Processing of personal data

(Privacy notice pursuant to articles 13 and 14 of the EU Regulation 679/29016 hereinafter GDPR;



  • Controller: Physical or legal person  that determines the ways and means of the processing of the personal data of a specific organization to which users belong;
  • Processor:  physical or legal person that processes data on behalf of the Controller within the limits agreed, the Processor  carries out the instructions of the Controller and accepts their checks, in particular  in relation to the adoption of adequate measures for the protection of personal data (coincides with the legal person who manages the “Resource”);
  • Identity Provider: a computer system that provides federated authentication services for users from specific organizations;
  • Resources: third party services or of the owner with which the user of federated authentication service intends to access;
  • Identity Federation: a group of entities providing federated authentication and services and bodies providing access services to resources that decide to interoperate according to a set of common rules.
  • User: the person who uses the service;
  • Interested Party: the person whose personal data are being processed by the data controller and any third parties (coincides with the user);
Service Name Identity Provider (IdP)
Service Description The federated authentication service allows users from University of Enna Kore to access federated resources using their institutional credentials.

The resources can be provided through the Italian Federation of Identity of Universities and Research Bodies (IDEM), or directly.

The Federated Authentication Service is responsible for authenticating the user and issuing an authentication token and, if required, a minimum set of personal data for access to the resource.



Address: Cittadella Universitaria- 94100 Enna (EN)

UNIVERSITY OF ENNA KORE is the owner of the processing of personal data  managed through the service.

Data Protection Officer (GDPR Section 4) (if applicable)
Jurisdiction and supervisory authority IT-IT

Guarantee for the Protection of Personal Data

Direct and indirect personal data categories processed and legal bases of processing 1. one or more unique identifiers;
2. recognition credential;
3. name and surname;
4. e-mail address;
5. role in the organization;
6. membership in working groups;
7. specific rights on resources;
8. name of the organization of affiliation;
9. Log record of the IdP service: user identifier, date and time of use, requested resource, transmitted attributes;
10. Log records of the services necessary for the functioning of the IdP service.The personal data collected are stored in Italy in accordance with the GDPR. Their processing is aimed at providing authentication service. The legal bases for the processing of data are the provision of the authentication service (fulfillment of contractual obligations) and the legitimate interest of the owner.
Purpose of the processing of personal data Provide the federated authentication service in order to access the resources requested by the interested party.
Verify and monitor the proper functioning of the service and guarantee its security (legitimate interest).
Fulfill any legal obligations or requests from judicial authorities.
Third parties to which the data is communicated The Data Controller, in order to provide the service correctly, communicates to the suppliers of the resources the user intends to access, the proof of authentication and only the personal data (attributes) required, in full compliance with the principle of minimization.

Personal data are transmitted only when the interested party requests access to the third party’s resources.

For purposes related to the legitimate interest of the Data Controller or the fulfillment of legal obligations, certain log data may be processed by third parties (eg. CERT, CSIRT, Judicial Authority).

Exercise of rights of the interested parties Contact the data controller using the contact information indicated above to request access to personal data and their rectification or erasure or the restriction of processing that concern them or to object their processing, or to exercise the right to data portability (articles 15 to 22 of the GDPR).
Withdrawal of consent of the interested party The only data that are collected with the consent of the interested party are the preferences when viewing the attributes transmitted to the Resources. The preferences are collected at the moment of the first access to the Resource and can be modified later on by starting the access procedure again.
Portabilità dei Dati L’interessato può richiedere la portabilità dei propri dati relativi al servizio di autenticazione federata, comprese le preferenze sulla visualizzazione degli attributi trasmessi alle Risorse, che verranno forniti in formato aperto e ai sensi dell’Art. 20 del GDPR. Il servizio di portabilità dei dati è gratuito.
Data portability The interested party may request the portability of their data relating to the federated authentication service, including the preferences when viewing the attributes transmitted to the Resources, which will be provided in an open format and pursuant to art. 20 of the GDPR. The data portability service is free.
Duration of Data Retention All personal data collected in order to provide the federated authentication service are kept for as long as it is necessary to provide the service.
Six months after deactivation, all personal data collected or generated while using the service are deleted.