Name of the

Service

GÉANT AAI

Description of the Service

The GÉANT AAI  Service  enables users to access GÉANT Services using federated identities provided by their organisations or other identity providers.

This privacy notice describes how we process the personal data of you – data subject – when you use the Service.

Data controller and a contact person

GÉANT VERENIGING (Association) – registered with the Chamber of Commerce in Amsterdam with registration number 40535155 with its registered address at Hoekenrode 3, 1102 BR, Amsterdam, The Netherlands (hereinafter referred to as: “we” or “GÉANT”) is the data controller.

GÉANT has appointed Data Protection Officer, who can be contacted at: gdpr@geant.org

Additionally, you can contact the Support Helpdesk

Jurisdiction and supervisory authority

NL, The Netherlands

Personal data processed

As part of use the Service,  we may request from your home institution or another identity provider of your choice the following data:

• Identifiers
• Levels of Assurance
• Given Name
• Middle Name
• Family Name
• Emails
• Affiliations
• Organization

All of the information above is provided by you or by the Identity Provider of your choice. The actual data collected by the Connected Services you access through the Service may differ.

Additionally, during your activity on the Service we keep technical log consisting of the following data:

• Your actions on Service along with timestamps
• Connected services that you accessed through the Service
• Your IP address
• The Identity Provider you used

Purpose of the processing of personal data

The Service processes your personal data to identify, authenticate and authorize your access to Connected Services.

Technical log files produced by the Service components will be used only for administrative, operational, accounting, monitoring and security purposes.

Legal basis for processing

The legal basis for processing your personal data is the GÉANT legitimate interest in providing to the users a technical solution that enables them to access the Connected Services and which is not overridden by the interests or fundamental rights and freedoms of the user (data subject).

Recipients

The Service may reveal your personal data to the Connected Services you choose to access. By using the Service, you agree that the recorded information may be disclosed to other authorized participants of Service or the Connected Services, only for the same purposes and only as far as necessary to provide the services.

Data release will be done via secured mechanisms and according to the sections 2.f and 2.l of the Data Protection Code of Conduct.

The current listing of Connected Services to the Service, which are enabled to receive personal data, is available at the Connected Services. 

Statistical data may be gathered from the technical logs. This data is anonymized and does not contain any personal data. Statistical data may be made publicly available by the Service.

Data storage

All data processed by the Service is stored within the EU/EEA.

The Service is operated under the jurisdiction of the Data Controller

Connected services that you choose to access may receive your personal data – those may be based in the EU/EEA, or in countries with less adequate data protection provisions, in which case you will be informed before being allowed to access those services.

Data retention

Your personal data associated with your account is kept as long as you are active on the Service and can be deactivated on request - in case that you have not logged in to Service for 12 consecutive months your account will be deactivated.

The technical logs and related information are kept independently in order to guarantee the security of the infrastructure and its optimization and will be retained no longer than 18 months.

Security

GÉANT takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction. 

In particular: access to technical log data is restricted and can only be accessed in a secure way by the Service staff.

When accessing the Service we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you.

Although we endeavour to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:

• There are security and privacy limitations on the internet which are beyond our control and which can have a negative impact on the confidentiality, integrity and availability of the information.
• We cannot be held accountable for activity that results from your own neglect to safeguard the security of your log on credentials and equipment which results in a loss of your personal data. If you feel this is not enough, then please do not provide any personal data.

Your rights

You may access and rectify your personal data or deactivate your account by sending an email to the Support Helpdesk. 

If you have any additional questions connected with your data protection rights contact the Support Helpdesk.

To access, rectify the data released by your Home Organisation (e.g. your university or research institute), contact your Home Organisation's IT helpdesk. You may object to processing of your personal data by deactivating your account in the Service at any time by sending an email to the Support Helpdesk.

Moreover, you have the right to file a complaint to the Dutch Data Protection Authority Autoriteit Persoonsgegevens

Data Protection Code of Conduct

Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.

References

Contact  Information