Each legal entity in the Netherlands receives a special identification number called btw-nummer shortly after the registration (btw is Dutch for “value-added tax”).
This number is necessary for invoicing, both domestic and international, and—obviously—for VAT payments.
So what’s so special about it? Well, it turns out that if you’re a self-employed entrepreneur, your VAT number is based upon your BSN identifier. Which is quite a blunder from the privacy point of view.
The VAT number and its privacy flaw
When I was assigned this number at the KvK (the Dutch Chamber of Commerce), my first reaction was: “Wait, are you serious?”.
According to the rules, the VAT number is 14 characters long and consists of:
- The two-letter country code (NL);
- The BSN;
- A three-character suffix in the range B01…B99.
Which makes it look like NL001234567B01.
The thing is, the BSN number uniquely identifies every person ever entered in the Dutch national personal data register BRP, which makes it one of the most sensitive pieces of personal data the GDPR is so eager to protect. You can find it, for example, in passports and driving licenses.
For example, not so long ago we were implementing a unified authentication platform at one of the Dutch ministries for DigiD, an online identifier used for numerous government and commercial services. Back then we had to build a special screening unit that hid BSNs in the page’s address, even though it was only visible to the user himself.
To make this privacy fail apparent, it’s important to mention that every legal entity is obliged by law to publish its VAT number on its website, print it on invoices, mention it in emails etc., which essentially forces the entrepreneur to publicly expose their BSN.
That is, this was the situation up to now.
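An added example (not from the original post): a Python filter in the spirit of the screening described above, which masks the nine-digit part of old-format VAT numbers before text leaves a system. The BSN "eleven-test" checksum used to cut false positives, the dotted spelling and the sample values are assumptions made here, not details from the post.

```python
import re

# Old-format Dutch VAT number as described above: "NL" + 9 digits + "B" + 01..99.
# Assumption: the same number may be written with dots or spaces, e.g. NL1112.22.333.B01.
LEGACY_VAT = re.compile(r"\bNL\s?(\d(?:[ .]?\d){8})[ .]?B[ .]?(\d{2})\b", re.IGNORECASE)

# Weights of the BSN eleven-test; the last digit counts negatively.
WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)


def passes_eleven_test(digits: str) -> bool:
    """Return True if the 9 digits satisfy the BSN checksum (sum divisible by 11)."""
    if len(digits) != 9 or not digits.isdigit() or digits == "000000000":
        return False
    return sum(int(d) * w for d, w in zip(digits, WEIGHTS)) % 11 == 0


def redact_legacy_vat(text: str) -> tuple[str, int]:
    """Mask the 9-digit part of every checksum-valid old-format VAT number.

    Returns (redacted_text, number_of_values_masked). Every match is treated as
    possibly carrying a BSN, because the number alone does not reveal whether
    its holder is self-employed.
    """
    masked = 0

    def _mask(match: re.Match) -> str:
        nonlocal masked
        digits = re.sub(r"\D", "", match.group(1))
        suffix = match.group(2)
        # Suffix range is B01..B99; values failing the checksum are left alone.
        if suffix == "00" or not passes_eleven_test(digits):
            return match.group(0)
        masked += 1
        return f"NL{'*' * 9}B{suffix}"

    return LEGACY_VAT.sub(_mask, text), masked


if __name__ == "__main__":
    # Constructed sample lines; 111222333 is a made-up value that passes the checksum.
    sample = (
        "Footer: btw NL111222333B01, KvK 12345678\n"
        "Contact page: NL1112.22.333.B01\n"
        "Docs placeholder: NL001234567B01\n"
    )
    redacted, count = redact_legacy_vat(sample)
    print(redacted, f"masked: {count}")
```

The placeholder NL001234567B01 from the text fails the checksum, so it is left untouched; only plausible real values are masked.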
Things are getting better
In late 2018 the problem was finally addressed. Autoriteit Persoonsgegevens, the Dutch Data Protection Authority, has prohibited the Tax Administration from exposing BSNs as of January 1, 2020.
In the fall of 2019 the Tax Administration must begin handing out new ID numbers (called btw-id) to the self-employed, so that they can replace the old ones for external communication as of the next year.
The existing identifiers will still be used internally by the tax office and for VAT declarations. The good news is the requirement of publishing them is now waived, which significantly reduces the risk of identity fraud.
The Tax Administration complains the old identifiers (renamed now to ob-nummer or omzetbelastingnummer to avoid confusion) are used by almost every internal system there, so it’s going to take a while for the migration to complete. ■