INFORMATION ON THE PROCESSING OF PERSONAL DATA IN THE FIELD OF FEDERATED AUTHENTICATION SERVICES (IDEM – GARR)
This information is provided, pursuant to art. 13-14 of EU Regulation 679/2016, hereinafter GDPR, with reference to the processing of personal data in the context of federated authentication services. The processing of personal data will be based on principles of correctness, lawfulness, transparency, relevance, accountability and will be carried out using IT media, however suitable to guarantee its security and confidentiality and in any case through the use of procedures that avoid the risk of loss, theft, unauthorized access, illicit use, unwanted modifications and disclosure of personal data, in compliance with current regulations and professional secret.
Within the federated provision of services, a user who has received credentials from organization A is allowed to authenticate through them to another service provided by organization B.
To simplify and at the same time clarify the roles of the involved organizations, it must be taken into account that, typically, there are therefore at least two involved organizations:
- Organization A, so-called “Identity Provider”, which confirms that that person actually corresponds to that digital identity;
- Organization B, so-called “Service Provider” that displays an application or a service whose access is allowed only if the Identity Provider confirms the existence of that identity and if that type of user is allowed for its displayed service.
The University of Molise acts both as an Identity Provider and Service Provider.
When acting as an Identity Provider:
- ascertains the correct and secure assignment of the credentials assigned to its users;
- verify the correctness of the credentials entered by the user to access the Service Provider services;
- provides, depending on the service provided by the Service Provider, user data, whose list and purpose of the processing are defined in the use of the service or in the web pages of the Service Provider itself.
When acting as a Service Provider, the University receives and uses the data released by another Identity Provider at the request of the user who wishes to authenticate to the services of the University of Molise
INFORMATION SHEET
Owner of treatment: | University of Molise in the person of the Legal Representative prof. Luca Brunese |
Responsible for data processing: | CINECA – Interuniversity Consortium – Via Magnanelli nr. 6/3 chap. 40033 Casalecchio di Reno (BO) |
Specific purposes and methods of processing |
|
Legal basis and nature of the provision |
|
Type of data processed |
|
Data retention period | All personal data collected in order to provide the federated authentication service will be kept for as long as it is necessary to provide the service in compliance with the contractual terms. After 3 months from the expiration / termination of the contract, all personal data collected or generated by the use of the service will be deleted. |
Recipients | The University, in order to correctly provide the federated authentication service, will communicate to the suppliers of the Resources to which the User intends to access the proof of authentication and only the personal data (attributes) requested, in full compliance with the principle of minimization. Personal data are transmitted only when the interested party requests access to the third party’s resource. For purposes related to the legitimate interest of the Data Controller or the fulfillment of legal obligations, some log data may be disclosed to legitimate third parties (eg. CERT, CSIRT, Judicial Authority). |
Exercise of the rights: | Access (Article 15 GDPR);
Cancellation (Article 17 GDPR); Data portability (Article 20 GDPR); Rectification (Article 16 GDPR); Limitation (Article 18 GDPR); Opposition (Article 21 GDPR); Communication of the violation (Article 34 GDPR); |
Right to complain | Competent authority to the Guarantor Authority – art. 77. Complaints can be forwarded to the Guarantor for the protection of personal data – Piazza di Montecitorio n.121 – 00186 ROME – fax: (+39) 06.696773785 – telephone: (+39) 06.696771 – Email:
garante@gpdp.it – PEC: protocol@pec.gpdp.it |
Contact details for the exercise of the rights | Data Protection Officer
Dr. MARIA SCOCCA mail scocca@unimol.it |
Withdrawal of consent | The only data that is collected with the consent of the interested party are the preferences regarding the transmission of attributes to third parties. The preferences are collected at the time of the first access to the Resource and can be deleted, with the result of withdrawing consent to their transmission, starting the login procedure again and ticking the “Remove authorization to issue your information to this service “. |
Automated Decision making prediction – Profiling | Personal data will not be subject to disclosure or to any fully automated decision-making process, including profiling. |
Data transfer to third countries outside the EU | There are no data transfers to third countries outside the EU; however, the Data Controller ensures from now on, and where necessary, that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, for example after stipulating the standard contractual clauses adopted by the ‘European Union. |
Provision of data | The provision of personal data is necessary for using the federated authentication service. |
Data source | The personal data are mostly already in possession of the University, as Data Controller. |