Privacy policy

The ENVRI-ID Service (hereinafter referred to as: “the service” or “ENVRI-ID”) enables the registration and management of users, groups, communities (also referred to as virtual organisations), roles, and rights. ENVRI-ID uses this information to allow user access to external services provided by or for a community.

This privacy notice describes how we, the EGI Foundation (hereinafter referred to as "we" or "the Data Controller"), collect and process data by which you can be personally identified (“Personal Data”) when you use the service.

Jurisdiction: NL, The Netherlands

EGI Foundation's lead supervisory authority is the Dutch Data Protection Authority. They can be contacted at https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us

The service may process the following personal data:

Identification data:

• Name
• Identification numbers (as provided by identity providers like a home institution, or identifiers from third parties like ORCID)
• E-mail address
• Affiliation
• Country
• IP address

Behavioural data:

• Usage data (websites, services, social login providers)
• Technical logs with timestamps

Data allowing conclusions on the personality:

• Membership information on roles, groups, and communities

The purpose of the collection, processing, and use of the personal data mentioned above is:

• To provide the service functions, i.e., to identify, authenticate, and authorise users for accessing EGI or third-party services as a member of one or more groups or communities identified by ENVRI-ID. This involves processing identification data and membership information.
• To monitor and maintain service stability, performance, and security. This involves processing usage data and technical logs with timestamps (e.g. authentication events, IP addresses).
• To compute anonymised service usage statistics.

The legal basis for processing personal data is:

Performance of a contract according to Article 6(1)(b) GDPR:

When you register for and use ENVRI-ID, we process your personal data as necessary to create and manage your account, authenticate you, and enable access to services integrated with ENVRI-ID. This processing is necessary for the provision of the ENVRI-ID service.

Legitimate Interests pursued by the controller or by a third-party according to Art. 6(1)(f) GDPR:

We process certain personal data, in particular technical logs and identifiers, as necessary to ensure the security, integrity, and proper operation of the service. This includes activities such as monitoring, incident response, prevention of misuse, and ensuring the availability and reliability of the ENVRI-ID infrastructure.

We carefully balance these interests against your rights and freedoms and apply appropriate safeguards, such as data minimisation, access controls, and limited retention periods.

The personal data mentioned above is transmitted to service providers integrated with ENVRI-ID (i.e. services using ENVRI-ID for user authentication and authorisation), as necessary to enable access to those services. These service providers process the data in accordance with their own privacy policies.

For the purpose given in this privacy policy, personal data may be passed to the following third parties:

Within the EU / EEA:

• GRNET (resource provider, sub-contracted data processor)
• Service providers (integrated with ENVRI-ID)
• Group managers, acting on behalf of ENVRI research communities or virtual organisations (VOs) integrated with ENVRI-ID. These managers are designated by the respective communities and are granted access only to the personal data necessary for managing membership, roles, and access rights within their community.
• The records of your use and technical log files produced by the service components may be shared for security incident response purposes with other authorised security incident response teams such as CSIRTs within the academic and research distributed digital infrastructures via secured mechanisms, only for the same purposes and only as far as necessary to provide the incident response capability where doing so is likely to assist in the investigation of suspected misuse of Infrastructure resources.

Outside the EU / EEA:

• Service providers (integrated with ENVRI-ID)
• Group managers (as described above)

Any data transfer to a Third Country outside the EU or the EEA only takes place under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this privacy policy and any related policies adopted by the EGI Federation.

You can exercise the following rights at any time by contacting our data protection officer using the contact details provided in the Data Protection Officer section:

• Information about your data stored with us and its processing
• Correction of incorrect personal data
• Deletion of your data stored by us
• Restriction of data processing, if we are not yet allowed to delete your data due to legal obligations
• Objection to the processing of your data by us
• Data portability, to the extent applicable. As ENVRI-ID operates as a federated AAI and relies on external Identity Providers, this right applies only to data for which ENVRI-ID is the authoritative source (e.g. group memberships, roles, and locally managed attributes).

To access your profile information, you can go to your ENVRI-ID user profile page.

ENVRI-ID relies on external Identity Providers as the authoritative source for core identity attributes such as name, affiliation, and external identifiers. These attributes cannot be directly modified within ENVRI-ID, and requests for their rectification must be addressed to the respective Identity Provider. To access and rectify the data released by your home organisation (e.g., your university, research institute, or any other identity provider), you should contact them.

You can complain at any time to the supervisory data protection authority (DPA) responsible for you. Your responsible DPA depends on your Country and State of residence, your workplace, or the location of the presumed violation. A list of the supervisory authorities' addresses can be found at https://edpb.europa.eu/about-edpb/board/members_en.

You can contact the EGI Foundation's lead supervising authority using the contact details provided in the Jurisdiction and Supervisory Authority section.

The records of your use and technical log files produced by the ENVRI-ID service components will be deleted or anonymised after, at most, 18 months. This extended retention period is necessary to support long-term security trend analysis and complex security incident investigations.

We take appropriate technical and organisational measures to ensure data security and the protection against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access.

A comprehensive overview of the technical and organisational measures taken by EGI Foundation can be found here: Technical and organisational measures (TOM).

EGI Foundation is conforming to the GÉANT Code of Conduct, and your personal data will be processed in accordance with the Code of Conduct for Service Providers and the EGI-doc-2732-v3: Policy on the Processing of Personal Data.

The service uses cookies. Cookies are small text files created by the service and stored on your computer. We use cookies to identify you, thereby enabling us to grant you access to the provided services and resources, and to improve the user experience. To find out more, read our cookie policy.

Based on AARC Policy development kit (licensed under CC BY-NC-SA 4.0)