Privacy

The Minister of the Interior and Kingdom Relations is responsible for the processing of personal data for DigiD. The DigiD is managed by Logius. Logius is part of the Ministry of the Interior and Kingdom Relations and manages government-wide IT facilities.

DigiD processes personal data for various purposes, namely for

• application and/or activation of DigiD possibly by checking the identity document
• use of DigiD
• supplying personal data to (government) organisations that use DigiD when a user requests digital access to a DigiD-protected website, portal or app
• ensuring the information security and reliability of DigiD, such as preventing abuse and improper use of DigiD and analysing (security) incidents
• providing user support, such as handling questions, problems and complaints
• providing personal details in accordance with a legal obligation

DigiD has several ways of logging in, namely with:

• username and password possibly supplemented by SMS authentication
• DigiD app with PIN code, possibly supplemented by ID check
• Identity card with PIN

The basis for the processing of personal data is the Decree on Digital Government (In Dutch: Besluit Digitale Overheid), which is based on the Digital Government Act (in Dutch, Wet Digitale Overheid or Wdo).

When applying for a DigiD, the following personal data is processed: 

• citizen service number
• name
• address
• postal code
• place of residence
• date of birth
• data to establish the residency or non-residency of the applicant
• telephone number and e-mail address of the applicant (optional)

When applying for a DigiD abroad the telephone number and e-mail address are mandatory. The issue of a DigiD abroad takes place via the DigiD desk.

Logging in with DigiD

When using DigiD, the following personal data is processed (regardless of the login method):

• citizen service number
• the IP address and characteristics of the software and hardware (including user agent, operating system, device name and app code) of the device used

Login method username and password supplemented by SMS code

Do you use this login method? Then the following additional personal data will be processed:

• User name and password
• Telephone number (if the user has opted for DigiD with SMS verification)

DigiD app login method

Do you use this login method? Then the following additional personal data will be processed:

• A unique (digital) key on the mobile device.
• A 5-digit PIN code of the user

Components of the DigiD app from Microsoft and Google, are included because of support and management functionality from app development. Specifically, Microsoft App Center components are needed for technical support and monitoring of app functioning, including information in case of app crashes. The Google Firebase component is needed for technical support of the push-notification functionality on the Google platform. No personal data is sent to Microsoft or Google in this process.

Adding one-time identity document check to the DigiD app (ID check)

The ID check takes place by reading the chip on the Dutch driving licence, passport or identity card via the DigiD app using an NFC reader on your mobile device. In addition to the data processed for DigiD and the use of the DigiD app, the following personal data are also processed for the ID check. When checking passport, driving licence or identity card:

• document number
• date of birth
• validity (date of expiry, retention or loss, including indication)
• Machine Readable Zone (MRZ) of the driving licence. The MRZ is a one-line series of numbers and letters and is located on the front of the driving licence
• The data in the chip of the identity document. For passport or identity card: issuing state or organisation, name, document number, nationality, date of birth, gender, validity dates;

For driving licence: document number.

Login method identity card/driving licence

Do you use this login method? Then the following additional personal data will be processed:

• Document code enabling the identity document to be recognized
• Citizen service number in an encrypted form or in a derived form.
• A 5-digit PIN of the identity document

While logging in with a Dutch identity card/driving licence, you use the DigiD app on a mobile device with NFC or a computer (Windows or MacOS) in combination with an external card reader.

Complaint handling, website operation, (security) incidents

The following data are processed for complaint handling, adequate operation of the website and analysis of (security) incidents:

• IP address and characteristics of the software and hardware used by the device with which the user logs in;
• user actions (such as data about logging in and about requesting, revoking or activating DigiD);
• visitor statistics, trend analysis and usability research regarding DigiD;
• questions, complaints and contact details (such as name, e-mail address and/or telephone number) of persons who contact the DigiD helpdesk.

Preventing and ending abuse and improper use Misuse and improper use may include:

• compromises and breaches of technical security such as hacking and DDoS attacks;
• when others use someone's digital identity (with or without permission) to do business with the government

Logius combats misuse and improper use to ensure continuity of our services. And to prevent people from falling victim to cybercrime such as phishing. We do this in cooperation with public service providers. We take every report seriously. If phishing is involved, we take the relevant websites, apps and domain names offline as a precaution. This reduces the chances of criminals taking off with sensitive data.

We cooperate with our chain partners in investigations to identify possible abuse and improper use of our services. If there are indications of abuse or improper use of DigiD, Logius may investigate further. In doing so, Logius and its partners may share data with each other. Based on the results of the investigation, Logius may decide whether measures such as suspending or revoking the DigiD are necessary.

After all, if others have someone's DigiD data, that person could be the victim of identity fraud. Working closely with other government organisations, Logius helps people when things go wrong. We contact the user and then remove the DigiD account so that someone can apply for a new account. This way, someone again possesses the only thing needed to do his or her business digitally with the government.

All data mentioned in section 4 can be used in the prevention and termination of abuse and improper use. However, only the most necessary data will be used for the investigation. Which data these are varies depending on the situation.

DigiD collects statistics in a system for analysis purposes. This is done to tailor DigiD even better to the user. A cookie with an anonymous visitor-id is used for this purpose. This visitor-id is used for repeat visits but cannot be traced back to a person. In addition, a part of the IP address is registered, showing from which countries people use DigiD.

Traceability to the original IPv4 address is limited by removing the last two groups of numbers from each IP address. With IPv6, this applies to the last five groups. The remaining part of the IP address is thus no longer traceable to an individual person. In this way there is no longer any personal data.

To be able to use DigiD, so-called session cookies are created as soon as the user logs in. A session cookie is necessary for the use of DigiD. The session cookie disappears as soon as the user logs out or when the session expires automatically after a certain time.

In the DigiD app, it is possible to disable the analytics software within the app. You can do this in the settings of the DigiD app, under the 'Settings' button.

To (government) institutions affiliated to DigiD, DigiD provides the citizen service number and the authentication level. The citizen service number is provided so that the (government) agency can establish the user's identity. The chosen authentication level is provided so that the (government) agency has an idea of the degree of certainty about the identity of the user who has logged in.

For its user support, Logius uses a private party to provide first-line support. In addition, Logius uses a private party to send a survey for a customer satisfaction survey to establish if the user is satisfied with the assistance provided.

These parties process personal data on behalf of Logius from users who contact the DigiD helpdesk. Processing agreements have been concluded with these parties. So when you contact the DigiD helpdesk, personal data is also processed by this party.

Furthermore, no personal data is provided to third parties without the user's prior unambiguous consent. Exceptions to this are a legal obligation to supply data (such as the legal obligation to supply data on request to investigation services), or the supply of data to a government body or legal person with a legal task that is necessary to safeguard the security and reliability of DigiD.

This means, among other things, that in the event of security incidents Logius may inform the affiliated (government) organisation(s) and provide necessary data. With the aim of preventing and ending abuse and improper use of DigiD. For example, when an unsafe DigiD has been used to (attempt to) view or change personal data.

Personal data is stored on ICT facilities located on Dutch territory and managed by Logius. Your personal data will not be transferred to countries outside the EU. It concerns a set of personal data consisting of user data and account data.

The data processed for the purposes of DigiD must be retained in accordance with the applicable statutory retention periods. These periods have been set to give citizens certain information if they request it. And to comply with the duty of care owed by the Minister of the Interior and Kingdom Relations to guarantee the security and reliability of DigiD.

The prescribed retention period may differ for each personal data, as different security aspects apply here. The retention periods for DigiD vary between a maximum of 6 weeks and a maximum of 5 years. For the exact retention periods, please see Article 12 of the Personal Data Processing Decree for Generic Digital Infrastructure.

We process your personal data in connection with the purposes described above. Regarding this processing, you can exercise the following rights by sending your request to DigiD:

• Right to know whether we process personal data about you and the right to access your personal data.
• Right to correct, supplement or restrict the processing of your personal data, considering the purposes described above.
• Right to delete your personal data, for example if it is no longer necessary for the purposes described above.
• Right to object to the processing of your personal data for reasons relating to your specific situation.

As a DigiD user, you can view your username, phone number, e-mail address and usage history by logging in to My DigiD on the DigiD website. The phone number and e-mail address can be changed by you.

You can submit a request by filling in the contact form or send a letter or send a letter (address: DigiD - Postbus 96810 - 2509 JE Den Haag, stating: personal data). To comply with the request, you will be asked to identify yourself.

After receiving your request, we will inform you via e-mail as soon as possible, and at the latest within one month, whether this request will be complied with. If your request is refused, we will communicate the reasons in writing to you.

We take appropriate technical and organisational measures to ensure that your personal data is adequately secured. These measures are described in the Regulation on the provisions of the Digital Government Act  (Regeling voorzieningen Wdo) and serve to prevent breaches of and damage to the security and processes of DigiD.

Information security also includes measures to ensure the reliability of DigiD. To identify and terminate abuse and improper use of DigiD, we carry out checks on the data. Should a DigiD account no longer be in safe hands, we can take appropriate measures; suspend or revoke a DigiD.

We ensure that the privacy statement is up to date and can always amend this privacy statement for this purpose. In that case, we will publish the amended privacy statement on this website, after which this privacy statement will take immediate effect.

You can pass on your questions, comments or suggestions to DigiD via the contact form, by telephone or by writing to P.O. Box 96810, 2509 JE The Hague.

The Ministry of the Interior and Kingdom Relations has a data protection officer. This officer supervises privacy legislation internally. You can contact this officer at postbusfg@minbzk.nl.

The Personal Data Authority supervises compliance with privacy legislation externally. You have the right to file a complaint about Logius with the authority. You can do so via the website or the Personal Data Authority, or call 088 - 180 52 50.

The Minister of the Interior and Kingdom Relations is responsible for the processing of personal data for DigiD Authorisation. DigiD Authorisation is managed by Logius. Logius is part of the Ministry of the Interior and Kingdom Relations and manages government-wide ICT facilities.

DigiD Authorisation processes personal data for various purposes, namely for

• application and/or activation of a (registered) authorization
• use of DigiD Authorisation
• providing personal data to (government) organisations that use DigiD Authorisation for their services
• ensuring the information security and reliability of DigiD Authorisation, including combating the misuse and improper use of DigiD Authorisation and the analysis of security and other incidents
• sending a notification with the status of the authorisation
• user support, including handling questions and complaints from users
• providing personal data pursuant to a legal obligation.

The basis for the processing of personal data is the Decree on Digital Government (In Dutch: Besluit Digitale Overheid), which is based on the Digital Government Act (in Dutch, Wet Digitale Overheid or WDO).

When applying to register an authorisation in DigiD Authorisation, the following personal data is processed:

• citizen service number;
• name;
• address;
• zip code;
• city;
• email address (optional);
• date of birth of the person being represented;
• citizen service number of the person requesting the registration.

Use of DigiD Authorisation

When using DigiD Authorisation, the following personal data is processed:

• email address (optional);
• citizen service number of the person being represented;
• citizen service number of the authorised person.

Complaint handling, website operation, (security) incidents

The following data are processed for complaint handling, adequate operation of the website and analysis of (security) incidents:

• IP address and characteristics of the software and hardware used by the device with which the user logs in;
• user actions (such as data about logging in and about requesting, revoking or activating authorisations);
• visitor statistics, trend analysis and usability research regarding DigiD Authorisation;
• questions, complaints and contact details (such as name, e-mail address and/or telephone number) of persons who contact the DigiD helpdesk.

Preventing and ending abuse and improper use

Misuse and improper use may include:

• compromises and breaches of technical security such as hacking and DDoS attacks;
• when others use someone's digital identity (with or without permission) to do business with the government

Logius combats misuse and improper use to ensure continuity of our services. And to prevent people from falling victim to cybercrime such as phishing. We do this in cooperation with public service providers. We take every report seriously. If phishing is involved, we take the relevant websites, apps and domain names offline as a precaution. This reduces the chances of criminals taking off with sensitive data.

We cooperate with our chain partners in investigations to identify possible abuse and improper use of our services. If there are indications of abuse or improper use of DigiD Authorisation, Logius may investigate further. In doing so, Logius and its partners may share data with each other. Based on the results of the investigation, Logius may decide whether measures such as suspending or revoking the authorisation are necessary.

All data mentioned in section 4 can be used in the prevention and termination of abuse and improper use. However, only the most necessary data will be used for the investigation. Which data these are varies depending on the situation.

DigiD Authorisation collects statistics in a system for analysis purposes. This is done to tailor DigiD Authorisation even better to the user. A cookie with an anonymous visitor-id is used for this purpose. This visitor-id is used for repeat visits but cannot be traced back to a person. In addition, a part of the IP address is registered, showing from which countries people use DigiD Authorisation.

Traceability to the original IPv4 address is limited by removing the last two groups of numbers from each IP address. With IPv6, this applies to the last five groups. The remaining part of the IP address is thus no longer traceable to an individual person. In this way there is no longer any personal data.

To be able to use DigiD Authorisation, so-called session cookies are created as soon as the user logs in. A session cookie is necessary for the use of the DigiD Authorisation website. The session cookie disappears as soon as the user logs out or when the session expires automatically after a certain time.

DigiD Authorisation provides (government) institutions affiliated to DigiD Authorisation with proof of validity of a specific authorisation registration. This certificate includes the citizen service numbers of the person being represented and the authorised representative. Upon request, DigiD Authorisation also provides an affiliated (government) organisation with an overview of all authorisation applications and authorisation registrations issued for the services of this (government) organisation.

For its user support, Logius uses a private party to provide first-line support. In addition, Logius uses a private party to send a survey for a customer satisfaction survey to establish if the user is satisfied with the assistance provided.

These parties process personal data on behalf of Logius from users who contact the DigiD helpdesk. Processing agreements have been concluded with these parties. So when you contact the DigiD helpdesk, personal data is also processed by this party.

Furthermore, no personal data is provided to third parties without the user's prior unambiguous consent. Exceptions to this are a legal obligation to supply data (such as the legal obligation to supply data on request to investigation services), or the supply of data to a government body or legal person with a legal task that is necessary to safeguard the security and reliability of DigiD Authorisation.

This means, among other things, that in the event of security incidents Logius may inform the affiliated (government) organisation(s) and provide necessary data. With the aim of preventing and ending abuse and improper use of DigiD Authorisation. For example, when an unsafe authorisation via DigiD Authorisation has been used to (attempt to) view or change personal data.

Personal data is stored on ICT facilities located on Dutch territory and managed by Logius. Your personal data will not be transferred to countries outside the EU. It concerns a set of personal data consisting of user data and account data.

The data processed for the purposes of DigiD Authorisation must be retained in accordance with the applicable statutory retention periods. These periods have been set to give citizens certain information if they request it. And to comply with the duty of care owed by the Minister of the Interior and Kingdom Relations to guarantee the security and reliability of DigiD Authorisation.

The prescribed retention period may differ for each personal data, as different security aspects apply here. The retention periods for DigiD Authorisation vary between a maximum of 6 weeks and a maximum of 5 years. For the exact retention periods, please see Article 12 of the Personal Data Processing Decree for Generic Digital Infrastructure.

We process your personal data in connection with the purposes described above. Regarding this processing, you can exercise the following rights by sending your request to DigiD Authorisation: 

• Right to know whether we process personal data about you and the right to access your personal data.
• Right to correct, supplement or restrict the processing of your personal data, considering the purposes described above.
• Right to delete your personal data, for example if it is no longer necessary for the purposes described above.
• Right to object to the processing of your personal data for reasons relating to your specific situation.

As a user of DigiD Authorisation, by logging in to DigiD Authorisation you can see what actions have been taken by you or the person you represent or have authorised.

You can submit a request by filling in the contact form or send a letter or send a letter (address: DigiD Machtigen - Postbus 96810 - 2509 JE Den Haag, stating: personal data). To comply with the request, you will be asked to identify yourself.

After receiving your request, we will inform you via e-mail as soon as possible, and at the latest within one month, whether this request will be complied with. If your request is refused, we will communicate the reasons in writing to you.

We take appropriate technical and organisational measures to ensure that your personal data is adequately secured. These measures are described in the Regulation on the provisions of the Digital Government Act  (Regeling voorzieningen Wdo) and serve to prevent breaches of and damage to the security and processes of DigiD Authorisation.

Information security also includes measures to ensure the reliability of DigiD Authorisation. To identify and terminate abuse and improper use in DigiD Authorisation, we carry out checks on the data. Should an authorisation in DigiD Authorisation no longer be in safe hands, we can take appropriate measures.

We ensure that the privacy statement is up to date and can always amend this privacy statement for this purpose. In that case, we will publish the amended privacy statement on this website, after which this privacy statement will take immediate effect.

You can pass on your questions, comments or suggestions to DigiD via the contact form, by telephone or by writing to P.O. Box 96810, 2509 JE The Hague.

The Ministry of the Interior and Kingdom Relations has a data protection officer. This officer supervises privacy legislation internally. You can contact this officer at postbusfg@minbzk.nl.

The Personal Data Authority supervises compliance with privacy legislation externally. You have the right to file a complaint about Logius with the authority. You can do so via the website or the Personal Data Authority, or call 088 - 180 52 50.