Version:1.0
Publication Date:2023-02-18
Effective Date2023-02-21



DEFINITIONS

AAI - The GEANT AAI Service

DPO - Data Protection Officer

CIRT: Computer Incident Response Team

Participant - An entity providing, managing, operating, supporting or coordinating one or more service(s) connected to the AAI

Personal Data - Any information relating to an identified or identifiable natural person [GDPR].

Policy - This document

Processing (Processed) - Any operation or set of operations, including collection and storage, which is performed upon Personal Data [GDPR].

End User - An individual who by virtue of their membership of on the AAI is authorized to use the Participant's services.

INTRODUCTION

This Policy ensures that data collected as a result of the use of the AAI is processed fairly and lawfully by the AAI participants. Some of this data, for example that relating to user registration, monitoring and accounting contains “personal data” as defined by the European Union (EU) [GDPR]. The collection and processing of Personal Data is subject to restrictions aimed at protecting the privacy of individuals.

SCOPE

This Policy covers Personal Data that is Processed as a prerequisite for or as a result of an End User’s use of the  Participant's services. Examples of such Personal Data include registration information, credential identifiers and usage, accounting, security and monitoring records.

POLICY

By using the AAI, Participants: 

  1. Declare that they have read, understood and will abide by the Principles of Personal Data Processing as set out below. 
  2. Declare their acknowledgment that failure to abide by these Principles may result in exclusion from the AAI, and that if such failure is thought to be the result of an unlawful act or results in unlawful information disclosure, they may be reported to the relevant legal authorities.

PRINCIPLES OF PERSONAL DATA PROCESSING

I. The End User whose Personal Data is being Processed shall be treated fairly and in an open and transparent manner.

II. Personal Data of End Users (hereinafter “Personal Data”) shall be Processed only for those administrative, operational, accounting, monitoring and security purposes that the End Users have been information about, and that are necessary for the safe and reliable operation of the Participant's services, without prejudice to the End Users’ rights under the relevant laws.

III. Processing of Personal Data shall be adequate, relevant and not excessive in relation to the purposes for which they are Processed.

IV. Personal Data shall be accurate and, where necessary, kept up to date. Where Personal Data are found to be inaccurate or incomplete, having regard to the purposes for which they are Processed, they shall be rectified or purged.

V. Personal Data Processed for the purposes listed under paragraph II above shall not be kept for longer than the period defined in the relevant policy of the Participant governing the type of Personal Data record being Processed (e.g. registration, monitoring or accounting) and by default shall be anonymised or purged after a period of 18 months.

VI. Appropriate technical and organisational measures shall be taken against unauthorised disclosure or Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. As a minimum, Participants shall:

    1. Restrict access to stored Personal Data under their control to appropriate authorised individuals;
    2. Transmit Personal Data by network or other means in a manner to prevent disclosure to unauthorised individuals;
    3. Not disclose Personal Data unless in accordance with these Principles of Personal Data Processing;
    4. Appoint at least one DPO with appropriate training and publish to the AAI a single contact point for the DPO to which End Users or Participants can report suspected breaches of this Policy;
    5. Respond to suspected breaches of this Policy promptly and effectively and take the appropriate action where a breach is found to have occurred;
    6. Perform periodic audits of compliance to this Policy and make available the results of such audits to the AAI upon request.
    7. Each Participant's service interface provided for the End User must provide, in a visible and accessible way, a Privacy Notice containing at least the following elements:
      1. Name and contact details of the Participant Processing Personal Data; 
      2. Description of Personal Data being Processed; 
      3. Purpose or purposes of Processing of Personal Data;
      4. Explanation of the rights of the End User to:
        1. Obtain a copy of their Personal Data being stored by the Participant without undue delay; 
        2. Request that any Personal Data relating to them which is shown to be incomplete or inaccurate be rectified;
        3. Request that on compelling legitimate grounds Processing of their Personal Data should cease;
      5. The contact details of the Participant’s DPO to which the End User should direct requests in relation to their rights above;
      6. Retention period of the Personal Data Processed;
    8. Personal Data may only be transferred to or otherwise shared with individuals or organisations where the recipient:
      1. has agreed to be bound by this Policy and the set of AAI Policies, or 
      2. is part of a recognised CIRT framework and as part of an incident investigation to prevent active or suspected misuse of Infrastructure services, or 
      3. presents an appropriately enforced legal request.