Personal Data Processing

(Privacy Notice pursuant to Articles 13 and 14 of EU Regulation 679/2016 - henceforth GDPR)

Definitions

Titleholder: Legal or Physical Person who determines the ways and means of the processing of personal data of a specific Organization to which Users belong;
Processing Manager: a Legal or Physical Person who processes data on behalf of the Controller within the limits of what has been agreed with it, The Manager carries out the Controller's instructions and accepts its controls, in particular on the effective adoption of adequate personal data protection measures (coincides with the Legal Person managing the "Resource");
Identity Provider: computer system that provides the federated authentication service for Users of a specific Organization;
Resource: third-party or Owner's services at which the User of the federated authentication service intends to access;
Identity Federation;: A group of Federated Authentication Service Providers and Resource Access Service Providers that agree to interoperate according to a common set of rules;
User: a natural person who uses the service;
Involved: natural person whose personal data are processed by the Data Controller and any third parties (coincides with the User);

Name of Service	Identity Provider (IdP)
Service Description	The Federated Authentication Service allows Istituto Nazionale di Geofisica e Vulcanologia users to access Federated Resources using their institutional credentials. Resources can be provided through the Italian Identity Federation of Universities and Research Institutions (IDEM), or directly. The Federated Authentication Service is responsible for authenticating the user and issuing an authentication token and, if required, a minimum set of personal data for access to the Resource.
Treatment Holder	Name: Istituto Nazionale di Geofisica e Vulcanologia Email: aoo.roma@pec.ingv.it Address: via di Vigna Murata 605 00143 Roma (Italy) Istituto Nazionale di Geofisica e Vulcanologia is owner of the processing of personal data managed through the Service.
Data Protection Officer (GDPR Section 4) (if applicable)	DPO contact person: dpo@ingv.it and aoo.roma@pec.ingv.it
Jurisdiction and supervisory authority	IT-IT Garante per la Protezione dei Dati Personali - https://www.garanteprivacy.it
Categories of direct and indirect personal data processed and legal basis for processing	one or more unique identifiers; recognition credential; first and last name; email address; role in the organization; membership in working groups; specific rights to resources; name of afferent organization; IdP service log records: user ID, date and time of use, Resource requested, attributes transmitted; Log record of the services required for the operation of the IdP service. The personal data collected are stored in Italy in accordance with the GDPR. Their processing è aimed at providing the authentication service. The legal bases for data processing are the provision of the authentication service (fulfillment of contractual obligations) and the legitimate interest of the owner.
Finalities of the processing of personal data	. To provide the federated authentication service in order to access the Resources requested by the data subject. To verify and monitor the smooth operation of the service and ensure its security (legitimate interest). Fulfilling any legal obligations or requests from the Judicial Authority.
Third parties to whom data is disclosed	The Data Controller, in order to properly deliver the service, communicates to the providers of the Resources to which the User intends to access proof of authentication and only the personal data (attributes) requested, in full compliance with the principle of minimization. Personal data are transmitted only at the time when the data subject requests access to the third party's Resource. For purposes related to the legitimate interest of the Owner or the fulfillment of legal obligations some log data may be processed by third parties (e.g. CERT, CSIRT, Judicial Authority).
Exercise of data subjects' rights	Contact the data controller at the contact details above to request access to and rectification or erasure of personal data or restriction of processing concerning him or her or to object to its processing, or to exercise the right to data portability (Articles 15 to 22 of the GDPR).
Revocation of the data subject's consent	The only data that are collected with the consent of the data subject are preferences on the display of attributes transmitted to Resources. Preferences are collected at the time of first access to the Resource and can be changed later by starting the access procedure again.
Portability of Data	The interested party may request portability of its data related to the federated authentication service, including preferences on the display of attributes transmitted to Resources, which will be provided in an open format and in accordance with Art. 20 of the GDPR. The data portability service is free of charge.
Duration of Data Retention	All personal data collected for the purpose of providing the federated authentication service shall be retained for as long as it is necessary to provide the service. Three (3) months after deactivation, all personal data collected or generated from the use of the service shall be deleted.