicit consent each time. Your ID photo image can also be used if you want to reset Freja on a new device. The ID photo you took when registering may be shared with your express consent.
3.8 Processing health data within the scope of the Covid Certificate
The user can revoke their consent for storing the Covid Certificate at any time. In that case, all data about the Covid Certificate will be deleted.
When the Covid Certificate is stored in Freja that data is protected with hardware encryption.
Freja eID Group shall share this data for identification or signing only once the user has given their explicit consent via the Freja mobile application. Such data sharing can only be done with third parties that have a relying party agreement with Freja. Freja eID Group also enables the user to share information with others via the Freja should they choose so themselves.
Third parties who want to request users to share their Covid Certificate data via Freja through identification or signing need to have a relying party agreement along with an addendum that regulates the processing of Covid Certificate data. Freja eID Group is the data processor of the personal data related to the Covid Certificate. Once a third party receives the user’s Covid Certificate data, they shall become the data processor of that data.
For third parties who receive information from the Covid Certificate after the user has actively chosen to open the screen in the Freja mobile application and allowed the third party to read said information or scan the QR code, there is no requirement for a relying party agreement.
The data in the Covid Certificate shall automatically be deleted upon the expiry date of the information.
Should the legal basis for processing this data be revoked by a legislative institution in the EU or in Sweden, the handling of Covid Certificate data can be cancelled and all related data can be deleted from within the Freja mobile application.
3.9 Age and Handling of Minors’ Personal Data
The service is available for individuals from the age of five. Parental consent is required for individuals under 13 years old.
Parents of children under five years old can use Freja for certain e-services to read and send the child’s passport information to, for example, a government authority.
3.10 Country-Specific Information
Freja can be used to create an e-ID from a large number of countries, and a current list of supported countries is available here.
The processing of personal data, as specified in section 3.6, is the same for all these countries, but there are local variations in how personal identity numbers are defined, and some countries do not have personal identity numbers at all. The data contained in passports may also vary between countries, and Freja reads the data available in the passport’s data fields. No such data is shared without the user’s explicit consent.
For users with a Swedish personal identity number or a verified coordination number, personal data is cross-checked against SPAR (the National Address Register).
For users obtaining Freja Plus with a driver’s license or an ID card issued by the Swedish Tax Agency, a physical ID verification is required at a store that acts as an agent for ATG (Aktiebolaget Trav och Galopp), which handles some of your personal data during the ID verification process.
4. FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?
4.1 Your personal data is stored as long as is needed to fulfil the objectives that require the data to be collected in accordance with this Privacy Policy and to comply with laws and regulatory requirements. Normally your personal data is stored for ten years in order for us to comply with the regulations. For information about how we store your health data related to the Covid Certificate, please see section 3.8.
4.2 At any time, you may cancel use of the Service by selecting “Deregister account” or a similar function in the Service and block the Service according to the instructions provided by Freja eID Group. Freja eID Group does not retain your personal data after you have cancelled use of the Service according to this section 4.2, unless it is required by law or to protect Freja eID Group’s legitimate interests, for example, in case of a legal proceeding.
5. WHO DO WE SHARE YOUR PERSONAL DATA WITH?
5.1 Freja eID Group will share your personal data with the parties you consent to sharing with, when identifying yourself with Freja eID. These are defined as third parties or specifically for Freja eID, Relying Parties as stated in the Terms of Use. If you do not consent to sharing your data, nothing will be shared. For information on how you can share your health data related to the Covid Certificate, please see the table in section 3.6.
Personal data, such as the image of your ID document will never be shared with a third party. The ID photo you took during registration may be shared with your express consent.
5.2 In certain situations, we share your information with sub-processors. They provide services and support related to the Service and group companies, for use by the recipient in order to fulfill the purposes of the processing of your personal data specified in item 3 above.
To 46elks AB, we provide the civil registration number, driving licence number and expiry date for lookups in the Swedish Transport Agency’s register. We provide the Swedish Police with the civil registration number, passport or national ID serial number and expiry date to enter in the Police Authority’s register for Swedish passports and ID documents. To AB Trav och Galopp, we provide the civil registration number, name, surname, ID document type, picture and serial number when registering for Freja eID Plus. These checks only apply to users in Sweden.
6. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Freja eID Group will not transfer your personal data to any country outside the EU/EEA.
7. YOUR RIGHTS
7.1 Freja eID Group, in its capacity as the data controller, is responsible for ensuring that your personal data is processed in accordance with applicable law.
7.2 Freja eID Group shall, at your request or on its own initiative, correct, de-identify, delete or complete information that is determined to be incorrect, incomplete or misleading.
7.3 You have the right to require from Freja eID Group access, correction or deletion of your personal data (for example, if deletion is required according to applicable legislation), request restrictions on the continued processing of your personal data as well as the right to object to data processing (for example, if you question whether the personal data is correct or if the processing is legal). Freja eID Group shall notify each recipient regarding which personal data has been removed according to item 5 above if any corrections or deletions of the information as well as restrictions on further processing of the information occur according to item 7.
7.4 You are entitled to data portability, in other words, the right under certain circumstances to receive and transfer your personal data to another data controller in a structured, generally usable and machine-readable format.
7.5 Freja eID Group may process your personal data for direct marketing to you if you have consented to this. If you do not want Freja eID Group to use your personal data for direct marketing, you have the right to provide written notification of this to Freja eID Group at any time. Once Freja eID Group has received your notification, Freja eID Group shall cease processing your personal data for marketing purposes.
7.6 Once per calendar year, you are entitled to obtain an extract from the registry of Freja eID Group, free of charge with a signed, written request, indicating which personal data about you has been recorded, the purposes of processing the data and the recipients who have received the data or will receive the data. You are also entitled to receive information in the extract from the registry regarding where the data was collected, if the personal data was not collected from you directly, the occurrence of automated decision-making (including profiling) as well as the anticipated period during which the data will be stored or the criteria that are used to determine this period. Furthermore, you are also entitled, with the abstract from the registry, to receive information about your other rights as specified in section 7.
7.7 You are entitled to submit complaints regarding Freja eID Group’s processing of your personal data to your national data protection authority.
7.8 Freja eID Group AB is a company registered in Sweden, and the Swedish data protection authority is IMY – the Swedish Authority for Privacy Protection.
8. CHILDREN’S PERSONAL DATA
Children have the right to protection when using e-services, and a verified age check may restrict unwanted access to services directed at children. Children’s personal data is extra sensitive and Freja eID provides children with clear information about what the service entails. Freja eID continuously improves information, controls and protective measures adapted for children as well as guardians’ opportunities to give consent and manage the Service for their children.
Freja eID is available for children from the age of five, with the guardian’s consent to the processing of the children´s personal data. Children from the age of 13 may, according to current data protection legislation, give their own consent.
If you as a guardian become aware that your child has submitted information to Freja eID and have objections or comments, you can contact us at the specified contact information.
For children under the age of five, parents can, in certain cases, use Freja to read and share the child’s passport information with, for example, authorities.
9. PROTECTION OF YOUR PERSONAL DATA
You should always feel secure when providing personal data to us. Therefore, Freja eID Group has taken the necessary safety precautions to protect your personal data from unauthorised access, modification and deletion.
For security purposes, we perform register maintenance, which means that we block and establish a blocking list of deceased users who can no longer use the services, and to prevent others from using the Services in the name of such users.
10. COOKIES
Freja eID Group uses techniques similar to cookies to provide certain functions in the app. The information is stored in the form of a file containing the users encrypted session status (during an ongoing session) as well as the user settings that improve the user experience before a user is authenticated for the app (which are saved between sessions). For example, the information is used to remember the selected language for the app. This information is not provided to third parties. If you no longer want Freja eID Group to store or collect the information, you must cancel your use of the Service according to section 4.2 above.
11. CHANGES TO THIS PRIVACY POLICY
Freja eID Group has the right to change this Privacy Policy at any time. The latest and current version is published on the Freja eID Group website, www.frejaeid.com. In the event of significant changes in this policy, Freja eID Group will inform you in an appropriate manner, for example through information in the Freja eID mobile application, My pages, via email or via a notification in Freja eID.
If you do not accept the changed terms, you have the right to terminate the agreement with Freja eID Group before the changes take effect. You terminate the agreement by following the instructions in section 4.2 above.
12. CONTACT INFORMATION
Please do not hesitate to contact Freja eID Group if you have any questions about this Privacy Policy, the processing of your personal information or if you would like an extract from the registry. Freja eID Group’s contact information can be found under section 1 above.
13. CHATBOT USE
org.frejaeid.com website is using Tidio, a chat platform that connects users with the sales representatives of Freja eID Group. Any data collected is done so only with the explicit consent of users, and only after they have initiated the chat and agreed to the Consent Note . The messages and data exchanged are stored within the Tidio application. For more information, please refer to their Privacy Policy.
Freja eID Group is not making use of these messages or data other than to follow up on users’ registered issues or inquiries. Your personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR).