This template intends to assist Service Providers in developing a Privacy Policy document that fulfills the requirements of the Data protection directive and the Code of Conduct. The second column suggests some phrases, and proposes some issues that should be to taken into account in italic.
The Privacy Policy must be at least in English. You can add another column to the template for a local translation of the text. Alternatively, the local translation can be a parallel page, and you can use the xml:lang
element to introduce parallel language versions of the Privacy Policy page as described in SAML 2 Profile for the Code of Conduct.
Name of the service | SWAMID Identity Provider Test Suite is combined of the following test Service Providers
|
---|---|
Description of the service | This is an test service for Identity Provider administrators to test that they follow the SWAMID Best Current Practice for Entity Category Attribute Release. |
Data controller and a contact person | Swedish Research Council SWAMID Operations Manager Pål Axelsson, pax@sunet.se |
Jurisdiction | SE Sweden |
Personal data processed | A. Following data is retrieved from your Home Organisation: - your unique user identifier (SAML persistent identifier) - your role in your Home Organisation (eduPersonAffiliation attribute) ... B. Following data is gathered from yourself: - your profile ... Please make sure the list A. matches the list of requested attributes in the Service Provider's SAML 2.0 metadata. |
Purpose of the processing of personal data | Don't forget to describe also the purpose of the log files, if they contain personal data (usually they do). |
Third parties to whom personal data is disclosed | Notice section 2.f: Third Parties of the Code of Conduct for Service Providers Are the 3rd parties outside EU/EEA or the countries whose data protection EC has decided to be adequate? If yes, notice also section 2.l |
How to access, rectify and delete the personal data | Contact the contact person above. To rectify the data released by your Home Organisation, contact your Home Organisation's IT helpdesk. |
Data retention | When the user record is going to be deleted or anonymised? Remember, you cannot store user records infinitely. It is not sufficient that you promise to delete user records on request. Instead, consider defining an explicit period. Personal data is deleted on request of the user or if the user hasn't used the service for two years. |
Data Protection Code of Conduct | Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy. |