v0.1-Draft (effective XXst July, 2021)
Name of the
OCRE SP Proxy
Description of the Service
The OCRE SP Proxy (the Service) is provided by GEANT with the purpose of enabling cloud service providers which participate in the OCRE framework to authenticate users at academic Identity Providers and/or Community Authentication and Authorization Infrastructure Services in the context of the European Open Science Cloud through the eduGAIN Interfederation Service.
This privacy notice describes how we process the personal data of you – data subject – when you use the Service.
Data controller and a contact person
GÉANT VERENIGING (Association) – registered with the Chamber of Commerce in Amsterdam with registration number 40535155 with its registered address at Hoekenrode 3, 1102 BR, Amsterdam, The Netherlands (hereinafter referred to as: “we” or “GÉANT”) is the data controller.
GÉANT has appointed Data Protection Officer, who can be contacted at: email@example.com
Additionally, you can contact the [Support Helpdesk]
Data controller’s data protection officer (if applicable)
Jurisdiction and supervisory authority
NL, The Netherlands
Personal data processed and the legal basis
As part of use the Service, we may request from your home institution or another identity provider of your choice the following data:
All of the information above is provided by you or by the Identity Provider of your choice. The actual data collected by the Connected Services you access through the Service may differ.
Additionally, during your activity on the Service we keep technical log consisting of the following data:
Purpose of the processing of personal data
The Service processes your personal data to identify, authenticate and authorize your access to Connected Services.
Technical log files produced by the Service components will be used only for administrative, operational, accounting, monitoring and security purposes.
Legal basis for processing
The legal basis for processing your personal data is the GÉANT legitimate interest in providing to the users a technical solution that enables them to access the Connected Services and which is not overridden by the interests or fundamental rights and freedoms of the user (data subject).
The Service may reveal your personal data to the Connected Services you choose to access. By using the Service, you agree that the recorded information may be disclosed to other authorized participants of Service or the Connected Services, only for the same purposes and only as far as necessary to provide the services.
Data release will be done via secured mechanisms and according to the sections 2.f and 2.l of the Data Protection Code of Conduct [Code of Conduct].
The current listing of Connected Services to the Service, which are enabled to receive personal data, is available at the [Connected Services].
Statistical data may be gathered from the technical logs. This data is anonymized and does not contain any personal data. Statistical data may be made publicly available by the Service.
All data processed by the Service is stored within the EU/EEA.
The Service is operated under the jurisdiction of the Data Controller
Connected services that you choose to access may receive your personal data – those may be based in the EU/EEA, or in countries with less adequate data protection provisions, in which case you will be informed before being allowed to access those services.
Your personal data associated with your account is kept as long as you are active on the Service and can be deactivated on request - in case that you have not logged in to Service for 12 consecutive months your account will be deactivated.
The technical logs and related information are kept independently in order to guarantee the security of the infrastructure and its optimization and will be retained no longer than 18 months.
GÉANT takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction.
In particular: access to technical log data is restricted and can only be accessed in a secure way by the Service staff.
When accessing the Service we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you.
Although we endeavour to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:
You may access and rectify your personal data or deactivate your account by sending an email to the Support Helpdesk.
If you have any additional questions connected with your data protection rights contact the Support Helpdesk
To access, rectify the data released by your Home Organisation (e.g. your university or research institute), contact your Home Organisation's IT helpdesk. You may object to processing of your personal data by deactivating your account in the Service at any time by sending an email to the Support Helpdesk.
Moreover, you have the right to file a complaint to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens]
Data Protection Code of Conduct
Your personal data will be protected according to the Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy.
[Autoriteit Persoonsgegevens] - https://autoriteitpersoonsgegevens.nl
[Code of Conduct] - http://www.geant.net/uri/dataprotection-code-of-conduct/v1
[Connected Services] - https://wiki.geant.org/display/OSP/Services