Key Benefits:
Decision of 17 May 2016, laying down rules on the processing of personal data in the provision for the generic digital infrastructure DigiD, DigiD Authorize, Mining and BSN-Link Registry (Decision Processing Personal Data Generic) digital infrastructure)
We Willem-Alexander, at the grace of God, King of the Netherlands, Prince of Orange-Nassau, etc. etc. etc.
On the nomination of Our Minister of Internal Affairs and Kingdom Relations of 18 January 2016, no. 2016-0000023784 DCB/CZW/SB;
Having regard to Article X, third paragraph, of the Electronic Messaging Act Tax Service ;
The Department for the Advisory Board of the State Hearing (Opinion of 8 April 2016, No No. W04.160008/I);
Having regard to the further report of Our Minister of Internal Affairs and Kingdom Relations of 10 May 2016 No. 2016-0000267641 BZK/CZW/SB;
Have found good and understand:
For the purpose of this Decision:
authorizing DigiD and DigiD: a public body which, or a legal person with a statutory task, other than a public body, who, in the exercise of his or her mission or competence, offers a service for electronic circulation between him and users of DigiD and Authorize DigiD and use DigiD and DigiD Respectively, respectively;
Buying company of MyGovernment: a public body which, or a legal person with a statutory task, other than a public body, which makes use of MyGovernment in the exercise of its functions or powers;
authentication: an electronic process for the verification and confirmation of the identity of a natural or legal person, or of the origin and integrity of data;
authorizing visitor from MyGovernment, DigiD or DigiD: the person who visits MyGovernment, DigiD or DigiD Authorize, but does not login or whose electronic application procedure for a DigiD is not completed;
BSN-Link Registry: the provision that establishes a relationship between a unique identifier on a private authentication tool and the civil service number of the holder;
Civil Service Number: the number, for the purpose of Article 1 (b) of the general provisions Act civil service number ;
DigiD: The provision for electronic authentication means and electronic authentication accessible via the web address www.digid.nl;
Authorize DigiD: the provision for electronic registration of authorisations reachable through the web address.
user of DigiD: a natural person enrolled in the basic registration persons, in the possession of a civil service number and of whom the electronic application procedure for a DigiD has been completed;
Authorize User from DigiD: the authorised representative, the represented, or a natural or legal person, who makes use of the provision DigiD Authorisation;
User of MyGovernment: a natural person enrolled in the basic registration persons, in the possession of a civil service number, and for whom a MyGovernment account is available;
Delegate: Authorize a User of DigiD Authority who can perform actions on behalf of the represented (right);
Delegate to MyGovernment: a user of MyGovernment or a legal person, who, with a permission authorized in DigiD Authorising, can see certain messages from the represented in MyGovernment;
Mygovernment: the provision reachable through the web address mine. government.nl for the e-messaging service the Message box, and the Provision of Information Lopened Cases and Personal Data;
MyOverhesion account: the domain of a user of MyGovernment on MyOverness,
Notification: a attention sent to the MyGovernment user by e-mail or another channel after a message has been placed in the Message Box or an alteration to Lopened Cases has taken place;
Our Minister: Our Minister of Home Affairs and Kingdom Relations;
public body: public body as referred to in Article 1 (c) of the general provisions Act civil service number ;
personal data: which is understood to be Article 1 of the Personal Data Protection Act ;
represented: a natural person who, for the purposes of representing his interests in circulation with the customers of DigiD Authorize, is represented by an authorised representative;
represented in MyGovernment: a natural person who, with a authorised authorisation registered in DigiD Authorising, grants an authorised agent in MyGovernment access to its messages to the extent that they are within the scope of the authorisation.
Our Minister for the establishment, making, maintenance, operation, security and reliability of DigiD shall process the following personal data:
a. to DigiD 's visitors: data on origin and features of the network traffic and the features of the DigiD visitor' s software and hardware used that are relevant to the adequate operation and security of supply;
b. For DigiD visitors who started an application process, but did not complete, also the civil service number and the date and time of the request and the reason why the request was not successful;
c. over users of DigiD:
1. the name and the necessary information to reflect this correctly, date of birth, date of death, nationality, data to enable the residency or non-residency of persons to be established in the basic registration and the address;
2. a number which can be used to identify a person, including the civil service number, the number of a Dutch passport or of a Dutch, identity card and passport or the passport. identity card, such as the validity dates;
3 °. the account information, including the mobile phone number, email address, user name, encrypted password, and other information associated with the account;
4 °. The usage data including the IP address and attributes of the software and hardware used of the device with which the user of DigiD is logged in, actions of the user, the authentication level chosen by the DigiD user, the website of the institution where the user of DigiD applies for a DigiD or from whom DigiD user logs with DigiD, session data, including cookies, and other data relating to the type and time, characteristics of the Use;
5 °. data relevant to the adequate functioning of the device, including at least the characteristics of the software and hardware used by DigiD's user.
6 °. data is necessary to support the user, including the civil service number and other data that is processed when the DigiD user is supported.
Our Minister is processing for the establishment, provision, conservation, operation, security and reliability of DigiD Authorize the following personal data:
a. To authorize visitors to DigiD: Data from the origin and characteristics of the network traffic and the features of the software and hardware used by the visitor to DigiD Authorize that are relevant to the adequate functioning and security of the Provision;
b. Authorize about users of DigiD:
1. the name and the necessary information to reflect this correctly, the date of death, the address and of the represented also the date of birth;
2 °. the civil service number;
3 °. user information regarding the authorization relationships, including their requests, and profile data;
4 °. the usage data, including IP address information and the attributes of the software and hardware used by the device used to empower the user of DigiD Authorize on the DigiD Authorize website, acts of the user of DigiD Authorize (login, request, revoke, and activate), DigiD Authorize Recipient for which the User of DigiD Authorize is authorized, as well as the time when this is done, session data, including cookies, and other data with relation to the type and time of use, characteristics of the use,
5 °. data relevant to the adequate functioning of the facility under which the characteristics of the software and hardware used are authorised by the user of DigiD;
6 °. data necessary to support the user, including the civil service number and other data that is processed when supporting the digiD user's authority.
Our Minister processed for the establishment, making, maintenance, operation, security and reliability of MyGovernment the following personal data:
a. on Visitors of Mining: data on the origin and characteristics of the network traffic and the characteristics of the software and hardware of the visitor of MyGovernment used that are relevant to the adequate functioning and security of the Provision;
b. about Users of Mindedness:
1 °. name and necessary data to reflect this correctly, date of birth, date of death, nationality, data to determine whether a natural person qualifies as User of MyGovernment for which the Message box is used. must be available, and the address;
2 °. the civil service number,
3 °. the account information, which includes data on the creation and modification of the Mining Account, email address or other channel to which the User of Mining Notifications receives notifications, and details of its verification, the screen name, and the customer or customers of MyGovernment selected by the User of MyGovernment in respect of whom the User of MyGovernment has made known in the messages preferences of MyGovernment that it is sufficiently electronic is reachable for receiving electronic messages in the Message Box, meta-data that is associated with messages or case data, credentials, and other data or changes thereof associated with the account;
4 °. usage data, including data on the navigation and operations of the user of MyGovernment in the provision including retrieval, display, or modification of data or failure of functions, data on the transmission of Notifications and their potential failure, and other information relating to the type, time and characteristics of use;
5 °. data relevant to the adequate functioning of the provision, including session cookies, data on the origin and characteristics of the network traffic and the characteristics of the software and hardware used;
6 °. data necessary to support the user of MyGovernment, including the civil service number and other data that are processed in user support;
c. about the represented in MyGovernment and the Delegate in MyGovernment:
1 °. the name and date of birth of the represented in Mining Government and the necessary data to return it correctly to the Delegate in MyGovernment;
2 °. the civil service number of the represented in MyOvergen;
3 °. The usage data, including data on the dispatch of notifications and any failure thereof, data on the actions of the delegate in MyGovernment with respect to the data of the represented in Mining Government, including understood data change, including data on failure of functions, and other data relating to the type, time and characteristics of use;
4 °. modifications of the meta data of the message or messages to which the authorisation relates.
Our Minister processed for the establishment, provision, maintenance, operation, security and reliability of the BSN-Link Registry the following personal data about the user of a private-sector authentication tool, who wants this medicine use for the reduction of services provided by public bodies and natural and legal persons, other than public bodies, who are entitled to use the civil service number:
a. the name and the necessary data to display it correctly, the date of birth and the date of death;
b. The civil service number;
c. the unique identifying attribute on the private authentication means;
d. the date of registration and the possible deregistration of the link between the private authentication tool and the civil service number;
e. the time of login to the public service provider.
Our Minister is providing to the customers of DigiD:
a. the civil service number for the purposes of determining the identity of the DigiD;
b. The authentication level chosen by the DigiD user and the IP address.
Our Minister, at the request of customers of DigiD Authorize, shall provide:
a. Proof of validity of a specific authorisation registration for services of the customer concerned;
b. An overview of all the authorization requests and the authorization registrations issued for the services of the customer concerned.
Our Minister is providing a buying company of MyGovernment:
a. the civil service number and, where applicable, the status of the applicable User ' s message preference of MyGovernment, prior to delivering and confirming the surrender of messages and data, or their failure, for the purposes of the operation of the Services of MyGovernment;
b. At the request of a customer who has designated the Messaging Box of MyGovernment as a mandatory channel for electronic messaging, information or a user of a Mining Government account to which the execution of that task relates. account has been or has not been deployed, and its civil service number.
Our Minister provides the civil service number of the user of a private authentication tool, who wishes to use this means for the reduction of services by public bodies and natural and legal persons other than public bodies, who are have the right to use the civil service number in encrypted form to the intended public bodies and natural and legal persons, other than public bodies or those acting on their behalf.
Without prejudice to the provisions of the Articles 6 to 9 , Our Minister does not provide any information about any visitor or user of DigiD, Delegate or MyGovernment to any person other than the visitor or the user himself without the prior approval of the visitor or the user, unless:
(a) a provision to a public body or a legal person having a statutory task which is necessary to ensure the security and reliability of the provision in question; or
b. he is entitled to do so on the basis of a legal provision.
1 The data about visitors to DigiD, intended in Article 2 (a) and (b) , kept for up to 18 months.
2 The name and the necessary data to reflect this correctly, date of birth, date of death, nationality, data to determine the residency or non-residency of the basic registration persons and the address, Intended in Article 2 (c) (1) , kept for up to 6 weeks.
3 The usage data referred to in Article 2 (c), below 4 ° , kept for a maximum of 5 years, except that session data is only kept until the user logs out.
4 A number that can be used to identify a person as intended in Article 2 (c) (2) , it shall be kept:
a. During the application process up to 18 months, or;
b. For as long as its corresponding DigiD is valid, and once that is no longer the case up to 5 years.
5 The account data specified in Article 2 (c) (3) , which are required for the current use of DigiD, such as the current mobile phone number and email address, current user name, current password, account ID, and account status are kept for as long as its corresponding DigiD valid, and once that is no longer the case for up to 5 years.
6 The other account information specified in Article 2 (c) (3) , kept for up to 18 months.
7 The data relevant to the adequate functioning of the provision specified in: Article 2 (c), below 5 ° , kept for so long the DigiD user is logged in.
8 The data necessary for user support, intended to be used in Article 2 (c) (6) , are kept for the duration of the support and then up to 18 months.
1 The data on visitors to DigiD Authorize, intended to Article 3 (a) , kept for up to 18 months.
2 The name and the necessary data to reflect this correctly, the date of death, address and date of birth, meant in Article 3 (b) (1) , kept for up to 6 weeks.
3 The usage data referred to in Article 3, part b, below 4 ° and 5 ° , will be kept for up to 5 years, except that session data is only kept until the moment of logging out by the user of DigiD Authorize.
4 The civil service number is kept for so long the associated authorization request or authorization registration has not been terminated, and as soon as it has been terminated for up to 5 years.
5 The user data specified in Article 3 (b) (3) , retained as long as authorization or authorization registration has not been terminated and has been terminated for a maximum period of 5 years.
6 The data necessary for user support, intended to be used in Article 3 (b) (6) , are kept for the duration of the support and then up to 18 months.
1 The data on visitors to MyGovernment, intended in Article 4 (a) , kept for up to 18 months.
2 The data about users of MyGovernment, intended to be used in Article 4, part b, below 4 ° and 5 ° , are kept for up to 5 years, except that session cookies are only kept until the moment of logging out.
3 The data on a user of MyGovernment and its Mining Account, intended in Article 4, part b, below 1 °, 2 ° and 3 ° , are kept for as long as the corresponding MyGovernment account exists, and once the account has been lifted, up to 1 year, except nationality, date of birth, date of death and data to determine whether a natural person Qualifies as the User of MyGovernment for which the Message Box must be available, which will be retained for the duration of the creation or verification process.
4 The data necessary for user support, intended to be used in Article 4 (b) (6) , are kept for the duration of the support and then up to 18 months.
5 The retention period of the data on the represented and the authorised representative, Article 4 (c) , is as follows:
a. The data, within the meaning of 1 ° and 2 °, shall continue to be stored until the time of logout;
b. The data, referred to below 3 °, shall not be kept for a maximum of five years;
c. the data, under 4 °, remains kept for as long as the MyGovernment account exists, and once that account has been lifted, up to 1 year.
6 For the purpose of the data, Article 4 , which are involved or relevant to the investigation into an incident involving integrity, confidentiality or system availability, is referred to in paragraphs 1 and 5 of the first, third and fourth paragraphs of the Convention. retention period of 18 months or 1 year extended to 36 months.
The retention period of the data specified in: Article 5 , is as follows:
a. Name, date of birth and date of death shall no longer be kept than is necessary to verify the accuracy of the data;
b. The civil service number shall be kept for a maximum of 18 months after registration of the coupling;
c. The unique identifying attribute on the private authentication means shall be kept for a maximum of 18 months after the registration of the coupling;
d. the date of registration and any deregistration of the coupling shall be kept for up to 18 months;
e. the time of login to the public service provider shall be kept for up to 18 months.
After the expiry of the retention period, the data shall be destroyed as soon as possible.
This Decision shall enter into force as from the day following the date of issuance of the Official Gazette, in which it is placed and shall operate back to 1 November 2015.
This decision is cited as: Processing personal data processing generic digital infrastructure.
Charges and orders that this Decision will be placed in the Official Journal by means of the note of explanatory note accompanying it.
Wassenaar, 17 May 2016
William-Alexander
The Minister of Home Affairs and Kingdom Relations,
R.H.A. Plastrong
Published the 27th of May 2016The Minister for Security and Justice,
G.A. van der Steur
