• Security & Identity
• Authentication
  • About AAI
  • Participants
  • Join AAI
  • Support & Downloads
    • FAQ
    • Helpdesk
    • Documents
    • Presentations
    • HOWTO
    • Identity Providers
    • Service Providers
    • Metadata
    • Tools
  • Demo
  • Contact
• Computer Emergencies
• Certificates
• Spam protection

Legal Templates for SWITCHaai

Purpose & Introduction

Home Organizations participating in SWITCHaai should consult these legal templates when preparing or reviewing their data protection and user regulations.

Who has to implement the 'Standard Data Protection Clause' and the templates?

The following templates are optional - but strongly recommended from a legal point of view - for implementation by organizations operating an Identity Provider.

When to implement?

• The template for the 'Standard Data Protection Clause' can be implemented with the current or very similar wording in the respective legal framework of an organization.
• The template dialogue for user consent (uApprove) can be included in the SWITCHaai login process by the organization.
• It is the Identity Provider Operator's duty to be compliant with its respective data protection regulation. These clauses are just sample clauses for your convenience.
• The user consent module (uApprove) must be installed, if your organization opts-in to interfederate with organizations or resource providers of foreign jurisdictions.

The 'Standard Data Protection Clause' and further Templates

1. 'Standard Data Protection Clause' for Acceptable Use Policy for the Use of SWITCHaai by an End User of an Identity Provider

   The Standard Data Protection Clause is referenced in the SWITCHaai Service Description. For your convenience the text is included as well just below.

   "The End User notes that personal data about the End User is compiled from generally available sources and from communications received from the End User and other Universities as well as from off-site sources. The policy relating to the use and processing of such data is posted on the University website at <URL>. Such data will be used, inter alia, to authenticate and authorize the access to and use of various resources within the University and on other sites ("Approved Uses").

   The End User hereby consents to the collection, processing, use and release of such data to the extent reasonably necessary for the Approved Uses. Such consent includes, but is not limited to, the release of personal data to other institutions by employing cookies and electronically exchanging, caching and storing personal authorization attributes. At least in case of data export to foreign countries the University respectively the Identity Provider implements a user consent dialogue."

2. Template Dialogue for User Consent
   SWITCH provides you a standard template for the user consent dialogue.

   You are about to access the service <name of service> of <name of organization responsible for the service>
   Description as provided by this service: <some free text description of the service>
   

   Data Requested by Service
   Affiliation	staff
   email	user@example.org
   eduPersonEntitlement	urn:mace:dir:entitlement:common-lib-terms

   The data above is requested to access the service. Do you accept that this data about you is sent to the service whenever you access it?

   Don't show me this page again

   By clicking on the link 'Don't show me this page again', an additional box appears for global data release consent (if so configured by the IdP administrator)

   Note: SWITCH recommends that Global Data Release Consent is not enabled for interfederation purposes! Instead, the IdP administrator may choose to whitelist services with a '.ch' domain name instead.

   Don't show me this page again

   Global Data Release Consent

   I fully agree that in the future all my data will be released to the service provider as required by the service that I will access.

   • This also applies to other service providers than <name of service> and to more data than shown above if necessary.
   • The corresponding service providers committed themselves to use my data only for providing the specific service and to keep it only as long as legally required.
   • This setting can be revoked at any time with the checkbox on the login page.
3. Terms of Use (ToU)

   Before a user will see the user consent (uApprove) dialogue the first time, Terms of Use must be presented. Please find attached sample Terms of Use.

   1. By clicking on the "Confirm" button below, you consent to be bound by these ToU. Read these terms carefully prior to registering and using the inter-organizational authentication and authorization services (hereinafter: the Services) provided by <name of organization> Organization (Identity Provider Operator, hereafter IdP Operator). IdP Operator reserves the right to alter and amend the ToU without prior notice.
   2. In order to benefit from the Services, you need a User ID (UID) and a password. UID and password are for your sole use and may not be assigned or transferred. Protect your UID and password with adequate care. You are personally responsible for any abuse of your UID and password. Any such abuse or any other breach of the ToU will entail a suspension or cancellation of your account.
   3. You may not access or use of the Services for other purposes than defined herein. You commit to access and use the Services in good faith only and in accordance with these ToU and all applicable laws and regulations.
   4. You hereby acknowledge that personal data about you is compiled from generally available sources and from communications received from you, educational organizations and off-site sources. Such data will be used, inter alia, to authenticate and authorize the access to and use of various resources (hereinafter: the Approved Uses), which are offered by members and partners of the SWITCHaai Federation (see http://www.switch.ch/aai/ for details). You hereby consent to the collection, processing, use and release of such data to the extent reasonably necessary for the Approved Uses. Such consent includes, but is not limited to, the release of personal data to other organizations and content providers, inter alia by employing cookies and electronically exchanging, caching and storing personal authorization attributes. At least in case of data export to foreign countries the IdP Operator implements a user consent dialogue.
   5. IdP Operator does not make any representation or give any warranty as to the Services or their use. To the extent permitted by the applicable law, IdP Operator hereby waive all and any claims for cost and damages, whether direct or indirect, incidental, or consequential (including, inter alia, loss of use and lost profits), both in contract and in tort, arising from the use or in any way related to the Services. This waiver of claims shall be valid and effective in relation to all participants and partners of the SWITCHaai Federation including IdP Operator, its affiliates, officers, employees and agents.
   6. You hereby commit to adhere to the IdP Operator Acceptable Use Policy (hereinafter: AUP), i.e. the General Rules of Use for IdP Operators Services as posted at URL <url for general rules>. The AUP are subject to changes without prior notice. We strongly recommend that you visit the above link periodically to stay abreast of such changes. In case of discrepancies between the AUP and these ToU, the latter shall prevail.
   7. These ToU and your use of the Services shall be governed by Swiss law, and you submit to the exclusive jurisdiction of the courts of <city of IdP Operator>.

   I accept the terms of use