Privacy Policy concerning Identity Provider Service (IdP)

Pursuant to art. 13 of the European General Data Protection Regulation 2016/679 (hereinafter “GDPR”) and to the current national regulations on data processing, we inform you, in your capacity as an interested party, that:

 

SUBJECTS OF THE TREATMENT

Data Controller is Sapienza University of Rome in the person of its legal representative, the Magnificent Rector, domiciled for office at the University, p. le Aldo Moro 5 - 00185 Rome.

Email: rettoresapienza@uniroma1.it

PEC: protocollosapienza@cert.uniroma1.it

 

Data Protection Officer (DPO):

Dr. Andrea Bonomolo - Director of Legal Affairs Area

Email: responsabileprotezionedati@uniroma1.it

PEC: rpd@cert.uniroma1.it

 

DESCRIPTION OF THE TREATMENT

The federated authentication service (Identity Provider) allows Sapienza users to access federated resources using their institutional credentials.

Resources can be provided through the Italian Federation of Identities of Universities and Research Bodies (IDEM), or directly.

The Federated Authentication Service is responsible for authenticating the user and issuing an authentication token and, if required, a minimum set of personal data for access to the Resource.

 

PURPOSE OF THE PROCESSING AND LEGAL BASIS

The data being processed, provided by the interested party at the time of registration and necessary for the use of the Identity Provider (IdP) service, is collected and used within the limits established by law and processed for institutional purposes.

It should be noted that the treatment is carried out in compliance with the general principles of lawfulness, correctness, transparency, adequacy, relevance, necessity and non-excess referred to in art. 5 of the GDPR and that the data will be processed exclusively, also with the aid of electronic systems, for the following purposes:

 

  • Provide the federated authentication service in order to access the resources requested by the interested party.
  • Check and monitor the proper functioning of the service and ensure its security (legitimate interest).
  • Fulfill any legal obligations or requests from the judicial authority.

 

The legal bases for data processing are the fulfillment of contractual obligations (provision of the authentication service) and the legitimate interest of the owner.

 

INTERESTED PARTIES AND CATEGORIES OF DATA

The subjects interested in Identity Provider data processing are:

  • Teaching staff
  • Technical-administrative staff
  • Students

The provision of personal data is to be considered mandatory for the use of the service.  

The personal data required and necessary to access the service are as follows:

  1. one or more unique identifiers;
  2. recognition credential;
  3. name and surname;
  4. email address;
  5. role in the organization;
  6. belonging to working groups;
  7. specific rights to resources;
  8. name of the organization concerned.

Personal data collected directly from the subject during normal use of the service are as follows:

  • Consent related preferences on the use of Network Resources;
  • IDP service log record: user identification, date and time of use of the requested service, attributes transmitted to the service;
  • Log record of the secondary services accessed for the operation of the service (http, ldap, ...).

The only data collected with the consent of the interested party are the preferences regarding the transmission of the attributes to third parties. They are collected online at the time of the first access to the resource and can be revoked/deleted during the login procedure, with the result of withdrawing the consent to their transmission.

 

CATEGORIES OF DATA RECIPIENTS AND POSSIBLE TRANSFER OF DATA

Access to the data collected for the aforementioned purposes is allowed to the Data Controller and to subjects of the University delegated by him, such as the System Administrators appointed to the treatment, or to external subjects (service providers) acting as Data Processors, duly appointed as per art. 28 of the GDPR, for the assistance, support and maintenance activities necessary for the regular operation of the platform or for the management of additional functions.

Except for the above cases, the data will not be disclosed in any way unless to comply with legal obligations or respond to legal and judicial requests.

The collected data are stored in Italy and will not be transferred to other countries.

 

THIRD PARTIES TO WHOM THE DATA ARE DISCLOSED

In order to correctly provide the service, the Data Controller provides the suppliers of the Resources that the User intends to access with proof of authentication and only the personal data (attributes) requested, in full compliance with the principle of minimization.

Personal data are transmitted only when the interested party requests access to the third party's resource.

Except for the above cases, the data will not be disclosed to third parties unless to comply with legal obligations or respond to legal and judicial requests.

The collected data are stored in Italy and will not be transferred to other countries.

 

DATA RETENTION PERIOD

All personal data collected in order to provide the federated authentication service will be kept for as long as is necessary to provide the service itself and in any case no longer than needed to achieve the purposes, with specific regard to the principle of limitation of conservation.

After 18 months from the deactivation of the account, if a reactivation has not been requested, all personal data collected or generated by the use of the service will be deleted.

Log data is kept for 6 months from collection, after which it is removed.

The personal data are collected and stored in Italy in accordance with the GDPR. Their treatment is necessary to provide the service.

 

PORTABILITY OF DATA

The interested party can request the portability of their data relating to the federated authentication service, including preferences regarding the transmission of the attributes to third parties, which will be provided in open format and pursuant to Art. 20 of the GDPR. The portability service is free of charge upon termination of the service.

 

RIGHTS OF THE INTERESTED PARTY

Pursuant to articles 15-21 of EU Regulation 679/2016 and current legislation, the interested party has the right to ask the data controller for access to personal data and their rectification or cancellation, limitation of the processing that concerns them, opposition to their treatment, and data portability.

In particular, he can:

  1. Know the existence of data processing that may concern him;
    Obtain confirmation of the existence or not of personal data concerning him, even if not yet registered, and the communication in intelligible form of the same data and their origin, as well as the logic and purposes on which the treatment is based;
  2. Obtain the cancellation of his data, except for those contained in deeds which must be kept by Sapienza and unless there is a legitimate reason prevailing in relation to the purposes for which the data were collected or subsequently processed;
  3. Obtain the update, correction or, if interested, integration of data;
  4. Object, in whole or in part, for legitimate reasons, to the processing of his personal data, without prejudice to the provisions regarding the necessity and mandatory nature of the processing for the purposes of establishing the relationship;
  5. Freely transfer his personal data to other service providers;
  6. Submit a complaint to the supervisory authority ( www.garanteprivacy.it ).

 

The interested party may exercise all the above rights by sending an e-mail communication to the Data Controller or Data Protection Manager stated above.

 
