Data Privacy Statement

Name of the Service

EUDAT B2ACCESS

Description of the Service

The B2ACCESS service is arbitrating access to other registered Service Providers (in this context called Downstream Service Providers). These Downstream Service Providers consume Attribute assertions provided by the B2ACCESS service when the End User accesses these services.

The role of the B2ACCESS service is to allow these Downstream Service Providers to make the authentication and the authorisation decisions, and other processing required by the Downstream Service Providers, when the End User accesses these services. In turn, B2ACCESS may make use of and store the Attributes provided by the IdP for a certain span of time. Furthermore, B2ACCESS itself can act as an Identity Provider to authenticate the End Users that have registered directly with the B2ACCESS service. In those cases, B2ACCESS assigns a dedicated username and the End User defines his/her password. The End User is affected by this privacy statement if he/she uses the B2ACCESS service directly and in connection with the Downstream Service Providers (when logging into the downstream services), regardless of which IdP is primarily used.

By registration to the B2ACCESS service, the End User declares his/her consent to the use of the data as described in this statement. This registration to B2ACCESS happens the first time the End User accesses one of the services of the Downstream Service Providers which requires authentication and when the End User's request has been redirected from this service to the B2ACCESS service. The redirected End User can then directly register with the B2ACCESS service by creating a user name and password, or he/she uses the identity provided by the IdP of his/her Home Organisation or Agent.

Data controller and a contact person

Federated Systems and Data
Juelich Supercomputing Centre (JSC)
Forschungszentrum Juelich GmbH
Wilhelm-Johnen-Strasse
52428 Juelich
Germany

Service Administrator Team
E-Mail: eudat-support@fz-juelich.de

Data controller’s data protection officer

Frank Rinkens
Forschungszentrum Juelich GmbH
Wilhelm-Johnen-Strasse
52428 Juelich
Germany
Tel.: +49-2461-61-9005
E-Mail: DSB@fz-juelich.de

Jurisdiction and supervisory authority

DE-NW Germany North Rhine-Westphalia

A complaint can be lodged at:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4
40213 Duesseldorf
Germany
E-Mail: poststelle@ldi.nrw.de

Cookies

The B2ACCESS service uses cookies. Cookies are text files that are stored in a computer system via a web browser.

Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific web browser in which the cookie was stored. This allows visited websites and servers to differentiate the individual browser of the data subject from other Internet browsers that contain other cookies. A specific web browser can be recognized and identified using the unique cookie ID.

The B2ACCESS service needs cookies for its functionality. It would not be possible to determine whether a user is logged in or not without the use of cookies.

By means of a cookie, the information and offers on our service can be optimized with the user in mind. Cookies allow us, as previously mentioned, to recognize our service users. The purpose of this recognition is to make it easier for users to utilize our service. A service user who uses cookies does not, for example, have to enter access data each time the service is accessed, because this is taken over by the service, and the cookie is thus stored on the user's computer system.

You may, at any time, prevent the setting of cookies through our service by means of a corresponding setting of the web browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via a web browser or other software programs. This is possible in all popular web browsers. If you deactivate the setting of cookies in the web browser used, not all functions of our service may be entirely usable.

Personal data processed and the legal basis

The set and format of personal data depend on the selected remote identity provider.

  1. Personal data retrieved from your remote identity provider:
    • your unique user identifier (eduPersonPrincipalName)*
    • your email address (mail)*
    • your name (givenName + sn/cn/displayName)*
    • your role in your Home Organisation (eduPersonScopedAffiliation)*
  2. Personal data gathered from yourself:
    • your name*
    • your email address*
    • your organisation*
    • logfiles on the service activity*

* the personal data is necessary for providing the Service. Other personal data is processed because you have consented to it.

Purpose of the processing of personal data

The personal data retrieved from your remote identity provider is needed to map you to the local account, contact you and provide a comfortable interface. The personal information is used to authenticate and authorize you for further actions at B2ACCESS and other Downstream Service Providers. The logfiles are needed to provide support in case you have problems with the service. Some parts of personal data might be used for anonymised statistics.

Third parties to whom personal data is disclosed

Personal data are disclosed to (registered) downstream service providers within the EUDAT CDI the user will access. Before the data is released to a service provider, you have to give your consent.

Information, stored in B2ACCESS, can be given to

  1. the duly authorised support unit or help desk;
  2. duly authorised bodies, on a case by case basis, e.g. if required by a federation of which the IdP used by the End User is a member, or if required by law.

How to access, rectify and delete the personal data and object to its processing

Personal data can be accessed and reviewed in user home. The account deletion can be done there too. If you delete your account, you will lose access to B2*services and your stored data.
To rectify the data released by your external identity provider, contact your remote identity provider's IT helpdesk.

Withdrawal of consent

Consents given for attribute releases to service providers within the EUDAT CDI can be withdrawn in user home. To withdraw the consent to the DPS or ToU, delete the account in user home. If you delete your account, you will lose access to B2*services and your stored data.

Data portability

Your profile can be exported and provided in a JSON file. This file can be used to create an account by other services. To retrieve the JSON file, contact the contact person above.

Data retention

Personal data is deleted on your request or after expiration of a statutory retention period, as long as it is no longer necessary for the fulfillment of the contract or the initiation of a contract. If the account is deleted, you will lose access to B2*services and your stored data.

Data Protection Code of Conduct

Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.

Update of this privacy statement

We may update our Privacy Statement from time to time. Updates of our Privacy Statement will be published at this location. Any amendments become effective upon publication. We therefore recommend that you regularly visit the site to keep yourself informed on possible updates.

Version: 1.2
Date: 14.06.2018