MyAccessID Privacy Notice

...

Version: 2.1

Effective Date: 15th April 2026

Name of the Service

MyAccessID

Description of the Service

The MyAccessID Service enables users to securely access Connected Services and share electronic resources using federated identities from eduGAIN and non-eduGAIN, as well as other trusted Identity Providers. Leveraging the ubiquitous presence of eduGAIN and other federated identities, the MyAccessID Service enables users to securely authenticate and identify themselves by using federated identities assigned by the organisation they are affiliated with. As research is not confined only in the research institutes and universities, the MyAccessID Service caters also for users coming from the industry or citizen scientists who may not have access to an institutional

account 

account. It does so by supporting external (non-eduGAIN) identity providers that provide federated user identities, such as social networks

providing federated identities

, community identity providers and other platforms

that can provide federated users identities

, as well as the Guest Identity Provider for users without a federated identity. Creating a user profile on the MyAccessID Service is voluntary. This privacy notice describes how we process the personal data of you – data subject – when you use the MyAccessID Service.
Data controller and a contact person	GÉANT VERENIGING (Association) – registered with the Chamber of Commerce in Amsterdam with registration number 40535155 with its registered address at Hoekenrode 3, 1102 BR, Amsterdam, The Netherlands (hereinafter referred to as: “we” or “GÉANT”) is the data controller. For any inquiries regarding MyAccessID, you can contact the [Support Helpdesk]
Data controller’s data protection officer (if applicable)	GÉANT has appointed Data Protection Officer, who can be contacted at: gdpr@geant.org
Jurisdiction and supervisory authority

NL, The Netherlands

The applicable jurisdiction is The Netherlands. Our lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Personal data processed

and the legal basisAs part of creating

Data requested from Identity Providers When you create or use a user profile on the MyAccessID Service,

 

we may request from your home institution or another identity provider of your choice some or all of the following

data

information: Identifiers

Levels

(e.g. unique identifiers assigned by the Identity Provider) Level(s) of Assurance Given

Name

name Middle

Name

name Family

Name

Emails

Affiliations

name Email address(es) Affiliations (e.g. student, staff, faculty, employee, collaborator) Organisation

The organisation

that issued your identity Data you provide or manage in your MyAccessID profile The information that

we may process when you create a user profile on the MyAccessID Service

may be processed and visible in your MyAccessID profile includes: Honorific Given

Name

name Middle

Name

Family Name

Suffix

Email

Language Preference

name Family name Suffix Display name(Combination of Given Name and Family Name) Sex Date of Birth Nationality Email address Language preference Type of Organization you might belong to Country of Residence Organization Display Name Country of Registration of the User's Organization Organization

The organisation

that issued your identity Affiliation Username SSH public key(s) Level of Assurance Identifiers

, as

provided by identity providers

like e.g. a Home Institution

(for example from your home institution or from third parties

, for example, an ORCIDAll of the information above is provided

such as ORCID) This information is either provided directly by you or by the Identity Provider

upon your choice.

you choose to use with MyAccessID. The actual data collected and used by

the

any particular Connected

Services

Service that you access

through the

via MyAccessID

Service

may differ, depending on what that service requires. You can consult

this

the attributes released to services at any time

by visiting

via the [User

Profile Page].

profile Page]. Data processed for identity verification Where MyAccessID offers identity verification using a passport or other supported identity document, GÉANT uses ReadID service by Inverid B.V. (Dutch, part of Signicat AS, registered in Norway) to perform document verification. As part of that workflow, facial verification and liveness detection are performed by iProov Ltd within the contracted verification chain. In this process, data may be read from the identity document and processed in order to verify the authenticity and validity of the document. In addition, a facial verification step is performed in which a selfie image and/or short verification video frames captured from the user’s device are processed to compare the user’s face with the face associated with the identity document and to confirm that the user is physically present during the verification transaction. MyAccessID itself receives and processes only the verification result and the limited document-related data necessary to record and maintain the verification status in the user profile. MyAccessID does not retain the full passport chip contents or biometric verification data in the user profile. If verification is successful, MyAccessID may retain the following data in the user profile: date of expiry document code family name given name date of birth date of issue, where available issuing country nationality sex a stable identifier generated from the hash of the issuing country and document number Technical log data When you use the MyAccessID Service, we also generate and store technical log data, which may include

Additionally, during your activity on the MyAccessID Service we keep a technical log consisting of the following data

: Your actions on MyAccessID along with timestamps Connected

services that

Services you accessed through MyAccessID Your IP address The Identity Provider you used Guest Identity Provider data When you create an account on the Guest Identity Provider, we collect the following personal data: Name and surname Email Password (stored securely in hashed form) Organization Reason for Registration

Purpose of the processing of personal data

The MyAccessID service processes your personal data to identify, authenticate and authorize your access to Connected Services.

Technical log files produced by the MyAcademicID service components will be used only for administrative, operational, accounting, monitoring and security purposes

We process your personal data for the following purposes: Provision of the MyAccessID account and identity service To create and maintain your MyAccessID user profile To link identities from different Identity Providers To identify and authenticate you when you access Connected Services To provide Connected Services with unique, persistent identifiers and minimal attributes necessary for authorisation Identity verification to verify your identity, where this functionality is made available in MyAccessID, using a passport or other supported identity document through ReadID verification service by Inverid B.V. (Dutch, part of Signicat AS, registered in Norway). to perform facial verification and liveness detection in order to verify that the person presenting the document is the same person and is physically present during the verification transaction to receive, record and maintain the verification result and the limited verification data necessary to support verified status within MyAccessID Operation and security of the MyAccessID infrastructure To operate and improve the MyAccessID components (Account Registry, Proxy, Discovery Service) To keep technical logs for troubleshooting, monitoring, capacity planning and service optimisation To detect, investigate and prevent abuse, security incidents and fraud To comply with legal and contractual obligations, including security and accountability requirements Statistics and service reporting To produce anonymized and aggregated statistics about the use of MyAccessID and Connected Services for reporting and service planning Optional communications and features (where applicable) To contact you with optional service information, surveys or user experience studies, or To enable optional profile features that are not strictly necessary for providing access to Connected Services as well as providing unique identifiers and attributes required for those services to grant you access.

Legal basis for processing

The legal basis for processing your personal data is the GÉANT legitimate interest consisting of providing to the users a technical solution enabling them to access the Connected Services and which is not overridden by the interests or fundamental rights and freedoms of the user (data subject).

Recipients

We rely on the following legal bases under Article 6 GDPR: 1.     Performance of a contract – Article 6(1)(b) GDPR When you register and use a MyAccessID account, we process your personal data to: create and maintain your account and profile, authenticate you to Connected Services,  provide unique identifiers and attributes required for those services to grant you access ,and provide the requested MyAccessID functionality, including identity verification and verified status where available. This processing is necessary for the performance of a contract between you and GÉANT for the provision of the MyAccessID Service, or to take steps at your request prior to entering into such a contract. 2.     Legitimate interests – Article 6(1)(f) GDPR We process technical log data and certain identifiers as necessary to pursue the legitimate interests of: operating a secure and reliable identity and access management service, enabling research organizations, infrastructure providers and other Connected Services to identify and authorize users correctly, preventing misuse and ensuring the integrity and availability of the MyAccessID infrastructure, and demonstrating accountability and compliance. We carefully balance these interests against your rights and freedoms and apply appropriate safeguards, such as strict access controls, data minimization, pseudonymisation where possible, and limited retention periods. You have the right to object to processing based on legitimate interests (see the “Your rights” section below). 3.     Explicit consent for biometric processing – Article 9(2)(a) GDPR Where identity verification uses facial verification and liveness detection, biometric data is processed for the purpose of verifying that the user presenting the identity document is the same person and is physically present during the verification transaction. Because this involves biometric processing, we rely on your explicit consent for that step. If you do not provide that consent, biometric verification cannot be performed and verified status through this method cannot be granted. You may withdraw your consent to the processing of your personal data by deactivating your account in the MyAccessID service at any time by sending an email to the [Support Helpdesk]. Withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Recipients

When you use MyAccessID, we may disclose your personal data to the following categories of recipients: Connected Services you choose to access, which receive only the attributes necessary to identify and authorise you; Other participants in the MyAccessID, such as Identity Providers and intermediary proxies, to the extent necessary to provide the service and ensure secure operation; Service operators and contractors acting on behalf of GÉANT and bound by appropriate data protection and confidentiality obligations. Where identity verification is used, personal data may also be processed by service providers supporting the document-reading and verification workflow, including Inverid B.V. (Dutch, part of Signicat AS, registered in Norway) for document verification and iProov for facial verification and liveness detection

The MyAccessID Service may reveal your personal data to the Connected Services you choose to access. By creating a user profile on MyAccessID, you agree that the recorded information may be disclosed to other authorized participants of MyAccessID or the Connected Services, only for the same purposes and only as far as necessary to provide the services

. Data release will be done via

secured

secure mechanisms and

according to the sections 2.f and 2.l of the Data Protection Code of Conduct [Code of Conduct].

in accordance with the standards required by GDPR. The current listing of Connected Services to the MyAccessID Service, which are enabled to receive personal data, is available at the [Connected Services].  Statistical data may be gathered from the technical logs. This data is anonymized and does not contain any personal data. Statistical data may be made publicly available by the MyAccessID Service.

Data storage

All data processed by the MyAccessID service is stored within the EU/EEA. Where identity verification is used, personal data is also processed within the contracted verification chain by Inverid B.V. (Dutch, part of Signicat AS, registered in Norway)and, for facial verification and liveness detection, by iProov Ltd. Processing in that verification chain may take place within the EEA and, for the facial-verification component, also in the United Kingdom, subject to applicable contractual safeguards. The MyAccessID service is operated under the jurisdiction of the Data Controller. Where personal data is transferred outside the EU/EEA, such transfers will take place in accordance with applicable data protection law, for example on the basis of Standard Contractual Clause and Transfer Impact Assessment. Connected services that you choose to access may receive your personal data – those may be based in the EU/EEA, or in countries with less adequate data protection provisions, in which case

you will be informed

check the information of those services before being allowed to access those services.
Data retention	Your personal data associated with your MyAccessID account is kept for as long as

you are active on the MyAccessID service and can be deactivated on request - in case that you have not logged in to

your account is active. If you do not log in to the MyAccessID Service for 12 consecutive months, your account will be deactivated.

The technical

Certain limited information may be retained as necessary for audit and security purposes, in line with our retention rules. Technical logs and related information are

kept

retained independently in order to guarantee the security and optimisation of the infrastructure

and its optimization

and will be retained for no longer than 18 months, unless a longer retention period is required in the context of an ongoing security incident or legal obligation. Where identity verification is used, MyAccessID temporarily stores the full verification response for up to 4 hours for debugging and troubleshooting purposes and then deletes it. MyAccessID then retains only the limited verification result and document-related fields needed to maintain verified status for 2 years, after which re-verification is required. MyAccessID does not retain full passport chip contents or biometric verification data in the user profile. Within the verification provider chain, verification-related data may be retained for limited periods necessary to complete the verification process, maintain security, prevent fraud, and troubleshoot service issues.

Security

GÉANT takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction.  In particular: access to technical log data is restricted and can only be accessed in a secure way by the MyAccessID service staff. Where identity verification is used, MyAccessID is designed to retain only the minimum data needed to record the verification outcome and maintain verified status. MyAccessID does not retain biometric templates or raw facial verification video in the user profile. Any temporary processing carried out within the contracted verification chain is subject to limited retention periods and technical and organisational safeguards necessary to complete verification, maintain security, and prevent fraud. When accessing

MyaccessID

MyAccessID we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you. Although we

endeavour

endeavor to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that: There are security and privacy limitations on the internet which are beyond our control and which can have a negative impact on the confidentiality, integrity and availability of the information. We cannot be held accountable for activity that results from your own neglect to safeguard the security of your login credentials and equipment which results in a loss of your personal data. If you feel this is not enough, then please do not provide any personal data.
Your rights	To access your data, go to the [User profile Page].  You may access and rectify your personal data or deactivate your account by sending an email to the [Support Helpdesk].  If you have any additional questions connected with your data protection rights contact the  [Support Helpdesk] To access, rectify the data released by your Home Organisation (e.g. your university or research institute), contact your Home Organisation's IT helpdesk. You may object to the processing based on the legitimate interest of your personal data by deactivating your account in the MyAccessID service at any time by sending an email to the [Support Helpdesk]. You can also withdraw your consent for the processing based on your consent by sending an email to the [Support Helpdesk]. Moreover, you have the right to file a complaint to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens], Postbus 93374 2509 AJ DEN HAAG, Telephone number: (+31) - (0)70 - 888 85 00.
Data Protection Code of Conduct	Your personal data will be protected according to the Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy.
References	Anchor UserProfilePage UserProfilePage [User Profile Page] - https://mms.myaccessid.org/

fed-sb/

profile/ Anchor AutoriteitPersoonsgegevens AutoriteitPersoonsgegevens [Autoriteit Persoonsgegevens] - https://autoriteitpersoonsgegevens.nl Anchor CodeOfConduct CodeOfConduct [Code of Conduct] -

http

https://

www

refeds.

geant.net

org/

uri

category/

dataprotection-

code-of-conduct/

v1

v2 Anchor ConnectedServices ConnectedServices [Connected Services] - https://wiki.geant.org/displayMyAccessID/Connected+Services
Contact  Information	Anchor SupportHelpdesk SupportHelpdesk [Support Helpdesk] - Please contact our support desk at

support+myaccessid@eduteams

support@myaccessid.org for any further information.

Cookies and similar technologies

The MyAccessID Service uses only essential cookies that are strictly necessary to provide the service and maintain secure sessions.
We do not use cookies for advertising or non-essential analytics.

You can configure your browser to block or delete cookies, but if you block the cookies listed below, MyAccessID may not function correctly and you may not be able to log in or remain logged in.

Cookies used by MyAccessID

Because these cookies are strictly necessary to provide the MyAccessID Service that you request (authentication and secure sessions), they are used on the basis of Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(f) GDPR (legitimate interests) and do not require your prior consent.

Amendments to this Privacy Notice:

Version 2.1 of this Privacy Notice is being updated to reflect changes in the the collection and processing of user data and identity verification process in the MyAccessID.

Version 2.0 of this Privacy Notice introduces a Cookies section that clarifies the nature and use of essential cookies. Additionally, the “Purposes of Processing” section has been updated and improved for greater clarity.