GDPR introduction
With the GDPR comes increased focus on the end-users ownership to his personal data, and that he should have insight into and control over what personal data is stored, for what purpose and when is transfered to a new service or legal entity. Each entity acting as a data processor needs a legal basis of treatment. In some cases a data processor can have a legal basis of treatment through a law, but in many other cases it is necessary to retrieve an explicit an informed consent from the end user, both for storing the data, and for the different purposes the data will be used.
The GDPR compliance of Additional Information
Additional information is an opt-in service that does not retrieve information about the end-user until he has consented to use it. He can also choose which information he wants to store in the service. No data will be delivered to Merchant without explicit consent from the end user, and the end-user can also choose not to share all of the data elements that the Merchant asks for.
The end-user can at any time choose to review or edit the information stored in Additional Information, or choose to stop using the service and have his personal data deleted. This is done either in the BankID / xID clients or through an administration interface. For xID users this can be done on http://www.bankid.no/xid.
Because of this, Merchants can trust that the personal data they get from Additional Information is retrieved and distributed with an explicit consent from the end-user, and as such is compliant with the GDPR.
Personal data after it is shared with the merchant
Additional information gives the end-user control over what data is stored, and to which Merchants this data is shared.
When the end-users choose to share data with the Merchant, further use of that data happens through an agreement between the end-user and the Merchant.
The end user will not be able to review, edit or delete the data that has already been shared with a Merchant, and will have to approach the Merchant to achieve this. Likewise the Merchant has to implement their own routines for letting the end-users control the data stored with them, in order to be compliant with the GDPR.
Consent for specific purposes
Please note that even if the personal data in Additional Information is given with the end-users consent, the Merchant will still have to retrieve a consent from the end-user to use that data for specific purposes, like marketing.