Service Name

Identity Provider (IdP) ENEA

Service Description

The federated authentication service that allows the Users of the ENEA to access federated Resources using their institutional credentials (ASIE). Resources can be provided through the Italian Identity Federation of Universities and Research Institutes(IDEM) or directly.

The Federated Authentication Service is responsible for authenticating the user and issuing an authentication token and,if required, a minimum set of personal data for accessing the Resource.

IDEM is an identity federation based on the SAML (Security Assertion Markup Language) standard, a technology that allowsthe exchange of authentication and authorization data (assertions) between distinct security domains called identity providers (entities that provide identity information) and service providers (entity that provides services).

Through to the federation service, Identity Providers (including ENEA) provide their users with privacy protection mechanismsand Service Providers can obtain better access control to protected resources by eliminating user account management which is delegated to the identity management systems of the Identity Provider.

The Resources can be provided through the Italian Identity Federation of Universities and Research Institutions (IDEM), or directly.

The federated Authentication Service is responsible for authenticating the User, issuing an authentication token and, if required, releasing a minimum set of personal data to access the Resource.

Controller

Name: ENEA – National Agency for New Technologies, Energy and Sustainable Economic Development

Email: enea@cert.enea.it

Address: Lungotevere Thaon di Revel, 76 – 00196,Roma

ENEA is the Controller of the personal data managed through the Service of authentication.

Data Protection Officer (GDPR Section 4) (if applicable)

The Data Protection Officer (DPO) for ENEA was appointed by Provision no. 34/2020/PRES of 6 February 2020. For communications relating exclusively to the processing of personal data, the DPO can be contacted at the following email address: uver.dpo@enea.it.

Jurisdiction and supervisory authority

IT-IT

Italian Data Protection Authority https://www.garanteprivacy.it

Categories of direct and indirect personal data processed and legal basis for processing

1.     one or more unique identifiers;

2.     identification credential;

3.     first and last name;

4.     e-mail address;

5.     work group affiliation;

6.     name of the affiliated organisation;

7.     IdP service log records: User identifier, date andtime of use, requested Resource, submitted attributes;

8.     Log records of the services necessary forthe operation of the IdP service.

Any collected personal data is stored in Italy, in accordance with the GDPR. The data processing purpose is the provisioning of the authentication service. The legal bases for data processing are the provision of the authentication service (fulfilment of contractual obligations) in relation to any type of contract existing between the interested parties/users and ENEA (permanent and temporary, defined as type of user: member or staff) and in relation to further forms of relationship with ENEA which determine the need to attribute a user identity (type of user: affiliate) and the user’s consent: the only data collected with the consent of the interested are the preferences on the display ofthe attributes transmitted to the Resources.

Purposes of personal data processing

To provide the federated authentication service in order to access the Resources requested by the User.

To verify and monitor the proper functioning of the service and ensure its security.

To fulfil any legal obligations or requests from the judicial authorities.

Third parties to whom the data are communicated

The Controller, in order to provide the service correctly, communicates to the Resources providers to which the Userintends to access proof of authentication and only the personal data (attributes) requested, in full compliance with the principle of minimization.

Personal data is transmitted only when the subject requestsaccess to the Resource of the third party.

For purposes related to the legitimate interest of the Controller orthe fulfilment of legal obligations, some log data may be processed by third parties (e.g. CERT, CSIRT, Judicial Authority).

Processing methods

The user connects to a web resource offered by a third-partyservice provider, for example an electronic magazine consultation service from a specific publisher. By choosing the”Institutional access” login method, the user is redirected to the login page of ENEA (Institution of belonging) and uses the ASIE institutional credentials.

After successful authentication, the institutional identity system transmits the user’s identity, represented by a minimal set of attributes, to the service provider. The service provider uses this information to authorize the user to access the web resource.

The attributes are transmitted in compliance with the data minimization principle.

Exercise of Subjects’ rights

To request access to your personal data and their correction or deletion or to object to their processing, or to exercise the right to data portability (Articles 15 to 22 of the GDPR), contact theController at the above mentioned contact details.

Revocation of the consent of the interested party

The only data collected with the consent of the subject are preferences about the visualization of the attribute transmitted tothe Resources. The preferences are collected at the time of the first access to the Resource and may be changed afterwards by starting over again the access procedure.

Data Portability

The Interested Party may request the portability of their data concerning the federated authentication service, including preferences regarding the visualization of the attributes transmitted to the Resources, which will be provided in open format and in accordance with Art. 20 of the GDPR. The dataportability service is free of charge.

Duration of Data Storage

All personal data collected to provide the federated authentication service will be stored for the entire time it will be necessary toprovide the service itself.

After 7 days from accessing and using the Resource, all personal data collected or generated from the use of the service, for

verification purposes and to ensure its security (e.g. in case of violations), are deleted.