This template intends to assist Service Provider Organisations in developing a Privacy Notice document that fulfills the requirements of the GDPR and the Code of Conduct. The template presents some examples (in italics) and proposes some issues that should be to taken into account.

The Privacy Notice must be provided at least in English. You can add another column to the template for a local translation of the text. Alternatively, the local translation can be a parallel page, and you can use the xml:lang element to introduce parallel language versions of the Privacy Notice page as described in SAML2 Profile for the Code of Conduct.


Name of the Service

SHOULD be the same as mdui:DisplayName

WebLicht 

Description of the Service

 

SHOULD be the same as mdui:Description

 WebLicht is a service for language research. It provides an execution environment for automatic annotation of text corpora.

Data controller and a contact person

 

Tübingen university, Institute for language research 

Laboratory manager Bob Smith, bob.smith@example.org 

Personal data processed and the legal basis for processing

 

A. Personal data retrieved from your Home Organisation:

your unique user identifier (SAML persistent identifier) *

your role in your Home Organisation (eduPersonAffiliation  Attribute)*

your name *

B. Personal data you have provided or may be generated as a result of your use of our service:

logfiles on the service activity *

 your profile

 ... 

* = the personal data is necessary for providing the Service that the End User has requested. Other personal data is processed because you have consented to it.

Please make sure the list A. matches the list of requested Attributes in the Service Provider Organisation's SAML 2.0 metadata. 

Purpose of the processing of personal data

 

Don't forget to describe also the purpose of the log files, if they contain personal data (usually they do). 

Your personal data is used 

to authorise your access to and use of the compute resources we provide;

to properly account your use to relevant infrastructure funding bodies;

to ensure the integrity and availability of our service

Third parties to whom personal data is disclosed

 

Notice clause   j   of   the   Code   of   Conduct   for   Service   Provider Organisations.

We may share your personal data with third parties (or otherwise allow them access to it) in the following cases:

(a)   to   satisfy   any   applicable   law,   regulation,   legal   process, subpoena or governmental request

(b)   to   enforce   this   Privacy   Policy,   including investigation  of potential violations thereof;

Inform the user that his/her personal data may be displayed to other users of the service or to the public.

Your personal data may be accessible by others users and by the public (e.g. for a wiki, a text in the bottom of the page may state "This page  was last edited by [first name] [last name] ...".)

Are the 3rd parties outside EU/EEA or the countries or international organisations whose data protection EC has decided to be adequate? If yes, add references to the appropriate or suitable safeguards.

In the case where a third party is located in a country whose data protection laws are not as comprehensive as those of the countries within the European Union we will take appropriate steps to ensure that transfers of your personal data are still protected in line with European standards.

You have a right to contact us for more information about the safeguards we have put in place to ensure the adequate protection of your personal data when this is transferred as mentioned above.

How to access, rectify and delete the personal data and object its processing.

Contact the contact person above. 

To rectify the data released by your Home Organisation, contact your Home Organisation's IT helpdesk.

Withdrawal of consent

If  personal  data  is  processed  based  on  user consent, how  they can withdraw it?

Data portability

Can the user request their data be ported to another Service? How?

Data retention

When the user record is going to be deleted or anonymised? Remember, you cannot store user records infinitely. It is not sufficient that you promise to delete user records on request. Instead, consider defining an explicit period.

Personal data is deleted on request of the user or if the user hasn't  used the Services for 18 months 

Data Protection Code of Conduct 

Your personal data will be protected according to the GÉANT Data Protection Code of Conduct for Service Provider Organisations, a common standard for the research and higher education sector to protect your privacy.

Data controller’s data protection officer, if applicable

If the controller has a data protection officer (GDPR Section 4)

Chief Security Officer bill.smith@example.org

Jurisdiction and supervisory authority

The country in which the Service Provider Organisation is established and whose laws are applied.

 SHOULD be an ISO 3166 code followed by the name of the country and its subdivision if necessary for qualifying the jurisdiction.

 DE-BW Germany Baden-Württemberg

 How to lodge a complaint to the competent Data protection authority:

 Instructions to lodge a complaint are available at ...