Processing of personal data IDEM-GARR service

Service and purpose

(Privacy information pursuant to articles 13 and 14 of EU Regulation 679/2016 - hereinafter GDPR)

Service Name 

Identity Provider (IdP) of the Università di Napoli L'Orientale

Purpose of the processing of personal data

Provide the federated authentication service in order to access the Resources requested by the interested party. Verify and monitor the proper functioning of the service and guarantee its security (legitimate interest). Fulfill any legal obligations or requests from the judicial authorities.

  • Data Controller: legal or natural person who determines the ways and means of processing personal data of a specific Organization to which the Users belong;
  • Data Processor: legal or natural person who processes the data on behalf of the Data Controller within the limits of what has been agreed with it. The Data Processor carries out the instructions of the Data Controller and accepts its controls, in particular on the effective adoption of adequate personal data protection measures (coincides with the legal entity that manages the "Resource");
  • Identity Provider: IT system that provides the federated authentication service for Users of a specific Organization;
  • Resources: third-party or Data Controller services that the User of the federated authentication service intends to access;
  • Identity Federation: a group of entities providing federated authentication services and bodies providing access services to resources that decide to interoperate according to a set of common rules;
  • User: natural person who uses the service;
  • Interested party: natural person whose personal data are processed by the Data Controller and any third parties (coincides with the User).

Description of service

The federated authentication service allows users of the University of Naples L'Orientale to access federated resources using their institutional credentials. The Resources can be provided through the Italian Identity Federation of Universities and Research Institutions (IDEM), or directly. The federated authentication service is responsible for authenticating the user and issuing an authentication token and, if requested, a minimum set of personal data for access to the Resource.

Data Controller

Name: Università di Napoli L'Orientale

PEC: ateneo@pec.unior.it

Address: Via Chiatamone 61/62 - 80121 Naples 

The Università di Napoli L'Orientale is the data controller of the personal data managed through the Service.

Data Protection Officer (GDPR Section 4): Dr. Antonio Sinno

Jurisdiction and supervisory authority: IT-IT, Guarantor for the Protection of Personal Data, https://www.garanteprivacy.it

1. one or more unique identifiers;

2. recognition credential;

3. name and surname;

4. email address;

5. role in the organization;

6. membership of working groups;

7. specific rights to resources;

8. name of the relevant organisation;

9. IdP service log records: user identifier, date and time of use, requested resource, transmitted attributes;

10. log records of the services necessary for the operation of the IdP service.

The personal data collected are stored in Italy in accordance with the GDPR. Their processing is aimed at providing the authentication service. The legal bases for data processing are the provision of the authentication service (fulfillment of contractual obligations) and the legitimate interest of the Data Controller.

Rights of interested parties

Third parties to whom data is communicated

In order to correctly provide the service, the Data Controller communicates proof of authentication, and only the personal data (attributes) requested, to the suppliers of the Resources that the User intends to access, in full compliance with the principle of minimization.

Personal data is transmitted only when the interested party requests access to the third-party Resource.

For the purposes related to the legitimate interest of the Data Controller or the fulfillment of legal obligations, some log data may be processed by third parties (e.g. CERT, CSIRT, Judicial Authority).

Exercise of the rights of the interested parties

Contact the Data Controller at the contact details indicated above to request access to personal data, their rectification or erasure, or the limitation of the processing concerning the interested party; to oppose their processing; or to exercise the right to data portability (articles 15 to 22 of the GDPR).

Revocation of the interested party's consent

The only data collected with the interested party's consent are the preferences on the display of the attributes transmitted to the Resources. The preferences are collected when the Resource is accessed for the first time and can be modified later by starting the access procedure again.

Data Portability

The interested party can request the portability of their data relating to the federated authentication service, including the preferences on the display of the attributes transmitted to the Resources, which will be provided in open format and pursuant to Art. 20 of the GDPR. The data portability service is free of charge.

Duration of Data Retention

All personal data collected in order to provide the federated authentication service are retained for as long as it is necessary to provide the service itself.
After 6 months from deactivation, all personal data collected or generated by the use of the service are deleted.