Nets DanID privacy policy

 


 

Version 1.12


Our organisation and data processors


Nets DanID A/S
(CVR number 30808460)
Lautrupbjerg 10
DK-2750 Ballerup

 

Contact information for the Nets DanID data protection officer is:

E-mail address: dpo@nets.eu

 

Nets DanID A/S (hereinafter "Nets DanID") is the issuer of electronic certificates and One-Time-Password (OTP) devices that can be used by service providers using Nets DanID's electronic log-in and signing services. Nets DanID collects and manages electronic identities, issues and manages advanced certificates such as OCES digital signatures and maintains blocking services.


Nets DanID A/S is a wholly-owned subsidiary of Nets Denmark A/S (CVR number 20016175). Nets DanID A/S is established in Denmark and primarily offers its services in the Nordic region.


Nets DanID's IT systems and websites are hosted at locations in Denmark and Norway. Nets DanID uses the following major external suppliers:


• IBM Danmark A/S
• Strålfors Information Logistics A/S
• Unwire Danmark
• CGI, Denmark
• Gemalto Danmark
• Akamai
• KMD

Policy
This privacy policy is inspired by "God Privacy Praksis" (good privacy practices) (ISBN: 87-7353-635-0) published by ITEK and the Confederation of Danish Industry.


This privacy policy applies to Nets DanID's online services and information provided through www.nemid.nu and the Nets DanID pages at www.nets.eu.


Private browsing
You can always search for information on Nets DanID's website without providing any personal information. Nets DanID does not automatically collect personal information, nor does it link anonymised technical information to specific users. Nets DanID uses cookies only for the collection of anonymised technical information; see below under the section on cookies and technical information.


Nets DanID does not link to any other websites where you are required to upload your information.


Processing of your personal data
Nets DanID collects the personal data that you provide intentionally and voluntarily when you wish to use a Nets DanID online service. For private NemID, we also collect your address information from the CPR register.


The purpose of this privacy policy is to state how we collect, protect and use your personal data. The protection of your personal data is intrinsic to the way Nets DanID collects and processes your information.

Nets DanID lays down the following principles for the collection and processing of your personal data:

  • You decide what data we collect about you.
  • Regardless of the source from which this data is collected or stored, Nets DanID processes your personal data in accordance with the Danish Act on the processing of personal data and the related executive order on security from time to time in effect.
  • Nets DanID ensures that your personal data is not changed to something incorrect, is not disclosed to unauthorised persons and is not otherwise abused.
  • For NemID employee digital signature, the administrator can update information about the individual employee.
  • Nets DanID only collects personal information about you that is necessary to process your enquiries and requests for online services or information through our website or www.nemid.nu.
  • Nets DanID does not use aggregated information for purposes other than those stated at the time of collection on Nets DanID-associated websites.
    Nets DanID will never collect personal information about you without informing you in advance, for example via NemID conditions for online banking and public digital signatures, via the on-screen dialog or on paper at the time of collection. You can find the NemID conditions for online banking and public digital signatures as well as information on the processing of personal data when issuing NemID here.
  • When you use NemID on a service provider's website, the service provider will view the information provided in the certificate and the information you provide to the service provider.
  • Nets DanID will not disclose your personal data to any other data controller unless there is a legal, regulatory or governmental obligation to do so; see exceptions in the section on disclosure below.
  • In most cases, Nets DanID's disclosure of your personal data to private controllers requires your specific consent at the point of disclosure; see exceptions in the section on disclosure below.
  • You are entitled, free of charge, to find out what personal data we process about you, once every six months.
  • You can always request Nets DanID to block your personal data and thus make it inaccessible for future use. You cannot expect deletion of historical information held for the purposes of Nets DanID's technical and security audit trail.
  • If you have NemID employee digital signature, please contact your administrator to get your digital signature revoked.
  • Nets DanID will automatically delete your personal data no later than six years after you have ceased to have/hold a NemID.


Purpose and basis for processing

The purpose of Nets DanID's collection of personal data about you is to be able to provide Nets DanID's online services. In connection with ordering an online service from Nets DanID and entering personal data, the purpose of collection will be described in more detail in the specific instance.

Our legal basis for processing your information is the agreement on the issuing and administration of NemID, which we have entered into either with you for private NemID or with your company for NemID employee digital signature.


Nets DanID also processes collected personal data for the purpose of fraud detection. Where fraud is suspected, Nets DanID may disclose your personal data to the police.


What information
You can always visit our website and search for information without providing any personal information. See section on cookies.

If you want to view your usage history, you can log on to the self-service portal at www.nemid.nu for personal users, or www.medarbejdersignatur.dk for business users.


If you wish to use online services, you will be asked to provide specific personal information. Some information is a prerequisite for using a service, while other information is optional.

For personal customers, for example, providing an e-mail address is optional, whereas an e-mail address is required for business customers (employee digital signature). For both, giving your mobile number is optional. The mobile number is used, for example, to provide a temporary password if you have revoked your NemID and want to release it again.


Unless otherwise stated at the time of collection, we will only process the following information about you:

 

Private NemID:

Your name, address and CPR number (e-mail and mobile number).

 

NemID employee digital signature:

Your name, address, CVR number and e-mail address (mobile number).

 

This is necessary in order for us to uniquely identify you.

If you have also given your e-mail address (optional for private users) and mobile number, this will also be included in our processing.

Disclosure of data
Nets DanID may disclose information about your CPR number to public authorities within the framework of applicable legislation on the processing of personal data.


Nets DanID may only disclose your personal data to another data controller if there is a legal, regulatory or governmental obligation to do so.


To restrict fraud involving your Internet banking, Nets DanID will disclose information about the IP address used the previous time you used your NemID, to your bank.


Furthermore, Nets DanID will not disclose your personal data to other companies outside or within the Nets Holdings Group without your specific consent. You will find more information about the information that will be disclosed relating to issuing a NemID when placing your request at www.nemid.dk.

 


Cookies and technical information
We collect anonymised information about the use of our services and visits to our sites for statistical purposes (e.g. number of visits to the various pages), and to improve our services. For security purposes, we also collect information about the PC you use to log on to our website (not personal data).

The information we collect about the PC includes:


• Browser type
• Computer type
• Operating system
• Type of connection (ISDN, ADSL, etc.)
• Screen resolution


Neither this information nor your online behaviour is linked to your personal information.


We also collect:
• Information about the IP address from which you log on
• PC checksum (technique for calculating unique identification of a PC)
• Information about service providers you visit if you have opted into this
• Information about what time your personal NemID was used. For NemID for employee digital signature, it is only possible to opt in to this if you have selected NemID with a code card (not for a key file).


This information may be used to investigate fraud or attempted fraud involving NemID.


We use cookies on our own website to optimise and enhance your browsing experience. Nets DanID uses Adobe Analytics by Adobe Systems for tracking. Tracking data may be stored outside the EEA, in which case this will be done subject to applicable legislation on the processing of personal data and the application of the EU model contract or the US Privacy Shield principles.


Our applications also use cookies to keep a session between your PC and the application running (session cookies).

 

When using the code file client for employee digital signature, log files are generated on the PC where the code file client is installed. The code file client is an option for using an employee digital signature via a locally stored OCES certificate on the employee's PC.

Various types of log files are created that are necessary for the proper functioning of the code file client, and may be used in the event of an investigation into fraud or attempted fraud. We therefore recommend not write-protecting or deleting these log files. The log files do not contain information about user behaviour on the web. Nets DanID cannot view the files, but will be dependent on the user submitting them in a specific technical support situation.


Security
Nets DanID has implemented several technical and organisational measures to safeguard your personal information from unauthorised access or modification, loss, corruption or other fraud.


Our employees and data processors are subject to a duty of non-disclosure regarding the information processed on Nets DanID IT systems.


When you are asked to provide personal information, this is always done via a secure, encrypted connection.


Nets DanID complies with the requirements of the certificate policies, which can be viewed at https://www.nemid.nu/dk-da/om-nemid/historien_om_nemid/oces-standarden/oces-certifikatpolitikker/. Nets DanID has developed and maintains a continuous Certification Practice Statement, which can be viewed at http://www.trust2408.com/repository/.


Nets DanID's security function conducts continuous Security Compliance Reviews to ensure that Nets DanID complies with its Certification Practice Statement. The security function is a self-contained, independent function separated from the IT operations organisation.


Nets DanID also has a Privacy Manager continually verifying compliance with this policy and "God Privacy Praksis" (good privacy practices).


Furthermore, Nets DanID is subject to system auditing. The systems auditor produces an annual systems statement of assurance on whether Nets DanID has complied with the requirements of the Certification Policies and Certification Practice Statement, as well as whether the overall data, systems and operational security of Nets DanID is satisfactory. The systems review is carried out by Nets DanID's external systems auditor, PwC.


Access
You can log on to www.nemid.nu with NemID and see what information Nets DanID has registered about you, at any time and at no cost.


To contact Nets DanID, please see the contact details under the "Enquiry" section. You can find out at any time what information we process about you, and obtain a copy. We respond free of charge to a maximum of two requests per year for access to the personal data processed about you.


To safeguard against unauthorised requests for access to your personal information, we always respond to a request for access to your personal data by sending the information to your registered address as listed in the national register (CPR) or by answering an e-mail signed by you. If we send a reply by e-mail, the reply will be encrypted.


Rectification or erasure of personal data
You may ask Nets DanID to rectify the personal information that Nets DanID has registered about you at any time if the information is incorrect – or you may do so yourself via self-service at www.nemid.nu. You may also ask for your personal information to be made unavailable for future use. Just e-mail Nets DanID at nemid-registerindsigt@nets.eu.


Erasing your personal information will result in your no longer being able to use Nets DanID services. You cannot expect deletion of historical information held for the purposes of Nets DanID's technical and security audit trail.

 

Marketing
Nets DanID will not sell or disclose your personal information for marketing purposes. Nets DanID and the companies in the Nets group use your e-mail address and mobile phone number to serve you in relation to Nets DanID's services and similar services from other companies in the Nets group. If we send marketing material to you electronically, we do so in compliance with applicable marketing practices legislation.


However, we are not responsible for the use by others of personal information that is publicly available or that appears on the certificate when you use your certificate, or when you provide information to a service provider's website where you have used NemID to authenticate yourself or sign an agreement.


Changes to Privacy Policy
We update this privacy policy when we deem it necessary, e.g. when we offer new services. Changes from the previous version will appear in the change log below and earlier versions of the privacy policy can be obtained by contacting Nets DanID.

 

This version 1.12 is approved and published.


Changes from previous version:
Version 1.0 to 1.1
PC checksum correction.


Version 1.1 to 1.2
Specification of cookie usage and additions related to security.


Version 1.2 to 1.3
Correction in relation to the collection of technical information and change in how previous versions of this policy can be requested.


Version 1.3 to 1.4
Clarification in the section on the processing of your personal data. The text "Any disclosure to another data controller is made at your request and in your interests" in bullet point 8 has been deleted. Nets DanID is required to provide information to the authorities if there is a legal basis for doing so, whether or not this is in the user's interests.

Clarification in section on cookies and technical information. The text of the last paragraph relating to log files placed by the NemID applet has been adjusted as a result of the adoption of the Danish Executive Order on information and consent when storing or accessing information in end-user terminal equipment.

The last sentence of the penultimate paragraph (session cookie clause) has been deleted. Session cookies cannot be deselected, as these are necessary for the user's PC to maintain the connection to the website. These session cookies are subject to the opt-out requirement provided for in Section 4 of the Danish Executive Order on information and consent when storing or accessing information in end-user terminal equipment (the "Cookies Executive Order").

Auditor has changed from PwC to KPMG.

 

Version 1.4 to 1.5
"Dead link" to "God Privacy Praksis" (good privacy practices) has been removed and replaced with the document's ISBN number.

Addition of exception in section on disclosure.


Version 1.5 to 1.6
Ownership of Nets Denmark A/S changed to Bain Capital, Advent International and ATP.


Version 1.6 to 1.7
Link: http://www.signatursekretariatet.dk/certifikatpolitikker.html
Corrected to: https://www.nemid.nu/dk-da/digital_signatur/oces-standarden/oces-certifikatpolitikker/
e-mail: info@nets-danid.dk.
Corrected to: info@danid.dk.


Version 1.7 to 1.8
Corrected e-mail: info@nets-danid.dk to: info@danid.dk.

 

Version 1.8 to 1.9
Corrected e-mail: info@nets-danid.dk to: nemid-registerindsigt@nets.eu.

 

Version 1.9 to 1.10
List of major subcontractors updated.
NemID technical support phone number updated.
Deleted "OECD's Privacy Policy Generator available at: www.oecd.org/sti/privacygenerator as well as"

 

Version 1.10 to 1.11
Changed the reference from Safe Harbor to Privacy Shield Principles.
Link https://www.nemid.nu/dk-da/digital_signatur/oces-standarden/oces-certifikatpolitikker/
Corrected to https://www.nemid.nu/dk-da/om-nemid/historien_om_nemid/oces-standarden/oces-certifikatpolitikker/

 

Version 1.11 to 1.12

Compliance with the obligations set out in the GDPR (in particular articles 13 and 14). Auditor changed from KPMG to PwC. Ownership of Nets Denmark A/S has been deleted.

 

Enquiry
You can always contact us using the following contact information:


Nets DanID A/S
Lautrupbjerg 10
DK-2750 Ballerup
nemid-registerindsigt@nets.eu
NemID technical support 44892422


If you are not satisfied with Nets DanID's handling of your enquiry regarding the processing of your personal data, you can complain to:


The Danish Data Protection Agency
Borgergade 28
DK-1300 Copenhagen K
Telephone: +45 33 19 32 00

 

Links to other service providers
The Nets DanID website may have links to the websites of other service providers. Nets DanID is not responsible for the content of other service providers' websites, and this privacy policy does not apply to those service providers' websites.