How is privacy/GDPR taken into account?

This service is designed with privacy built-in from the start. No data is stored with the merchant. Instead, the store receives confirmation that the customer is the correct person and the data they have agreed to receive from the service. The log at BankID is owned solely by the end customer. All data about the end customer is encrypted, and only the end customer via the BankID app can allow access and display of this data.