To continue your authentication, please select your nationality and read the entire privacy policy.
Privacy Information Notice (pursuant to art. 13 of European Regulation no. 2016/679)

Agid, Agenzia Italiana per il Digitale, with registered office in Via Liszt 21 – 00144 Rome, Tax code 97735020584, (hereinafter "Agid"), as Data Controller, pursuant to and in accordance with art. 13 EU Regulation no. 2016/679 (hereinafter "GDPR"), informs you, in your capacity as the Data Subject (as defined in art. 4 of the GDPR), that your personal data (hereinafter “Personal Data” or “Data”) will be processed in full compliance with current legislation on the protection of Personal Data and with the implementation of all security, technical and organizational measures deemed appropriate for the protection of the aforementioned Data.

1. Data processed: The Data processed are the following Data related to you:
- personal data obtained as a result of Your express request to use EIDAS Login on an Italian service and relevant activation of Your national E-id procedures which entail direct transmission of data to the Italian EIDAS node operated by Agid and its data processors (the “Node”), e.g. the German E-ID middleware application: this is the minimum dataset provided by EU Regulation 2016/1501, consisting of one or more of the following: name, family name, date of birth, place of birth, address, gender and the unique person identifier attributed to You along with Your national EIDAS identity.
To better understand the above, please note that Personal Data are defined by current European legislation as "any information relating to an identified or identifiable natural person (‘Data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location Data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

2. Processing: The processing of your Data is carried out by the Italian EIDAS node in Italy by means of the operations specified in art. 4 no. 2) of the GDPR and specifically, by way of relaying the pertinent data to the Service Provider of Your choice and performing the minimum essential logging operations mandatory to keep track of the transaction and be able to support any claim or incident request by You or competent Authorities. This is done through operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure to authorized processors and/or service providers by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Purposes and Legal Basis of the Processing: Your Data will be processed for the following purposes:
a. With your express consent (art. 6 letters a) and c) of the GDPR) - to be able to respond to your express request - for the following Purposes:
(i) to fulfil the express requests for authentication to the Service Provider you have made by clicking the “Login with EIDAS” button and relay to the selected Service Provider/Identity Provider the requested personal data after conversion in the appropriate national format.
b. When an authentication is requested under consent as per point 3(a) above, as mandatory under legal provisions of EU Regulations 2014/910 and 2016/1501:
(ii) To record and keep the logs mandated by EU Regulation 2016/1501, for the requested periods which prove the transaction which was processed by the node;
(iii) To communicate the data in case any competent judicial and/or administrative authority under Law requests proof of the authentication transaction carried out by the node in its proceedings.

4. Data provided and consequences of refusal: The provision of Data for the purposes referred to in letters a., point (i) of article 3) above and, as a consequence, the mandatory processing referred to in letter b, points (ii) and (iii) above, while optional, once an authentication is requested, is necessary to be able to correctly fulfil legal obligations and your requests to be identified with the Italian service required by the data subject, and therefore consent is required in order to acquire the data and convert it to the appropriate Italian SPID (electronic identity) format, but once the final “SUBMIT” button is activated the data will be provided to the Service Providers and Identity Providers in Italy as described in the authentication screens and the node will not be able to stop this process. To avoid providing the data, You must not activate the “SUBMIT” button and may cancel or stop the procedure anytime by pressing “CANCEL” or closing the browser. If you do not provide the data, you will not be able to access the required Service Provider as an EIDAS ID user authenticated by conversion to a national Italian SPID identity. If you give your consent you have the right to withdraw it at any time. We remind you that the withdrawal of consent, pursuant to and by effect of art. 7 of the GDPR, does not prejudice the lawfulness of the processing based on the consent you gave before withdrawal and will not allow us to erase the logs of any ID transaction and revoke the authentication operations which have already been successfully performed with national Italian Service Providers.

5. Method of Processing: The processing of your Personal Data will be carried out by means of suitable and secure electronic and/or online tools based on secure cloud platforms based in Italy with logic strictly related to the aforementioned purposes and, in any case, in such a way as to guarantee the security and confidentiality of the Data.
Agid informs the Data Subjects that no type of automated decision-making process will be used, "automated decision-making" being understood to mean as specified in art. 22 of the GDPR "a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".

6. Data storage: The Data will be stored at/through Server/Cloud System located in Italian territory, based on the national SPC-Cloud “lotto 1” platform. Your Personal Data and contact details will be used and stored for the purposes referred to in art. 3) above for a period not exceeding 10 (ten) years unless a different period is provided by the applicable law in the relevant field as well as in case of litigation or criminal or administrative claims. At the expiration of the storage period the Data will be erased and eliminated from our systems in a secure manner and in full compliance with the Data Protection regulations in force from time to time, or will be made anonymous for the sole purpose of carrying out statistical and/or historical analysis, therefore without any possibility for Agid and/or third parties to identify the Data Subjects.

7. Security Measures: We care about protecting your information. We therefore commit to taking all reasonable measures to protect any Personal Data that we have stored against misuse, loss or unauthorised access. To this purpose, we have implemented a series of specific technical and organisational measures. Measures are included to deal with any suspected Data breaches, based on ISO27001 and other applicable standards.

8. Parties authorised to process Data: For the proper execution of the Processing referred to in this Privacy Information Notice, your Data will be accessible to:
a. Employees of Agid and of its authorized Data Processors, expressly authorised by the Data Controller and adequately educated by the Data Controller and/or by the relevant Data Processor to perform the processing in question, comprising suppliers of SPC-Cloud “lotto 1” services;
b. Suppliers of Agid and of its Data Processors that provide services connected to and necessary for the aforementioned purposes.
c. The Consultants of Agid and of its Data Processors who provide assistance regarding legal, IT and organisational aspects related to the processing in question. These Consultants operate under specific agreements for the processing of Data, stipulated with Agid pursuant to and for the purposes of art. 28 of the GDPR.
A list of such third parties is always available at the registered office of the Data Controller.

9. Disclosure and Dissemination of the Data: The Data Controller can disclose your Data to Supervisory Bodies and/or to Judicial Authorities as well as to all other parties to whom the disclosure is mandatory by law for the accomplishment of said purposes. Your Data will not be disseminated and/or disclosed in any other way.

10. Data transfer: The management and storage of Personal Data will be carried out on/through Server/Cloud System located in EU territory, belonging to the Data Controller and/or appointed third-party companies and duly designated as External Data Processors. In any case, it is understood that no transfer of Data outside the European Union will take place.

11. Rights of the Data Subject: In your capacity as a Data Subject, you are entitled to the rights set forth in art. 13 et seq. of the GDPR. Precisely, your rights include:
a. Pursuant to and for the purposes of art. 15 and art. 77 of the GDPR, the right to lodge a complaint with a competent authority.
b. Pursuant to and for the purposes of art. 15 of the GDPR, the right of access to information related to the processing of the Data, including: the purposes for the processing; the categories of Personal Data processed; the envisaged period for which the Personal Data will be stored or if not possible the criteria used to determine that period; the recipients or categories to whom the Data were or will be disclosed; any transfer of Data to third countries; if the Data were not collected from the Data subject, the information available about the origin of the Data; the existence of an automated decision-making process, the logic applied to the segmentation of users for profiling activities and the significance and envisaged consequences of such processing for the Data subject.
c. Pursuant to and for the purposes of art. 16 of the GDPR, the right to obtain the rectification of inaccurate Data and the completion of incomplete Data.
d. Pursuant to and for the purposes of art. 17 of the GDPR, the right to request erasure and to obtain it in certain circumstances, including: the Data are no longer necessary in relation to the purposes for which they were collected; Personal Data have been unlawfully processed; Personal Data must be erased as a consequence of a legal obligation established by the law of the European Union or the Member States to which the Data Controller is subject; the Data subject has withdrawn consent. This right will not be possible if the Data are necessary for the management of complaints.
e. Pursuant to and for the purposes of art. 18 of the GDPR, the right to obtain the restriction of processing in certain circumstances, including: the Personal Data available to Agid are inaccurate; the Data subject does not agree with the use of his/her Data but opposes their erasure and therefore requires a restriction of their use; Agid no longer needs to keep the Data but the Data subject needs them for future complaints. In the event of a request for restriction, the Data will be processed only for certain reasons other than storage, including: complaints by the interested party; consent expressed by the interested party; protection of the rights of other natural or legal persons or for reasons of public interest at the level of the European Union or of a certain Member State.
f. Pursuant to and for the purposes of art. 20 of the GDPR, the right to receive their Data in a structured format that is commonly used and legible and to transmit them to another Data controller in the cases provided for by the aforementioned law.
g. Pursuant to and for the purposes of art. 21 of the GDPR, the right to object - at any time and for reasons related to his/her particular situation - to the processing of Personal Data, including the processing of Data for profiling and direct marketing purposes. In this case Agid shall no longer process the Personal Data unless for specific exceptions provided by the aforementioned law.

12. Data Controller: The Data Controller is Agid with registered office in Via Liszt 21 - 00144 Rome, Tax code 97735020584.

13. How to exercise your rights: To exercise the rights referred to in art. 11) above, you can write to Agid at the following address: protocollo@pec.agid.gov.it and to the appointed DPO at: responsabileprotezionedati@agid.gov.it

14. Changes to this Privacy Information Notice: This Privacy Information Notice may be subject to change. We therefore suggest you regularly check this Privacy Information Notice and refer to the latest version. In the event that you do not accept the changes that have been made, at any time you can cancel your registration on the Website or modify and/or withdraw your previously given consents by writing to the contacts as mentioned above.