Assumptions
This Data protection Code of Conduct relies on the following principles:
- The Service Provider has an Entity Category element in its SAML 2.0 metadata that indicates it has committed to and believes that its Service is being operated in a manner consistent with the Code of Conduct.
- The Service Provider informs the Home federation operator (Registrar) about any material changes that may influence their ability to commit to the Code of Conduct for Service Providers.
- Reminding the Service Provider of a potential non-compliance issue is not expected to make the reminding party a joint data controller which shares legal responsibility with the Service Provider.
- The federation(s) provides a trusted SAML 2.0 metadata exchange service to the Identity and Service Providers.
Examples of SP non-compliance
There are various ways a Service Provider can violate the Code of Conduct for Service Providers. For instance, it may:
- request attributes which are not relevant for the service.
- omit publishing a privacy notice or publish an insufficient privacy notice.
- omit installing security patches.
Possible actions in case of doubts of SP compliance
If anyone (such as an end user, Home Organisation or a Federation Operator) has doubts about whether a Service Provider is complying with the Code of Conduct to which it has committed, the following alternative, mutually non-exclusive actions are suggested:
- Contact the Service Provider directly (with a cc to the Service Provider's Home Federation), describe the suspected problem, and ask the SP to check if it has a compliance problem.
- Contact the Service Provider's Home Federation, and ask it to contact the Service Provider and ask the Service Provider to check if it has a compliance problem.
- The Home federation operator (Registrar) has the right to remove the Code of Conduct Entity Category element if the Service Provider can no longer demonstrate commitment to the Code of Conduct.
- Depending on the Home Federation's policy, there may also be additional measures available to the Home Federation for handling non-compliance.
- For version 2.0 of the Code of Conduct, raise an issue with the REFEDS Steering Committee.
- Lodge a complaint with the competent Data Protection Authority, as defined in the SP's Privacy Notice and Articles 55 and 56 of the GDPR.