Child pages
  • Privacy policy guidelines for Service Providers
Skip to end of metadata
Go to start of metadata

A Privacy Policy document is used for informing the end users on processing of their personal data. This Code of Conduct builds on the EU data protection laws. See

Privacy Policy Template

This template intends to assist Service Providers in developing a Privacy Policy document that fulfills the requirements of the Data protection directive and the Code of Conduct. The second column suggests some phrases, and proposes some issues that should be to taken into account in italic.

The Privacy Policy must be at least in English. You can add another column to the template for a local translation of the text. Alternatively, the local translation can be a parallel page, and you can use the xml:lang element to introduce parallel language versions of the Privacy Policy page as described in SAML 2 Profile for the Code of Conduct.

Name of the serviceSHOULD be the same as mdui:DisplayName
WebLicht
Description of the serviceSHOULD be the same as mdui:Description
WebLicht is a service for language research. It provides an execution environment for automatic annotation of text corpora.
Data controller and a contact personTübingen university, Institute for language research
Laboratory manager Bob Smith, bob.smith@example.org
JurisdictionThe country in which the Service Provider is established and whose laws are applied.
SHOULD be an ISO 3166 code followed by the name of the country and its subdivision if necessary for qualifying the jurisdiction.

DE-BW Germany Baden-Württemberg
Personal data processedA. Following data is retrieved from your Home Organisation:
- your unique user identifier (SAML persistent identifier)
- your role in your Home Organisation (eduPersonAffiliation attribute)
...
B. Following data is gathered from yourself:
- your profile
...
Please make sure the list A. matches the list of requested attributes in the Service Provider's SAML 2.0 metadata.
Purpose of the processing of personal dataDon't forget to describe also the purpose of the log files, if they contain personal data (usually they do).
Third parties to whom personal data is disclosedNotice section 2.f: Third Parties of the Code of Conduct for Service Providers
Are the 3rd parties outside EU/EEA or the countries whose data protection EC has decided to be adequate? If yes, notice also section 2.l
How to access, rectify and delete the personal dataContact the contact person above.
To rectify the data released by your Home Organisation, contact your Home Organisation's IT helpdesk.
Data retentionWhen the user record is going to be deleted or anonymised? Remember, you cannot store user records infinitely. It is not sufficient that you promise to delete user records on request. Instead, consider defining an explicit period.
Personal data is deleted on request of the user or if the user hasn't used the service for two years.
Data Protection Code of ConductYour personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.

 

Links to Member States' Data protection authorities' privacy policy quidelines

  • No labels

3 Comments

  1. Both the Finnish and English guidelines are dead/not working...

    1. Corrected the links.

  2. The privacy policy template includes the phrase that the "Following data is retrieved from your Home Organisation..." The phrase indicates that this and only this data is pulled from the IdP. However, in typical SAML 2 operation where the IdP appends an AttributeStatement to the AuthenticationStatement, the IdP pushes data to the SP. And even though the SP must include the RequestAttribute elements in metadata, and one can configure an IdP to automatically use this information, it is the IdP which makes the ultimate decision about what data is sent to the SP.

    Can the phrase be changed to "The following data is requested from your Home Organisation"?