2. PERSONAL DATA CONTROLLER AND DATA PROTECTION OFFICER
2.1 ZADA Solutions is the data controller for ZADA Solutions’s processing of your personal data, and is responsible for ensuring that the processing is performed in accordance with applicable legislation.
2.2 To the extent that the Service relates to an employment ID or Organisation ID, the organisation is the personal data controller for the data they are responsible for about you in your role. For example, this can be in your role as an employee, customer or as member in an organisation. In these cases, ZADA is the personal data processor.
2.3 ZADA Solutions has appointed Mr. Andreas Sigurdsson as the Data Privacy Officer (“Data Privacy Officer”). The Data Privacy Officer’s duty is also to monitor that ZADA Solutions processes personal data in accordance with applicable legislation. Contact information for the Data Protection Officer is [email protected]. +46-723-520535.
3. HOW WE PROCESS YOUR PERSONAL DATA
3.1 ZADA Solutions will process your personal data for the following purposes and for the following legal reasons.
3.2 You can withdraw your consent regarding ZADA at any time, in accordance with point 1.5, by notifying ZADA Solutions in written form.
3.3 ZADA Solutions shall not process your personal information for automated decision-making or profiling.
In other cases, where for example you are expected by an employer to use your ZADA as a work tool, we will instead process your personal data as a personal data processor on behalf your employer, and the legal basis for processing will then be your employment contract with the employer. The legal basis for certain processing in the service is shown in the table below.
If you start with only using ZADA as an Organisation eID or employee ID and later starts using ZADA for other purposes, then ZADA will be both a personal data processor and a personal data controller, depending on if you are using a service connected to your employer or a private service. For the private services, the legal basis applies as shown in the table below.
3.5 ZADA is available at different trust levels (Basic and Plus). You will be able to see what trust level you are in the mobile application. If you try to access a service at a higher level than you have, you will need to upgrade to the corresponding level in order to access that service.
For access to services that do not require your identity to be verified and only requires an email address or an issued credential.
ZADA+ is issued after you have done an extra validation of your identity through a physical ID check at an ZADA agent.
Your digital credentials. Our digital identity technology and digital wallets are designed to provide a secure method for consumers to access and exchange identity-related information (“digital credentials”) when dealing with various organisations including when they use financial and other services and when purchasing goods and services. These digital credentials are stored on the end-user’s device. Where the end-user chooses to upload his or her data to the cloud (for example for back-up purposes), We may host the data on our servers or through third-party cloud service providers. We may also hold encryption keys relating to your encrypted data. Where We provide the data hosting service, users’ data is held on our servers in an encrypted form that does not enable the identification of specific individuals, even by ZADA itself.
3.7 Commercial Communications. To the extent permitted under applicable law, We may use the information We collect or receive from you to communicate directly with you in relation to our services and technologies. Subject, where necessary, to obtaining your consent to receiving such communications. We may also use the information to send you service-related notices (e.g., account verification, technical and security notices).
3.8 Processing biometric data
Data for strong verification of your identity in the form of a 3D image of your face is collected and is a form of biometrics, i.e. a technical method (statistical and mathematical method) that can be used to measure a face electronically, in order for a computer to be able to identify a person more easily. Biometric data is only used to verify the identity at the point of registering and is never shared with any third party. The biometric data can only be used with your explicit consent when you want to restore your eID or when you need to confirm your identity for a higher level of security.
3.9 Country-specific data
ID concept; The Service uses general concepts, processes and systems for managing user information, ID documents and trust levels for identity verification. Different identity-defining concepts are used in different countries.
National Data Protection Authority refers to the data protection authority of each country.
Civil registration number refers to an officially issued, nationally accepted number to identify an individual and is kept in a national population registry.
National registry refers to an official database of the population or the equivalent of this. If we do a lookup in such a national registry, it will be stated clearly
ZADA vetting agent refers to an approved agent that carries out a physical ID check on behalf of ZADA. If we offer physical ID checks in a country, the partner is listed in the table.
Age refers to age limits, minimum age and age for own consent and to how these rules apply in different countries.
4. FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?
4.2 At any time, you may cancel use of the Service by selecting “Deregister account” or a similar function in the Service and block the Service according to the instructions provided by ZADA Solutions. ZADA Solutions does not retain your personal data after you have cancelled use of the Service according to this section 4.2, unless it is required by law or to protect ZADA Solutions’s legitimate interests, for example, in case of a legal proceeding.
5. WHO DO WE SHARE YOUR PERSONAL DATA WITH?
Personal data such as the image of your ID document or your biometrical data will never be shared with a third party.
5.2 In certain situations, we share your information with sub-processors. They provide services and support related to the Service and group companies, for use by the recipient in order to fulfill the purposes of the processing of your personal data.
6. YOUR RIGHTS
6.1 ZADA Solutions, in its capacity as the data controller, is responsible for ensuring that your personal data is processed in accordance with applicable law.
6.2 ZADA Solutions shall, at your request or on its own initiative, correct, de-identify, delete or complete information that is determined to be incorrect, incomplete or misleading.
6.3 You have the right to require from ZADA Solutions access, correction or deletion of your personal data (for example, if deletion is required according to applicable legislation), request restrictions on the continued processing of your personal data as well as the right to object to data processing (for example, if you question whether the personal data is correct or if the processing is legal). ZADA Solutions shall notify each recipient regarding which personal data has been removed according to item 5 above if any corrections or deletions of the information as well as restrictions on further processing of the information occur according to item 6.
6.4 You are entitled to data portability, in other words, the right under certain circumstances to receive and transfer your personal data to another data controller in a structured, generally usable and machine-readable format.
6.5 ZADA Solutions may process your personal data for direct marketing to you if you have consented to this. If you do not want ZADA Solutions to use your personal data for direct marketing, you have the right to provide written notification of this to ZADA Solutions at any time. Once ZADA Solutions has received your notification, ZADA Solutions shall cease processing your personal data for marketing purposes.
6.6 Once per calendar year, you are entitled to obtain an extract from the registry of ZADA Solutions, free of charge with a signed, written request, indicating which personal data about you has been recorded, the purposes of processing the data and the recipients who have received the data or will receive the data. You are also entitled to receive information in the extract from the registry regarding where the data was collected, if the personal data was not collected from you directly, the occurrence of automated decision-making (including profiling) as well as the anticipated period during which the data will be stored or the criteria that are used to determine this period. Furthermore, you are also entitled, with the abstract from the registry, to receive information about your other rights as specified in section 6.
6.7 You are entitled to submit complaints regarding ZADA Solutions’s processing of your personal data to your national data protection authority.
7. CHILDREN’S PERSONAL DATA
Children have the right to protection when using e-services, and a verified age check may restrict unwanted access to services directed at children. Children’s personal data is extra sensitive and ZADA provides children with clear information about what the service entails. ZADA continuously improves information, controls and protective measures adapted for children as well as guardians’ opportunities to give consent and manage the Service for their children.
ZADA is available for children from the age of eight, with the guardian’s consent to the processing of the children´s personal data. Children from the age of 13 may, according to current data protection legislation, give their own consent.
If you as a guardian become aware that your child has submitted information to ZADA and have objections or comments, you can contact us at the specified contact information.
8. PROTECTION OF YOUR PERSONAL DATA
You should always feel secure when providing personal data to us. Therefore, ZADA Solutions has taken the necessary safety precautions to protect your personal data from unauthorised access, modification and deletion.
For security purposes, we perform register maintenance, which means that we block and establish a blocking list of deceased users who can no longer use the services, and to prevent others from using the Services in the name of such users.
ZADA Solutions uses techniques similar to cookies to provide certain functions in the app. The information is stored in the form of a file containing the users encrypted session status (during an ongoing session) as well as the user settings that improve the user experience before a user is authenticated for the app (which are saved between sessions). For example, the information is used to remember the selected language for the app. This information is not provided to third parties. If you no longer want ZADA Solutions to store or collect the information, you must cancel your use of the Service according to section 4.2 above.
If you do not accept the changed terms, you have the right to terminate the agreement with ZADA Solutions before the changes take effect. You terminate the agreement by following the instructions in section 4.2 above.
11. CONTACT INFORMATION