Assumptions
This Data protection Code of Conduct relies on the following principles
- The Service Provider indicates in its SAML 2.0 metadata element that it believes that its Service is being operated in a manner that is consistent with the Code of Conduct for Service Providers.
- Reminding the Service Provider of a potential non-compliance issue is not expected to make the reminding party a joint data controller which shares legal responsibility with the Service Provider.
- The federation(s) provides a trusted SAML 2.0 metadata exchange service to the Identity and Service Providers.
Examples of SP non-compliance
There are various ways a Service Provider can violate the Code of Conduct for Service Providers. For instance,
- request attributes which are not relevant for the service.
- indicate wrong legal grounds (i.e. NECESSARY or CONSENT REQUIRED) for the requested attributes.
- omit publishing a privacy policy or publish an insufficient privacy policy.
- omit installing security patches.
- etc.
Possible actions in case of doubts of SP compliance
If anyone (such as an end user, Home Organisation or a Federation Operator) has doubts that a Service Provider is not complying with the Code of Conduct to which it has committed, the following alternative, mutually non-exclusive actions are suggested:
- Contact the Service Provider directly (with a cc to the Service Provider's Home Federation), describe the suspected problem, and ask the SP to check if it has a compliance problem.
- Contact the Service Provider's Home Federation, and ask it to contact the Service Provider and ask the Service Provider to check if it has a compliance problem.
- Depending on the Home Federation's policy, there may be also additional measures available for the the Home Federation for handling non-compliance.
- Determine the location of the legal entity operating the Service Provider, and lodge a complaint with the competent Data Protection Authority, as defined in Article 28 of the Data protection directive.