Privacy Notice − FAS – My Digital Keys – version 1.3

Last updated: 5 August 2025

The Federal Public Service Policy and Support, the Directorate-General for Simplification and Digitization ("DG Simplification and Digitization"), is responsible for your personal data and acts in accordance with the provisions of the EU General Data Protection Regulation 2016/679 (GDPR). Please read this Privacy Notice to learn how personal data are collected and processed within the Federal Authentication Service (FAS) provided by DG Simplification and Digitization.

1. Processing of Personal Data

The FAS enables citizens to authenticate themselves using digital keys, allowing authorities to confirm who is requesting access to their applications.

Available digital keys within the FAS:

• eID or electronic identity card (high degree of security)
• MyGov.be application (high degree with PIN code or substantial with biometrics)
• Digital key from an accredited provider (e.g., itsme®) (high with PIN or substantial with biometrics)
• Digital key accredited at the European level (eIDAS) (high or substantial degree of security)
• Username, password, and security code via mobile app/SMS/email (substantial degree)
• Username and password (low degree of security)

The processing of your data by DG Simplification and Digitization during registration and use of digital keys is based on Article 9 of the Belgian Act of 18 July 2017 on electronic identification. This forms the legal basis for processing the national registration number within the FAS.

Authorisations granted by the former National Register sectoral committee:

• Consultation NR 26/2005 of 6 July 2005
• Consultation 16/2012 of 15 February 2012
• Consultation 21/2015 of 25 March 2015
• Consultation 83/2016 of 19 October 2016

Your data are processed to correctly identify and authenticate you to grant access to government applications. This ensures that administrators can verify your identity and determine your access rights, while protecting your data from unauthorized access.

During initial registration, FAS uses your electronic identity card’s authentication certificate, first name, surname, and national register number. You will enter your PIN code when authenticating. You may also use an accredited key such as itsme® for MyGov.be key registration.

You must provide your email address and mobile number to activate certain keys. Authentic sources such as the National Register or the Crossroads Bank registers (CBSS) may also be consulted.

When authenticating via FAS, your national register number is transmitted to the application you access. Only authorized organizations may use it; otherwise, another unique identifier is used.

For authentication via an EU-accredited key (eIDAS Regulation No. 910/2014), DG Simplification and Digitization retrieves your data from the National Register to provide to the Member State. Data include date/place of birth, gender, name, and cross-border identifier. The legal basis is Article 5 of the Belgian Act of 18 July 2017 and the Royal Decree of 1 February 2018.

With your consent, your email and/or mobile number may be processed to contact you regarding DG Simplification and Digitization services and notifications.

Authentication logs (date, time, ID number, message ID, IP address, browser, OS) are stored in an audit trail for 10 years for investigation or complaint purposes. Data are also anonymized for statistics and service improvement. Data are deleted upon deactivation or death; audit trail data are deleted after 10 years.

Accredited service providers (e.g., itsme®) process your data under applicable regulations and the Royal Decree of 22 October 2017. They may use your national register number when you choose their service.

DG Simplification and Digitization employs subcontractors as processors under GDPR-compliant contracts. The Data Protection Officer (DPO) ensures confidentiality, security, and legal compliance.

2. Security

DG Simplification and Digitization takes all appropriate technical and organizational measures to protect personal data from destruction, loss, alteration, or disclosure. Measures include encrypted communications, data hashing, and regular backups. Access is limited to authorized personnel under confidentiality agreements, with access details logged.

3. Cookies

Cookies are placed on your computer to enhance website performance and user experience, and to enable authentication during sessions.

Types of Cookies

• Necessary cookies: Essential for secure identity verification and access.
• Functionality cookies: Improve website usability (e.g., remember language preferences).
• Performance cookies: Used for load balancing and performance optimization.

You can refuse cookies via browser settings. Instructions for common browsers are at www.aboutcookies.org. Cookies are valid for one year and can be deleted anytime.

4. Your Rights

Under GDPR, you may access, rectify, erase, or restrict processing of your data by contacting DG Simplification and Digitization or using the website. Note that some actions may prevent continued FAS use.

Complaints can be submitted to the Belgian Data Protection Authority:

• Tel: +32 (0)2 274 48 00
• Fax: +32 (0)2 274 48 35
• Email: contact@apd-gba.be

5. Changes

DG Simplification and Digitization may update this Privacy Notice at any time. Updates will be announced on the website. Last revision: 5 August 2025.

6. Contact Details

For questions about data protection or privacy, contact the Data Protection Officer:

• Email: dpo@bosa.fgov.be
• Mail: FPS BOSA, DG Simplification and Digitization,
  Boulevard Simon Bolivar 30, B-1000 Brussels
• Contact form: https://bosa.belgium.be/en/form/contact-us
• Phone: +32 (0)2 740 80 27