Assumptions

This Data protection Code of Conduct relies on the following principles

  • The Service Provider indicates in its SAML 2.0 metadata element that it believes that its Service is being operated in a manner that is consistent with the Code of Conduct for Service Providers
  • Reminding the Service Provider of a potential non-compliance issue is not expected to make the reminding party a joint data controller which shares legal responsibility with the Service Provider. 
  • The federation(s) provides a trusted SAML 2.0 metadata exchange service to the Identity and Service Providers.

Examples of SP non-compliance

There are various ways a Service Provider can violate the Code of Conduct for Service Providers. For instance,

  • request attributes which are not relevant for the service.
  • indicate wrong legal grounds (i.e. NECESSARY or CONSENT REQUIRED) for the requested attributes.
  • omit publishing a privacy policy or publish an insufficient privacy policy.
  • omit installing security patches.
  • etc.

Possible actions in case of doubts of SP compliance

If anyone (such as an end user, Home Organisation or a Federation Operator) has doubts that a Service Provider is not complying with the Code of Conduct to which it has committed, the following alternative, mutually non-exclusive actions are suggested:

  • Contact the Service Provider directly (with a cc to the Service Provider's Home Federation), describe the suspected problem, and ask the SP to check if it has a compliance problem.
  • Contact the Service Provider's Home Federation, and ask it to contact the Service Provider and ask the Service Provider to check if it has a compliance problem.
    • Depending on the Home Federation's policy, there may be also additional measures available for the the Home Federation for handling non-compliance.
  • Determine the location of the legal entity operating the Service Provider, and lodge a complaint with the competent Data Protection Authority, as defined in Article 28 of the Data protection directive.
  • No labels