Principles of processing personal data in Nets' identification broker service
Nets Branch Norway ("Nets") processes personal data as the identification broker service provider subject to an assignment given by the holder of identification device to Nets in the Trust Network.
Nets processes personal data only in accordance with the Act on Strong Electronic Identification and Trust Services ("Identification Act") and the Personal Data Act, i.e. for Nets to perform and maintain the service, for invoicing, to protect its rights in case of disputes, investigation of cases of misuse, as well as upon request by the online service provider or the holder of the identification device. Nets stores data regarding the time and reason of the processing event as well as on the person processing the data.
The following data may be processed by Nets:
- First name and last name;
- Unique identifier (identity number);
- Date of birth;
- Data required for performing an individual identification event;
- Data on potential preclusions or restrictions on the use of identification device referred to in section 18 of the Identification Act
- Data content of the certificate as set out in section 19 of the Identification Act
The data is disclosed to the online service providers (the trusting parties). Identity numbers shall only be disclosed if the online service provider is entitled to process them under the Personal Data Act or other legislation. Nets may disclose personal data to its group companies for the purpose of performing the service and only in accordance with the Personal Data Act. Nets discloses personal data to the authorities if required by law and in accordance with the Personal Data Act.
Personal data shall not be transferred outside the European Union or the European Economic Area.
Personal data shall only be stored as long as it is necessary for the purposes of the processing and in accordance with the data retention periods set out in the Identification Act.
Personal data is protected from any unauthorized third party usage. Personal data is located at facilities which are protected by access control and supervision. The facilities are protected by multiple security zones. Access to each zone as well as logical access to machines, software and databases is protected. The system where the personal data exists may only be logged in with a user name and password. The right of use is granted only to those employees who process the data existing in the personal data file. The employees are subject to strict confidentiality obligations. All communications of sensitive information are protected by use of point-to-point encryption for confidentiality.