Why do I need to write a Privacy Policy for my Service Provider?

End Users intending to access your service might be interested to know how you treat the personal data the service needs. Therefore, the privacy policy document needs to be publicly accessible, without access restrictions.

The Privacy Policy should be available in English and optionally in other languages.

The privacy policy document should provide answers to questions like:

Where to start in writing a Privacy Policy?

Use this Privacy Policy Template to draft the Privacy Policy for your Service Provider. You should consult your organizational Privacy Policy, if available.

Check out some privacy policies from SPs already accessible via eduGAIN:


More examples of privacy policies can be found on the page that lists all services that support the GÉANT Data Protection Code of Conduct.

Where to publish the link to the Privacy Policy?

The URL pointing to the Privacy Policy must be published in the Metadata of the Service Provider, like in this example:

<md:EntityDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  entityID="https://wiki.edugain.org/shibboleth"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
 
  [ ... ]
 
  <SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
 
        <mdui:PrivacyStatementURL xml:lang="en">https://wiki.edugain.org/eduGAIN:Privacy_policy</mdui:PrivacyStatementURL>
 
        [ ... ]
 
      </mdui:UIInfo>
    </Extensions>
 
    [... More SAML metadata ...]

  </SPSSODescriptor>
</md:EntityDescriptor>

In addition, end users should be able to find the link easily on the web interface of the service itself, not just in the Metadata.
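One way to check metadata for the element shown above before it is published, as an added example that is not part of the original page: it reports every Service Provider that has no mdui:PrivacyStatementURL, no English version, or a URL that is not an absolute web address. The function name, the sample entity IDs and URLs, and the plain-http warning are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
URL_PATH = "md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL"

def check_privacy_statements(metadata_xml):
    """Return {entityID: [problems]} for each SP; an empty list means it passes."""
    # Metadata from a source you do not control should go through a hardened
    # parser (for example defusedxml) before this check.
    root = ET.fromstring(metadata_xml)
    report = {}
    # Handles a single EntityDescriptor or an EntitiesDescriptor aggregate.
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        for sp in entity.findall("md:SPSSODescriptor", NS):
            problems = report.setdefault(entity.get("entityID"), [])
            langs = set()
            for el in sp.findall(URL_PATH, NS):
                lang, url = el.get(XML_LANG), (el.text or "").strip()
                langs.add(lang)
                parts = urlsplit(url)
                if parts.scheme not in ("http", "https") or not parts.netloc:
                    problems.append("[%s] not an absolute web URL: %r" % (lang, url))
                elif parts.scheme == "http":
                    # Assumption of this example, not a rule stated on the page.
                    problems.append("[%s] served over plain http" % lang)
            if not langs:
                problems.append("no mdui:PrivacyStatementURL")
            elif "en" not in langs:
                problems.append('no xml:lang="en" privacy statement')
    return report

# Constructed sample aggregate (entity IDs and URLs are made up).
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
 <md:EntityDescriptor entityID="https://ok.example.org/sp"><md:SPSSODescriptor
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:UIInfo>
   <mdui:PrivacyStatementURL xml:lang="en">https://ok.example.org/privacy</mdui:PrivacyStatementURL>
  </mdui:UIInfo></md:Extensions></md:SPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://none.example.org/sp"><md:SPSSODescriptor
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://de.example.org/sp"><md:SPSSODescriptor
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:UIInfo>
   <mdui:PrivacyStatementURL xml:lang="de">http://de.example.org/datenschutz</mdui:PrivacyStatementURL>
  </mdui:UIInfo></md:Extensions></md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for entity_id, problems in check_privacy_statements(SAMPLE).items():
        print(entity_id, "OK" if not problems else "; ".join(problems))
```

Entities without an SPSSODescriptor, such as Identity Providers, are skipped and do not appear in the report.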