Definitions
Controller
A legal or natural person who determines the purposes and means of the processing of personal data within a specific organization to which the Users belong.
Processor
A legal or natural person that processes personal data on behalf of the Controller within the limits agreed upon.
The Processor follows the Controller’s instructions and accepts its oversight, particularly regarding the adoption of adequate data protection measures. The Processor coincides with the legal entity managing the “Resource”.
Identity Provider
An IT system providing federated authentication services for users of a specific organization
Resources
Third-party or Controller-managed services that users of the federated authentication system intend to access
Identity Federation
A group of entities providing federated authentication services and service/resource providers who agree to interoperate according to a shared set of rules
User
The natural person using the service
Data Subject
The natural person whose personal data are processed by the Controller or by third parties (coincides with the User)
Service Name
Identity Provider (IdP)
Service Description
The federated authentication service allows ASI users to access federated Resources using their institutional credentials.
The Resources may be provided through the Italian Identity Federation for Universities and Research Institutions (IDEM) or directly.
The federated authentication service is responsible for authenticating users and releasing an authentication token and, when required, a minimal set of personal data for access to the Resource.
Controller and Data Protection Officer
The Controller is the ITALIAN SPACE AGENCY (ASI), headquartered in Rome, Via del Politecnico s.n.c., PEC asi@asi.postacert.it.
The Data Protection Officer (DPO) can be contacted at rpd@asi.it
Jurisdiction and Supervisory Authority
IT-IT Garante per la Protezione dei Dati Personali (Italian Data Protection Authority)
Categories of Direct and Indirect Personal Data Processed
- One or more unique identifiers;
- Authentication credential;
- First name and surname;
- Email address;
- Organizational role;
- Membership in workgroups;
- Specific access rights to resources;
- Name of the affiliated organization;
- Identity Provider service logs: user ID, date and time of access, requested Resource, transmitted attributes;
- Logs of technical services required for IdP operation.
Purposes and Legal Bases of Processing
Personal data are processed for the following purposes:
- Provision of federated authentication services to access requested Resources;
- Verification and monitoring of the correct operation and security of the service;
- Compliance with legal obligations and responses to requests from judicial authorities.
Legal Basis for Processing
The legal bases for processing are:
- Art. 6 §1(e) GDPR: performance of a task carried out in the public interest or in the exercise of official authority, as ASI is a public body providing institutional services;
- Art. 6 §1(c) GDPR: compliance with legal obligations.
Third Parties to Whom Data Are Communicated
In order to correctly provide the service, the Controller shares with the providers of the Resources the proof of successful authentication and only the personal data (attributes) requested, in full compliance with the data minimization principle. Personal data are transmitted only when the data subject explicitly requests access to a third-party Resource. For purposes related to the Controller’s legitimate interests or legal obligations, some log data may be processed by third parties (e.g., CERT, CSIRT, Judicial Authorities).
Exercise of Data Subject Rights
Data subjects may contact the Controller using the above contact details to request access to their personal data, rectification or erasure, restriction of processing, or to object to processing. They may also exercise the right to data portability, pursuant to Articles 15–22 of the GDPR.
Withdrawal of Consent
The only data collected with the data subject’s consent are preferences regarding the display of attributes transmitted to Resources. Preferences are collected during the first access to a Resource and can later be modified by repeating the login process.
Data Portability
Data subjects may request the portability of their data related to the federated authentication service, including attribute display preferences, which will be provided in an open format in accordance with Article 20 of the GDPR. The data portability service is free of charge.
Data Retention Period
All personal data collected for the purpose of providing the federated authentication service are retained for as long as necessary to provide the service itself. After 12 months from deactivation, all personal data collected or generated through use of the service will be deleted.