Name of the Service

MyAccessID

Description of the Service

The MyAccessID Service enables users to securely access Connected Services and share electronic resources using federated identities from eduGAIN and trusted Identity Providers.

Leveraging the ubiquitous presence of eduGAIN federated identities, the MyAccessID Service enables users to securely authenticate and identify themselves by using federated identity assigned by the organisation they are affiliated with. As research is not confined only in the research institutes and universities, the MyAccessID Service caters also for users coming from the industry or citizen scientists who may not have access to an institutional account  It does so by supporting external (non-eduGAIN) identity providers, such as social networks providing federated identities, community identity providers and other platforms that can provide federated users identities.

Creating a user profile on the MyAccessID Service is voluntary.

This privacy notice describes how we process the personal data of you – data subject – when you use the MyAccessID Service.

Data controller and a contact person

GÉANT VERENIGING (Association) – registered with the Chamber of Commerce in Amsterdam with registration number 40535155 with its registered address at Hoekenrode 3, 1102 BR, Amsterdam, The Netherlands (hereinafter referred to as: “we” or “GÉANT”) is the data controller.

GÉANT has appointed Data Protection Officer, who can be contacted at: gdpr@geant.org 

Additionally, you can contact the MyAccessID [Support Helpdesk] 

Data controller’s data protection officer (if applicable)

Jurisdiction and supervisory authority

NL, The Netherlands

Personal data processed and the legal basis

As part of creating a user profile on the MyAccessID Service,  we may request from your home institution or another identity provider of your choice the following data:

• Identifiers
• Levels of Assurance
• Given Name
• Middle Name
• Family Name
• Emails
• Affiliations
• Organization that issued your identity

The information that we may process when you create a user profile on the MyAccessID Service includes:

• Honorific
• Given Name
• Middle Name
• Family Name
• Suffix
• Email
• Language Preference
• Organization that issued your identity
• Affiliation
• Username
• SSH public key(s)
• Level of Assurance
• Identifiers, as provided by identity providers like e.g. a Home Institution or from third parties, for example an ORCID

All of the information above is provided by you or by the Identity Provideer upon your choice. The actual data collected by the Connected Services you access through the MyAccessID Service may differ. You can consult this at any time by visiting the [User Profile Page].

Additionally, during your activity on the MyAccessID Service we keep technical log consisting of the following data:

• Your actions on MyAccessID along with timestamps
• Connected services that you accessed through MyAccessID
• Your IP address
• The Identity Provider you used

Purpose of the processing of personal data

The MyAccessID service processes your personal data to identify, authenticate and authorize your access to Connected Services.

Technical log files produced by the MyAcademicID service components will be used only for administrative, operational, accounting, monitoring and security purposes.

Legal basis for processing

The legal basis for processing your personal data is the GÉANT legitimate interest consisting of providing to the users a technical solution enabling them to access the Connected Services and which is not overridden by the interests or fundamental rights and freedoms of the user (data subject).

Recipients

The MyAccessID Service may reveal your personal data to the Connected Services you choose to access. By creating a user profile on MyAccessID, you agree that the recorded information may be disclosed to other authorized participants of MyAccessID or the Connected Services, only for the same purposes and only as far as necessary to provide the services.

Data release will be done via secured mechanisms and according to the sections 2.f and 2.l of the Data Protection Code of Conduct [Code of Conduct].

The current listing of Connected Services to the MyAccessID Service, which are enabled to receive personal data, is available at the [User profile Page]. 

Statistical data may be gathered from the technical logs. This data is anonymized and does not contain any personal data. Statistical data may be made publicly available by the MyAccessID Service.

Data storage

All data processed by the MyAccessID service is stored within the EU/EEA.

The MyAccessID service is operated under the jurisdiction of the Data Controller.

Connected services that you choose to access may receive your personal data – those may be based in the EU/EEA, or in countries with less adequate data protection provisions, in which case you will be informed before being allowed to access those services.

Data retention

Your personal data associated with your account is kept as long as you are active on the MyAccessID service and can be deactivated on request - in case that you have not logged in to MyAccessID Service for 12 consecutive months your account will be deactivated.

The technical logs and related information are kept independently in order to guarantee the security of the infrastructure and its optimization and will be retained no longer than 18 months.

Security

GÉANT takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction. 

In particular: access to technical log data is restricted and can only be accessed in a secure way by the MyAccessID service staff.

When accessing MyaccessID we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you.

Although we endeavour to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:

• There are security and privacy limitations on the internet which are beyond our control and which can have a negative impact on the confidentiality, integrity and availability of the information.
• We cannot be held accountable for activity that results from your own neglect to safeguard the security of your log on credentials and equipment which results in a loss of your personal data. If you feel this is not enough, then please do not provide any personal data.

Your rights

To access your data, go to the [User profile Page].  You may access and rectify your personal data or deactivate your account by sending an email to the Support Helpdesk. 

If you have any additional questions connected with your data protection rights contact the Support Helpdesk

To access, rectify the data released by your Home Organisation (e.g. your university or research institute), contact your Home Organisation's IT helpdesk. You may object to processing of your personal data by deactivating your account in the MyAccessID service at any time by sending an email to the Support Helpdesk.

Moreover, you have the right to file a complaint to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens]

Data Protection Code of Conduct

Your personal data will be protected according to the Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy.

References

[User Profile Page] - https://mms.myaccessid.org/fed-sb/profile/

[Autoriteit Persoonsgegevens] - https://autoriteitpersoonsgegevens.nl

[Code of Conduct] - http://www.geant.net/uri/dataprotection-code-of-conduct/v1

[Connected Services] - https://wiki.geant.org/displayMyAccessID/Connected+Services

Contact  Information

[Support Helpdesk] - Please contact our support desk at support+myaccessid@eduteams.org for any further information.