|Identity Provider (IdP)
|The federated authentication service allows users from University of Enna Kore to access federated resources using their institutional credentials.
The resources can be provided through the Italian Federation of Identity of Universities and Research Bodies (IDEM), or directly.
The Federated Authentication Service is responsible for authenticating the user and issuing an authentication token and, if required, a minimum set of personal data for access to the resource.
|Name: UNIVERSITY OF ENNA KORE
Address: Cittadella Universitaria- 94100 Enna (EN)
UNIVERSITY OF ENNA KORE is the owner of the processing of personal data managed through the service.
|Data Protection Officer (GDPR Section 4) (if applicable)
|Jurisdiction and supervisory authority
Guarantee for the Protection of Personal Data
|Direct and indirect personal data categories processed and legal bases of processing
|1. one or more unique identifiers;
2. recognition credential;
3. name and surname;
4. e-mail address;
5. role in the organization;
6. membership in working groups;
7. specific rights on resources;
8. name of the organization of affiliation;
9. Log record of the IdP service: user identifier, date and time of use, requested resource, transmitted attributes;
10. Log records of the services necessary for the functioning of the IdP service.The personal data collected are stored in Italy in accordance with the GDPR. Their processing is aimed at providing authentication service. The legal bases for the processing of data are the provision of the authentication service (fulfillment of contractual obligations) and the legitimate interest of the owner.
|Purpose of the processing of personal data
|Provide the federated authentication service in order to access the resources requested by the interested party.
Verify and monitor the proper functioning of the service and guarantee its security (legitimate interest).
Fulfill any legal obligations or requests from judicial authorities.
|Third parties to which the data is communicated
|The Data Controller, in order to provide the service correctly, communicates to the suppliers of the resources the user intends to access, the proof of authentication and only the personal data (attributes) required, in full compliance with the principle of minimization.
Personal data are transmitted only when the interested party requests access to the third party’s resources.
For purposes related to the legitimate interest of the Data Controller or the fulfillment of legal obligations, certain log data may be processed by third parties (eg. CERT, CSIRT, Judicial Authority).
|Exercise of rights of the interested parties
|Contact the data controller using the contact information indicated above to request access to personal data and their rectification or erasure or the restriction of processing that concern them or to object their processing, or to exercise the right to data portability (articles 15 to 22 of the GDPR).
|Withdrawal of consent of the interested party
|The only data that are collected with the consent of the interested party are the preferences when viewing the attributes transmitted to the Resources. The preferences are collected at the moment of the first access to the Resource and can be modified later on by starting the access procedure again.
|Portabilità dei Dati
|L’interessato può richiedere la portabilità dei propri dati relativi al servizio di autenticazione federata, comprese le preferenze sulla visualizzazione degli attributi trasmessi alle Risorse, che verranno forniti in formato aperto e ai sensi dell’Art. 20 del GDPR. Il servizio di portabilità dei dati è gratuito.
|The interested party may request the portability of their data relating to the federated authentication service, including the preferences when viewing the attributes transmitted to the Resources, which will be provided in an open format and pursuant to art. 20 of the GDPR. The data portability service is free.
|Duration of Data Retention
|All personal data collected in order to provide the federated authentication service are kept for as long as it is necessary to provide the service.
Six months after deactivation, all personal data collected or generated while using the service are deleted.