Template for a Privacy Notice

Privacy Policy    

This policy is effective from <insert date>. 

Name of the Service

SHOULD be the same as mdui:DisplayName

Description of the ServiceSHOULD be the same as mdui:Description
Data controller and a contact personYou may wish to include the Data Controller defined for the Infrastructure, rather than per-service
Data controller’s data protection officer (if applicable)
Jurisdiction and supervisory authority

The  country  in  which  the  Service  Provider  is  established  and  whose laws  are applied. SHOULD  be  an ISO  3166  code followed  by  the  name  of the  country  and  its subdivision if necessary for qualifying the jurisdiction.

How to lodge a complaint to the competent Data protection authority:

Instructions to lodge a complaint are available at...

Personal data processed and the legal basis

1. Personal data retrieved from your Home organisation:

* your unique user identifier (SAML persistent identifier) *
* your role in your Home Organisation (eduPersonAffiliation attribute) *
* your name *
* ...


2. Personal data gathered from yourself

* Logfiles on the service activity*
* Your profile
* …


*  =  the  personal  data  is  necessary  for  providing  the Service.  Other  personal data is processed because you have consented to it.


Please  make  sure  the  list  A.  matches  the  list  of  requested  attributes  in  the Service Provider's SAML 2.0 metadata.

Purpose of the processing of personal dataDon’t forget to describe also the purpose of the log files, if they contain personal data (they usually do)
Third parties to whom personal data is disclosed

Notice clause of the Code of Conduct for Service Providers.

Are   the   3rd   parties   outside   EU/EEA   or   the   countries   or   international organisations  whose  data  protection  EC  has  decided  to  be  adequate?  If  yes, references to the appropriate or suitable safeguards.

How to access, rectify and delete the personal data and object to its processingContact the contact personal above. To rectify the data released by your Home Organisation, contact your Home Organisation’s IT helpdesk.
Withdrawal of consentIf personal data is processed on user consent, how can he/she withdraw it?
Data portabilityCan the user request his/her data be ported to another Service? How?
Data retention

When  the  user  record  is  going  to  be  deleted  or  anonymised? Remember,  you cannot  store  user  records  infinitely.  It is not  sufficient  that  you  promise  to delete user records on request. Instead, consider defining an explicit period.


Personal  data  is  deleted on  request  of  the  user  or  if  the  user  hasn't  used  the Service for 18 months

Data Protection Code of Conduct

Your  personal  data  will  be  protected  according  to  the Code  of  Conduct  for Service  Providers,  a  common standard  for  the  research  and  higher  education sector to protect your privacy


  • No labels