| 1 Name | 2 Personal Data | 3 Special Category | 4 Data Format | 5 Data Subject | 6 Purpose | 7 Legal bases | 8 Location of PD | 9 Retention Period | 10 Controller Contacts | 11 Processor Contact | 12 Transfer | 13 Recipient | 14 Controls implemented | 15 Interfaces |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Service request and support contact data | professional contact data e.g. Name, email address; 1. configuration Parameters e.g. Details of TLS certificate, hostname, IP address, language code | no | Digital | Federation Operator (employee of NREN) | Performance of the future contract | (b) contract (user orders the service → acceptance of the offer described in the FaaS website); Check of introducing a cancellation clause in the Terms of Service? | GEANT wiki page: wiki.geant.org | As long as the service is provided | GÉANT | ??? | no | n.a. | Access control is implemented in the wiki, only the FaaS operations team can access the page. (FaaS-Operations-Team) | contact data added to: faas-customers@geant.org for notifications |
| Resource registry data | information for the local user account: name, email, affiliation, username and password | no | Digital | Federation operator and entity administrators | Access control for the FaaS instance. | contract; (f) legitimate interests; marina: imho legitimate interest would suit better | PSNC (Poland) | As long as the service is provided; check and reconcile the Retention period after cancellation | GÉANT | PSNC Secretary’s Office Polish Optical Internet Research Center ul. Jana Pawła II 10, 61-139 Poznan | no | n.a. | Access control is implemented in the Jagger software used as the UI for the service. | User's input |
| | Contact person information in identity federation metadata: GivenName, Surname, EmailAddress, TelephoneNumber, Affiliation | no | Digital | Federation (entity) contact person | Technical operation of identity federation infrastructure | (f) legitimate interests | PSNC (Poland) | As long as the service is provided; check and reconcile the Retention period after cancellation | GÉANT | PSNC Secretary’s Office Polish Optical Internet Research Center ul. Jana Pawła II 10, 61-139 Poznan | public disclosure | public | ? | User's input |
| | Contact person information in eduGAIN metadata: GivenName, Surname, EmailAddress, TelephoneNumber, Affiliation | No | Digital | Federation (entity) contact person | Technical operation of eduGAIN infrastructure | (f) legitimate interests | PSNC (Poland) | As long as the service is provided | GÉANT | PSNC Secretary’s Office Polish Optical Internet Research Center ul. Jana Pawła II 10, 61-139 Poznan | public disclosure | public | ? | data received from Federations |
| Webserver Log data | IP address of the Client (System from the domain affiliated with data subject organisation, Chosen by data subject) | no | Digital | Anyone accessing any FaaS instance via web. | Security | (f) legitimate interests | PSNC (Poland) | 4 weeks | GÉANT | PSNC Secretary’s Office Polish Optical Internet Research Center ul. Jana Pawła II 10, 61-139 Poznan | no | n.a. | Accessible only by the FaaS operations team. Access to servers protected by SSH keys. | Data subject access to an FaaS instance. |

FaaS Terms of Service

Instructions 

The table above should be filled in with all data collected or processed by GÉANT Services, in accordance with Article 30 of the GDPR. Each point of the table is described below, together with the information that must be provided to complete this exercise. The GDPR requirement matching each point of the Data Mapping is given in parentheses ().

1 Name - Name of the service or project and dataset, if applicable; 

2 (30 1c) Personal Data - Any information relating to an identified or identifiable natural person, meaning a person who could be identified, directly or indirectly, through this data:

  • Name
  • Birth dates
  • Address
  • Email address, IP address, MAC address
  • ID card, social security number, VAT number
  • Job title, academic qualifications
  • Banking details

3 (30 1c) Special Category - Check whether special categories of personal data are processed. Article 9 of the GDPR describes these special categories: processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

  • Medical records
  • Genetic and biometric data 
  • Ethnic origin
  • Political opinions
  • Membership of a trade union
  • Religion
  • Sexual orientation
  • Criminal activity (criminal records)

4 Data Format -  Physical or Digital;

5 Data Subject - Natural persons whose personal data are collected and processed;

6 (30 1b) Purpose - The purpose of collecting and processing the data. Personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

7 Legal Bases - Describe the legal basis for data processing as defined in Article 6, one of the following: (a) consent, (b) contract, (c) legal obligation (law), (d) protection of the vital interests of the data subject or of another person, (e) public interest or exercise of official authority (law), (f) legitimate interests. E.g.: Contract, Clauses, Terms and Conditions, Agreements, Disclaimers, etc.

8 Location of Personal Data - Where personal data are stored, database/server, country; 

9 (30 1f) Retention Period - Personal data should be kept only for the previously defined period, based on business, legal or contractual purposes or obligations;

10 (30 1a) Controller Contacts - The controller is the natural or legal person (authority, agency or other body) that determines the purposes and means of the processing of personal data. This point should include the contacts of the nominated Data Protection Officer.

11 (30 1a) Processor Contacts - The processor is a natural or legal person (authority, agency or other body) which processes personal data on behalf of the controller. If applicable, this point should include the contacts of the nominated Data Protection Officer.

12 (30 1e) Transfer  - Description of other services, systems, applications, databases where data are being sent.

13 (30 1d) Recipient - If applicable, name the recipient of the personal data;

14 (30 1g) Controls Implemented - Describe the controls in place to protect personal data as defined in Article 32: (a) pseudonymisation, encryption; (b) confidentiality, integrity, availability and resilience; (c) backup; (d) regularly testing, assessing and evaluating the effectiveness of technical and organisational measures. E.g.: Anonymised (Encryption) 32 a) / Backup 32 c) / Encrypted Channel 32 b) / Access Control 32 2);

15 Interfaces - Who receives and who sends personal data (services, applications); what channels are used for communication; what kinds of services are connected, e.g. internet, firewall, storage devices (cloud systems);

 
