MyAccessID Privacy Notice
Version: 1.0.1
Effective Date: November 12th, 2021
Note | ||
---|---|---|
| ||
The MyAccessID Service has completed the pilot phase and is in Early Access mode. Currently it is available to selected users who are testing the platform capabilities before the launch of the service in production. |
MyAccessID Privacy Notice
DRAFT
Name of the Service | MyAccessID | ||||||||||||||||||||||||
Description of the Service | The MyAccessID Service enables users to securely access Connected Services and share electronic resources using federated identities from eduGAIN and trusted Identity Providers. Leveraging the ubiquitous presence of eduGAIN federated identities, the MyAccessID Service enables users to securely authenticate and identify themselves by using federated identities assigned by the organisation they are affiliated with. As research is not confined only in the research institutes and universities, the MyAccessID Service caters also for users coming from the industry or citizen scientists who may not have access to an institutional account It does so by supporting external (non-eduGAIN) identity providers, such as social networks providing federated identities, community identity providers and other platforms that can provide federated users identities. Creating a user profile on the MyAccessID Service is voluntary. This privacy notice describes how we process the personal data of you – data subject – when you use the MyAccessID Service. | ||||||||||||||||||||||||
Data controller and a contact person | GÉANT VERENIGING (Association) – registered with the Chamber of Commerce in Amsterdam with registration number 40535155 with its registered address at Hoekenrode 3, 1102 BR, Amsterdam, The Netherlands (hereinafter referred to as: “we” or “GÉANT”) is the data controller. For any inquiries regarding MyAccessID, you can contact the [Support Helpdesk] | ||||||||||||||||||||||||
Data controller’s data protection officer (if applicable) | GÉANT has appointed Data Protection Officer, who can be contacted at: gdpr@geant.org | ||||||||||||||||||||||||
Jurisdiction and supervisory authority | NL, The Netherlands | ||||||||||||||||||||||||
Personal data processed and the legal basis | As part of creating a user profile on the MyAccessID Service, we may request from your home institution or another identity provider of your choice the following data:
The information that we may process when you create a user profile on the MyAccessID Service includes:
All of the information above is provided by you or by the Identity Provider upon your choice. The actual data collected by the Connected Services you access through the MyAccessID Service may differ. You can consult this at any time by visiting the [User Profile Page]. Additionally, during your activity on the MyAccessID Service we keep a technical log consisting of the following data:
| ||||||||||||||||||||||||
Purpose of the processing of personal data | The MyAccessID service processes your personal data to identify, authenticate and authorize your access to Connected Services. Technical log files produced by the MyAcademicID MyAccessID service components will be used only for administrative, operational, accounting, monitoring and security purposes, as well as for compliance purposes. | ||||||||||||||||||||||||
Legal basis for processing | The legal basis for processing your personal data is based on the consent you have provided when you registered on the MyAccessID service. You may withdraw your consent to the processing of your personal data by deactivating your account in the MyAccessID service at any time by sending an email to the [Support Helpdesk]. Withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal. | ||||||||||||||||||||||||
Recipients | The MyAccessID Service may reveal your personal data to the Connected Services you choose to access. By creating a user profile on MyAccessID, you agree that the recorded information may be disclosed to other authorized participants of MyAccessID or the Connected Services, only for the same purposes and only as far as necessary to provide the services. Data release will be done via secured mechanisms and according to the sections 2.f and 2.l of the Data Protection Code of Conduct [Code of Conduct]. The current listing of Connected Services to the MyAccessID Service, which are enabled to receive personal data, is available at the [Connected Services]. Statistical data may be gathered from the technical logs. This data is anonymized and does not contain any personal data. Statistical data may be made publicly available by the MyAccessID Service. | ||||||||||||||||||||||||
Data storage | All data processed by the MyAccessID service is stored within the EU/EEA. The MyAccessID service is operated under the jurisdiction of the Data Controller. Connected services that you choose to access may receive your personal data – those may be based in the EU/EEA, or in countries with less adequate data protection provisions, in which case you will be informed before being allowed to access those services. | ||||||||||||||||||||||||
Data retention | Your personal data associated with your account is kept as long as you are active on the MyAccessID service and can be deactivated on request - in case that you have not logged in to MyAccessID Service for 12 consecutive months your account will be deactivated. The technical logs and related information are kept independently in order to guarantee the security of the infrastructure and its optimization and will be retained no longer than 18 months. | ||||||||||||||||||||||||
Security | GÉANT takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction. In particular: access to technical log data is restricted and can only be accessed in a secure way by the MyAccessID service staff. When accessing MyaccessID we will have adequate security controls in place to keep your personal data safe in accordance with the classification of the personal data we have collected from you. Although we endeavour to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:
| ||||||||||||||||||||||||
Your rights | To access your data, go to the [User profile Page]. You may access and rectify your personal data or deactivate your account by sending an email to the [Support Helpdesk]. If you have any additional questions connected with your data protection rights contact the [Support Helpdesk] To access, rectify the data released by your Home Organisation (e.g. your university or research institute), contact your Home Organisation's IT helpdesk. You may object to the processing of your personal data by deactivating your account in the MyAccessID service at any time by sending an email to the [Support Helpdesk]. Moreover, you have the right to file a complaint to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens], Postbus 93374 2509 AJ DEN HAAG, Telephone number: (+31) - (0)70 - 888 85 00. | ||||||||||||||||||||||||
Data Protection Code of Conduct | Your personal data will be protected according to the Code of Conduct for Service Providers [Code of Conduct], a common standard for the research and higher education sector to protect your privacy. | ||||||||||||||||||||||||
References |
| ||||||||||||||||||||||||
Contact Information |
|
...