Legal Templates for SWITCHaai

Purpose & Introduction

Home Organizations participating in SWITCHaai should consult these legal templates when preparing or reviewing their data protection and user regulations.

Who has to implement the 'Standard Data Protection Clause' and the templates?

The following templates are optional - but strongly recommended from a legal point of view - for implementation by organizations operating an Identity Provider.

When to implement?

  • The template for the 'Standard Data Protection Clause' can be implemented with the current or very similar wording in the respective legal framework of an organization.
  • The template dialogue for user consent (uApprove in IdPv2) can be included in the SWITCHaai login process by the organization.
  • It is the Identity Provider Operator's duty to be compliant with its respective data protection regulation. These clauses are just sample clauses for your convenience.
  • The user consent module (uApprove in IdPv2) must be installed if your organization opts in to interfederate with organizations or resource providers of foreign jurisdictions.

The 'Standard Data Protection Clause' and further Templates

  1. 'Standard Data Protection Clause' for Acceptable Use Policy for the Use of SWITCHaai by an End User of an Identity Provider

    The Standard Data Protection Clause is referenced in the SWITCHaai Service Description. For your convenience, the text is also included below.

    "The End User notes that personal data about the End User is compiled from generally available sources and from communications received from the End User and other Universities as well as from off-site sources. The policy relating to the use and processing of such data is posted on the University website at <URL>. Such data will be used, inter alia, to authenticate and authorize the access to and use of various resources within the University and on other sites ("Approved Uses").

    The End User hereby consents to the collection, processing, use and release of such data to the extent reasonably necessary for the Approved Uses. Such consent includes, but is not limited to, the release of personal data to other institutions by employing cookies and electronically exchanging, caching and storing personal authorization attributes. At least in case of data export to foreign countries the University respectively the Identity Provider implements a user consent dialogue."

  2. Template Dialogue for User Consent
    SWITCH provides a standard template for the user consent dialogue.

    You are about to access the service:
    <name of service> of <name of organization responsible for the service>

    Description as provided by this service:
    <some free text description of the service>

    Additional Information about the service.

    Information to be Provided to Service
      Affiliation: staff
      Email: user@example.org
      Entitlement: urn:mace:dir:entitlement:common-lib-terms

    Data privacy information of the service.

    The information above would be shared with the service if you proceed. Do you agree to release this information to the service every time you access it?

    Select an information release consent duration:
    Ask me again at next login
    • I agree to send my information this time.
    Ask me again if information to be provided to this service changes
    • I agree that the same information will be sent automatically to this service in the future.
    This setting can be revoked at any time with the checkbox on the login page.

    As an option, the IdP administrator can configure the dialogue to display a 'Do not ask me again' choice (named 'Global Data Release Consent' in uApprove). With this choice, the user will not be prompted to consent to attribute release again, and all attributes will be released to any service provider.

    Note: SWITCH recommends that 'Do not ask me again' (named 'Global Data Release Consent' in uApprove) is not enabled for interfederation purposes! Instead, the IdP administrator could, for example, whitelist the services of their own organisation.

  3. Terms of Use (ToU)

    Before a user sees the user consent dialogue (named uApprove in IdPv2) for the first time, the applicable Terms of Use should be presented. Below are the sample Terms of Use that SWITCH uses on the Virtual Home Organization IdP.

    1. By clicking on the "Confirm" button below, you consent to be bound by these ToU. Read these terms carefully prior to registering and using the inter-organizational authentication and authorization services (hereinafter: the Services) provided by <name of organization> Organization (Identity Provider Operator, hereafter IdP Operator). IdP Operator reserves the right to alter and amend the ToU without prior notice.
    2. In order to benefit from the Services, you need a User ID (UID) and a password. UID and password are for your sole use and may not be assigned or transferred. Protect your UID and password with adequate care. You are personally responsible for any abuse of your UID and password. Any such abuse or any other breach of the ToU will entail a suspension or cancellation of your account.
    3. You may not access or make use of the Services for other purposes than defined herein. You commit to access and use the Services in good faith only and in accordance with these ToU and all applicable laws and regulations.
    4. You hereby acknowledge that personal data about you is compiled from generally available sources and from communications received from you, educational organizations and off-site sources. Such data will be used, inter alia, to authenticate and authorize the access to and use of various resources (hereinafter: the Approved Uses), which are offered by members and partners of the SWITCHaai Federation (see https://www.switch.ch/aai/ for details). You hereby consent to the collection, processing, use and release of such data to the extent reasonably necessary for the Approved Uses. Such consent includes, but is not limited to, the release of personal data to other organizations and content providers, inter alia by employing cookies and electronically exchanging, caching and storing personal authorization attributes. At least in case of data export to foreign countries the IdP Operator implements a user consent dialogue.
    5. IdP Operator does not make any representation or give any warranty as to the Services or their use. To the extent permitted by the applicable law, IdP Operator hereby waives all and any claims for cost and damages, whether direct or indirect, incidental, or consequential (including, inter alia, loss of use and lost profits), both in contract and in tort, arising from the use or in any way related to the Services. This waiver of claims shall be valid and effective in relation to all participants and partners of the SWITCHaai Federation including IdP Operator, its affiliates, officers, employees and agents.
    6. You hereby commit to adhere to the IdP Operator Acceptable Use Policy (hereinafter: AUP), i.e. the General Rules of Use for IdP Operators Services as posted at URL <url for general rules>. The AUP are subject to changes without prior notice. We strongly recommend that you visit the above link periodically to stay abreast of such changes. In case of discrepancies between the AUP and these ToU, the latter shall prevail.
    7. These ToU and your use of the Services shall be governed by Swiss law, and you submit to the exclusive jurisdiction of the courts of <city of IdP Operator>.
    I accept the terms of use