Privacy declaration DigiD and DigiD Authorisation

This declaration briefly describes who is responsible for processing the personal data for DigiD and DigiD Authorisation, which personal data of the user of DigiD and DigiD Authorisation is processed and for what purpose. It also describes to whom the personal data can be given, the rights of the user and how these rights can be exercised. In the Decision concerning the processing of personal data generic digital infrastructure, this processing of personal data is described comprehensively and fully (Gazette 2016, 195, only in Dutch).

Who is responsible for the processing of the personal data?

The Minister of the Interior and Kingdom Relations is responsible for processing personal data for DigiD and DigiD Authorisation. Logius is responsible for managing DigiD and DigiD Authorisation. Logius forms part of the Ministry of the Interior and Kingdom Relations and maintains government-wide ICT solutions.

Why are personal data processed?

DigiD and DigiD Authorisation process personal data as part of several processes:  

  • the application for and/or activation of DigiD or a (registered) authorisation;
  • the use of DigiD and DigiD Authorisation;
  • the provision of personal data to third parties;
  • the processing of personal data in relation to guaranteeing the security and trustworthiness of DigiD and DigiD Authorisation;
  • dealing with the questions and complaints of users.

Which personal data are processed?

The following personal data are processed when applying for a DigiD: 

  • Citizens Service Number, the name, the address;
  • postcode;
  • town or city;
  • date of birth;
  • information in order to be able to establish the residency or non-residency of the applicant;
  • applicant’s telephone number and email address (optionally)

If the application is made at the DigiD service desk, the number of the applicant's Dutch identity document and nationality are also processed.

When DigiD is used, the user's following personal data is processed:

  • Citizens Service Number;
  • user name;
  • password;
  • telephone number (compulsory if the user has opted for DigiD with extra verification via SMS);
  • email address (not compulsory);
  • (validity) data of the user's Dutch identity document.

When applying to register an authorisation in DigiD Authorisation, the following personal data are processed:

  • Citizens Service Number;
  • name;
  • address;
  • postcode;
  • town or city;
  • date of birth of the person who is being represented;
  • Citizens Service Number of the person applying for the registration.

When using DigiD Authorisation, the following personal data are processed:

  • Citizens Service Number of the person being represented;
  • Citizens Service Number of the authorised representative.

Furthermore, the following data is processed for complaints handling, proper functioning of the website and the analysis of (security) incidents for both DigiD and DigiD Authorisation:

  • the IP address and attributes of the software and hardware that are used for the device the user logs in with;
  • the user's actions (such as changing the password or logging into a government agency);
  • the website of the (government) agency where the user applies for a DigiD or the agency where the user logs in with DigiD; the time of the start and end of the log-in session;
  • questions, complaints and contact details (such as email address and/or telephone number) of people who contact the DigiD and DigiD Authorisation Help Desks.

To be able to use DigiD and DigiD Authorisation, so-called session cookies are created as soon as the user logs in. The session cookie is needed in order to be able to use the DigiD and DigiD Authorisation websites. The session cookie disappears as soon as the user logs out or when the session ends automatically after a certain amount of time.

To whom are personal data given?

DigiD gives the Citizens Service Number and the authentication level to (government) bodies that are affiliated with DigiD. The Citizens Service Number is provided to enable the (government) body to establish the user's identity. The authentication level that is selected is given so that the (government) body has an understanding of the level of assurance there is about the identity of the user who has logged in.

DigiD Authorisation provides affiliated (government) bodies with proof of validity of a specific authorisation registration. Included in this proof of validity are the Citizens Service Numbers of the person who is represented and the authorised representative.

Otherwise, no personal data is given to third parties without the prior unambiguous consent of the user; an exception to this rule is a legal duty to provide data (such as the legal duty to provide data to investigation services when asked to do so).

What rights does the user have?

At his or her request, each user is able to access the personal data that is processed by DigiD and/or DigiD Authorisation. At the user's request, his or her personal data can be corrected, supplemented, deleted or blocked, unless this is not allowed pursuant to a legal provision.

The user can submit a request to access the data by sending an email to info@digid.nl or a letter to: DigiD/DigiD Authorisation - P.O. Box 96810 - 2509 JE The Hague, quoting: access to personal data.To be able to fulfil the request to access the data, the user will be asked to identify himself or herself. A request for correction, supplementation or deletion of personal data can be submitted in the same way as a request to access the data.

A DigiD user can view his user name, telephone number, Citizens Service Number, e-mail address and usage history by logging in to Mijn DigiD (My DigiD) at DigiD's website. The user is able to change the telephone number and email address.

By logging in to DigiD Authorisation, a DigiD Authorisation user can see what activities have been performed by him or by the person that he represents or has authorised.

Test with Remote Document Authentication

In addition to the personal data mentioned above, Logius is also processing personal data for a test with Remote Document Authentication (RDA). Logius conducts this test together with RDW for the purpose of examining safer ways of authentication. 

RDA is a technique which provides the user access to online public services. It does so with a substantial level of assurance: after the user successfully logged in with his DigiD username and password, he scans his Dutch identity document with a card reader. 

The card reader communicates with a contact-free chip in the identity document and determines through cryptographic processes whether the chip is authentic, unaltered and belongs to the person that wants to log in. 

For the purpose of the RDA test, the following personal data is being processed in addition to the personal data mentioned above:

  • For the purpose of the key register of persons:

    • Citizen service number

  • For the purpose of communicating with the chip in the identity document:

    • The user’s date of birth
    • The document’s unique number
    • The document's validation date 

  • For the purpose of determining whether the user should legally own the identity document:

    • The expiration date of the document
    • The indication whether the document is expired or missing

  • If the user owns several valid identity documents, another identity document is needed to indicate which dataset belongs to the identity document.

The processing of the aforementioned personal data is included in the notifications register of the Ministry of the Interior and Kingdom Relations. Please see the web page of this notifications register (only in Dutch).