This template intends to assist Service Provider Organisations in developing a Privacy Notice document that fulfills the requirements of the GDPR and the Code of Conduct. The template presents some examples (in italics) and proposes some issues that should be to taken into account.
The Privacy Notice must be provided at least in English. You can add another column to the template for a local translation of the text. Alternatively, the local translation can be a parallel page, and you can use the
xml:lang element to introduce parallel language versions of the Privacy Notice page as described in Code of Conduct 2.0 Entity Category.
Name of the Service
SHOULD be the same as
Description of the Service
SHOULD be the same as
WebLicht is a service for language research. It provides an execution environment for automatic annotation of text corpora.
Data controller and a contact person
Tübingen university, Institute for language research
Laboratory manager Bob Smith, firstname.lastname@example.org
Personal data processed and the legal basis for processing
A. Personal data retrieved from your Home Organisation:
- your unique user identifier (SAML persistent identifier) *
- your role in your Home Organisation (eduPersonAffiliation Attribute)*
- your name *
B. Personal data you have provided or may be generated as a result of your use of our service:
- logfiles on the service activity *
- your profile
* = the personal data is necessary for providing the Service that the End User has requested. Other personal data is processed because you have consented to it.
Please make sure the list A. matches the list of requested Attributes in the Service Provider's SAML 2.0 metadata.
Purpose of the processing of personal data
Don't forget to describe also the purpose of the log files, if they contain personal data (usually they do).
Your personal data is used
- to authorise your access to and use of the compute resources we provide;
- to properly account your use to relevant infrastructure funding bodies;
- to ensure the integrity and availability of our service
Third parties to whom personal data is disclosed
Notice Clause I and J of the Code of Conduct for Service Providers.
We may share your personal data with third parties (or otherwise allow them access to it) in the following cases:
(a) to satisfy any applicable law, regulation, legal process, subpoena or governmental request
(b) to enforce this Privacy Notice, including investigation of potential violations thereof;
Inform the user that his/her personal data may be displayed to other users of the service or to the public.
Your personal data may be accessible by others users and by the public (e.g. for a wiki, a text in the bottom of the page may state "This page was last edited by [first name] [last name] ...".)
Are the 3rd parties outside EU/EEA or the countries or international organisations whose data protection EC has decided to be adequate? If yes, add references to the appropriate or suitable safeguards.
In the case where a third party is located in a country whose data protection laws are not as comprehensive as those of the countries within the European Union we will take appropriate steps to ensure that transfers of your personal data are still protected in line with European standards.
You have a right to contact us for more information about the safeguards we have put in place to ensure the adequate protection of your personal data when this is transferred as mentioned above.
How to access, rectify and delete the personal data and object its processing.
Contact the contact person above.
To rectify the data released by your Home Organisation, contact your Home Organisation's IT helpdesk.
Withdrawal of consent
If personal data is processed based on user consent, how they can withdraw it?
Can the user request their data be ported to another Service? How?
When the user record is going to be deleted or anonymised? Remember, you cannot store user records infinitely. It is not sufficient that you promise to delete user records on request. Instead, consider defining an explicit period.
Personal data is deleted on request of the user or if the user hasn't used the Services for 18 months
Data controller’s data protection officer, if applicable
If the controller has a data protection officer (GDPR Section 4)
Chief Security Officer email@example.com
Jurisdiction and supervisory authority
The country in which the Service Provider Organisation is established and whose laws are applied.
SHOULD be an ISO 3166 code followed by the name of the country and its subdivision if necessary for qualifying the jurisdiction.
DE-BW Germany Baden-Württemberg
How to lodge a complaint to the competent Data protection authority:
Instructions to lodge a complaint are available at ...