...
- The Service Provider indicates in its SAML 2.0 metadata element that it believes that its Service is being operated in a manner that is consistent with the Code of Conduct for Service Providers.
- Reminding the Service Provider of a potential non-compliance issue is not expected to make the reminding party a joint data controller which shares legal responsibility with the Service Provider.
- The federation(s) provides a trusted SAML 2.0 metadata exchange service to the Identity and Service Providers.
...
There are various ways a Service Provider can violate the Code of Conduct for Service Providers. For instance, it can:
- request attributes which are not relevant for the service.
- indicate wrong legal grounds (i.e. NECESSARY or CONSENT REQUIRED) for the requested attributes.
- omit publishing a privacy policy or publish an insufficient privacy policy.
- omit installing security patches.
- etc.
...