The major passport heist in Dutch soccer
Soccer clubs and the KNVB are requiring digital identification through SIIP, but the promised privacy turns out to be a dangerous illusion.
Published on July 11, 2026

Team IO+ selects and features the most important news stories on innovation and technology, carefully curated by our editors.
Anyone who wants to enter a soccer stadium is increasingly required to scan their passport first. Soccer clubs and the KNVB are rapidly rolling out “Personal Digital Access” (PDT). The promise is wonderful: fast entry, optimal security, and full control over your own data. The supplier of this technology, the Zwolle-based company SIIP, touts terms like “privacy by design.” But behind this glossy marketing campaign lies a shocking reality. Independent technical research by expert Mick Beer shows that the promised privacy is a complete illusion. Instead of being stored locally on the phone, fans’ most sensitive identity data is sent directly to U.S. cloud servers. This article exposes how soccer clubs, the KNVB, and SIIP are deliberately ignoring privacy laws for commercial gain.
The false promise of control
SIIP presents itself as an ethical player in the digital identification market. The company promises that fans retain full control over their personal data via a digital wallet on their smartphone. According to its marketing messages, SIIP adheres to the principles of “privacy by design” and “privacy by default.” Soccer clubs, too, are uncritically adopting these claims. PSV, for example, states in its privacy statement that the data remains exclusively on the user’s smartphone. The club claims that SIIP ensures that no unnecessary data is shared. This sounds wonderful at a time when privacy laws are strict. The reality behind the scenes, however, is completely different. The promise of local storage is a myth. Fans are unwittingly revealing much more than they are told. This constitutes a gross violation of the GDPR’s transparency requirement. The clubs and their technical partners lull fans into a false sense of security with flowery language, while the technical infrastructure is doing something entirely different. There is a high likelihood that clubs like PSV are acting unlawfully by providing false information in their privacy statements.
.png&w=2048&q=75)
Exposed by data analysis
Privacy researcher Mick Beer decided to put it to the test and analyzed the PEC Zwolle app. His findings are shocking and reveal a massive flow of data. As soon as a fan registers in the app, a wealth of sensitive data leaves the phone. This goes beyond just a name or email address. The app sends the Citizen Service Number (BSN), the passport photo from the passport’s chip, and even the unique government-issued digital signature to a server. The document number and nationality are also uploaded immediately. This server runs on the cloud infrastructure of Amazon Web Services (AWS) in Ireland. Because AWS is an American company, this data falls under the U.S. CLOUD Act. This means that, in theory, U.S. law enforcement agencies could demand access to this highly sensitive Dutch identity data. The claim that data does not leave the device has thus been irrefutably disproved. Furthermore, soccer clubs have no legal basis for collecting BSN numbers.
Commercial opportunism and illegal tracking
The hunger for data doesn’t stop at the passport. The apps of clubs such as PEC Zwolle, FC Eindhoven, ADO Den Haag, and NAC Breda are built on the same SIIP template. This “white-label” system appears to leak data immediately upon startup. Without the user’s consent, the app sends telemetry and tracking data to U.S. entities such as Google Firebase and Sentry. This is a direct violation of the GDPR, which requires explicit consent for this type of tracking. The underlying motivation is purely commercial. SIIP views the identified visitor as a commercial goldmine. The company advertises the ability to contact the visitor directly before, during, and after the match. This so-called “customized communication” model turns a soccer ticket into a permanent marketing channel. The fan not only pays for their ticket, but—more importantly—pays with their most intimate digital identity.
The KNVB as a driving force behind the data harvest
Instead of intervening, the KNVB is acting as the biggest promoter of this system. The soccer association presents “Identity-Based Access” as an innovative solution for stadium security. Together with SIIP, SportInnovator, and the Ministry of Health, Welfare, and Sport (VWS), the association is attempting to legitimize the system. The goal is ambitious and compelling. The KNVB aims to make this Personal Digital Access (PDT) the standard for all Dutch professional clubs starting in July 2027. The association is pressuring clubs to rapidly increase adoption among fans to 100 percent. Government subsidies are even being used to achieve this. In doing so, the KNVB is ignoring the enormous privacy risks exposed by independent experts. History shows that the association should not blindly trust its own digital security. As recently as 2023, the KNVB was hit by a major cyberattack in which employees’ personal data was stolen. Centralizing passport data is playing with fire.
Oversight is failing, and fans are protesting
The legal basis for the project is riddled with flaws. No independent and public Data Protection Impact Assessment (DPIA) is available that covers the actual data flows. Experts describe the existing documents as superficial checklists. They are completely silent on the processing of the BSN and its transfer to U.S. cloud processors. The Dutch Data Protection Authority (AP) has not yet taken enforcement action against SIIP or the clubs. This is partly because the technical facts were only very recently demonstrated by independent research. Moreover, the KNVB has a strained relationship with the regulator, as evidenced by previous protracted lawsuits over privacy fines. Meanwhile, public resistance is growing. Fan organizations have already risen up en masse against the ticketing system. They refuse to allow their passports to be scanned by commercial entities. The fear of a massive data breach is entirely justified. If this central database containing social security numbers and passport photos is hacked, the consequences for identity fraud would be incalculable.
