1 Privacy Notice FAS 1.1
Privacy Notice − My digital keys 1.1 7th of June 2023
The Federal Public Service Policy and Support, the Directorate-General for Simplification and Digitization, ("DG Simplification and Digitization") is responsible for your personal data and in that capacity acts in accordance with the provisions of the EU General Data Protection Act 2016/679 (GDPR) at all times. Please read this Privacy Notice for more information about the way in which personal data are collected and processed within the scope of the Federal Authentication Service ('FAS') within the CSAM, provided by the DG Simplification and Digitization.
1. Processing of personal data
The FAS enables citizens to authenticate themselves using digital keys. This allows authorities to know who is requesting access to their applications and to grant such access.
The processing of your data by DG Simplification and Digitization during your registration and during your use of your digital keys is justified on the basis of Article 9 of the Belgian Act of 18 July 2017 on electronic identification, in which DG Simplification and Digitization is charged with the provision of digital keys for government applications within the FAS. This also forms the basis for processing of the national registration number by DG Simplification and Digitization within the FAS.
Authorisations for the aforementioned processing were granted by the former National Register sectoral committee:
- Consultation NR 26/2005 of 6 July 2005;
- Consultation 16/2012 of 15 February 2012;
- Consultation 21/2015 of 25 March 2015;
- Consultation 83/2016 of 19 October 2016.
Your data will be processed for the purpose of correctly identifying and authenticating you so that you can gain access to all kinds of government applications. Once you have been correctly identified, you are able to use digital keys to authenticate yourself whenever you wish to access a government application. This gives the application administrators certainty about your identity and enables them to determine whether and/or to what applications you have access. This way, you can also be sure that no one else will gain access to your data.
To complete your initial registration for the purpose of creating your digital keys, the FAS uses your electronic identity card, specifically the authentication certificate on it, as well as your first name and surname stated on the card, and your national register number. The purpose of this is to correctly identify you. You will be required to enter your PIN code when using the authentication certificate.
Another way of completing your initial registration is to go to a registration office. You will need to be present in person and prove your identity.
You also need to provide your e-mail address and mobile number in order to activate certain keys.
Authentic sources such as the National Register or the Crossroads Bank registers of the Crossroads Bank for Social Security (CBSS) (BIS register) are also consulted for the creation of some keys.
When you authenticate yourself via FAS, your national register number is forwarded to the application to which you requesting access. The organisations that manage the application are authorised to use.
2 Privacy Notice FAS 1.1
the national register number. If they are not authorised to use the national register number, a different identification number may be used in order to uniquely identify you.
For authentication via eIDAS (across borders of EU Member States) on the basis of the eIDAS Regulation, DG Simplification and Digitization retrieves your data from the National Register to provide them to the Member State in which you are registering using a digital key registered in Belgium. These data concern your date of birth and place of birth, gender, surname, first name and an identification number intended for cross-border authentication. The statutory basis for this is
contained in Article 5 of the Belgian Act of 18 July 2017 on electronic identification and in the Belgian Royal Decree of 1 February 2018 designating bodies in accordance with the Act of 18 July 2017 on electronic identification.
With your consent, we also process your e-mail address and/or mobile number in order to contact you in connection with the services. Your data are then used to send you service notifications in connection with the services provided.
Authentications and authentication attempts (date, time, identification number and a message ID in order to link with the application, your IP address, your browser, and operating system) are recorded and stored in an audit trail in order to create a full reconstruction of which natural person logged in with which service and when in the event of an investigation, instigated by a relevant body or supervisory body, or further to a complaint. This information is retained for 10 years.
This information is also processed in anonymised form for statistical purposes and for making further improvements to this service. As part of this processing, the data are never linked to the personal data that have been collected about you during the registration procedure.
The processing (except for retention in the audit trail) ceases when you expressly cease use of your digital keys within FAS or in the event of your death, in which case the data are destroyed.
The data in the audit trail are destroyed after 10 years.
The FAS also provides digital keys from accredited service providers.
The accredited service providers (such as the provider of itsme) process your data in accordance with the applicable regulations. Following accreditation in accordance with the Belgian Royal Decree of 22 October 2017 establishing the conditions, the procedure and the effects of the accreditation of services for electronic identification for government applications, these service providers are authorised to use your national register number if you choose to use their service (as a subcontractor of the accrediting authority within the meaning of Article 5, paragraph 1, 3° of the Belgian Act of 8 August 1983 providing for a National Register of natural persons).
DG Simplification and Digitization uses the services of a subcontractor which acts as a processor and which is required to comply with the legislation in that capacity. DG Simplification and Digitization includes the necessary personal data protection provisions in the contract it concludes with the
3 Privacy Notice FAS
1. DG Simplification and Digitization is responsible for the processing of the aforementioned personal data and employs a data protection officer who ensures the confidentiality and security of the data, as well as compliance with the requirements in the legislation.
As provided for in the GDPR, you are entitled to obtain further information about the processing methods by contacting DG Simplification and Digitization using the contact details shown below.
DG Simplification and Digitization undertakes to take all appropriate technical and organisational measures to protect your personal data from destruction, loss, unintended changes, damage or disclosure.
In order to guarantee this degree of security, DG Simplification and Digitization uses measures including, but not limited to, encryption of communications between the server and your computer, hashing of stored data, and periodic back-ups.
Access to your data is limited to persons working under the supervision of DG Simplification and Digitization who have signed the requisite confidentiality agreements. Details of when data are accessed are recorded.
Cookies are placed on your computer when you use our applications. These are small pieces of information that are stored on your computer by the browser.
These cookies are essential in order to verify your identity securely and are used to grant you access to the applications that you wish to access.
Cookies for website performance
DG Simplification and Digitization uses load balancing cookies. They are used for websites that you visit frequently and their purpose is to distribute the load from requests across several separate networks and servers.
4 Privacy Notice FAS
The cookies are valid for one year.
4. Right of access, amendment and rectification − erasure of data and restricon of processing
As provided for by the GDPR, you are entitled at all times to view your personal data that is being processed by DG Simplification and Digitization or obtain information about the processing methods, and you are entitled to rectify your personal data by contacting DG Simplification and Digitization using the contact details shown below or by doing this yourself via the website. You are also entitled to erase or request erasure of your personal data or to request that certain types of processing be ceased. In some cases, you will then no longer be able to use the FAS.
Anyone has the right to submit a complaint to the Belgian Data Protection Authority. It can be contacted as follows:
Telephone: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
DG Simplification and Digitization reserves the right to make changes to its Privacy Notice at any
time. Changes to the Privacy Notice will be announced via the website. This Privacy Notice was last
amended and revised on 30 November 2020.
6. Contact details
DG Simplification and Digitization is responsible for the processing of these personal data and employs a data protection officer who ensures the confidentiality and security of the data, as well as compliance with the requirements of the GDPR. Should you have any queries relating to data protection and privacy, you can contact the data protection officer by sending an e-mail to firstname.lastname@example.org. You may send details of incidents and complaints to email@example.com.
DG Simplification and Digitization can be contacted by writing to the following address: FPS BOSA, DG Simplification and Digitization, Boulevard Simon Bolivar 30, B-1000 Brussels, sending an e-mail to firstname.lastname@example.org and by calling +32 (0)2/740 80 27.