Privacy Notice

MyAcademicID Identity and Access Management Service for the European Student Card Initiative

[from now on referred to as the Service]

The Service enables students and faculty of Higher Education Institutions (HEIs) to authenticate and identify themselves to the services of the European Student Card Initiative and services directly supporting the digitisation of Erasmus+, referred to hereafter as “Connected Services”, that support and enable the student mobility process.

Leveraging the ubiquitous presence of eduGAIN and eIDAS federated identities, the Service enables the [Connected Services] to use the academic attributes that are available through the HEI federated logins provided in combination with the national eID of the users participating in student mobility.

This privacy notice describes how we process the personal data of you – data subject – when you use the Service.

GÉANT VERENIGING (Association) – registered with the Chamber of Commerce in Amsterdam with registration number 40535155 with its registered address at Hoekenrode 3, 1102 BR, Amsterdam, The Netherlands (hereinafter referred to as: “we” or “GÉANT”) is the data controller.

GÉANT has appointed a Data Protection Officer, who can be contacted at: gdpr@geant.org 

Additionally, you can contact the [GEANT eduTEAMS Support Desk]

During  your use of the Service we may process and record the following data:

• Honorific
• Given Name
• Middle Name
• Family Name
• Suffix
• Nationality
• The eIDAS Unique Identifier
• Email address(es)
• The HEI you are affiliated with
• Affiliation within the HEI

• Technical protocol identifiers 
• The European Student Identifier (ESI)
• Username
• Access rights relevant to the Connected Services

You may choose not to provide certain information, but this may mean you will not be able to access the [Connected Services] through the Service. 

Additionally, during your activity on the Service we keep technical log consisting of the following data:

• Your actions on the Service along with timestamps
• Services that you accessed through the Service
• Your IP address
• The Identity Provider you used

The legal basis for processing your personal data is the GÉANT legitimate interest consisting of:

• providing to you, as as a member of a HEI to access and use the Connected Services
• any administrative and security maintenance of the Service

which are not overridden by the interests or your fundamental rights and freedoms as the data subject.

The Service may release your personal data to the Connected Services.

Data release will be done via secured mechanisms and according to the sections 2.f and 2.l of the Data Protection Code of Conduct [Code of Conduct].

At the [Connected Services page you can find the list of all the services that can be accessed through the Service.

Statistical data is gathered based on the technical logs. This data is anonymized and does not contain any personal data. Statistical data may be made publicly available by the Service.

All data processed by the Service is stored within the EU/EEA.

The Service is operated under the jurisdiction of the Data Controller.

The [Connected Services] that you access through the Service, process and store your data within the EU/EEA.

Personal data associated with your account on the Service is kept while you are active in the Service and for a period of 6 months after your account has been deactivated.

Technical logs and related information are kept independently in order to guarantee the security of the infrastructure and its optimization and will be retained for no longer than 18 months.

GÉANT takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse, unauthorised access, disclosure, alteration and destruction.

In particular, access to technical log data is restricted and can only be accessed in a secure way by authorized personnel.

When accessing the Service  we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you.

Although we endeavour to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:

• There are security and privacy limitations on the internet which are beyond our control and which can have a negative impact on the confidentiality, integrity and availability of the information.
• We cannot be held accountable for a loss of personal data that results from your own neglect to safeguard the security of your log on credentials and equipment. If you feel this is not enough, then  you must not provide any personal data to the Service.

You may access and modify your user profile on the Service through the [User profile Page]. 

If you have any additional questions connected with your data protection rights, contact [GEANT eduTEAMS Support Desk]

To access and/or modify the data that is being released by your Identity Provider (e.g. your university or research institute), contact your Identity Provider’s support helpdesk. 

You may object to further processing of your personal data by the Service by deactivating your user account on the Service.

You can request for your user account on the Service to be deactivated at any time by contacting the [GEANT eduTEAMS Support desk].

Your account will be automatically deactivated, if you have not logged on to the Service for more than 12 consecutive months. 

You can reactivate your account, by logging on to the Service within 6 months after the deactivation of your account.

You have the right to file a complaint to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens]

[User Profile Page] - https://mms.prod.erasmus.eduteams.org/profile/

[Autoriteit Persoonsgegevens] - https://autoriteitpersoonsgegevens.nl

[Code of Conduct] - http://www.geant.net/uri/dataprotection-code-of-conduct/v1