The eHerkenning tool is a digital identity that enables employees of companies to log in to government agencies and other organisations.
It is essential to verify the identity of the applicant for an eHerkenning registration, ensuring that governments and other organisations can be confident that the correct individual is accessing their services.
Registration
During the registration process for the eHerkenning tool, Digidentity requests to read the chip of your ID. This allows us to verify that the ID is genuine and that the data has not been altered. We utilize the information from the ID for identity verification. Alternatively, another registration method involves taking photos of the front and back of the ID. An automated check of these photos ensures the validation of the ID.
Both the chip in the ID and the photo contain the Citizen Service Number (BSN) of the applicant. Currently, processing the BSN falls into a grey area within eHerkenning. For self-employed individuals (ZZP), we must process the BSN to create a link with the BSN Link Register (BSNk); however, it is not necessary for employees of companies.
Nonetheless, we must establish the authenticity of the document and perform a test on the BSN (using the photo of the ID) to verify its validity. After this verification, we delete the BSN. When reading the chip, we delete the BSN immediately, and for ZZP, this occurs after the link with BSNk has been established.
The Digital Government Act provides the legal basis for processing BSNs, but this law has not yet come into effect.
Legal representative
An eHerkenning tool is linked to an authorisation for an organisation. Digidentity must verify that the applicant is authorised to act on behalf of the organisation, utilising the data registered with the Chamber of Commerce (KvK).
After the applicant enters the KvK number of the organisation, Digidentity checks whether the applicant is authorised. If the applicant is fully authorised, the application process continues. However, if the applicant is not listed in the KvK as an authorised representative, the legal representative or another authorised individual must approve the application. Digidentity is required to identify the legal representative in the same manner as the applicant.
Depending on the level of authority stated at the Chamber of Commerce (independently authorised, jointly authorised, or limited authorisation), one or more signatures may be required for the authorisation.
Company Administrator
An employee can request authorisation to become a company administrator. Once approved by the legal representative(s), the company administrator can approve eHerkenning applications from other employees, and the legal representative's approval is delegated to the company administrator. A minimum of eHerkenning level 3 is required for the role of company administrators. Company administrators may approve applications only for the same level or lower; for example, an administrator with eH3 cannot approve an eH4 application.
Data Storage & Retention Periods
We utilise two parties for ID validation: if you register using NFC, ReadID handles the validation. If you register by taking a photo of the ID, Mitek is responsible for the validation. Both organisations operate from the Netherlands. It is important to note that these parties only conduct authenticity checks; Digidentity decides whether to accept the ID based on the verification reports provided.
We only store data that has been verified, and all data is kept in data centres located in Europe. The retention periods we follow are as follows: we store all photos for 120 days and verification reports for 7 years (to meet compliance requirements). I will soon publish a new Privacy Statement that includes the retention periods as well as the third parties involved in the validation process.
Designation & Supervision
Digidentity is one of six companies designated by the Ministry of the Interior and Kingdom Relations to issue eHerkenning tokens. As a participant in the Agreement System (available in Dutch only), Digidentity is supervised by the Telecom Agency (AT). Through regular inspections conducted by AT, Digidentity must demonstrate compliance with the requirements of the Agreement System.
One requirement within the Agreement Framework is that participants must implement a certified Information Security Management System (ISMS). Digidentity has a certified ISMS compliant with ISO 27001:2013 and is assessed annually by an independent auditor to ensure that the requirements of ISO 27001:2013 are met. Additionally, Digidentity is certified against ETSI 319 411-1 and 319 411-2 for the issuance of PKI certificates for SSL and qualified signatures.