Privacy

The Minister of the Interior and Kingdom Relations is responsible for the processing of personal data for DigiD. The DigiD is managed by Logius. Logius is part of the Ministry of the Interior and Kingdom Relations and manages government-wide IT facilities.

DigiD processes personal data at several times, such as:

• when DigiD is applied for and/or activated
• when DigiD is used
• when personal data is provided to organisations that use DigiD
• when personal data is processed in order to ensure the (information) security and reliability of DigiD and to analyse (security) incidents
• when user support is providing, including handling questions and complaints from users
• when personal data is issued pursuant to a statutory obligation
• when the security of the DigiD app is enhanced by checking the identity document (optional)

Several login methods are available for DigiD:

• username and password
• username and password plus SMS authentication
• DigiD app

The processing of personal data is based on the Decree on Processing of Personal Data in the Generic Digital Infrastructure), which is based on the Electronic Data Interchange (Tax and Customs Administration) Act (Wet elektronisch berichtenverkeer belastingdienst).

When you apply for a DigiD, the following personal data is processed:

• citizen service number
• name
• street address
• zip code (postcode)
• town
• date of birth
• data to establish whether or not the applicant is a Dutch resident
• the applicant's phone number and email address (optional)

If the application is submitted through the DigiD service desk, the number of the identity document and the nationality of the applicant are also processed and it is mandatory to provide the phone number and email address.

Logging in with DigiD

When you use DigiD, the following personal data is processed (regardless of the login method):

• citizen service number
• username
• password
• phone number (not mandatory)
• email address (not mandatory)
• (validity) data of the user's Dutch identity document

Login method username and password plus SMS verification code

If you use this login method, the following additional personal data is processed:

• phone number (mandatory if the user has opted for DigiD with SMS verification)

Login method DigiD app

If you use this login method, the following additional personal data is processed:

• the IP address and features of the software and hardware used on the mobile device
• the name and version of the operating system of the mobile device
• the unique device identifier of the mobile phone
• a 5-digit PIN code of the user
• the mobile phone number if the app is used on a mobile phone

Adding a once only check of your identity document to your DigiD app (ID check)

More and more organisations require that you add an ID check of your passport, identity card or driving licence to the DigiD app. By adding the ID check you can do more with your DigiD app. During the check, the chip on the Dutch driving licence or identity document is scanned with your DigiD app using an NFC reader. You can perform the ID check with the DigiD app on a smartphone or tablet with an NFC reader. Besides the data processed for DigiD and the use of the DigiD app, the following additional personal data is processed for this ID check.

After checking the passport or identity card:

• document number
• date of birth
• validity data (expiry date, as well as any withholding or loss, including an indication thereof)

After checking driving licence:

• driving licence number

Login method identity card

If you use this login method, the following additional personal data is processed:

• identity document type
• sequence number, which is used for recognising an identity document

You have to use the DigiD app for logging in with an identity card. Please see 'Login method DigiD app' for which additional data is being processed by the app. Is your DigiD app installed on your computer (Windows or MacOS)? Then the following additional data is processed:

• IP address
• name and version of the operating system of your computer

Complaints handling, operation of website, (security) incidents

The following data is processed for complaints handing, the satisfactory operation of the website and the analysis of (security) incidents:

• the IP address and features of the software and hardware used on the device with which the user logs in
• the user's actions (e.g. data about logging in and about applying for, revoking and activating authorisations)
• visitor statistics, trend analysis and usability research concerning DigiD
• questions, complaints and contact details (such as name, email address and/or phone number) of persons who contact the DigiD and DigiD Authorisation helpdesk

In order to be able to use DigiD, session cookies are created as soon as the user logs in. The use of the session cookie is necessary for the use of the DigiD login screen. The session cookie disappears as soon as the user logs out or when the session expires automatically after a certain period of time.

DigiD collects statistics in a system for analysis purposes. This is done in order to tailor DigiD even better to the user.

To draw up statistics, we use a cookie with an anonymous visitor ID. This visitor ID cannot be traced back to a person, but can be used in recurrent visits. The IP address of the network in which DigiD is used is also processed. In order to minimise the intrusion on the privacy of the visitor or user, DigiD has taken measures to limit the traceability to the original IP address as much as possible. The last two groups of 8 bits (two octets) of each IP address are removed before it is added to the work files. This anonymises the IP address, so that the data are no longer personal data.

As a user you can disable this analytical software in the DigiD app. You can do this in the settings of the DigiD app, under the 'Settings' button.

DigiD provides the citizen service number and the authentication level to (government) institutions that are affiliated with DigiD. The citizen service number is provided so that the (government) institution can establish the identity of the user. The selected authentication level is provided so that the (government) institution has an idea of the extent to which there is certainty about the identity of the user who has logged in.

For user support Logius relies on a private party, which takes care of the so-called ''primary support". In addition, Logius relies on a private party to send a customer satisfaction survey to establish whether users are satisfied with the help provided.

On behalf of Logius, these parties process personal data of users who contact the DigiD and DigiD Authorisation helpdesk. Data processing agreements have been concluded with these parties. This means that when you contact the DigiD and DigiD Authorisation helpdesk, personal data is also processed by these processors.

Otherwise, no personal data is provided to third parties without the prior unambiguous consent of the user, except if there is a statutory obligation to provide data (such as the statutory obligation to provide data to authorities investigating criminal offences), or where data is provided to a government body or legal entity with a statutory task that is necessary to ensure the security and reliability of DigiD and/or DigiD Authorisation.

The data processed for DigiD must be kept in accordance with the applicable statutory retention periods. These retention periods have been set in order to be able to provide citizens with particular information when they request it, and to fulfil the duty of care of the Minister of the Interior and Kingdom Relations to guarantee the security and reliability of these facilities.

The prescribed retention period may differ per type of personal data, because different security aspects apply to each type. The maximum retention periods for DigiD range from 6 weeks to 5 years. For the exact retention periods, please refer to Section 11 and Section 12 of the Decree on Processing of Personal Data in the Generic Digital Infrastructure.

We process your personal data for the purposes described above. You can exercise the following rights with regard to this processing by sending a request to DigiD:

• Right to know whether we process personal data about you and the right to access your personal data.
• Right to rectify or supplement your personal data or to limit the processing of your personal data, taking into account the purposes described above.
• Right to have your personal data deleted, for example if this data is no longer needed for the purposes described above.
• Right to object to the processing of your personal data for reasons related to your specific situation.

As a DigiD user, you can view your username, phone number, citizen service number, email address and user history by logging into My DigiD on the DigiD website. You can personally change the phone number and email address.

You can submit a request by email (to info@digid.nl) or by sending a letter (DigiD - Postbus 96810 - 2509 JE Den Haag), citing "personal data"). To be able to comply with the request, you will be asked to identify yourself.

After receiving your request, we will inform you by email as soon as possible, and at the latest within one month, whether this request will be complied with. If your request is refused, we will inform you of the reasons for this in writing.

If you do not agree with the response to a request or have a complaint regarding the processing of your personal data, you can submit this type of complaint to the Dutch Data Protection Authority or bring an action. You can read more about submitting a complaint to the Dutch Data Protection Authority here: https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacyrechten/klacht-indienen-bij-de-ap.

We take appropriate technical and organisational measures to ensure that your personal data is adequately protected. These measures are described in the Regulation on GDI Facilities and are aimed at preventing breaches of and damage to the security and processes of DigiD.

We may amend this privacy statement at any time. In that case, we will publish the amended privacy statement on our website https://www.digid.nl, whereupon this privacy statement will take immediate effect.

The Minister of the Interior and Kingdom Relations is responsible for the processing of personal data for DigiD Authorisation. DigiD Authorisation is managed by Logius. Logius is part of the Ministry of the Interior and Kingdom Relations and manages government-wide ICT facilities.

DigiD Authorisation processes personal data at several times, such as:

• when a (registered) authorisation is applied for and/or activated
• when DigiD Authorisation is used
• when personal data is provided to organisations that use DigiD Authorisation
• when personal data is processed in order to ensure the (information) security and reliability of DigiD Authorisation and to analyse (security) incidents
• sending a notification with the status of the authorization
• when providing user support, including handling questions and complaints from users
• when personal data is issued pursuant to a statutory obligation

The processing of personal data is based on the Decree on Processing of Personal Data in the Generic Digital Infrastructure), which is based on the Electronic Data Traffic (Tax and Customs Administration) Act (Wet elektronisch berichtenverkeer belastingdienst).

When you apply for the registration of an authorisation in DigiD Authorisation, the following personal data is processed:

• citizen service number
• name
• street address
• postcode
• town
• email address (optional)
• date of birth of the person being represented
• citizen service number of the person applying for the registration

When you use DigiD Authorisation, the following personal data is processed:

• email address (optional)
• citizen service number of the person being represented
• citizen service number of the authorised representative

The following data is processed for complaints handing, the satisfactory operation of the website and the analysis of (security) incidents:

• IP address and features of the software and hardware used on the device with which the user logs in
• the user's actions (e.g. data about logging in and about applying for, revoking and activating authorisations)
• visitor statistics, trend analysis and usability research concerning DigiD and DigiD Authorisation
• questions, complaints and contact details (such as name, email address and/or phone number) of persons who contact the DigiD and DigiD Authorisation helpdesk.

In order to be able to use DigiD Authorisation, session cookies are created as soon as the user logs in. The use of the session cookie is necessary for the use of the DigiD Authorisation website. The session cookie disappears as soon as the user logs out or when the session expires automatically after a certain period of time.

DigiD Authorisation collects statistics in a system for analysis purposes. This is done in order to tailor DigiD Authorisation even better to the user.

For the purpose of compiling statistics, the IP address of the network in which DigiD Authorisation is used is processed. In order to minimise the intrusion on the privacy of the visitor or user, DigiD Authorisation has taken measures to limit the traceability to the original IP address as much as possible. For example, an anonymous "Visitor ID" is calculated and the last 6 digits of each IP address are deleted before they are added to the work files. In this way, the IP address is anonymised, meaning that no personal data is collected.

DigiD Authorisation provides affiliated (government) organisations with a certificate confirming the validity of a specific authorisation registration. This certificate contains the citizen service numbers of the person being represented and the authorised representative. Upon request, DigiD Authorisation will also provide an affiliated (government) organisation with an overview of all authorisation applications and authorisation registrations that have been issued for the services of this (government) organisation.

For user support Logius relies on a private party, which takes care of the so-called ''primary support". In addition, Logius uses a private party to send a customer satisfaction survey to establish whether users are satisfied with the help provided.

On behalf of Logius, these parties process personal data of users who contact the DigiD and DigiD Authorisation helpdesk. Data processing agreements have been concluded with these parties. This means that when you contact the DigiD and DigiD Authorisation helpdesk, personal data is also processed by these processors.

Otherwise, no personal data is provided to third parties without the prior unambiguous consent of the user, except if there is a statutory obligation to provide data (such as the statutory obligation to provide data to authorities investigating criminal offences), or where data is provided to a government body or legal entity with a statutory task that is necessary to ensure the security and reliability of DigiD and/or DigiD Authorisation.

The data processed for DigiD Authorisation must be kept in accordance with the applicable statutory retention periods. These retention periods have been set in order to be able to provide citizens with particular information when they request it, and to fulfil the duty of care of the Minister of the Interior and Kingdom Relations to guarantee the security and reliability of these facilities.

The prescribed retention period may differ per type of personal data, because different security aspects apply to each type. The maximum retention periods for DigiD Authorisation range from 6 weeks to 5 years For the exact retention periods, please refer to Section 11 and Section 12 of the Decree on Processing of Personal Data in the Generic Digital Infrastructure.

We process your personal data for the purposes described above. You can exercise the following rights with regard to this processing by sending a request to DigiD:

• right to know whether we process personal data about you and the right to access your personal data
• right to rectify or supplement your personal data and to limit the processing of your personal data, taking into account the purposes described above.
• right to have your personal data deleted, for example if this data is no longer needed for the purposes described above
• right to object to the processing of your personal data for reasons related to your specific situation

As a user of DigiD Authorisation, by logging into DigiD Authorisation you can see which actions have been performed by you or by the person you represent or the person you have authorised.

You can submit a request by email (to info@digid.nl) or by sending a letter (DigiD/DigiD Authorisation - Postbus 96810 - 2509 JE Den Haag, quoting "personal data"). To be able to comply with the request, you will be asked to identify yourself.

After receiving your request, we will inform you by email as soon as possible, and at the latest within one month, whether this request will be complied with. If your request is refused, we will inform you of the reasons for this in writing.

If you do not agree with the response to a request or have a complaint regarding the processing of your personal data, you can submit this type of complaint to the Dutch Data Protection Authority or bring an action. You can read more about submitting a complaint to the Dutch Data Protection Authority on the website of the Dutch Data Protection Authority.

We take appropriate technical and organisational measures to ensure that your personal data is adequately protected. These measures are described in the Regulation on GDI Facilities and are aimed at preventing breaches of and damage to the security and processes of DigiD Authorisation.

We may amend this privacy statement at any time. In that case, we will publish the amended privacy statement on our website https://machtigen.digid.nl, whereupon this privacy statement will take immediate effect.