Personal Data Processing


(Privacy Notice pursuant to Articles 13 and 14 of EU Regulation 679/2016 - henceforth GDPR)

Definitions

Name of Service: Identity Provider (IdP)
Service Description: The Federated Authentication Service allows Istituto Nazionale di Geofisica e Vulcanologia users to access Federated Resources using their institutional credentials.
Resources can be provided through the Italian Identity Federation of Universities and Research Institutions (IDEM), or directly.
The Federated Authentication Service is responsible for authenticating the user and issuing an authentication token and, if required, a minimum set of personal data for access to the Resource.
Data Controller
Name: Istituto Nazionale di Geofisica e Vulcanologia
Email: aoo.roma@pec.ingv.it
Address: via di Vigna Murata 605 00143 Roma (Italy)

Istituto Nazionale di Geofisica e Vulcanologia is the controller of the personal data processed through the Service.
Data Protection Officer (GDPR Section 4) (if applicable)
DPO contact person: dpo@ingv.it and aoo.roma@pec.ingv.it
Jurisdiction and supervisory authority: IT-IT
Garante per la Protezione dei Dati Personali - https://www.garanteprivacy.it
Categories of direct and indirect personal data processed and legal basis for processing
  1. one or more unique identifiers;
  2. recognition credential;
  3. first and last name;
  4. email address;
  5. role in the organization;
  6. membership in working groups;
  7. specific rights to resources;
  8. name of the organization of affiliation;
  9. IdP service log records: user ID, date and time of use, Resource requested, attributes transmitted;
  10. log records of the services required for the operation of the IdP service.

The personal data collected are stored in Italy in accordance with the GDPR. Their processing is aimed at providing the authentication service. The legal bases for data processing are the provision of the authentication service (fulfillment of contractual obligations) and the legitimate interest of the Data Controller.

Purposes of the processing of personal data: To provide the federated authentication service in order to access the Resources requested by the data subject. To verify and monitor the smooth operation of the service and ensure its security (legitimate interest). To fulfill any legal obligations or requests from the Judicial Authority.
Third parties to whom data is disclosed: In order to properly deliver the service, the Data Controller sends the providers of the Resources that the User intends to access proof of authentication and only the personal data (attributes) requested, in full compliance with the principle of minimization. Personal data are transmitted only at the time when the data subject requests access to the third party's Resource. For purposes related to the legitimate interest of the Data Controller or the fulfillment of legal obligations, some log data may be processed by third parties (e.g. CERT, CSIRT, Judicial Authority).
Exercise of data subjects' rights: Data subjects may contact the Data Controller at the contact details above to request access to and rectification or erasure of their personal data, to request restriction of its processing or object to its processing, or to exercise the right to data portability (Articles 15 to 22 of the GDPR).
Revocation of the data subject's consent: The only data that are collected with the consent of the data subject are preferences on the display of attributes transmitted to Resources. Preferences are collected at the time of first access to the Resource and can be changed later by starting the access procedure again.
Portability of Data: The interested party may request portability of its data related to the federated authentication service, including preferences on the display of attributes transmitted to Resources, which will be provided in an open format and in accordance with Art. 20 of the GDPR. The data portability service is free of charge.
Duration of Data Retention: All personal data collected for the purpose of providing the federated authentication service shall be retained for as long as it is necessary to provide the service. Three (3) months after deactivation, all personal data collected or generated from the use of the service shall be deleted.