IDEM Privacy Policy

(Privacy Policy under to articles 13 and 14 of Regulation (EU) 2016/679)

The new Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), together with Legislative Decree 196/2003, Personal Data Protection Code, as amended by Legislative Decree 101/2018, define rules concerning the protection of individuals with regard to the processing of personal data and the free circulation of data.

Definitions

Personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Identity Provider: IT system that provides the federated authentication service for the Users of a specific Organization;
Resources: third-party services or the Data Controller with which the User of the federated authentication service intends to access;
Risorse: servizi di terze parti o del Titolare presso i quali l'Utente del servizio di autenticazione federata intende accedere;
Federation of Identity: a group of Bodies providing federated authentication services and Bodies providing access services to resources that decide to interoperate according to a set of common rules.
User: natural person who uses the service;
Data subject: natural person whose personal data are processed by the Data Controller and any third parties (coincides with the User);

Service Name	Identity Provider (IdP)
Description of service	The federated authentication service allows users of the Politecnico di Torino to access federated resources using their institutional credentials. The Resources can be provided through the Italian Federation of Identity of Universities and Research Bodies (IDEM), or directly. The Federated Authentication Service is responsible for authenticating the user and issuing an authentication token and, if required, a minimum set of personal data for accessing the Resource.
Data Controller	Name: Politecnico di Torino, represented by the Rector pro tempore. Email: politenicoditorino@pec.polito.it Address: Corso Duca degli Abruzzi, 24 – 10129 Torino - Italy
Data Protection Officer (GDPR Section 4)	The Data Protection Officer of the Politecnico di Torino, to whom data subject can request information on the processing of your personal data and your rights is the lawyer Nicoletta Roz, who can be contacted at the following address: dpo@polito.it; PEC: dpo@pec.polito.it. The University IT Security Coordinator is Eng. Enrico Venuto. The contact details are: ciso@polito.it.
Categories of personal data processed and legal basis for processing	one or more unique identifiers; recognition credential; name and surname; email address; role in the organization; membership in working groups; The personal data collected are stored in Italy in accordance with the GDPR. Their treatment is aimed at providing the authentication service. The legal bases for data processing are the provision of the authentication service (fulfillment of contractual obligations) and the public interest of the Data Controller.
Purpose of the processing of personal data	Provide the federated authentication service in order to access the resources requested by the data subject. Verify and monitor the proper functioning of the service and ensure its security (legitimate interest). Fulfill any legal obligations or requests from the judicial authority.
Principles of treatment	All treatments are based on the principles established by art. 5 of the GDPR, with particular regard to the lawfulness, fairness and transparency, to the use of data for legitimate purposes and connected to the institutional activities of the Politecnico di Torino, as indicated in art. 2 of the PoliTO Statute. Personal data are processed in a manner relevant to the purposes and respecting the principles of data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability of the Data Controller.
Third parties to whom the data is disclosed	The Data Controller, in order to provide the service correctly, communicates to the suppliers of the Resources to which the User intends to access the proof of authentication and only the personal data (attributes) requested, in full compliance with the principle of minimization. Personal data are transmitted only when the interested party requests access to the third party's resource. For purposes related to the public interest of the Data Controller or to the fulfillment of legal obligations, some log data may be processed by third parties (eg CERT, CSIRT, Judicial Authority).
Rights of interested parties	the data subject has the right to obtain confirmation of the fact that his personal data are being processed, has the right to access his personal data, as well as to request the correction of inaccurate data or, in case, to request their elimination, blocking o the modification only if this does not affect the performance of the institutional task of the Politecnico di Torino; the data subject, in certain circumstances and for reasons related to their particular situation, has the right to oppose the processing of their data, to request data portability, as well as to revoke the consent given, at any time, without this it affects the lawfulness of the processing based on consent prior to withdrawal; the right of the data subject to contact the Data Controller to exercise their rights; the right to lodge a complaint with the Italian Data Protection Authorityin the manner indicated on the page " "What is the complaint and how it is presented to the The Italian Data Protection Authority".
Exercise of the rights of the interested parties	Contact the Data Controller at the addresses indicated above to request access to personal data, correction, cancellation, restriction of the processing, to oppose of the processing or to exercise the right to the portability of the data. (articles from 15 to 22 of the GDPR).
Revocation of the consent of the interested party	The only data that are collected with the consent of the data subject are preferences regarding the transmission of attributes to third parties. The preferences are collected at the time of the first access to the Resource and can be modified later by starting the access procedure again.
Data portability	The data subject may request the portability of their data relating to the federated authentication service, including preferences regarding the transmission of attributes to third parties, which will be provided in an open format and pursuant to Art. 20 of the GDPR. The portability service is free upon termination of the service.
Duration of Data Retention	All personal data collected in order to provide the federated authentication service are kept for as long as it is necessary to provide the service. After 12 months of deactivation, all personal data collected or generated by the use of the service are deleted.