Service Name |
Identity Provider |
Service Description |
Federated Authentication Service offered by the User's Home Organization. |
Data Processor |
For the contractor:
Contractor and Consortium GARR are co-owners of Personal Data processing provided by the service, following art.26 of GDPR. Contractor is responsible for the exploitation of the interested user rights and for the communication of the information related to articles 13 and 14 of GDPR. |
Responsible for Data Protection(GDPR Section 4) |
DPO:
|
Jurisdiction and |
IT-IT Personal Data Protection Authority |
Processed Personal Data and Legal basis for the processing |
Collected personal data are gathered and stored in Italy according to GDPR regulation. Their processment is necessary to provide the service. |
Goal of the personal data processing |
Provide Identity Management as a Service and Identity Provider as a Service and Identity Provider as a Service with the goal of authenticating interested user in order to enable access to network services requested by the interested user Personal data (attributes) are transferred to third parties (Resources) upon request of the interested user with the goal of accessing the required service Logging data contain user personal data that are being collected with the goal to verify the operation of the service and to ensure its safety. |
Third parties to which data are transferred |
Contractor decides which third parties to release personal data of interested users respecting the principle of minimization. Personal data are transferred only when interested users request access to third party's resource and with the goal of getting the service by the third party itself. Such resources are:
Third parties outside EAA:
|
How to access to, correct, delete personal data and oppose to their processing . |
Contact the above mentioned Data Processors |
How to revoke user consent |
The only collected data with user consent are preferences about the transmission of attributes to third parties. Data are gathered online at the time of first access to resources, and can be deleted, with the outcome of eliminating consent to their transmission, starting over the login procedure and checking the "Clean the consent to release information to this service, previously provided" box. |
Data portability |
Contractor can request data portability related to digital identities, including credentials and consent information. These will be provided in an open format and accordin to Art. 20 of GDPR. Portability service is free of charge at cessation of service. |
Duration of Data Custodial |
All personal data of the interested user (attributes) are kept for the whole duration of the request of the service to the user. If it is no longer necessary to provide the service, contract can disable users. Also the interested user can request cancellation of its user account. In the case of cancellation of intersted user account, data are kept for additional 18 months in order to evaluate if user has/can be enabled again (reactivated). After 18 months of user account disabling, if no request have arrived of reactivation, all interested user data are deleted. Logs are kept for 1 month from collection time; after that, they are deleted |
Here you can find the IRCCS Azienda Ospedaliero-Universitaria di Bologna Information Page: Information Page