On this page you will find the privacy statement for DigiD and for DigiD Authorisation.
Date of last modification: January 20, 2025
On this page you will find the privacy statement for DigiD and for DigiD Authorisation.
Date of last modification: January 20, 2025
The Minister of the Interior and Kingdom Relations is responsible for the processing of personal data for DigiD. The DigiD is managed by Logius. Logius is part of the Ministry of the Interior and Kingdom Relations and manages government-wide IT facilities.
DigiD processes personal data for various purposes, namely for
DigiD has several ways of logging in, namely with:
The basis for the processing of personal data is the Decree on Digital Government (In Dutch: Besluit Digitale Overheid), which is based on the Digital Government Act (in Dutch, Wet Digitale Overheid or Wdo).
When applying for a DigiD, the following personal data is processed:
When applying for a DigiD abroad the telephone number and e-mail address are mandatory. The issue of a DigiD abroad takes place via the DigiD desk.
When using DigiD, the following personal data is processed (regardless of the login method):
Do you use this login method? Then the following additional personal data will be processed:
Do you use this login method? Then the following additional personal data will be processed:
Components of the DigiD app from Sentry are included because of support and management functionality from app development. Specifically, these components are needed for technical support and monitoring of app functioning, including information in case of app crashes. No personal data is sent to Sentry.
The Google Firebase component is needed for technical support of the push-notification functionality on the Google platform. The user can give and/or withdraw consent for this functionality.
The ID check takes place by reading the chip on the Dutch driving licence, passport or identity card via the DigiD app using an NFC reader on your mobile device. In addition to the data processed for DigiD and the use of the DigiD app, the following personal data are also processed for the ID check. When checking passport, driving licence or identity card:
For driving licence: document number.
Do you use this login method? Then the following additional personal data will be processed:
While logging in with a Dutch identity card/driving licence, you use the DigiD app on a mobile device with NFC or a computer (Windows or MacOS) in combination with an external card reader.
The following data are processed for user support, adequate operation of the website and analysis of (security) incidents:
Preventing and ending abuse and improper use Misuse and improper use may include:
Logius combats misuse and improper use to ensure continuity of our services. And to prevent people from falling victim to cybercrime such as phishing. We do this in cooperation with public service providers. We take every report seriously. If phishing is involved, we take the relevant websites, apps and domain names offline as a precaution. This reduces the chances of criminals taking off with sensitive data.
We cooperate with our chain partners in investigations to identify possible abuse and improper use of our services. If there are indications of abuse or improper use of DigiD, Logius may investigate further. In doing so, Logius and its partners may share data with each other. Based on the results of the investigation, Logius may decide whether measures such as suspending or revoking the DigiD are necessary.
After all, if others have someone's DigiD data, that person could be the victim of identity fraud. Working closely with other government organisations, Logius helps people when things go wrong. We contact the user and then remove the DigiD account so that someone can apply for a new account. This way, someone again possesses the only thing needed to do his or her business digitally with the government.
All data mentioned in section 4 can be used in the prevention and termination of abuse and improper use. However, only the most necessary data will be used for the investigation. Which data these are varies depending on the situation.
DigiD collects statistics in a system for analysis purposes. This is done to tailor DigiD even better to the user. A cookie with an anonymous visitor-id is used for this purpose. This visitor-id is used for repeat visits but cannot be traced back to a person. In addition, a part of the IP address is registered, showing from which countries people use DigiD.
Traceability to the original IPv4 address is limited by removing the last two groups of numbers from each IP address. With IPv6, this applies to the last five groups. The remaining part of the IP address is thus no longer traceable to an individual person. In this way there is no longer any personal data.
To be able to use DigiD, so-called session cookies are created as soon as the user logs in. A session cookie is necessary for the use of DigiD. The session cookie disappears as soon as the user logs out or when the session expires automatically after a certain time.
In the DigiD app, it is possible to disable the analytics software within the app. You can do this in the settings of the DigiD app, under the 'Settings' button.
To (government) institutions affiliated to DigiD, DigiD provides the citizen service number and the authentication level. The citizen service number is provided so that the (government) agency can establish the user's identity. The chosen authentication level is provided so that the (government) agency has an idea of the degree of certainty about the identity of the user who has logged in.
For its user support, Logius uses private parties to provide first-line support. In addition, Logius uses a private party to send a survey for a customer satisfaction survey to establish if the user is satisfied with the assistance provided.
These parties process personal data on behalf of Logius from users who contact the DigiD helpdesk. Processing agreements have been concluded with these parties. So when you contact the DigiD helpdesk, personal data is also processed by these parties.
Furthermore, no personal data is provided to third parties without the user's prior unambiguous consent. Exceptions to this are a legal obligation to supply data (such as the legal obligation to supply data on request to investigation services), or the supply of data to a government body or legal person with a legal task that is necessary to safeguard the security and reliability of DigiD.
This means, among other things, that in the event of security incidents Logius may inform the affiliated (government) organisation(s) and provide necessary data. With the aim of preventing and ending abuse and improper use of DigiD. For example, when an unsafe DigiD has been used to (attempt to) view or change personal data.
Personal data is stored on ICT facilities located on Dutch territory and managed by Logius. Your personal data will not be transferred to countries outside the EU. It concerns a set of personal data consisting of user data and account data.
The data processed for the purposes of DigiD must be retained in accordance with the applicable statutory retention periods. These periods have been set to give citizens certain information if they request it. And to comply with the duty of care owed by the Minister of the Interior and Kingdom Relations to guarantee the security and reliability of DigiD.
The prescribed retention period may differ for each personal data, as different security aspects apply here. The retention periods for DigiD vary between a maximum of 6 weeks and a maximum of 5 years. For the exact retention periods, please see Article 12 of the Personal Data Processing Decree for Generic Digital Infrastructure.
We process your personal data in connection with the purposes described above. Regarding this processing, you can exercise the following rights by sending your request to DigiD:
As a DigiD user, you can view your username, phone number, e-mail address and usage history by logging in to My DigiD on the DigiD website. The phone number and e-mail address can be changed by you.
You can submit a request by filling in the contact form or send a letter or send a letter (address: DigiD - Postbus 96810 - 2509 JE Den Haag, stating: personal data). To comply with the request, you will be asked to identify yourself.
After receiving your request, we will inform you via e-mail as soon as possible, and at the latest within one month, whether this request will be complied with. If your request is refused, we will communicate the reasons in writing to you.
We take appropriate technical and organisational measures to ensure that your personal data is adequately secured, by applying the Government information security baseline. As part of the Dutch Government, Logius must comply to this baseline. It encompasses all layers of the public sector: central government, municipalities, provinces and water boards. This means that this government baseline holds general security measures that are applicable to all information.
Information security also includes measures to ensure the reliability of DigiD. To identify and terminate abuse and improper use of DigiD, we carry out checks on the data. Should a DigiD account no longer be in safe hands, we can take appropriate measures; suspend or revoke a DigiD.
We ensure that the privacy statement is up to date and can always amend this privacy statement for this purpose. In that case, we will publish the amended privacy statement on this website, after which this privacy statement will take immediate effect.
You can pass on your questions, comments or suggestions to DigiD via the contact form, by telephone or by writing to P.O. Box 96810, 2509 JE The Hague.
The Ministry of the Interior and Kingdom Relations has a data protection officer. This officer supervises compliance on privacy legislation internally. You can contact this officer at postbusfg@minbzk.nl.
The Personal Data Authority supervises compliance with privacy legislation externally. You have the right to file a complaint about Logius with the authority. You can do so via the website or the Personal Data Authority, or call 088 - 180 52 50.
The Minister of the Interior and Kingdom Relations is responsible for the processing of personal data for DigiD Authorisation. DigiD Authorisation is managed by Logius. Logius is part of the Ministry of the Interior and Kingdom Relations and manages government-wide ICT facilities.
DigiD Authorisation processes personal data for various purposes, namely for
The basis for the processing of personal data is the Decree on Digital Government (In Dutch: Besluit Digitale Overheid), which is based on the Digital Government Act (in Dutch, Wet Digitale Overheid or WDO).
When applying to register an authorisation in DigiD Authorisation, the following personal data is processed:
When using DigiD Authorisation, the following personal data is processed:
The following data are processed for user support, adequate operation of the website and analysis of (security) incidents:
Misuse and improper use may include:
Logius combats misuse and improper use to ensure continuity of our services. And to prevent people from falling victim to cybercrime such as phishing. We do this in cooperation with public service providers. We take every report seriously. If phishing is involved, we take the relevant websites, apps and domain names offline as a precaution. This reduces the chances of criminals taking off with sensitive data.
We cooperate with our chain partners in investigations to identify possible abuse and improper use of our services. If there are indications of abuse or improper use of DigiD Authorisation, Logius may investigate further. In doing so, Logius and its partners may share data with each other. Based on the results of the investigation, Logius may decide whether measures such as suspending or revoking the authorisation are necessary.
All data mentioned in section 4 can be used in the prevention and termination of abuse and improper use. However, only the most necessary data will be used for the investigation. Which data these are varies depending on the situation.
DigiD Authorisation collects statistics in a system for analysis purposes. This is done to tailor DigiD Authorisation even better to the user. A cookie with an anonymous visitor-id is used for this purpose. This visitor-id is used for repeat visits but cannot be traced back to a person. In addition, a part of the IP address is registered, showing from which countries people use DigiD Authorisation.
Traceability to the original IPv4 address is limited by removing the last two groups of numbers from each IP address. With IPv6, this applies to the last five groups. The remaining part of the IP address is thus no longer traceable to an individual person. In this way there is no longer any personal data.
To be able to use DigiD Authorisation, so-called session cookies are created as soon as the user logs in. A session cookie is necessary for the use of the DigiD Authorisation website. The session cookie disappears as soon as the user logs out or when the session expires automatically after a certain time.
DigiD Authorisation provides (government) institutions affiliated to DigiD Authorisation with proof of validity of a specific authorisation registration. This certificate includes the citizen service numbers of the person being represented and the authorised representative. Upon request, DigiD Authorisation also provides an affiliated (government) organisation with an overview of all authorisation applications and authorisation registrations issued for the services of this (government) organisation.
For its user support, Logius uses private parties to provide first-line support. In addition, Logius uses a private party to send a survey for a customer satisfaction survey to establish if the user is satisfied with the assistance provided.
These parties process personal data on behalf of Logius from users who contact the DigiD helpdesk. Processing agreements have been concluded with these parties. So when you contact the DigiD helpdesk, personal data is also processed by these parties.
Furthermore, no personal data is provided to third parties without the user's prior unambiguous consent. Exceptions to this are a legal obligation to supply data (such as the legal obligation to supply data on request to investigation services), or the supply of data to a government body or legal person with a legal task that is necessary to safeguard the security and reliability of DigiD Authorisation.
This means, among other things, that in the event of security incidents Logius may inform the affiliated (government) organisation(s) and provide necessary data. With the aim of preventing and ending abuse and improper use of DigiD Authorisation. For example, when an unsafe authorisation via DigiD Authorisation has been used to (attempt to) view or change personal data.
Personal data is stored on ICT facilities located on Dutch territory and managed by Logius. Your personal data will not be transferred to countries outside the EU. It concerns a set of personal data consisting of user data and account data.
The data processed for the purposes of DigiD Authorisation must be retained in accordance with the applicable statutory retention periods. These periods have been set to give citizens certain information if they request it. And to comply with the duty of care owed by the Minister of the Interior and Kingdom Relations to guarantee the security and reliability of DigiD Authorisation.
The prescribed retention period may differ for each personal data, as different security aspects apply here. The retention periods for DigiD Authorisation vary between a maximum of 6 weeks and a maximum of 5 years. For the exact retention periods, please see Article 12 of the Personal Data Processing Decree for Generic Digital Infrastructure.
We process your personal data in connection with the purposes described above. Regarding this processing, you can exercise the following rights by sending your request to DigiD Authorisation:
As a user of DigiD Authorisation, by logging in to DigiD Authorisation you can see what actions have been taken by you or the person you represent or have authorised.
You can submit a request by filling in the contact form or send a letter or send a letter (address: DigiD Machtigen - Postbus 96810 - 2509 JE Den Haag, stating: personal data). To comply with the request, you will be asked to identify yourself.
After receiving your request, we will inform you via e-mail as soon as possible, and at the latest within one month, whether this request will be complied with. If your request is refused, we will communicate the reasons in writing to you.
We take appropriate technical and organisational measures to ensure that your personal data is adequately secured, by applying the Government information security baseline. As part of the Dutch Government, Logius must comply to this baseline. It encompasses all layers of the public sector: central government, municipalities, provinces and water boards. This means that this government baseline holds general security measures that are applicable to all information.
Information security also includes measures to ensure the reliability of DigiD Authorisation. To identify and terminate abuse and improper use in DigiD Authorisation, we carry out checks on the data. Should an authorisation in DigiD Authorisation no longer be in safe hands, we can take appropriate measures.
We ensure that the privacy statement is up to date and can always amend this privacy statement for this purpose. In that case, we will publish the amended privacy statement on this website, after which this privacy statement will take immediate effect.
You can pass on your questions, comments or suggestions to DigiD via the contact form, by telephone or by writing to P.O. Box 96810, 2509 JE The Hague.
The Ministry of the Interior and Kingdom Relations has a data protection officer. This officer supervises compliance on privacy legislation internally. You can contact this officer at postbusfg@minbzk.nl.
The Personal Data Authority supervises compliance with privacy legislation externally. You have the right to file a complaint about Logius with the authority. You can do so via the website or the Personal Data Authority, or call 088 - 180 52 50.