Privacy Policy

Identity Provider

Federated Authentication Service offered by the User's Home Organization.

• Name: ISS - Istituto Superiore di Sanità
• Email: idem-help@iss.it
• Address: Viale Regina Elena, 299 - 00161 ROMA, IT

ISS - Istituto Superiore di Sanità is the owner of Personal Data processing provided by the service, following art.26 of GDPR.

Jurisdiction and

control authority

IT-IT

Personal Data Protection Authority
http://www.garanteprivacy.it

Processed Personal Data and Legal basis for the processing

1. Some of all of the following personal data
   1. one or more unique identifiers
   2. Identification credentials;
   3. Surname and Name;
   4. email address;
   5. role in the Organization;
   6. membership in working groups;
   7. specific rights on resources;
   8. Organization Name;
2. User personal data directly collected during normal service operation:
   1. Preferences about consensus on using resources over the internet;
   2. IdP service log records: user identifier, date and time of usage, requested service, attributes sent to the service;
   3. Log records of the services necessary for IdP service operation.

Collected personal data are gathered and stored in Italy according to GDPR regulation. Their processment is necessary to provide the service.

Goal of the personal data processing

Provide Identity Management as a Service and Identity Provider as a Service and Identity Provider as a Service with the goal of authenticating interested user in order to enable access to network services requested by the interested user

Personal data (attributes) are transferred to third parties (Resources) upon request of the interested user with the goal of accessing the required service

Logging data contain user personal data that are being collected with the goal to verify the operation of the service and to ensure its safety.

Third parties to which data are transferred

The ISS - National Health Institute decides which third parties to release personal data of interested users respecting the principle of minimization. Personal data are transferred only when interested users request access to third party's resource and with the goal of getting the service by the third party itself.

How to access to, correct, delete personal data and oppose to their processing .

Contact the above mentioned Data Processors

How to revoke user consent

The only collected data with user consent are preferences about the transmission of attributes to third parties. Data are gathered online at the time of first access to resources, and can be deleted, with the outcome of eliminating consent to their transmission, starting over the login procedure and checking the "Clean the consent to release information to this service, previously provided" box.

Data portability

The interested user can request data portability related to digital identities, including credentials and consent information. These will be provided in an open format and accordin to Art. 20 of GDPR. Portability service is free of charge at cessation of service.

Duration of Data Custodial

All personal data of the interested user (attributes) are kept for the whole duration of the request of the service to the user.

After 3 months from deactivation, all data of the interested user will be deleted.