Privacy Policy

Service Name

Identity Provider

Service Description

Federated Authentication Service offered by the User's Home Organization.

Data Processor

For the contractor:

  • Name: IRCCS CRO di Aviano
  • Email: croaviano@cro.it
  • Address: Via Franco Gallini, 2 - 33081 Aviano (PN)

Provider of the service:

  • Nome: Consortium GARR
  • Email: info@garr.it
  • Address: Via dei Tizii, 6 - 00185 ROMA, IT

Contractor and Consortium GARR are co-owners of Personal Data processing provided by the service, following art.26 of GDPR.


Contractor is responsible for the exploitation of the interested user rights and for the communication of the information related to articles 13 and 14 of GDPR.

Responsible for Data Protection(GDPR Section 4) (if applicabile) Not applicabile

Jurisdiction and

control authority

IT-IT

Personal Data Protection Authority
How to file a complaint with the data protection authority:
https://www.garanteprivacy.it/home/diritti/come-agire-per-tutelare-i-tuoi-dati-personali

Processed Personal Data and Legal basis for the processing

  1. Some of all of the following personal data from the user collected by the contractor
    1. one or more unique identifiers (uid, schacPersonalUniqueID, eduPersonOrcid, eduPersonTargetedID, SAML persistent identifier);
    2. Identification credentials (userPassword);
    3. Surname and Name (sn, givenName, cn, displayName);
    4. email address (mail);
    5. role in the Organization (eduPersonAffiliation,eduPersonEntitlement);
    6. Organization Name (schacHomeOrganization,schacHomeOrganizationType);
  2. User personal data directly collected during normal service operation:
    1. Preferences about consensus on using resources over the internet;
    2. IdP service log records: user identifier, date and time of usage, requested service, attributes sent to the service;
    3. Log record of other services (http, ldap, …).

Collected personal data are gathered and stored in Italy according to GDPR regulation. Their processment is necessary to provide the service.

Goal of the personal data processing

Provide Identity Management as a Service and Identity Provider as a Service and Identity Provider as a Service with the goal of authenticating interested user in order to enable access to network services requested by the interested user

Personal data (attributes) are transferred to third parties (Resources) upon request of the interested user with the goal of accessing the required service

Logging data contain user personal data that are being collected with the goal to verify the operation of the service and to ensure its safety.

Third parties to which data are transferred

Contractor decides which third parties to release personal data of interested users respecting the principle of minimization. Personal data are transferred only when interested users request access to third party's resource and with the goal of getting the service by the third party itself.

Such resources are:

  • All IDEM Federation resources;
  • Le Resources of the eduGAIN interfederation, compliant with the GDPR DP Code of Conduct;
  • eduGAIN resources compliant with Reserach and Scholarship;

Third parties outside EAA:

  • Resources compliant to Data Protection Code of Conduct;
  • Resources compliant with Research and Scholarship;

How to access to, correct, delete personal data and oppose to their processing .

Contact the above mentioned Data Processors

How to revoke user consent

The only collected data with user consent are preferences about the transmission of attributes to third parties. The preferences are collected at the time of the first access to the Resource and may be changed afterwards by starting over again the access procedure.

Data portability

Contractor can request data portability related to digital identities, including credentials and consent information. These will be provided in an open format and accordin to Art. 20 of GDPR. Portability service is free of charge at cessation of service.

Duration of Data Custodial

All personal data of the interested user (attributes) are kept for the whole duration of the request of the service to the user. If it is no longer necessary to provide the service, contract can disable users. Also the interested user can request cancellation of its user account. In the case of cancellation of intersted user account, data are kept for additional 18 months in order to evaluate if user has/can be enabled again (reactivated). After 18 months of user account disabling, if no request have arrived of reactivation, all interested user data are deleted.

Logs are kept for 1 month from collection time; after that, they are deleted