IDP Privacy Policy

Service Name Identity Provider
Service Description Federated Authentication Service offered by the User’s Home Organization.
Data Processor The owner of the processing of personal data managed through the service is the I.S.S.M. Guido Cantelli of Novara, addess Via Collegio Gallarini, 1 – 28100 Novara, represented by the President, Dr. Lorenzo Olivieri.
Responsible for Data Protection(GDPR Section 4) (if applicabile)
Jurisdiction and

control authority

IT-IT

Personal Data Protection Authority
How to file a complaint with the data protection authority:
https://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-tuoi-dati-personali

Processed Personal Data and Legal basis for the processing
  1. Some of all of the following personal data from the user collected by the contractor
    1. one or more unique identifiers (uid, schacPersonalUniqueID, eduPersonOrcid, eduPersonTargetedID, SAML persistent identifier);
    2. Identification credentials (userPassword);
    3. Surname and Name (sn, givenName, cn, displayName);
    4. email address (mail);
    5. role in the Organization(eduPersonAffiliation,eduPersonEntitlement);
    6. Organization Name(schacHomeOrganization,schacHomeOrganizationType);
  2. User personal data directly collected during normal service operation:
    1. Preferences about consensus on using resources over the internet;
    2. IdP service log records: user identifier, date and time of usage, requested service, attributes sent to the service;
    3. Log record of other services (http, ldap, …).

Collected personal data are gathered and stored in Italy according to GDPR regulation. Their processment is necessary to provide the service.

Goal of the personal data processing Provide Identity Management as a Service and Identity Provider as a Service and Identity Provider as a Service with the goal of authenticating interested user in order to enable access to network services requested by the interested user

Personal data (attributes) are transferred to third parties (Resources) upon request of the interested user with the goal of accessing the required service

Logging data contain user personal data that are being collected with the goal to verify the operation of the service and to ensure its safety.

Third parties to which data are transferred Contractor decides which third parties to release personal data of interested users respecting the principle of minimization. Personal data are transferred only when interested users request access to third party’s resource and with the goal of getting the service by the third party itself.

Such resources are:

  • All IDEM Federation resources;
  • Le Resources of the eduGAIN interfederation, compliant with the GDPR DP Code of Conduct;
  • eduGAIN resources compliant with Reserach and Scholarship;

Third parties outside EAA:

  • Resources compliant to Data Protection Code of Conduct;
  • Resources compliant with Research and Scholarship;
How to access to, correct, delete personal data and oppose to their processing . Contact the above mentioned Data Processors
Data portability Contractor can request data portability related to digital identities, including credentials and consent information. These will be provided in an open format and accordin to Art. 20 of GDPR. Portability service is free of charge at cessation of service.
Duration of Data Custodial All personal data of the interested user (attributes) are kept for the whole duration of the request of the service to the user. If it is no longer necessary to provide the service, contract can disable users. Also the interested user can request cancellation of its user account. In the case of cancellation of intersted user account, data are kept for additional 18 months in order to evaluate if user has/can be enabled again (reactivated). After 18 months of user account disabling, if no request have arrived of reactivation, all interested user data are deleted.

Logs are kept for 1 month from collection time; after that, they are deleted

X