At Digidentity, we respect your privacy, and we are committed to protecting your personal data. In this Privacy Statement, we will provide you with information about how we collect, process and protect your personal data.
Who are we?
This Privacy Statement describes Digidentity B.V.'s collection and use of personal data. References in this Statement to "Digidentity", "we" or "us" shall mean Digidentity B.V. (registered in the Netherlands under company number 27322631), being the data controller for the data processing.
What is the purpose of this Statement?
With every service we provide, we take the protection of your privacy and personal data seriously. We ensure the collection and processing of personal data for the services provided is in compliance with applicable privacy and data protection law (including but not limited to the EU General Data Protection Regulation (GDPR)).
We do not allow anyone to use or access your personal data for any other purposes than those set out in this Statement.
In this Statement, we provide you with information about how Digidentity collects and processes your personal data during any interaction with us or while on our website (www.digidentity.eu). This includes any personal data provided upon purchasing our services. The Statement also informs you on how to exercise your rights.
It is important that you read this Privacy Statement, our General Terms & Conditions and any service-specific Terms & Conditions.
How can you contact us?
If you have any questions, comments or requests concerning this Privacy Statement, please contact our Data Protection Officer (by e-mail, postal service or phone) using the contact details set out below.
- E-mail address: firstname.lastname@example.org
- Postal address: P.O. Box 19148, 2500 CC, The Hague, the Netherlands
- Telephone number: +31 88 778 78 78
If you have any concerns about the way we handle your personal data, you have the right to register a complaint at any time with the data protection authorities. For Digidentity, this is the Autoriteit Persoonsgegevens (AP) in the Netherlands.
For which purpose do we use your personal data?
- Execution of Contract: Digidentity processes personal data to deliver our services. The legal ground for processing personal data is to execute the contract with you for these services and to comply with applicable laws and regulations.
- Legal Obligation: Digidentity processes personal data in compliance with legal obligations such as tax obligations, court orders or police investigations.
- Legitimate Interest: Based on our legitimate interest, we process personal data to administer, improve and protect our business and website. This includes troubleshooting, data analysis, testing, fraud prevention and detection, system maintenance, support, reporting and hosting of data.
- Consent: We use automated technologies and interactions (including, but not limited to, log data, data analytics and cookies). You can subscribe to our free newsletter by providing your e-mail address. In case we rely on your consent for the processing of your data, you have the right to revoke your consent at any time.
Please note that any processing Digidentity carried out before the withdrawal of your consent remains lawful. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case when you withdraw your consent.
Which personal data do we collect?
We process personal data when you use our website, interact with us, or use or purchase our services. Digidentity processes personal data for:
- Administration and invoicing
- Identification, identity validation & verification
- Delivery of services
- Improvement of services
- Fraud prevention & detection
- Compliance with laws and regulations
- Customer relation management
- Training purposes
- Contact purposes
- Sending newsletters
- Handling job applications
- Full name
- Previous names
- Date & Place of Birth
- Gender
- Nationality
- Identity documents (photo, chip)
- Address history
- E-mail address
- Business e-mail address
- Business registration
- Bank account number
- Identity document number
- Personal Identification Number
- Signature
- Mobile phone number
- Curriculum Vitae
- Motivation letter
To use our services and products, a Digidentity account is required. The legal ground for processing personal data is to execute the contract. For a Digidentity account, an e-mail address is required, and Digidentity requires a second factor for authentication. When you register using the Digidentity Wallet, a smart card with a PIN code will be added to your account as second factor.
Your e-mail address and second factor are required to access your account. A pseudonym is created to identify your account within our systems. Digidentity stores this data until you delete your account, or for a maximum of two (2) years after the last time you logged in to your account. We will then assume that you no longer wish to use our services and will delete your account.
Delivery of services
Digidentity processes personal data to deliver our services. The legal ground for processing personal data is to execute the contract with you for these services and to comply with applicable laws and regulations. For example, we may process your full name, date of birth, place of birth, nationality, identity documents, images, and identity document number to verify your identity. We store this data as long as we provide you with our services.
- Google Analytics: Digidentity uses Google Analytics to monitor and analyse the use of our website. We have set up Google Analytics to anonymise your IP address. We collect only anonymised data to gain insight into the operations of our website, products and services and to improve these.
These cookies are used to gain insight into visitors' behaviour and to improve the user experience. We have set these cookies to be privacy friendly. This means that we:
- have concluded a processing agreement with Google
- only give Google masked IP addresses
- do not share any further data with Google
- do not use other Google services in combination with Analytics
The retention period for these cookies is a maximum of two (2) years.
- Chat: Digidentity processes personal data that you provide during chat sessions with our Service Desk.
Digidentity has a newsletter to inform those interested in our services. Your e-mail address will be added to the list of subscribers upon your consent. You can unsubscribe any time via the link provided in the newsletter. We store this information until you cancel your subscription.
When you use our services, send us an e-mail, fill out a contact form, or contact us in any other way, you accept our offer to contact you. The legal ground for processing personal data is legitimate interest. For this purpose, we may process your full name, e-mail address, mobile phone number and any data you enter yourself in the message content. We store this information until we are sure that you are satisfied with our response and one (1) year thereafter. This way we can access the data in case you have any follow up questions.
The Digidentity Wallet (for Apple iOS and Android) may be used in the registration process, supports authentication and provides access to your virtual smart card. The mobile app requests access to the camera of your mobile phone to allow scanning of QR codes and the NFC reader to read the chip on the identity document. Your name is displayed on the virtual smart card. If you enable analytics in the Digidentity Wallet, we collect anonymised data on the use of our Wallet.
Handling job applications
Have you responded to one of our vacancies or submitted an open application? If so, we will process your personal data in order to process your application and in preparation for the possibility of an employment contract. The legal ground for processing personal data is to execute the contract. For this purpose, we may process your curriculum vitae, motivation letter and any other data you enclose within your application.
We will retain your application details for a maximum of four (4) weeks after the position has been filled. We keep this data to contact you in the event that the position becomes vacant. If we are unable to offer you a job at this time, we may, with your consent, keep your application details for a year. You are able to withdraw your consent at any time by sending us an e-mail. If an employment contract is set up, we will save your application data in the personnel file.
A social media and internet check can be part of the application procedure. We do this on the basis of our legitimate interest. For this purpose, we search your name on the internet and, if necessary, your public profile(s) on social media. If applicable, the findings of this social media and internet check will be discussed with you. If you object to this, it is possible to indicate this by e-mail at the time of your application.
How do we use your personal data?
Digidentity uses your personal data for the delivery of services and to execute the contract that you have entered with us.
As per the laws, regulations and international standards for digital identities, we are required to verify all personal data provided by the applicant to ensure the data is correct. Your e-mail address and phone number are verified using a confirmation code in order to verify that you are in possession of the e-mail address and phone number provided. We may use your mobile phone number and e-mail address to contact you in relation to the product or service that you use.
We verify your full name, date of birth and nationality using your identity document. Your age is determined from your date of birth. This verifies that you are of legal age to enter into a contract with us. During the registration, we may require photos of both the front and back of a valid identity document, or the use of the chip (NFC) within the document.
In order to check if an identity document is genuine and valid, Digidentity uses external automated document validation systems. These automated validations check if all data is present as per the requirement (document valid, picture present, personal identification number passes the verification check). Documents which have been modified or which have missing or hidden data will be rejected. We collect your full name, date of birth, place of birth, gender, nationality and identity document number from your identity document as proof of verification.
For GOV.UK Verify and UK Trust Framework, we may use your mobile phone number to match your personal data with your mobile provider. We send your name and address(es) to an external party and request details of your credit history as part of the verification process as required by GOV.UK Verify or UK Trust Framework.
For services under the Digital Identities and Attributes Trust Framework (Right to Work, Right to Rent, Disclosure and Barring Service), the personal information we have collected will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at www.cifas.org.uk/fpn.
For registered profession certificates, we match your registration at the Profession Registrar using your registration number to make sure you are eligible for a profession certificate.
For sole contractors using eHerkenning, we process your BSN to receive a pseudonym from the Dutch government required to access the Dutch tax office. Your BSN is deleted as soon as the service request is completed.
During registration, pictures (selfies) must be taken. We will compare the selfies to the picture on the identity document to verify your identity.
Digidentity performs several validation and verification steps to confirm your identity. In case fraud is detected, we reject your identity claim and register a fraud indicator. This could result in refusal of Digidentity services.
Digidentity uses external service providers to verify identity documents, perform liveness detection and face comparison, provide activity history and knowledge-based questions. We only share the personal data which is necessary for these providers to perform their tasks. Digidentity also uses external IT suppliers and cookie service providers.
Digidentity only shares your personal data with external parties when this is allowed as per applicable privacy and data protection law. Digidentity may provide personal data to external parties because:
- Digidentity has engaged external parties to process personal data
- It is necessary to execute the contract with you
- You gave permission for this
- Digidentity has a legitimate interest
- Digidentity is legally obliged to do so
Digidentity processes all personal data within the European Economic Area (EEA) and the United Kingdom. We do not sell or share your personal data to third parties or store your data outside the EEA. We only share personal data with third parties to comply with legal requirements.
|Activity||Location Data|
|Processing Production systems||Ireland|
|Liveness Detection & Face Comparison||Germany, Ireland|
|Certificate Authority (CA) systems||Netherlands|
|Verification of identity documents||Netherlands, Ireland, United Kingdom|
|Identity Fraud Check||Netherlands, United Kingdom|
Digidentity uses automated decision making in the validation and verification of identity evidence. Our systems decide based on the results of validation and verification of identity evidence to accept or reject the identity claim. We always manually review rejected identity claims to prevent false rejections. We manually review automatically accepted identity claims based on random selection to prevent false acceptance of identity claims. We manually reject falsely accepted identities.
How do we protect your personal data?
Digidentity has taken the necessary security measures to protect your personal data against accidental loss, unauthorised access, modification or disclosure. Digidentity uses the principles of “Privacy by Design” and “Privacy by Default”, which means that protection of personal data was a default part of the design of our systems.
Digidentity only collects the personal data needed (data minimisation) and only processes it for the identified purposes. We only process validated and verified personal data (data is checked against an authoritative source) to provide accurate digital identities. Digidentity creates a pseudonym for each account and uses encryption to protect the personal data.
We limit access to your personal data to employees who have a business need. They will only process your personal data as per our instructions, and they are legally bound to keep your personal data confidential.
We have set up procedures to deal with any suspected personal data breaches, and we will notify you and any relevant data protection authority of a breach where we are legally required to do so.
We have a certified Management System for Information Security (ISO27001:2013) and Privacy Information (ISO27701:2019). As part of our certification, our security measures to protect your personal data are annually evaluated by an independent external auditor. Digidentity is subject to regular inspections by Agentschap Telecom for Trust Services and Electronic Identification, which also includes compliance with GDPR.
How long do we keep your personal data?
Digidentity must retain personal data for quality purposes and to comply with laws and regulations. We implemented the following data retention periods.
|Data||Retention Period|
|Verified Personal Data & photo from chip||Active during contract, archived for seven (7) years after account deletion|
|Identity verification & validation reports||Active during contract, archived for seven (7) years after account deletion|
|Photographic evidence (identity documents, selfies)||Deleted after 45 days, unless consent of user is provided to retain for a longer period|
|Credit file data (GOV.UK Verify)||Deleted after 30 days|
|Social Security Number or BSN||Deleted after completion of registration|
|PKI Key Life Cycle data||Active during contract, archived for seven (7) years after account deletion|
|Organisation data||Active during contract, archived for seven (7) years after account deletion|
|Accounts not used in last 24 months||Deleted after 45 days|
|Accounts with incomplete registration||Deleted after 45 days|
Digidentity only allows access to archived personal data if required to meet obligations for auditing and forensic evidence purposes. During archival the data is securely stored (encrypted and masked). Data will only be accessible to personnel in functions related to security e.g. Security Officer or the Data Protection Officer (DPO). After the retention period of seven (7) years is reached, the archive is deleted/destroyed. The destruction of data ensures that no data can be recovered.
What are your rights?
You have the right to:
- request information on personal data we process and what we do with the personal data
- request access to your personal data
- request correction of your personal data
- request erasure of your personal data
- request to transfer your personal data (if technically and/or legally possible)
- object to specific processing of the personal data
- revoke your consent
When you make use of your rights, we are required to verify your identity. You can exercise your rights to access, correct or erase your personal data or revoke consent in your account profile. You can log into your account at www.digidentity.eu.
Digidentity supports data portability. You can download your personal data from within your Digidentity account.
Digidentity reserves the right to update this Privacy Statement. New versions will be published on our website. We advise you to regularly check our website for any available update.
Digidentity protects your personal data and has implemented a management system for security and privacy which has been certified against ISO27001:2013, ISO27017:2015, ISO27018:2019 and ISO27701:2019.
Digidentity is Privacy (GDPR) Certified by ICT Recht (www.ictrecht.nl). ICT Recht is an independent legal advisory firm specialised in privacy law and regulations.