INFORMATION ON THE PROCESSING OF PERSONAL DATA IN THE FIELD OF FEDERATED AUTHENTICATION SERVICES (IDEM – GARR)

icon

 

Italian version

This information is provided, pursuant to art. 13-14 of EU Regulation 679/2016, hereinafter  GDPR, with reference to the processing of personal data in the context of federated authentication services. The processing of personal data will be based on principles of correctness, lawfulness, transparency, relevance, accountability and will be carried out using IT media, however suitable to guarantee its security and confidentiality and in any case through the use of procedures that avoid the risk of loss, theft, unauthorized access, illicit use, unwanted modifications and disclosure of personal data, in compliance with current regulations and professional secret.

Within the federated provision of services, a user who has received credentials from organization A is allowed to authenticate through them to another service provided by organization B.

To simplify and at the same time clarify the roles of the involved organizations, it must be taken into account that, typically, there are therefore at least two involved organizations:

  • Organization A, so-called “Identity Provider”, which confirms that that person actually corresponds to that digital identity;
  • Organization B, so-called “Service Provider” that displays an application or a service whose access is allowed only if the Identity Provider confirms the existence of that identity and if that type of user is allowed for its displayed service.

The University of Molise acts both as an Identity Provider and Service Provider.

When acting as an Identity Provider:

  • ascertains the correct and secure assignment of the credentials assigned to its users;
  • verify the correctness of the credentials entered by the user to access the Service Provider services;
  • provides, depending on the service provided by the Service Provider, user data, whose list and purpose of the processing are defined in the use of the service or in the web pages of the Service Provider itself.

When acting as a Service Provider, the University receives and uses the data released by another Identity Provider at the request of the user who wishes to authenticate to the services of the University of Molise

INFORMATION SHEET

Owner of treatment: University of Molise in the person of the Legal Representative prof. Luca Brunese
Responsible for data processing: CINECA – Interuniversity Consortium – Via Magnanelli nr. 6/3 chap. 40033 Casalecchio di Reno (BO)
Specific purposes and methods of processing
  1. Provide the federated authentication service in order to access the resources requested by the interested party;
  2. Verify and monitor the proper functioning of the service and ensure its safety;
  3. Fulfill any legal obligations or requests by the judicial authorities
Legal basis and nature of the provision
  • with reference to the purpose referred to in point a): art. 6 par. 1 letter b) of the GDPR: the processing of personal data is necessary for the execution of a contract of which the party concerned is party (contract between the University and the GARR Consortium);
  • with reference to the purpose referred to in point b): art. 6 par. 1 letter f) of the GDPR: the processing of personal data is necessary for the pursuit of the legitimate interest of the data controller or third parties;
  • with reference to the purpose referred to in point c): art. 6 par. 1 letter c) of the GDPR: the processing is necessary to fulfill a legal obligation to which the data controller is subject.
Type of data processed
  • e-mail address (email);
  • name;
  • surname;
  • Identification of the membership organization;
  • Type of membership organization;
  • Type of affiliation to the membership organization;
  • Username with identification of the membership organization;
  • Values used to grant privileges on the resource to be accessed;
  • Identifier that allows the management of sessions in anonymous form calculated thanks to a random and non-reassignable algorithm.
Data retention period All personal data collected in order to provide the federated authentication service will be kept for as long as it is necessary to provide the service in compliance with the contractual terms. After 3 months from the expiration / termination of the contract, all personal data collected or generated by the use of the service will be deleted.
Recipients The University, in order to correctly provide the federated authentication service, will communicate to the suppliers of the Resources to which the User intends to access the proof of authentication and only the personal data (attributes) requested, in full compliance with the principle of minimization. Personal data are transmitted only when the interested party requests access to the third party’s resource. For purposes related to the legitimate interest of the Data Controller or the fulfillment of legal obligations, some log data may be disclosed to legitimate third parties (eg. CERT, CSIRT, Judicial Authority).
Exercise of the rights: Access (Article 15 GDPR);

Cancellation (Article 17 GDPR);

Data portability (Article 20 GDPR);

Rectification (Article 16 GDPR);

Limitation (Article 18 GDPR);

Opposition (Article 21 GDPR);

Communication of the violation (Article 34 GDPR);
Right to complain Competent authority to the Guarantor Authority – art. 77. Complaints can be forwarded to the Guarantor for the protection of personal data – Piazza di Montecitorio n.121 – 00186 ROME – fax: (+39) 06.696773785 – telephone: (+39) 06.696771 – Email:

garante@gpdp.it – PEC: protocol@pec.gpdp.it
Contact details for the exercise of the rights Data Protection Officer

  Dr. MARIA SCOCCA

mail scocca@unimol.it

mail supportprivacy@unimol.it
Withdrawal of consent The only data that is collected with the consent of the interested party are the preferences regarding the transmission of attributes to third parties. The preferences are collected at the time of the first access to the Resource and can be deleted, with the result of withdrawing consent to their transmission, starting the login procedure again and ticking the “Remove authorization to issue your information to this service “.
Automated Decision making prediction – Profiling Personal data will not be subject to disclosure or to any fully automated decision-making process, including profiling.
Data transfer to third countries outside the EU There are no data transfers to third countries outside the EU; however, the Data Controller ensures from now on, and  where necessary, that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, for example after stipulating the standard contractual clauses adopted by the ‘European Union.
Provision of data The provision of personal data is necessary for using the  federated authentication service.
Data source The personal data are mostly already in possession of the University, as Data Controller.